"Do you trust this printer"
30 August 2016 at 9:46 PM
Rewrote http://blog.arkwright.com.au/2016/07/issues-updating-print-drivers-kb3170455.html and https://community.usa.canon.com/t5/Office-Printers/Package-Aware-Print-Drivers/m-p/182579 into a solution for our company.
Recently we upgraded our clients from x86 to x64 Windows 7, and when users who had installed printers on x86
logged in to x64, no print drivers were installed.
Normal behavior would be that at login Windows checks the current user profile print settings
and installs the printers and drivers automatically from the netbiosname\printserver.
Now we had the problem that users suddenly had issues printing: when a user printed, for instance, in Microsoft Word,
the printer in Word would say "Driver Update Required".
When a user would right-click on the printer and click on "Update Driver",
they would essentially get a UAC prompt asking whether they trust that particular printer.
When they click Install Driver, it looks like it's installing and then it just falls back to the same
message: Do you trust this Printer.
It looks like there's an endless loop where users can't print because of the driver update requirement,
but they can't install the driver either.
These printers are deployed through Print Management and are deployed via GPO.
There are Point and Print restriction policies in place as well to remove any warnings or
UAC prompts for installing new drivers, or updating drivers.
In theory, this should mean that there are no warnings and the drivers should just update.
I've had a look on the workstations and they're applying the policy correctly and the changes are there,
so it's not an issue with applying the actual GPO.
With this in mind though, the warnings are still showing up and the drivers can't be updated.
There are also Point and Print restriction policies for the user configuration,
but the warnings are still showing up and the drivers can't be updated.
When running the troubleshooter, it asks whether you want to install the updates with elevated privileges.
When doing this, it works fine. Also, when we disabled UAC, the user could update the driver.
But we want to install the driver automatically and not have users update them manually.
Part of the problem/solution.
There was a Windows Security Update recently released which targeted the security of printing.
Essentially what this update does is require drivers to meet certain criteria before they can be used.
The criteria are the following:
- Package aware
- Digitally signed
- Catalogue print drivers
Apparently the official drivers we had downloaded from the Canon website did not meet these criteria.
Blogs were saying: Uninstalling this update has resolved the issue for all users.
Updates to uninstall:
- Windows 10 - 1511: KB3172985
- Windows 10: KB3163912
- Windows 8.1 and older: KB3170455
But uninstalling did not do the job for our company.
There are currently three options to get around this:
- Download another driver that meets the criteria
- Remove the Windows Security Update from all servers and workstations
- Force the print driver on the print server to be Package aware
1) Canon hasn't provided a driver that meets the criteria yet (they will probably reissue the driver in September/October).
2) Removing the update didn't work for us and it also leaves a vulnerability.
http://blog.vectranetworks.com/blog/microsoft-windows-printer-wateringhole-attack
3) The workaround solution for us (until Canon provides better drivers) is to make the print driver Package aware with a registry tweak.
If you have trouble deploying printers after applying critical updates according to MS16-087 (KB3170455) try this tweak:
Edit the registry on your print server. If you change the value of PrinterDriverAttributes under HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\...\Driver name\ and restart the print server, Windows will treat the driver as packaged, and it will install unattended with GPO. The hex number has to be odd, i.e. 41.
Restart print spooler service:
According to MS the 1 flag for PrinterDriverAttributes stands for PRINTER_DRIVER_PACKAGE_AWARE. This will treat the driver as package aware, which means a CAB package will be created, including the inf and the catalog. The package will be installed through setupapi.dll when installing the driver, validating that the catalog is trusted, and that hashes for all files are included in the catalog.
Now refresh or restart Print Management on the print server, and the drivers that showed Packaged "False" now show "True".
The package is now trusted and will be installed automatically at login without UAC messages or "Update Driver" prompts.
Regards,
Mark Driessen.
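
The registry tweak described above, as an added PowerShell example (not part of the original post): it lists every x64 driver on the print server with its PrinterDriverAttributes value and shows what the value becomes with bit 0 (PRINTER_DRIVER_PACKAGE_AWARE) set. The `-Apply` switch is a hypothetical name chosen for this example, and the script searches below the Drivers key recursively because the post does not spell out the intermediate key.

```powershell
# Added example: audit (and optionally set) the package-aware bit on a print server.
# Run elevated on the print server. Without -Apply nothing is changed.
param(
    [switch]$Apply   # hypothetical switch name: write the new values and restart the spooler
)

$PRINTER_DRIVER_PACKAGE_AWARE = 0x1
$root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers'

$report = foreach ($key in Get-ChildItem -Path $root -Recurse -ErrorAction Stop) {
    # Only the per-driver keys carry a PrinterDriverAttributes value
    if ($key.GetValueNames() -notcontains 'PrinterDriverAttributes') { continue }

    $current = [int]$key.GetValue('PrinterDriverAttributes')
    [pscustomobject]@{
        Driver       = $key.PSChildName
        Current      = '0x{0:X}' -f $current
        PackageAware = [bool]($current -band $PRINTER_DRIVER_PACKAGE_AWARE)
        # -bor keeps every existing flag and only adds bit 0, which makes the value odd
        NewValue     = $current -bor $PRINTER_DRIVER_PACKAGE_AWARE
        KeyPath      = $key.PSPath
    }
}

$report | Sort-Object PackageAware, Driver |
    Format-Table Driver, Current, PackageAware,
        @{ Name = 'WithFlag'; Expression = { '0x{0:X}' -f $_.NewValue } } -AutoSize

if ($Apply) {
    foreach ($row in $report | Where-Object { -not $_.PackageAware }) {
        Set-ItemProperty -LiteralPath $row.KeyPath -Name 'PrinterDriverAttributes' `
            -Value $row.NewValue -Type DWord
        Write-Output ("Set {0} to 0x{1:X}" -f $row.Driver, $row.NewValue)
    }
    # The spooler reads the driver attributes at start-up
    Restart-Service -Name Spooler -Force
}
```

Run it once without `-Apply` and keep the output as a record of the original values, so the change can be reverted when the vendor ships a properly packaged driver.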
Category: ICT