A few weeks ago, a colour calibration issue with some new printers required a print driver update on the Papercut/Print server. We're using Papercut's Print Deploy solution to deploy print queues and new drivers to AAD-joined Intune-managed devices. Users started complaining that when the Print Deploy client runs to update the drivers, it comes out with a "This app has been blocked by your administrator" message. But we don't have AppLocker configured. The only other changes made were configuration profiles preventing students from mapping and disconnecting drives, and preventing access to the command prompt, both of which have since been removed, but the issue persists.
So:
- it looks like a duck: non-admin users are unable to add printers
- it swims like a duck: when an admin logs in and the Print Deploy client attempts to install the drivers, we do get a UAC prompt and when we choose YES, it installs the driver fine and any subsequent non-admin user will also be able to finish installing the drivers
- it quacks like a duck: the event viewer on the PC keeps recording Event ID 600 (The print spooler failed to import the printer driver that was downloaded from %1 into the driver store for driver %2. Error code= %3. This can occur if there is a problem with the driver or the digital signature of the driver.)
All these symptoms keep pointing us to the Print Nightmare KBs but we don't have any of it (https://www.papercut.com/kb/Main/PrintNightmareCVE2021#how-do-i-restore-printing-in-my-environment-after-applying-the-patches) in the list of updates applied on the server. So we can't really say it's a duck.
Anyone experienced anything like this before?
Marlon