02 January 2018

Issues Updating Print Drivers | KB3170455

Recently a client of mine updated their print drivers on the Print Server (through Print Managemnet).  Users suddenly had issues printing, where Word would say "Driver Update Required".  When a user would go to right-click on the printer and click on "Update Driver", they would get essentially a UAC prompt asking whether they trust that particular printer:


When they click Install Driver, it looks like it's installing and then it just falls back to the same message.  It looks like there's an endless loop where users can't print because of the driver update requirement, but they can't install the driver either.

These printers are deployed through Print Management and are deployed via GPO.  There are Point and Print restriction policies in place as well to remove any warnings or UAC prompts for installing new drivers, or updating drivers:


In theory, this should mean that there's no warnings and the drivers should just update.  I've had a look on the workstations and they're applying the policy correctly and the changes are there, so it's not an issue with applying the actual GPO.  With this in mind though, the warnings are still showing up and the drivers can't be updated.

When running the troubleshooter, it asks whether you want to install the updates with elevated privileges.  When doing this, it works fine.  After a lot of troubleshooting, this ticket was actually escalated to Microsoft support to look into this.  

They confirmed the following:

There was a Windows Security Update recently released which targeted the security of printing.  This was KB3170455 and this was the culprit!  Essentially what this update does is require drivers to meet certain criteria before they can be used.  The criteria is the following:
  • Package aware
  • Digitally signed
  • Catalogue print drivers

Apparently the official drivers we had downloaded from the Canon website did not meet this criteria.  Uninstalling this update has resolved the issue for all users.  

At the time of writing this blog, there is no official word from Microsoft acknowledging the issue caused by their security update other than what the support technician has told me, but they have confirmed that since the update, there have been a large number of support calls raised to their help-desk.


There's currently only two options to get around this:

  1. Download another driver that meets the criteria
  2. Remove the Windows Security Update from all servers and workstations
Note: if you are a small enough company, you can work around this by installing the driver update with elevated privileges.

12 comments:

  1. Yup, just ran into this same crap. Out of 45 drivers on the print server only 22 comply with the requirements so yeah. Too bad the point and print restriction of only allow to machines in your forest doesn't allow you to bypass this, or even the named list of print servers if they want to get picky.

    ReplyDelete
  2. Microsoft claim this is a security update. I guess it's very secure stopping all printers from working...

    ReplyDelete
    Replies
    1. This is why the security update was necessary:

      http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack

      So by pulling the patch you are leaving your network vulnerable to this attack.

      Delete
  3. I opened a case with Microsoft to see if there is a workaround. We have MFPs from Xerox that users were not able to install. I have a case open with Xerox too to see if they have drivers that meet the criteria.

    ReplyDelete
    Replies
    1. The work around is to remove the update. That's the recommendation from Microsoft when I opened a case with them. The only other option is to get new drivers which meet the criteria.

      If you've got WSUS, just revoke the update.

      Delete
    2. I've noted a slow down in printing on printserver with HP Universal Print Driver 5.9...

      Delete
    3. Yes we did remove the update, we use patching filters, so luckily we only hit 10% of population.

      Delete
  4. https://community.usa.canon.com/t5/Office-Printers/Package-Aware-Print-Drivers/m-p/182579

    If you have trouble deploying printers after applying critical updates according to MS16-087 (KB3170455) try this tweak: Edit the register on your print server. If you change the value of the key PrinterDriverAttributes under HKLM\System\CurrentControlSet\Control\Print\Enviroments\Windowsx64\Drivers\...\Driver name\ and restart the print server, you are able to make Windows treat the driver as packaged, and it will install unattended with gpo. The hex number has to be odd, i.e. 41
    Restart server .
    According to MS the 1 flag for PrinterDriverAttributes stands for PRINTER_DRIVER_PACKAGE_AWARE. This will treat the driver as package aware, which means a CAB package will be created, including the inf and the catalog. The package will be installed through setupapi.dll when installing the driver, validating that the catalog is trusted, and that hashes for all files are included in the catalog.

    ReplyDelete
  5. This comment has been removed by the author.

    ReplyDelete
  6. Hi Adam, I removed above Microsoft patch from print server and workstation, still above alert is coming, don't want to update driver in server as universal driver is available not the original driver for printer from Ricoh site. Any help would be appreciated.

    ReplyDelete
    Replies
    1. Have you got the appropriate Point and Print Restrictions in your GPO?

      Delete
  7. we configured the point and print restriction in both user and computer configuration in group policy but still will get UAC prompt to trust the printer. click install will install the printer without having to enter admin credentials.

    any way to not even pop up the UAC prompt to trust the printer?

    my group policy configuration is as such:

    users can only point and print to these server: disabled
    users can only point and print to machines in their forest: enabled
    when installing drivers for a new connection: do not show warning or elevation prompt
    when updating drivers for an existing connection: do not show warning or elevation prompt

    ReplyDelete