Skip to Content

MC411583: Reminder: Removal of temporary mitigation in Windows updates requires compliant printing and scanning devices

Firmware on smartcard authenticating printers and scanners must be compatible with section 3.2.1 of RFC 4556 in order to successfully authenticate with Active Directory domain controllers before installing the August 2022 security update.

Windows Updates released on July 13, 2021 introduced protections for CVE-2021-33764 which required all devices with a key exchange during the PKINIT Kerberos authentication, including smartcard authenticating printers, to either support:

  • Diffie-Hellman or,
  • advertise support for the des-ede3-cbc (“triple DES) e-type during the Kerberos AS request.

How this will affect your organization

Windows updates released between July 27, 2021, and July 26, 2022 supported temporary mitigation that allowed non-RFC compliant devices to authenticate with Active Directory. As of August 9, 2022, or later, Windows update removes all temporary mitigation released to Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

What you need to do to prepare

Firmware on Smartcard-authenticating printers and scanners must be compatible with section 3.2.1 of the RFC 4556 specification required for CVE-2021-33764 prior to installing Windows updates released on August 9, 2022 or later on Active Directory domain controllers.

When will this happen

August 9, 2022, or later.

Additional information

Review the below documentation

Message ID: MC411583
Published: 10 August 2022
Updated: 10 August 2022
Platform: World tenant, Windows Desktop, Online

    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.