Windows Universal Print and HP Universal Print NOT working as expected.


Informed our client that HP printers were compatible with WUP as long as the vendor's product was certified by the vendor as 'supported'.  Client purchased a printer which was installed on-site, and we followed HP's documentation (which is lacking in detail BTW).  Had to engage HP when we could not get the HP Universal Print app set up.  We have finally got that installed (also requires HP Command Center), and got the app registered in Entra.  Printer did not appear automatically in Entra/Azure at first, but now does.  Set up WUP printer share and added user.  Test user could add the printer to their device but print job never materializes.  Jobs just disappeared into the ether.  Upon investigation by our team and HP, the 'issue' appears to be with the device and Azure/Entra CA policy:  

AADSTS50097 DeviceAuthenticationRequired - Device authentication is required.

HP 'admits' that there seems to be a 'known' issue, but this is not documented that we can find.  

From the Microsoft side this error is generated based on the document below - but this is a PRINTER, not a Windows or Mobile Device, although HP states the 'OS' of the printer is loosely based on Android??

Device authentication errors - Microsoft Authentication Library for .NET | Microsoft Learn

Looking for some assistance on this.  Is it actually possible that we are the first ever on the planet to encounter this problem while setting up WUP for the client print environment?  Highly doubtful.

NOTE - there are no issues per our FW teams or Network that we are 'blocking' any port/IP/URL.  As this is WUP, it is expected that traffic traverses the internet, and that is not blocked.  I noted a much earlier post (2020?) around the same challenge - printer jobs just vanish, never print.  HP suggested that the problem is with Intune (what???).  Also note that setting up the Entra/Azure app reg requires a GA (yep, we had that) and the GA grant access (we did that).  Is it possible to NOT require the CA policy to apply to THIS particular app (HP Universal Print app)?  Someone on Git suggested this or updating the vendor app to the latest MSAL version.

4 Replies

@RonS_ - first of all, sorry to hear that you are facing this issue.

When you print the job - can you see it in the Universal Print portal (under the Jobs view of the printer)? What status does it have there?

Once the job is in the Pending state, the printer (or in this case the app on the HP printer) will download the job and process it on the printer. Later it will post the status of the job back to Universal Print.

From what I am reading below - the job has reached Universal Print. There is some issue happening on the printer (or app) itself, and reading the error gives me the impression that login to the app is failing.

Are you using Conditional Access? If yes - then login on the app WILL NOT work. This is because HP printers are running an "unknown" version of Android which is not monitored by Intune. With CA policies, user login from such an "unknown" OS is blocked. This is a security feature of Entra ID and I am hoping you can understand why CA is blocking the login.

You may want to work with your security admin to relax the CA policy on this device, or work with HP to see if they can provide a mitigation.

Saurabh -
No need to say 'sorry'. We have been working with HP, and HP informed us that they are aware of 'issues' using HP Workpath. The 'integration' with MUP is apparently 'not' exactly 'native'. You should know that we have set the app (HUP) to be excluded from the CA policy, but that does not resolve the issue of printing. Had an issue with Admin granting 'consent' to the app, but that was finally successful after multiple attempts (odd issue). So again - the jobs are NOT going to the print share or printer and do not show in the printer's job list; they only error out on the sending device (Win 11 computer). We did not open a case with MSFT as we believe, per your documentation, that the UEM vendor is really responsible for knowing how to get their printer and application to work/integrate with MUP. That said, any suggestions are welcome.

One more thing - you are correct on the 'known' issue with the 'unknown'/vendor-modified flavor of Android used by the HP print OS, and that brings up the question of device authentication. Is MSFT suggesting that if the printer OS was 'capable' of registering in Intune, this issue might be negated?

@RonS_ There are two issues with CA on a printer device:

  1. Registering a printer - This can be mitigated by updating the CA policy to "exclude" the Universal Print app and the app that registers the printer.
  2. Log-in on the HP Workpath app - I am not an Entra login or CA expert, so not 100% sure :sad:. However, as far as I understand, it is not just the app that is blocking login but the device on which the app is running, since the device is recognized as not compliant.

I will try to see if there is a way to somehow exclude this device - but keep in mind that's something a security expert/admin may not like :)

@RonS_ Which app are you excluding from the CA policy? CA policies apply to resources, not apps. You will need to exclude the resource from the policy.
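The two exclusion suggestions in this thread (exclude the Universal Print app and the registering app in the earlier reply; exclude the resource rather than the client app in the reply just above) can be checked from the tenant side before touching the policy. The script below is an added example written for this thread, not code from any poster, from HP or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Get-MgIdentityConditionalAccessPolicy, Policy.Read.All) and is read-only: it lists the enabled policies that still target a given resource app and require a compliant or Entra-joined device, which is the combination that produces a device-authentication failure from a platform Intune cannot see. The resource application ID is a placeholder that you substitute from your own tenant; it is not a value from this page.

```powershell
# Added example: audit which enabled Conditional Access policies still apply
# to a resource app and carry a device-based grant control.
# Requires the Microsoft.Graph PowerShell SDK and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All"

# ASSUMPTION (placeholder): replace with the application ID of the Universal
# Print resource as listed under Entra ID > Enterprise applications in your
# tenant. CA policies target this resource, not the client app on the printer.
$resourceAppId = "<UNIVERSAL-PRINT-RESOURCE-APP-ID>"

# Grant controls that can only be satisfied by a device Entra knows about.
$deviceControls = @("compliantDevice", "domainJoinedDevice")

$policies = Get-MgIdentityConditionalAccessPolicy -All

foreach ($p in $policies) {
    # Report-only and disabled policies do not block sign-in.
    if ($p.State -ne "enabled") { continue }

    $apps = $p.Conditions.Applications

    # A policy reaches the resource if it targets all cloud apps or names it
    # explicitly, and the resource is not in the exclusion list.
    $targetsResource = ($apps.IncludeApplications -contains "All") -or
                       ($apps.IncludeApplications -contains $resourceAppId)
    $excluded = $apps.ExcludeApplications -contains $resourceAppId

    # Any device-based built-in control means an unmanaged platform fails.
    $requiresDevice = @($p.GrantControls.BuiltInControls |
        Where-Object { $deviceControls -contains $_ }).Count -gt 0

    if ($targetsResource -and -not $excluded -and $requiresDevice) {
        [pscustomobject]@{
            Policy    = $p.DisplayName
            Controls  = ($p.GrantControls.BuiltInControls -join ", ")
            Operator  = $p.GrantControls.Operator
            Platforms = ($p.Conditions.Platforms.IncludePlatforms -join ", ")
        }
    }
}
```

Each row returned is a policy that would still be evaluated for sign-ins to the resource; a Platforms value of "All" (or a policy with no platform condition) is the case that catches an unrecognised OS such as the printer's. An empty result means the resource is already excluded from every enforced device-control policy, and the remaining failure is on the app or device side rather than in Conditional Access.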