Does anybody know what Rapid7 changed in Microsoft Windows: CVE-2021-34527: Windows Print Spooler Remote Code Execution Vulnerability?
Hi @hhwanea,
We had the same issue: CVE-2021-34527 reintroduced - InsightVM - Rapid7 Discuss.
I guess the detection for the registry keys was added to the vulnerability. After we changed the reg keys according to KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates - Microsoft Support, InsightVM showed the vulnerability as remediated.
Kind regards,
Julian
Thank you for replying back. I was wondering if Windows 11 devices were impacted for you? We only see Windows 10 devices being flagged, even though both Windows 10 and 11 have the same registry settings.
We had this come up as well.
We investigated and it looks like MS guidance changed a few months after the release. Now, with that said, not sure why Rapid7 had a modified date of Feb 2025 of this year, and now again in April 2025.
We broke open the check to evaluate it and it is looking for the correct modifications of the registry; not sure if this was the case prior.
We do see that they have the Windows 10 versions and Win11 versions listed for and up to 22H2. I don't think 23H2 and 24H2 are vulnerable due to them not being listed on MS's page.
Microsoft Updated their Guidance:
If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:
* HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  * NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  * UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Hello - we have the reg keys set as per the MS guidance you have pasted above.
We have had it set that way for years, but the April change to the vuln detection now has lots of our systems showing as vulnerable. This appears to be a false positive.
Can you confirm whether you are also seeing this? Do you have the reg keys set correctly and are now being informed you're vulnerable by InsightVM? Or do you have them set correctly and InsightVM is not showing you as vulnerable?
Support are not being very helpful on this at the moment!
It wasn't an FP on our side; we spot checked about 20 hosts.
What OS major and minor versions are you seeing this on? Is this via Agent or Network or both?
After validating the guidance is in place and double checking each, here is a .ps1 script you can validate is clean and try. If validated as clean, you can try deleting that asset record altogether from Nexpose and rescanning with admin credentials.
# CVE-2021-34527 Vulnerability Checker
# This script checks PointAndPrint registry keys for potentially vulnerable settings.
$baseKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
$noWarningKey = "NoWarningNoElevationOnInstall"
$updatePromptKey = "UpdatePromptSettings"

Write-Host "=== CVE-2021-34527 (PrintNightmare) Configuration Check ===`n"

# Check if the base registry path exists
if (Test-Path $baseKey) {
    Write-Host "Registry Path: $baseKey exists.`n"

    # Check NoWarningNoElevationOnInstall
    try {
        $noWarningValue = Get-ItemProperty -Path $baseKey -Name $noWarningKey -ErrorAction Stop
        if ($noWarningValue.$noWarningKey -eq 0) {
            Write-Host "$noWarningKey = 0 → Not vulnerable (secure)"
        } else {
            Write-Host "$noWarningKey = $($noWarningValue.$noWarningKey) → Vulnerable setting!"
        }
    } catch {
        Write-Host "$noWarningKey not present → Not vulnerable (default secure)"
    }

    # Check UpdatePromptSettings
    try {
        $updatePromptValue = Get-ItemProperty -Path $baseKey -Name $updatePromptKey -ErrorAction Stop
        if ($updatePromptValue.$updatePromptKey -eq 0) {
            Write-Host "$updatePromptKey = 0 → Not vulnerable (secure)"
        } else {
            Write-Host "$updatePromptKey = $($updatePromptValue.$updatePromptKey) → Vulnerable setting!"
        }
    } catch {
        Write-Host "$updatePromptKey not present → Not vulnerable (default secure)"
    }
} else {
    Write-Host "Registry Path: $baseKey not present → Not vulnerable (default secure state)."
}

Write-Host "`n=== Scan Complete ==="
Hi Bradpjaxx,
Thank you for your reply. Can you confirm that, in order to remediate the vulnerability within your org, you've just set
NoWarningNoElevationOnInstall and UpdatePromptSettings to 0,
alongside having a recently patched machine?
We've the same keys set across our Win 10/11 devices; however, we're now showing as vulnerable since a Rapid7 modification to the vulnerability checks on 08/05/2025, and we're now being advised that we should set
RestrictDriverInstallationToAdministrators to 1 or above, as it now sees a value of 0 as proof of vulnerability.
Looks like this vulnerability was modified in InsightVM again on 5/26. Wish we had some insight into what was changed…
We also met this same issue this month.
CVE-2021-34527 came out on some servers and workstations this May. Almost all of those proofs show:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler Start - contains unexpected value 2
2. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint RestrictDriverInstallationToAdministrators - contains unexpected value 0
3. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint RestrictDriverInstallationToAdministrators - value does exist and is of type REG_DWORD
4. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint RestrictDriverInstallationToAdministrators - contains 0
But actually, according to the Microsoft official website, KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates - Microsoft Support, what we should do is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint:
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
We checked those assets which show as vulnerable; the registry settings already met the above two settings.
Don't know why it still shows vulnerable now.
We found the Rapid7 vulnerability database modified CVE-2021-34527 on May 26 (Rapid7 Vulnerability Database), but we don't know what information was modified on May 26.
Anyone have any idea?
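The thread's posts quote four pieces of proof from the May 2025 check (Spooler Start, and RestrictDriverInstallationToAdministrators being an explicit REG_DWORD 0) alongside the two KB5005010 values. The script below is an added example, not code from any poster or from Rapid7, that reads all four items on the local host so the state can be compared with the scanner's proof; the Start-value meanings (2 = Automatic, 4 = Disabled) are standard service-control values, and treating an absent RestrictDriverInstallationToAdministrators as "restricted by default" is an assumption based on Microsoft's August 2021 change to the default.

```powershell
# Added example: gather the registry evidence the CVE-2021-34527 proof cites
# and compare it with KB5005010 guidance. Run in an elevated PowerShell prompt.
$pointAndPrint = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$spoolerSvc    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Spooler'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent instead of throwing,
    # so "not defined" can be reported as its own state.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$Name]) { return $null }
    return [int]$item.$Name
}

function Test-Kb5005010Value {
    param([string]$Name)
    # KB5005010: the value must be 0 or not defined to be compliant.
    $v = Get-RegDword -Path $pointAndPrint -Name $Name
    if ($null -eq $v)  { return "$Name = not defined (compliant with KB5005010)" }
    if ($v -eq 0)      { return "$Name = 0 (compliant with KB5005010)" }
    return "$Name = $v (NOT compliant with KB5005010)"
}

$report = @()

# Proof item 1: Spooler service start type (2 = Automatic, 3 = Manual, 4 = Disabled).
$start = Get-RegDword -Path $spoolerSvc -Name 'Start'
$report += if ($start -eq 4) { "Spooler Start = $start (service disabled)" }
           else              { "Spooler Start = $start (service enabled; the proof flags 2)" }

# KB5005010 values the thread's posters already have set.
$report += Test-Kb5005010Value -Name 'NoWarningNoElevationOnInstall'
$report += Test-Kb5005010Value -Name 'UpdatePromptSettings'

# Proof items 2-4: an explicit REG_DWORD 0 is what the May 2025 proof quotes.
$restrict = Get-RegDword -Path $pointAndPrint -Name 'RestrictDriverInstallationToAdministrators'
$report += if ($null -eq $restrict) {
               # Assumption: absent means the post-August-2021 default (restricted) applies.
               'RestrictDriverInstallationToAdministrators = not defined (default restriction assumed)'
           } elseif ($restrict -eq 0) {
               'RestrictDriverInstallationToAdministrators = 0 (non-admin driver install allowed; matches the proof)'
           } else {
               "RestrictDriverInstallationToAdministrators = $restrict (driver install restricted to admins)"
           }

$report | ForEach-Object { Write-Output $_ }
```

Hosts that print the first three lines as compliant but the last as 0 reproduce the state the posters describe, which helps separate a check change on Rapid7's side from a genuine drift on the host.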