PaperCut Print Deploy 'installdrv' error with Microsoft Authenticode-signed printer drivers

PaperCut Print Deploy 'installdrv' error with Microsoft Authenticode-signed printer drivers
Photo by engin akyurt / Unsplash

Introduction

When using PaperCut Print Deploy, you have different ways to prepare the print queues your clients will automatically receive.

These vary depending on if and when yes, which, PaperCut products you use in tandem with Print Deploy:

  • Print Deploy on its own
  1. Import print queues by cloning printer drivers
  1. Import print queues by cloning printer drivers
    Same as above

  1. Import BYOD-friendly print queues

In this error report we will only look at Import print queues by cloning printer drivers since using Import BYOD-friendly print queues utilizes the PaperCut Global PostScript driver which is not impacted.

As the name implies, Import print queues by cloning printer drivers takes a printer driver that was prepared on a reference computer, packages it so that Print Deploy can understand it and uploads the result to the PD server.


Problem

The actual problem starts after you captured the printer(s) from the reference computer you carefully prepared earlier and now want to deploy them to your users. You defined the Zone settings the way you want and also already installed the Print Deploy software clients on your devices.

But the printer(s) don't want to install, all Print Deploy clients greet you with a Failed notice.

Then you dig deeper into the PD client logs (Hint: They are at C:\Program Files\PaperCut Print Deploy Client\data\logs\pc-print-deploy-client.log) and see this error message:

pc-print-deploy-client.exe: STDOUT|ERR Failed to install printer FindMe (Mobility): installdrv command failed: unknown error: exit status 3. output: pc-printer-updater version 1.0.0.768-5576552276aa36ebc293948640295b41e56726e8

pc-print-deploy-client.exe: STDOUT|Input arguments for installdrv;

pc-print-deploy-client.exe: STDOUT|	Driver Name: Kyocera TASKalfa 5054ci KX

pc-print-deploy-client.exe: STDOUT|	Driver File: C:\Windows\TEMP\pd-client-work.2195754342\oemsetup.inf_amd64_21f4e2a7b7e3f5ca\oemsetup.inf

pc-print-deploy-client.exe: STDOUT|	Connection Type: mobilityprint

pc-print-deploy-client.exe: STDOUT|Installing driver 'Kyocera TASKalfa 5054ci KX'...

pc-print-deploy-client.exe: STDOUT|Error installing driver. Error: failed to install. Possibilities are, invalid driver certificate or wrong architecture

pc-print-deploy-client.exe: STDOUT|Command installdrv failed. Error: Driver installation failed.

pc-print-deploy-client.exe: STDOUT| {"src":"pdservice.go:716"}

(Your error messages will vary from these since the printer type, printer name, driver name and connection type (Mobility Print, Print server or direct) can / will differ)

Before these errors, all went well:

pc-print-deploy-client.exe: STDOUT|SUP Successfully downloaded printer driver oemsetup.inf_amd64_21f4e2a7b7e3f5ca.zip to C:\Windows\TEMP\pd-client-	work.2195754342\oemsetup.inf_amd64_21f4e2a7b7e3f5ca.zip from 			/deploy/drivers/oemsetup.inf_amd64_21f4e2a7b7e3f5ca.zip {"src":"pdservice.go:788"}

pc-print-deploy-client.exe: STDOUT|SUP Extracted C:\Windows\TEMP\pd-client-work.2195754342\oemsetup.inf_amd64_21f4e2a7b7e3f5ca.zip to C:\Windows\TEMP\pd-client-work.2195754342\oemsetup.inf_amd64_21f4e2a7b7e3f5ca {"src":"pdservice.go:802"}

pc-print-deploy-client.exe: STDOUT|DEV oemsetup.inf_amd64_21f4e2a7b7e3f5ca.zip doesn't contain catalog {"src":"pdservice.go:815"}

pc-print-deploy-client.exe: STDOUT|DEV RunCommand: Executing command: < "C:\Program Files\PaperCut Print Deploy Client\v2022-06-16-1511\pc-printer-updater" installdrv -d "Kyocera TASKalfa 5054ci KX" -f C:\Windows\TEMP\pd-client-work.2195754342\oemsetup.inf_amd64_21f4e2a7b7e3f5ca\oemsetup.inf -t mobilityprint > {"src":"printerinstaller.go:224"}

What happened?

