We have found an unpleasant problem with one of the Microsoft security updates released in July: KB3170455, released on July 12, 2016. After this update is installed, clients in the domain may have problems connecting network printers.
The problem has manifested itself as follows: when trying to install (connect) a printer from the Print Server (running Windows Server 2008 R2) on the domain clients (Windows 10, Windows 7), the following error appears:
A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator.
With some printer models, another warning appeared when trying to connect a network printer:
Windows needs to download and install a software driver from \\PrintServer_Name computer to print to Printer_Name. Proceed only if you trust the \\PrintServer_Name and the network
Clicking Install driver brings up a UAC window prompting for an administrator login and password, although users could previously connect these printers without any trouble (a policy allowed ordinary users to install printer drivers without administrative privileges).
Having compared the installed updates on the problem computers, we found that the issue appears on computers that have the KB3170455 update installed (MS16-087: Description of the security update for Windows print spooler components: July 12, 2016). Indeed, after this update is uninstalled, printers connect correctly.
wusa.exe /uninstall /kb:3170455 /quiet /norestart
But there is nothing wrong with the update itself: it fixes a critical vulnerability in the Windows print spooler. The update also makes Windows show a warning if a user tries to install untrusted or unsigned printer drivers. In Windows 10, this update is integrated into the cumulative update, which cannot be rolled back, so you won’t be able to solve the problem by simply uninstalling the update.
The article https://support.microsoft.com/en-us/kb/3170005 specifies the criteria the printer drivers have to match to be correctly installed on the clients:
- The driver has to be trusted (signed with a trusted digital signature)
- The driver has to be package-aware (Package-aware print drivers). Non-package-aware v3 printer drivers cannot be installed in Point and Print Restrictions mode
So Microsoft recommends:
- To replace the drivers on Print Servers with package-aware ones (Package-aware V3). You can find out whether a driver is package-aware using Print Manager: open the Drivers section, and if the driver is package-aware, it will have the True status in the Packaged column. After that, you only have to enable the Point and Print Restrictions policies (in Computer Configuration > Policies > Admin Templates > Printers and User Configuration > Policies > Admin Templates > Control Panel > Printers) and check Do not show warning or elevation prompt. In addition, specify the FQDN names of the trusted Print Servers.
- If the drivers are obsolete and cannot be updated, it is recommended to preinstall them on the client PCs. In this case, there will be no problems with printer connections.
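To confirm on a client that the Point and Print Restrictions settings from the first recommendation actually arrived, the read-only check below can be used. It is an added example, not part of the original article. It assumes the Computer Configuration policy is stored under the registry key and value names shown, and the server name in the sample is constructed.

```powershell
# Read-only audit of the Point and Print Restrictions policy on a client.
# Assumption: the Computer Configuration policy is written to this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Returns the policy values as a hashtable (empty if the key is absent).
    $p = @{}
    $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($n in 'Restricted', 'TrustedServers', 'ServerList', 'NoWarningNoElevationOnInstall') {
            $p[$n] = $item.$n
        }
    }
    return $p
}

function Test-PointAndPrintPolicy {
    param([hashtable]$Policy)   # value name -> data, as read from $PolicyKey
    $findings = @()
    if ($Policy['Restricted'] -ne 1) {
        $findings += 'Restricted is not 1: the policy is not enabled on this client.'
    }
    if ($Policy['NoWarningNoElevationOnInstall'] -ne 1) {
        $findings += 'Install prompt is not set to "Do not show warning or elevation prompt".'
    }
    # ServerList is a semicolon-separated string; drop empty entries.
    $servers = @("$($Policy['ServerList'])" -split ';' | Where-Object { $_.Trim() })
    if ($Policy['TrustedServers'] -ne 1 -or $servers.Count -eq 0) {
        $findings += 'No trusted print server list is configured.'
    }
    foreach ($s in $servers) {
        if ($s -notmatch '\.') { $findings += "Server '$s' is not listed by FQDN." }
    }
    return , $findings
}

# Constructed sample: prompt suppressed, but the server is listed by short name.
$sample = @{ Restricted = 1; NoWarningNoElevationOnInstall = 1
             TrustedServers = 1; ServerList = 'printsrv01' }
Test-PointAndPrintPolicy $sample

# Live check on this machine (an empty result means nothing was flagged).
Test-PointAndPrintPolicy (Get-PointAndPrintPolicy)

# Is the standalone update present? On Windows 10 the fix ships inside a
# cumulative update, so no KB3170455 entry is expected there.
Get-HotFix -Id KB3170455 -ErrorAction SilentlyContinue
```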