When they click Install Driver, it appears to install and then falls back to the same message. The result is an endless loop: users can't print because a driver update is required, but they can't install the driver either.
These printers are deployed through Print Management and pushed out via GPO. Point and Print Restrictions policies are also in place to suppress any warnings or UAC prompts when installing new drivers or updating existing ones.
In theory this should mean there are no warnings and the drivers just update. I've checked the workstations: they apply the policy correctly and the changes are there, so this isn't a problem with the GPO itself being applied. Even so, the warnings still show up and the drivers can't be updated.
The troubleshooter asks whether you want to install the update with elevated privileges, and doing that works fine. After a lot of troubleshooting, the ticket was escalated to Microsoft support.
They confirmed the following:
A recently released Windows security update that hardens printing, KB3170455 (MS16-087), was the culprit. In effect, the update requires a driver to meet the following criteria before Point and Print will install or update it without a warning or elevation prompt:
- Package-aware
- Digitally signed
- Installed from a driver package with a catalog (.cat) file
Apparently the official drivers we had downloaded from the Canon website did not meet these criteria. Uninstalling the update has resolved the issue for all users.
At the time of writing there is no official word from Microsoft acknowledging the issue caused by their security update beyond what the support technician told me, but they did confirm that a large number of support calls have been raised to their help desk since the update.
There are currently only two options to get around this:
- Download another driver that meets the criteria
- Remove the Windows Security Update from all servers and workstations
Note: if you are a small enough company, you can work around this by installing the driver update with elevated privileges.
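Two checks that make the situation above concrete, added here as an example rather than taken from the original post: which drivers on a print server carry the package-aware flag that KB3170455 looks for, and which Point and Print Restrictions values a workstation actually received from GPO. It reads the registry directly, so it needs no PrintManagement module, but it does need an elevated PowerShell. The registry paths, the `PRINTER_DRIVER_PACKAGE_AWARE` bit (bit 0 of `PrinterDriverAttributes`, the same value a comment below suggests editing), and the policy value names are taken from Microsoft's documentation; the assumption that the drivers are x64 v3 drivers (`Version-3`) is mine, as are the function names.

```powershell
# Added example, not from the original post or from any vendor.
# Assumptions: x64 v3 print drivers (v4 drivers under Version-4 are package-based by design),
# run in an elevated PowerShell on the print server / workstation respectively.

# PrinterDriverAttributes bit 0 = PRINTER_DRIVER_PACKAGE_AWARE (winspool.h)
$PRINTER_DRIVER_PACKAGE_AWARE = 0x1

function Get-PrintDriverPackageStatus {
    # Run on the print server: one row per installed driver, with the package-aware bit decoded.
    [CmdletBinding()]
    param(
        [string]$Environment = 'Windows x64',
        [string]$Version     = 'Version-3'
    )
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\$Environment\Drivers\$Version"
    if (-not (Test-Path -LiteralPath $base)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $base) {
        $props = Get-ItemProperty -LiteralPath $key.PSPath
        $attrs = [int]($props.PrinterDriverAttributes)   # missing value -> 0 -> not package-aware
        [pscustomobject]@{
            Driver       = $key.PSChildName
            Attributes   = '0x{0:X}' -f $attrs
            PackageAware = [bool]($attrs -band $PRINTER_DRIVER_PACKAGE_AWARE)
            RenderDll    = $props.Driver
        }
    }
}

function Get-PointAndPrintPolicy {
    # Run on a workstation: decode the values the "Point and Print Restrictions" GPO writes.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ PolicyApplied = $false }
    }
    $p = Get-ItemProperty -LiteralPath $path
    # Meaning of the DWORDs behind the two prompt drop-downs in the policy UI
    $installText = @{ 0 = 'Show warning and elevation prompt'
                      1 = 'Do not show warning or elevation prompt' }
    $updateText  = @{ 0 = 'Show warning and elevation prompt'
                      1 = 'Show warning only'
                      2 = 'Do not show warning or elevation prompt' }
    [pscustomobject]@{
        PolicyApplied       = ($p.Restricted -eq 1)
        OnlyTheseServers    = ($p.TrustedServers -eq 1)
        ServerList          = $p.ServerList
        OnlyInForest        = ($p.InForest -eq 1)
        NewConnectionPrompt = $installText[[int]$p.NoWarningNoElevationOnInstall]
        UpdatePrompt        = $updateText[[int]$p.UpdatePromptSettings]
    }
}

# Usage (elevated):
#   On the print server, list non-compliant drivers first (the "22 of 45" kind of count):
Get-PrintDriverPackageStatus | Sort-Object PackageAware, Driver | Format-Table -AutoSize
#   On a workstation, confirm the GPO values actually landed:
Get-PointAndPrintPolicy | Format-List
```

If the policy report shows both prompts set to "Do not show warning or elevation prompt" and the prompt still appears, the driver is almost certainly in the `PackageAware = False` rows of the server report; that prompt is the behaviour KB3170455 introduces for non-package-aware drivers, not a GPO that failed to apply. Removing the update, or setting the package-aware bit on a driver that was never packaged, brings silent installs back but also removes the check the update added, which is exactly the kind of driver push from an untrusted print server that the Vectra write-up linked in the comments describes.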
Yup, just ran into this same crap. Out of 45 drivers on the print server only 22 comply with the requirements, so yeah. Too bad the Point and Print restriction of only allowing machines in your forest doesn't let you bypass this, or even the named list of print servers if they want to get picky.
Microsoft claims this is a security update. I guess it's very secure, stopping all printers from working...
This is why the security update was necessary:
http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack
So by pulling the patch you are leaving your network vulnerable to this attack.
I opened a case with Microsoft to see if there is a workaround. We have MFPs from Xerox that users were not able to install. I have a case open with Xerox too to see if they have drivers that meet the criteria.
The workaround is to remove the update. That's the recommendation from Microsoft when I opened a case with them. The only other option is to get new drivers which meet the criteria.
If you've got WSUS, just revoke the update.
I've noticed a slowdown in printing on the print server with HP Universal Print Driver 5.9...
Yes, we did remove the update. We use patching filters, so luckily we only hit 10% of the population.
https://community.usa.canon.com/t5/Office-Printers/Package-Aware-Print-Drivers/m-p/182579
If you have trouble deploying printers after applying critical updates according to MS16-087 (KB3170455), try this tweak: edit the registry on your print server. If you change the value of the key PrinterDriverAttributes under HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\...\Driver name\ and restart the print server, you are able to make Windows treat the driver as packaged, and it will install unattended with GPO. The hex number has to be odd, i.e. 41.
Restart the server.
According to MS, the 1 flag for PrinterDriverAttributes stands for PRINTER_DRIVER_PACKAGE_AWARE. This will treat the driver as package-aware, which means a CAB package will be created, including the inf and the catalog. The package will be installed through setupapi.dll when installing the driver, validating that the catalog is trusted and that hashes for all files are included in the catalog.
Hi Adam, I removed the above Microsoft patch from the print server and workstation, but the above alert is still coming. I don't want to update the driver on the server, as only the universal driver is available from the Ricoh site, not the original driver for the printer. Any help would be appreciated.
Have you got the appropriate Point and Print Restrictions in your GPO?
We configured the Point and Print Restrictions in both the User and Computer Configuration in Group Policy but still get a UAC prompt to trust the printer. Clicking Install will install the printer without having to enter admin credentials.
Any way to not even pop up the UAC prompt to trust the printer?
My Group Policy configuration is as such:
- Users can only point and print to these servers: Disabled
- Users can only point and print to machines in their forest: Enabled
- When installing drivers for a new connection: Do not show warning or elevation prompt
- When updating drivers for an existing connection: Do not show warning or elevation prompt