
Package-Aware Print Drivers?

itangir
Apprentice

So the recent print server vulnerability caused Microsoft to patch up Point and Print. Now package-unaware V3 drivers do not play nice with Group Policy.

 

A lot of the network printers on our print server already have packaged drivers and aren't affected. All of our Canon drivers do not, however, and this means we need to go to each user and put in administrator credentials in order for them to make a (new) printer connection to our Canon imageRunners...

 

Even the latest UFRII drivers for our models appear to still be unpackaged...

 

Does Canon offer package-aware V3 drivers? If not, do they plan to offer them? We'd like to know what Canon's doing about this so we can take the appropriate steps.


While waiting for the new driver, the solution lies in my post. Tweak Windows into treating any driver as Packaged by editing the registry.

grei_70
Apprentice

By the power of a tweak, thou shall pass the dreaded MS16-087 and letters will be put on paper once again.
You need to register at your local servant that does all your writing. See if he is current in control of his environment - there might be an attribute in need of a change. The attribute shall be in form of 16 and Douglas Adams was almost right, he missed it by an inch and odd the answer should be.

Enough rubbish:
If you have trouble deploying printers after applying critical updates according to MS16-087 (KB3170455), try this tweak: Edit the registry on your print server. If you change the value of the key PrinterDriverAttributes under HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\...\Driver name\ and restart the print server, you are able to make Windows treat the driver as packaged, and it will install unattended with GPO. The hex number has to be odd, i.e. 41
Restart server.

According to MS the 1 flag for PrinterDriverAttributes stands for PRINTER_DRIVER_PACKAGE_AWARE. This will treat the driver as package aware, which means a CAB package will be created, including the inf and the catalog. The package will be installed through setupapi.dll when installing the driver, validating that the catalog is trusted, and that hashes for all files are included in the catalog.

BTW: To keep the original settings for the printer driver and only make it package aware, you should add 1 to the original value of PrinterDriverAttributes. In my print environment the original attribute had the value 4, so I changed it to 5 and that made it package aware. Different versions of the driver (and different vendors) might need other values.
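
The attribute tweak from the post above, as an added PowerShell example (not code from the thread): it reports each driver's PrinterDriverAttributes and sets only bit 0 with a bitwise OR, which keeps the other flags and matches "add 1" whenever the original value is even. The function name and its -NameFilter and -Apply parameters are hypothetical, and the "Windows x64" key name assumes a 64-bit print server.

```powershell
# Added example, not from the thread. Run in an elevated session on the print server.
# Update-PrintDriverPackageFlag, -NameFilter and -Apply are hypothetical names.
function Update-PrintDriverPackageFlag {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$NameFilter = '*',   # wildcard matched against the driver key name
        [switch]$Apply               # without this switch nothing is written
    )
    $packageAware = 0x1              # PRINTER_DRIVER_PACKAGE_AWARE (bit 0), per the post
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers'

    # Walk every subkey and keep only those that carry the attribute value.
    Get-ChildItem -Path $root -Recurse -ErrorAction Stop |
        Where-Object { $_.PSChildName -like $NameFilter -and
                       $_.GetValueNames() -contains 'PrinterDriverAttributes' } |
        ForEach-Object {
            $old = [int]$_.GetValue('PrinterDriverAttributes')
            $new = $old -bor $packageAware     # sets bit 0, leaves all other flags alone
            $newHex = '0x{0:X}' -f $new
            $written = $false
            if ($Apply -and $new -ne $old -and
                $PSCmdlet.ShouldProcess($_.PSChildName, "set PrinterDriverAttributes to $newHex")) {
                Set-ItemProperty -Path $_.PSPath -Name PrinterDriverAttributes `
                                 -Value $new -Type DWord
                $written = $true
            }
            [pscustomobject]@{
                Driver       = $_.PSChildName
                Current      = '0x{0:X}' -f $old
                PackageAware = [bool]($old -band $packageAware)
                Proposed     = $newHex
                Written      = $written
            }
        }
}

# Read-only report first; review it before changing a single driver.
Update-PrintDriverPackageFlag | Format-Table -AutoSize
# Dry run for one vendor's drivers (the 'Canon*' filter is a constructed sample):
# Update-PrintDriverPackageFlag -NameFilter 'Canon*' -Apply -WhatIf
# As the post says, restart the print server after a change for it to take effect.
```

Keeping the "Current" column from the first report gives you the original value to restore if a driver misbehaves after the change.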

I made this registry change, and now I'm getting a "Connect to Printer" error: "A policy is in effect on your computer which prevents you from connecting to this print queue. Please contact your system administrator." grei_70, have you seen this error?

I just tried

https://msdn.microsoft.com/windows/hardware/drivers/print/package-aware-print-drivers-that-do-not-sh...

 

In a nutshell:

Go to the printer's INF file and add a section

[PrinterPackageInstallation.x86]
PackageAware=TRUE

 

or (for 64bit driver)

[PrinterPackageInstallation.amd64]
PackageAware=TRUE

 

and import the driver.

You will get a lot of warnings but ignore them all.

Install your printer and deploy it with GPO like always and have fun with it!

 

Canon's USA site still does not have Packaged drivers. I was able to find a packaged PCL6 driver (version 21.85) on Canon's EU site, but it did not work on my C5240 or 6255. It worked on 4225.

 

I had success on Canon's Asia site. They have a UFR II V30 packaged driver that worked on all the above machines.  It took me 3 hours to sort this out, so I hope this reaches someone in need.

 

http://support-asia.canon-asia.com/

UFRII_Driver_V3000_W64_ukEN_12.exe

frank_net
Apprentice

Hi grei_70,

I had not seen your post yesterday when sending mine, I think we were writing at the same time!
Indeed, your tweak works perfectly. All printers are "Package" now.


The deployment also works by GPO.
Thanks

The above doesn't seem to work on Uniflow Universal PcIXL Driver v 5.3.5.529 on Windows 10.

I have changed the registry setting and restarted the print server, and the driver is now listed as packaged.

I have set the GPO, Point and Print Restrictions, to disabled on the computer and user object.

But I get the same GPO error (0x80070bcb); also, if I select the printer manually from the print server I get a UAC prompt, so it doesn't seem that it cares about the GPO settings...

 

//Tatsumi

 

EDIT I suspect that the issue with the Uniflow driver is that it's not signed

As a workaround, I can install the Uniflow client MSI package with the driver included; that way I get the printer deployed.