GPP Printer Deployment Fails with 0x80070bcb After KB3170455 (MS16-087)
Windows 10 clients fail to install printer drivers deployed via Group Policy Preferences with error 0x80070bcb after security update KB3170455 (MS16-087) is applied. The update blocks silent installation of non-packaged, unsigned printer drivers through Point and Print, rendering GPP-based printer deployment ineffective regardless of Point and Print Restriction policy configuration. Resolution requires sourcing a packaged, signed driver from the manufacturer or adopting an alternative deployment method, as removing the security update is not recommended.
Indicators
- Event Viewer > Applications and Services Logs > Microsoft > Windows > Group Policy > Operational shows error 0x80070bcb referencing the GPP printer preference item
- GPP printer preference item fails to apply with error code 0x80070bcb after gpupdate /force and reboot
- Printer does not appear in Devices and Printers after policy application
- Manual Add Printer via Control Panel succeeds using the same print server and driver
- Deploying the same printer via Computer Configuration > Windows Settings > Deployed Printers succeeds, confirming the driver itself is accessible
- Enabling, disabling, or reconfiguring Point and Print Restriction GPO policy has no effect on the error
- KB3170455 confirmed present on affected clients via 'wmic qfe list | findstr 3170455'
Likely causes
- KB3170455 (MS16-087) enforces a security restriction that blocks silent installation of non-packaged, unsigned printer drivers via the Point and Print mechanism
- GPP printer preference deployment relies on silent driver installation, which is precisely the vector blocked by MS16-087
- Printer manufacturer provides only legacy, unsigned, non-packaged drivers incompatible with the post-KB3170455 security requirement
- Point and Print Restrictions GPO policy controls prompt behaviour but does not override the kernel-level driver signing enforcement introduced by KB3170455
Diagnostic steps
- On the affected client, open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Group Policy > Operational. Filter for errors and look for event entries referencing error code 0x80070bcb associated with the printer preference item.
- Run 'gpupdate /force' from both an elevated administrator command prompt and a standard user command prompt on the affected client, then reboot and recheck the printer list in Devices and Printers.
- Run 'gpresult /H C:\Temp\result.html' on the client as the affected user and review the HTML report to confirm whether the Point and Print Restrictions policy is being received and applied as intended.
- Verify whether KB3170455 is installed on the client by running: 'wmic qfe list | findstr 3170455' in an elevated command prompt, or by checking Settings > Update & Security > View Update History.
- Attempt to manually add the printer via Control Panel > Devices and Printers > Add a Printer pointing to the print server share. If this succeeds, the driver is valid and the issue is specific to the GPP silent installation path.
- Inspect the printer driver package on the print server (typically under C:\Windows\System32\spool\drivers) to determine whether the driver is INF-based and digitally signed. Consult the manufacturer's website or driver documentation for packaging and signing status.
- Test deploying the same printer via Computer Configuration > Windows Settings > Deployed Printers to confirm whether this alternative method succeeds, isolating the issue to the GPP preference deployment path rather than the driver or network share.
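The client-side and print-server checks from the steps above, combined into one PowerShell script. This is an added example, not part of the original article: PRINTSRV01 is a hypothetical server name, and the script reports only each driver's package-aware flag, so signing status still has to be confirmed as described in the driver inspection step.

```powershell
# Added example: run in an elevated PowerShell session on an affected client.
$HotFixId    = 'KB3170455'     # update named on this page
$ErrorCode   = '0x80070bcb'    # error code named on this page
$PrintServer = 'PRINTSRV01'    # hypothetical print server name; replace with your own

# 1. Is the update installed? (same check as 'wmic qfe list | findstr 3170455')
$hotfix = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} installed on {1}" -f $HotFixId, $hotfix.InstalledOn
} else {
    "$HotFixId not reported by Get-HotFix"
}

# 2. Errors and warnings in the Group Policy Operational log that mention the error code.
$filter = @{ LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Level = 2, 3 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ErrorCode } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Driver inventory on the print server, with the package-aware flag per driver.
$drivers = Get-PrinterDriver -ComputerName $PrintServer |
    Select-Object Name, PrinterEnvironment, Manufacturer, IsPackageAware, InfPath
$drivers | Sort-Object IsPackageAware, Name | Format-Table -AutoSize

# 4. Shared printers whose driver is not package-aware: candidates for the GPP failure.
$legacy = $drivers | Where-Object { -not $_.IsPackageAware } |
    Select-Object -ExpandProperty Name -Unique
Get-Printer -ComputerName $PrintServer |
    Where-Object { $_.Shared -and $_.DriverName -in $legacy } |
    Select-Object Name, ShareName, DriverName
```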
Resolution path
- Confirm KB3170455 is installed on the affected Windows 10 clients: run 'wmic qfe list | findstr 3170455' in an elevated command prompt.
- Contact the printer manufacturer to determine whether a packaged, digitally signed INF-based driver is available for the affected printer model.
- If a packaged and signed driver is available, update the driver on the print server via Print Management Console, then re-test the GPP printer preference deployment on a client.
- If no packaged driver is available and GPP deployment is non-negotiable, evaluate using a third-party print management solution (e.g., PrinterLogic, UniFlow) that can handle driver distribution outside the Point and Print path.
- As an interim workaround, redeploy the printer via Computer Configuration > Windows Settings > Deployed Printers, accepting the loss of GPP-specific targeting and filtering features.
- As an absolute last resort only and with documented management approval, uninstall KB3170455 on affected clients. This restores silent driver installation but reintroduces a known, publicly disclosed print spooler vulnerability and must be treated as a temporary measure with a firm remediation deadline.
Prevention
- Before planning any GPP-based printer deployment, verify that all required printer drivers are packaged (INF-based) and digitally signed to ensure compatibility with Point and Print security enforcement.
- Maintain an inventory of printer models in use, including the packaging and signing status of their drivers, to proactively identify incompatibilities before security patches are deployed.
- Review Microsoft security bulletins and patch notes that affect Print Spooler and Point and Print behaviour as part of the monthly patch evaluation process before production rollout.
- Test printer GPP deployments in a staging environment immediately after applying cumulative Windows updates, including any updates referencing Print Spooler or Point and Print.
- Engage printer manufacturers proactively to request packaged and signed driver releases when only legacy unsigned drivers are available, particularly for printers with long deployment lifecycles.
- Document the deployment method used for each printer (GPP, Deployed Printers, manual, third-party) so that compatibility impact from future security patches can be assessed quickly.
Tools
- Event Viewer (eventvwr.msc)
- gpupdate /force
- gpresult /H result.html
- wmic qfe list
- Group Policy Management Console (gpmc.msc)
- Control Panel > Devices and Printers (Add Printer wizard)
- Print Management Console (printmanagement.msc)