Microsoft Authenticode happened. Print Deploy even speculates about it: Possibilities are, invalid driver certificate or wrong architecture. And because you are a meticulous IT admin (right?), you selected the right driver architecture (x86, amd64, arm64) during the preparation of the reference computer (right??) and we can exclude the possibility of a wrong architecture from our troubleshooting steps (yes, right!). If you are not sure (*wink*), you can always go back, check and see if that is the cause of the error.

You can read more about Authenticode here, but the TL;DR is, it's one of many code-signing technologies that Microsoft developed and put into Windows in the past. And unfortunately, some printer manufacturers still use it to digitally sign their drivers.

Kyocera Document Solutions is one of them. Not all drivers that Kyocera distributes are signed with Authenticode (Thank God!), but some are.

In this example, the problem driver is 8.0.3028 which gets packaged as KX Printer Driver for TASKalfa 7054ci, TASKalfa 6054ci, TASKalfa 5054ci and TASKalfa 4054ci machines, among others.

TASKalfa 3554ci and TASKalfa 2554ci, even though they are mentioned in the installer, already received the newer 8.2.0623 which solved the error.

So now that we know what the cause is, how could we have known about it beforehand and how do we fix it?

First up, during the preparation of the reference computer, you had to install the Kyocera driver (or any other printer driver you need that incidentally has an Authenticode-signed driver, I will stick with Kyocera as my example) and during that install, Windows has prompted you for permission to install that driver, like this:

Windows even tells you the reason it asks in the first place if you deny with Don't install:

Here we see the culprit, Authenticode.

You must have seen the first dialogue from Windows Security numerous times in the past because there are many (too many!) manufacturers that sign their drivers with untrusted code certificates, but usually, we would just click Install and be on our way, right?

That unfortunately doesn't work with Print Deploy because everything happens unattended [A/N: without (possible) user interaction] and PD doesn't have permission to install an untrusted driver.

It is possible to check for Authenticode-signed drivers one step before clicking Finish in the Add Printer Driver Wizard.

When selecting the correct one from the list of available drivers, you can see in the bottom left which signature was used to sign the driver:

A "correctly" signed driver looks like this:

So we could assume that just using a correctly signed driver fixes the problem?

Yes, it does, but what do you do if no correctly signed driver exists?

In the first Add Printer Driver Wizard I purposefully selected the Kyocera TASKalfa 5054ci KX driver because this model only has the Authenticode-signed variant with the version 8.0.3028 available, the newer 8.2.0623 variant doesn't exist for it (yet):

[A/N: I think it's funny that older hardware (the fourth number in 5054 names the generation of printer, so 5053 is older than 5054) receives newer drivers first :) ]


Solution

As we established three paragraphs before, using a driver with a trusted signing certificate solves the Print Deploy error. But if no trusted driver exists (yet), what can you do?

In my example, the smaller printer TASKalfa 3554ci (it prints slower [35 ppm instead of 50 ppm for the 5054ci] but essentially has access to the same finishing and add-on options as the bigger TASKalfa 5054ci) already has the newer 8.2.0623 driver which doesn't use the untrusted Authenticode, so I can use that to deploy my printers with Print Deploy.

What I am saying with this is, don't fixate yourself on the exact model number of the driver so printer(s) and driver(s) model match. Expand your horizon and try a higher or lower model with the same available features (most of the time only finishing options are relevant here) to see if it helps.

Throughout the whole article I focused on Kyocera but if other manufacturer also use Authenticode, this solution, as in, trying a higher or lower model driver which is not signed with the Authenticode certificate chain, should also work.


Conclusion

And here we have it, an error with no (at least in the beginning) immediately available solution, but can now be solved with relative ease.

Did you encounter this error in the past while deploying printers with PaperCut Print Deploy? What's your PaperCut or Print Deploy war story?

Let me know in the comments!


💡
Our content is reader-supported. This means if you click on some of our links, then we may earn a commission.
You don't pay any extra for the usage of these links.
Thank you for supporting the author and this blog!