On July 13, 2021, Microsoft released hardening changes for the Windows Key Distribution Center Information Disclosure Vulnerability, CVE-2021-33764. With these changes, smart card (PIV) authentication might cause print and scan failures when you install updates released on July 13, 2021, or later on a domain controller (DC). The affected devices are smart card authenticating printers, scanners, and multifunction devices that either don’t support Diffie-Hellman (DH) for key exchange during PKINIT Kerberos authentication or don’t advertise support for des-ede3-cbc (“triple DES”) during the Kerberos AS request.
A temporary mitigation, released in Windows Updates between July 29, 2021, and July 12, 2022, was made available for organizations that encountered this issue and couldn’t bring devices into compliance as required for CVE-2021-33764. However, starting in July 2022, this temporary mitigation will not be usable in security updates. The Windows July 2022 preview update will remove the temporary mitigation and will require compliant printing and scanning devices.
As of July 19, 2022, there will be no further fallback option in later updates. All non-compliant devices must be identified using the audit events starting in January 2022, and updated or replaced by the time the mitigation is removed. To learn more, see KB5005408: Smart card authentication might cause print and scan failures.