Hello,
I’m trying to use the “Verify that Startup type of “Print Spooler” service is disabled” fixlet to disable the Print Spooler service but I see the “Take Action” button is grayed out. Why is it so?
Thank you,
Jennifer
What site is this task under? It depends on what Relevance conditions are used in the task.
Sounds like a Compliance check. Not all compliance checks have remediation actions and that is why the Take Action button is greyed out.
That aside, if you want to stop the service and set the startup type to “disabled” there is a fixlet that was posted by @brolly33 to address the recent PrintNightmare vuln here that will do that for you…
https://bigfix.me/fixlet/details/26860
It’s under the PCI DSS Checklist site that we enabled.
Thank you, it seems odd for it to be grayed out since all the clients on the console are applicable to that check.
I wrote a fixlet to disable the Print Spooler service as a workaround.
I don’t have the PCI DSS checklists in my console, but if memory serves none of the PCI DSS checklists have remediation capabilities (the action part) like many of the other checklists do (CIS, DISA). Glad you were able to get it sorted out though.
Hi vhenry,
Maybe it will be useful to try the action script and relevance below.
Action Script:
wait cmd.exe /C "REG add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler /V Start /t REG_DWORD /d 4 /f"
wait cmd.exe /C "net stop Spooler"
Relevance:
name of operating system contains "Win" AND exists running service "Spooler"
Similar to above but with tweaked relevance to account for both service state and startup type:
Action Script:
action uses wow64 redirection {not x64 of operating system}
waithidden cmd /C powershell -ExecutionPolicy Bypass -command "Stop-Service -Name Spooler -Force ; Set-Service -Name Spooler -StartupType Disabled"
Relevance:
windows of operating system AND exists services "spooler" whose (state of it != "Stopped" OR start type of it != "disabled")
MS started to release an out-of-band patch for the Spooler issue:
KB5005010
https://support.microsoft.com/en-us/topic/31b91c02-05bc-4ada-a7ea-183b129578a7
Interesting that you prefer the powershell method.
I like sc.exe for this
wait sc.exe stop spooler
wait sc.exe config spooler start= disabled
and to reverse it later:
wait sc.exe config spooler start= auto
wait sc.exe start spooler
tomayto, tomahto?
Oftentimes, it comes down to where my mind was at the time of creation.
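A local check that the methods posted in this thread (the REG add of Start = 4, Set-Service -StartupType Disabled, and sc.exe config spooler start= disabled) left the service stopped and disabled, given as an added example that is not part of any post above. The function name Get-SpoolerHardeningState is hypothetical.

```powershell
# Added example: audit the Print Spooler state on the local machine.
function Get-SpoolerHardeningState {
    [CmdletBinding()]
    param([string]$ServiceName = 'Spooler')

    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Service is not installed, so there is nothing to stop or disable.
        return [pscustomobject]@{
            Service       = $ServiceName
            Installed     = $false
            State         = $null
            RegistryStart = $null
            Compliant     = $true
        }
    }

    # Start is the REG_DWORD that the REG add line in the thread writes;
    # a value of 4 means the startup type is Disabled.
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction Stop).Start

    [pscustomobject]@{
        Service       = $ServiceName
        Installed     = $true
        State         = $svc.Status.ToString()
        RegistryStart = $start
        # Both conditions must hold: a disabled service that is still
        # running stays exposed until it is stopped or the host reboots.
        Compliant     = ($svc.Status -eq 'Stopped' -and $start -eq 4)
    }
}

$result = Get-SpoolerHardeningState
$result | Format-List
if (-not $result.Compliant) { exit 1 }
```

The non-zero exit code lets a wrapper treat a running or non-disabled Spooler as a failed check.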