We're having a strange issue with Symantec Endpoint Protection (SEP) version 12.1 on Windows 7 clients.
When our users try to map a new network printer from our print server (double-click on the printer name when browsing \OurPrintServer ) – the standard driver install process begins as usual but ends with the error message: "Windows cannot connect to the printer. Access is denied."
We have tested on multiple systems with different printer shares using different drivers and even different printer manufacturers. The install of all printer drivers not already present on the client system seems to be being blocked by SEP.
A strange thing is that when we disable SEP, the error still occurs and new printer drivers still fail to install. If we completely remove SEP from the client computer, the printer drivers install successfully and the printer shares map as expected.
To further test, we tried other Windows 7 clients on our domain without SEP and they map the printer correctly installing the drivers as expected.
Has anyone seen a problem like this with SEP 12.x on Windows 7 and if so do you have any suggestions on how to resolve the issue? Such a strange case, even when SEP is disabled it is still somehow blocking these printer driver installs. Only when SEP is completely removed do Windows shared network printer driver installs work correctly.
Best Answer
It looks like recent Symantec definition updates broke something with one of the Host Intrusion Prevention System (HIPS) policies in use on our systems. Thanks for the tip @joeqwerty. The organization seems to want to keep this component installed, so they changed the rule to log instead of block. Here are the details:
After disabing the "Prevent modification of system files (HIPS) [AC14]" policy, client printer mapping and printer driver installs worked correctly. Here are some related screenshots as a visual aid:
The best solution would probably be to exclude the IPS component from all Symantec Endpoint Protection (SEP) client installs. If your organization prefers to keep the HIPS installed, then you must wrangle with botched policies like this one.