Before the August 2022 security update is installed, firmware on smartcard-authenticating printers and scanners must be compatible with section 3.2.1 of RFC 4556 in order to authenticate successfully with Active Directory domain controllers.
Windows updates released on July 13, 2021 introduced protections for CVE-2021-33764. These protections required every device that performs a key exchange during PKINIT Kerberos authentication, including smartcard-authenticating printers, to either:
- support Diffie-Hellman, or
- advertise support for the des-ede3-cbc (“triple DES”) e-type during the Kerberos AS request.
How this will affect your organization
Windows updates released between July 27, 2021, and July 26, 2022 supported a temporary mitigation that allowed non-RFC-compliant devices to authenticate with Active Directory. Windows updates released on August 9, 2022, or later remove all temporary mitigation released to Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
What you need to do to prepare
Firmware on smartcard-authenticating printers and scanners must be compatible with section 3.2.1 of the RFC 4556 specification, as required for CVE-2021-33764, before Windows updates released on August 9, 2022 or later are installed on Active Directory domain controllers.
When will this happen
August 9, 2022, or later.
Review the documentation below
- KB5005408: Smart card authentication might cause print and scan failures.
- CVE-2021-33764: Windows Key Distribution Center Information Disclosure Vulnerability
- RFC 4556 specification
Message ID: MC411583
Published: 10 August 2022
Updated: 10 August 2022
Platform: World tenant, Windows Desktop, Online