Printer Deployment Issues with GPP and MS16-087

Tweet about this on TwitterShare on FacebookShare on LinkedInShare on Google+Email this to someone

Last week a teammate and I ran into an issue deploying an older Sharp printer through group policy preferences. Almost everything we tried resulted in failure, with the Event ID 4098 (“The specified printer was not found on the system and needs to be downloaded”). After double-checking that we had both 32- and 64-bit versions of the driver on the print server, we began to dig a little deeper.

We found that we could connect to the printer manually but would then be prompted for credentials to install the drivers. After a while we realized that both drivers were showing a value of “false” under the ‘packaged’ column in print management.

A little bit of research revealed that after the MS16-087 update, drivers that are not package-aware will always prompt for install. According to the Microsoft security update information, network administrators should either update the affected driver and obtain a package-aware driver or, for drivers that cannot be updated, preinstall the driver on client machines. In our case, the drivers we were working with did not have a package-aware update so we were stuck with the older drivers.

We found that the best way around this is to modify the affected drivers in the registry. There is a DWORD called “PrinterDriverAttributes,” which specifies if the driver is package-aware or not.

This can be found in the following location for 64 bit drivers:

HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\…\Driver Name\PrinterDriverAttributes

And the following location for 32 bit drivers:

HKLM\System\CurrentControlSet\Control\Print\Environments\Windows NT x86\Drivers\…\Driver Name\PrinterDriverAttributes

Changing the DWORD value from 0 to 1 and then rebooting the print server will cause the driver to show up as Packaged in Print Management. After this change, deploying older non-package-aware versions of print drivers through group policy preferences will begin to work as expected.

If you have older Sharp, Canon, or Konica printers and are running into this issue following the steps above could help alleviate a lot of headaches.

Below is the link from Microsoft regarding the Security Update.

https://support.microsoft.com/en-us/help/3170005/ms16-087-security-update-for-windows-print-spooler-components-july-12,