Not sure it is a SEP problem yet. Still doing the analysis.
We are running a pilot of SEP 12.1 RU1 MP1, upgrading from 12.1 RU1, using the SEPM to do the upgrade. Some of the people are reporting that they are prompted to install printer drivers after the SEP upgrade. All of the reported printers appear to be networked printers. Doesn't make sense, but I've seen stranger things happen.
We have an App & Device Control policy, but are only using App Control. App Control only blocks some applications and also logs transfers to USB devices.
Intrusion Prevention policies allow our servers.
Once prompted to re-install the drivers, everything works fine.
I know there was an MS security update this month for kernel-mode drivers, but we have a GPO that disables installing kernel-mode drivers. I'm not dismissing the possibility that this update caused it, but I can't dismiss the SEP upgrade causing it either.
My other problem is that they waited a couple of days to report the problem, and I haven't been able to re-create it yet.
There is nothing about printers in the Windows event logs, and nothing in the SEP logs about blocking/deleting printer drivers.
Has anyone ever seen anything like this?