There has been some recent news of a serious zero day named PrintNightmare.
One mitigation is to stop and disable the printer spooler service, especially on Domain Controllers.
There is an existing Fixlet in BES Support site to Stop a Service that could be leveraged to stop the Spooler service.
I have uploaded an Alpha Fixlet to BigFix.me, in case you want a jump start on this one.
(Note - disabling the print spooler service will stop your users from printing…)
*** Update - MS has released some OOB patches last night. HCL Content team is working on your Fixlets ***
*** Update - FIXLETS ARE LIVE for the subset of patches that were released by Microsoft ***
*** Update - MS just released the rest of the Patches - We are working on the Fixlets to match ***
*** Update - All Fixlets are now available ***
For those who still have Windows 2008 or Windows 7, MS released patches for those who are entitled to the MS ESU program. Fixlets for the Windows 2008 and Windows 7 patches are now live the ESU Patching Add on Fixlet sites.
If you are not entitled to the MS ESU patch streams, but still have some Windows 2008 or Windows 7, please consider stopping and disabling the print spooler on these systems, or explore some of the other mitigating controls
Fixlet Release Notes:
There have been reports that the current patches are not closing 100% of the vulnerability.
Microsoft is recommending adding a restriction to PointAndPrint.
Sample Fixlet: https://bigfix.me/fixlet/details/26861
Additional Mitigation from MS to disable non-administrators from adding print drivers
Sample Fixlet: https://bigfix.me/fixlet/details/26862