Disable Print Spooler

3thixs, How-To

Disable the Print Spooler service on DCs and on all servers that do not perform print services.

Due to attacks such as PrintNightmare and PrinterBug/SpoolSample, it's a good idea to limit the attack surface on Domain Controllers. Part of the attack surface reduction process is disabling unnecessary services like the Print Spooler on servers that don’t print or host printers.

You could disable it manually on each server, but it's better to do it with Group Policy.

  1. Create a new GPO named Disable Print Spooler - DC and link it to the Domain Controllers container.
  2. Right click the new GPO & Edit.
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > System Services, then click on Print Spooler in the right pane and Enable.
  4. Allow time for the new GPO to propagate and apply. Then check DCs to make sure the Spooler service is disabled.
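
One way to do the check in step 4 across every DC at once. This is an added example, not part of the original how-to; it assumes the ActiveDirectory module (RSAT) is installed and that the DCs accept remote CIM/WinRM queries from the machine you run it on.

```powershell
# Added example: audit the Print Spooler service on all domain controllers.
# Assumptions: ActiveDirectory module (RSAT) available, WinRM/CIM reachable on each DC.
Import-Module ActiveDirectory

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # Win32_Service exposes both the configured start mode and the current state.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                               -ComputerName $dc.HostName -ErrorAction Stop

        if ($null -eq $svc) {
            # The service does not exist on this host, so there is nothing to disable.
            [pscustomobject]@{
                Server    = $dc.HostName
                StartMode = 'NotInstalled'
                State     = 'NotInstalled'
                Compliant = $true
            }
        }
        else {
            # Check both properties: start mode and running state are independent,
            # so a Disabled start mode alone does not show the service is stopped.
            [pscustomobject]@{
                Server    = $dc.HostName
                StartMode = $svc.StartMode
                State     = $svc.State
                Compliant = ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped')
            }
        }
    }
    catch {
        # An unreachable DC is reported as non-compliant so it gets followed up by hand.
        [pscustomobject]@{
            Server    = $dc.HostName
            StartMode = 'Unknown'
            State     = 'Unreachable'
            Compliant = $false
        }
    }
}

# Non-compliant hosts sort to the top of the table.
$results | Sort-Object Compliant, Server | Format-Table -AutoSize
```

Any row with `Compliant` set to `False` is a DC where the GPO has not applied yet, the Spooler is still running, or the host could not be queried.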