Posted on October 7, 2016 · Posted in Windows 10, Windows 7, Windows Server 2008 R2

Unable to Install Print Driver after KB3170455

We have found an unpleasant problem with one of the Microsoft security updates released in July: KB3170455, released on July 12, 2016. After this update is installed, connecting network printers in the domain may fail.

The problem manifests itself as follows: when trying to install (connect) a printer from the Print Server (running Windows Server 2008 R2) on the domain clients (Windows 10, Windows 7), the following error appears:

Connect to Printer

A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.

With some printer models, another warning appeared when trying to connect a network printer:

Do you trust this printer?

Windows needs to download and install a software driver from \\PrintServer_Name computer to print to Printer_Name. Proceed only if you trust the \\PrintServer_Name and the network


After clicking Install driver, a UAC window appears prompting for the administrator login and password. Earlier, however, users could easily connect these printers (a policy allowed standard users to install printer drivers without administrative privileges).

Having compared the installed updates on the problem computers, we found that the issue appears on the computers that have the KB3170455 update (MS16-087: Description of the security update for Windows print spooler components: July 12, 2016) installed. Indeed, after this update is uninstalled, printers connect correctly.

wusa.exe /uninstall /kb:3170455 /quiet /norestart

However, there is nothing wrong with the update itself, since it fixes a critical vulnerability in the Windows print spooler. The update also causes a warning to be shown if a user tries to install untrusted or unsigned printer drivers. In Windows 10, this update is integrated into the cumulative update, which cannot be rolled back, so you won't be able to solve the problem by simply uninstalling the update.

The KB article specifies the criteria that printer drivers have to meet to be installed correctly on the clients:

  1. The driver has to be trusted (signed with a trusted digital signature).
  2. The driver has to be package-aware (Package-aware print drivers). Non-package-aware v3 printer drivers cannot be installed in Point and Print Restrictions mode.

So Microsoft recommends:

  1. Replace the drivers on the Print Servers with package-aware ones (Package-aware V3). You can find out whether a driver is package-aware using Print Manager: open the Drivers section; a package-aware driver has the True status in the Packaged column. After that, you only have to enable the Point and Print Restrictions policies (in Computer Configuration > Policies > Admin Templates > Printers and User Configuration > Policies > Admin Templates > Control Panel > Printers) and check Do not show warning or elevation prompt. In addition, specify the FQDN names of the trusted Print Servers.
  2. If the drivers are obsolete and cannot be updated, preinstall them on the client PCs. In this case, there will be no problems with printer connections.
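
The client-side check below is an added example, not part of the original article or of Microsoft's guidance: it reads the Point and Print Restrictions settings as applied on a client and flags a configuration where prompts are suppressed without an enforced list of FQDN print servers. The registry value names it reads are assumptions to confirm against the policy template in your environment.

```powershell
# Added example: audit Point and Print Restrictions as applied on this client.
# Assumption: the policy stores its settings under ...\Printers\PointAndPrint
# as TrustedServers, ServerList, NoWarningNoElevationOnInstall and
# UpdatePromptSettings; confirm the names against your policy template.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
    'HKCU:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
)

function Get-PointAndPrintFinding {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Finding = 'Policy not configured here' }
    }
    $p = Get-ItemProperty -LiteralPath $Path

    # ServerList is one string of server names separated by semicolons.
    $servers = @("$($p.ServerList)" -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # 1 (install) or 2 (update) means "Do not show warning or elevation prompt".
    $silent = ($p.NoWarningNoElevationOnInstall -eq 1) -or ($p.UpdatePromptSettings -eq 2)

    $findings = @()
    if ($silent -and $p.TrustedServers -ne 1) {
        $findings += 'Prompts are suppressed but the trusted server list is not enforced'
    }
    if ($p.TrustedServers -eq 1 -and $servers.Count -eq 0) {
        $findings += 'Trusted server list is enforced but empty'
    }
    foreach ($s in $servers) {
        # The article recommends FQDNs; a short (NetBIOS) name contains no dot.
        if ($s -notmatch '\.') { $findings += "Server '$s' is not an FQDN" }
    }
    if ($findings.Count -eq 0) {
        $findings += "OK: prompts suppressed=$silent; trusted servers: $($servers -join ', ')"
    }
    foreach ($f in $findings) {
        New-Object PSObject -Property @{ Path = $Path; Finding = $f }
    }
}

$PolicyPaths | ForEach-Object { Get-PointAndPrintFinding -Path $_ } |
    Format-Table Path, Finding -AutoSize -Wrap
```

Run it in the affected user's session so that the HKCU path reflects that user's policy.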

Note. There is a little trick for Canon, Sharp and Konica Minolta printers that makes the system think that the driver is package-aware. To do it, open the HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\…\Driver name\ branch of the registry on the Print Server and change the PrinterDriverAttributes value for the specific driver by adding 1 to the current value. In my case, the attribute value was 5, and I changed it to 6. The same has to be done for the driver attribute in HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers…\Driver name\. After the restart, Canon network printers start to connect without any warnings.
