Blog Post

Windows IT Pro Blog
6 MIN READ

Known Issue Rollback: Helping you keep Windows devices protected and productive

Eric_Vernon's avatar
Eric_Vernon
Icon for Microsoft rankMicrosoft
Mar 02, 2021
Today I'm sharing details about Known Issue Rollback (KIR), a new capability that can quickly return an impacted device back to productive use if an issue arises during a Windows update. In this blog...
Updated Mar 26, 2021
Version 5.0
servicing and updates
jonkloske's avatar
jonkloske
Copper Contributor
Nov 18, 2021

Just to add my 2c worth to Mike Pisano's reports, we run a windows 10 (mix of LTSB, LTSC, and CB - mostly the latter) fleet of approximately 4,000 desktops/laptops with Kerberos authentication/login, and the October update KB5006670 broke 100% of printing for our approximately 10,000 users.

 

Initial symptoms were that any attempts to print or bring up print properties (or start any app that queries printer lists on startup) would cause the print dialogue or app to just lock up. You could restart the local print spooler service (which would cause any attempted print operations to fail) but would at least un-stick the app. Restarting the server side print spooler would allow a single job through sometimes, but then further attempts would fail with the same "not responding" behaviour.

 

After a bunch of investigation, we determined that setting this GPO on the print server resolved that part of the issue:

 

[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options]

"Network security: Restrict NTLM: Incoming NTLM traffic" = "Deny all accounts"

 

Unfortunately, whilst this allowed people with existing printers to recommence printing, we quickly discovered that users attempting to add a new printer (specifically, a printer that uses a different driver to the ones they already had installed, or some models of printers like Brother or Canon UFR II drivers) were met with a prompt to elevate to install the driver from the print server, and once you did this you immediately got an error.

 

The operation failed with error 0x0000007c

 

We noticed that for most recent Windows 10 Current Branch installs, we could get everything except for the HP printers working by pre-installing the drivers from the print server manually, using twelve variants of the following (one for each printer driver):

 

pnputil -i -a "\\print.xxxxxxxxxxxxxx\drivers\Konica Minolta\bizhub C558\PS\11.2.0.0\x64\IT5PSWinx64_11200EN\KOAXPA__.INF"
Add-PrinterDriver -Name "KONICA MINOLTA C658SeriesPS"

 

This did not appear to work for LTSC or LTSB users though. And obviously, doesn't work for HP printers - though the error we got there I think was a slightly different one: in powershell, attempts to add the HP printers threw error 3019 (0xBCB) - ERROR_PRINTER_DRIVER_DOWNLOAD_NEEDED, though I can't remember what the error code was when trying to map it normally. It was different to that.

 

In any event, we tried GPOs that effectively set the following registry entries:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint]
"RestrictDriverInstallationToAdministrators"=dword:00000000
"Restricted"=dword:00000001
"TrustedServers"=dword:00000001
"ServerList"="print.xxxxxxxxxxxxxx;pxxxx.xxxxxxxxxxxx"
"InForest"=dword:00000001
"NoWarningNoElevationOnInstall"=dword:00000001
"UpdatePromptSettings"=dword:00000002
 
On its own, this only worked for HP plotters and Konica-Minolta printers (the Brother printers actually threw an error about Kernel-mode NT 4.0 drivers being blocked by policy which... is not correct). But combined with the driver preload, allowed 100% of printers to install, and print.
 
HOWEVER, the printers were only added with the stub printer driver - so all the property sheets and settings usually available from the manufacturer's driver are missing and there's just an extremely limited printer settings dialogue instead. Additionally, some people found this settings dialogue was not correctly creating duplex jobs or sending metadata required for printing like the username etc.
 
This also doesn't work reliably for LTSC or LTSB, as before - many of these people are stuck with various combinations and hacks of the above.
 
We've tried the feature known-issue rollback thing on hosts, and have had mixed results with it - it works on some, but not others. And obviously we're missing registry keys for a lot of the versions like LTSB and LTSC, or they don't work. We tried the Get-ScheduledTask -TaskName "ReconcileFeatures" | Start-ScheduledTask  trick as well, and that didn't help. I also noticed the last three octets in the feature disable thing were the same, so I tried all 256 variations on the first octet and also didn't help on these small subset of hosts.
 
And... that's we are a month and a half later. We're really hoping the December update hinted at that is supposed to help with this does, because if it doesn't, we're looking at rather massive and expensive changes to an extremely large and complex infrastructure just to get printing working.