Change in Microsoft Windows certificates after January 30, 2016
causes issues for Windows 2008 R2 and Windows 7 systems
upgrading to the latest CIC release/patch
Description:
A change in Microsoft certificates after January 30, 2016 affects Windows 2008 R2 and Windows 7 systems running Interactive Intelligence products that use the QoS driver, causing certificate errors after product installation and again upon system reboots, as well as Windows Security messages. This issue affects customers upgrading Windows 2008 R2 and Windows 7 systems to CIC 2016 R2 or later, CIC 2016 R1 Patch7 or later, CIC 2015 R4 Patch13 or later, or CIC 2015 R3 Patch19 or later.
Installs that include the QoS driver.
Filename Product
ASRServerNuanceRecognizer Nuance Recognizer ASR Server ICServer Interaction Center Server
ICUserApps_32bit ICUserApps_64bit
IC User Applications (32-bit) and (64-bit) Interaction Screen Recorder Capture Client Interaction SIP Bridge
SIP Softphone
IRRemoteContentService Interaction Recorder Remote Content Service MediaServer Interaction Media Server
MediaStreamingServer_64 Interaction Media Streaming Server MrcpASRServer MRCP ASR Server
ProcessAutomationServerv2 Interaction Process Automation Server (off-server) SessionManager IC Session Manager (off-server)
SIPProxy Interaction SIP Proxy StatusAggregator IC Status Aggregator
Solution:
Install Microsoft KB articles
KB3033929
(support for SHA256 certificates)
and
KB2921916
(hotfix to avoid the Windows Security “Would you like to install this
device software?” dialog) on Windows 2008 R2 and Windows 7 machines running
products that use the QoS driver before the CIC upgrade. (The KBs are also available on
the CIC .iso downloads.) Both KBs are described below. Included in the description are
symptoms that can be used to determine if the KB is missing from the system.
In scenarios using a Group Policy Object or IUpdate for deployment, both KB3033929
(support for SHA256 certificates) and KB2921916 (hotfix to avoid the Windows Security
“Would you like to install this device software?” dialog) are required if the Interactive
Intelligence QoS driver needs to be installed.
KB3033929
KB3033929 is needed because neither Windows 7 nor Windows 2008R2 support SHA256
certificates and Microsoft now requires that SHA256 certificates be used. When
KB3033929 is missing from the system
and the QoS driver is installed
the System Event
Log will show certificate errors after the product installation and again upon system
reboots. This is because the driver is evaluated against the certificate each time the
service starts.
If the KB3033929 is missing, as soon as the install is ran, the end user will see the
following:
Installing KB3033929 before doing the product install will avoid the driver loading error.
However, KB3033929 can be installed after the product installation and the driver will
load properly.
KB3033929
must
be installed for the QoS driver to load and operate
properly.
KB2921916
KB2921916 is needed because the operating system does not recognize that the
SHA256 certificate is installed in the Trusted Publisher store and so pops a Windows
Security dialog asking the user for permission to install the driver. Without the hotfix
applied, the user will see this Dialog when installing the driver:
Clicking "Install" will allow the driver to install correctly.
Verify the status of the QoS Driver
Running “driverquery /v /fo csv > drvlist.csv” from the command line can be used to
verify that the Interactive Intelligence QoS driver is loaded and running.
Installation Scenarios
These scenarios assume a Windows 7 or Windows 2008R2 system and a product that needs the Interactive Intelligence QoS driver installed.
KB3033929 and KB2921916 both missing
In this scenario, neither KB is installed so SHA256 support is missing from the computer and the fix to read the
SHA256 certificate in the Trusted Publisher list is also missing.
UI mode
The install will prompt the user with the Windows Security prompt during the install (because KB2921916 is missing):
Clicking “Install” will install the QoS driver. Clicking “Always trust software from Interactive Intelligence” will not prevent this dialog in the future.
After the install completes, a “Program Compatibility Assistant” dialog will display (because KB3033929 is missing). This dialog informs the user that the driver is unsigned and this is because the system does not recognize the SHA256 certificate:
In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):
When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):
The driver should be visible when viewing the network adapter’s properties:
Running “driverquery /v” from the command line can also be used to verify that the Interactive Intelligence
QoS driver is loaded and running.
Silent Mode
The user will see no dialogs and the installation should complete without hanging.
The QoS driver will not be installed because Windows Installer will disallow the driver installation. No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it.
“Interactive Intelligence QoS” will not be found in the network adapter’s properties.
In a silent install, the user is not presented with the Windows Security dialog and so cannot approve the driver installation. Windows Installer defaults to disallow the driver installation in silent mode and the QoS driver is not
installed. The product installation will continue and not hang, however. The result is that the product will be installed on the machine but the QoS driver will not be properly installed.
If KB2921916 is missing and a silent installation is performed (and the QoS driver is needed by the product or feature being installed), the driver will not be installed.
To remedy this situation, there are two options:
1. Perform a repair install of the product from “Programs and Features”. The repair install will pop the Windows Security dialog and “Install” should be selected to allow the driver to install.
OR
KB3033929 installed and KB2921916 is missing
In this scenario, KB3033929 is installed so the operating system supports SHA256 certificates. However, the fix
to read the SHA256 certificate in the Trusted Publisher list is missing.
UI Mode
The install will prompt the user with the Windows Security prompt during the install (because KB2921916 is missing):
Clicking “Install” will install the QoS driver. Clicking “Always trust software from Interactive Intelligence” will not prevent this dialog in the future.
The “Program Compatibility Assistant” dialog will not display and no System Event Log errors will be seen because SHA256 support was added with the installation of
KB3033929.
The driver should be visible when viewing the network adapter’s properties:
Running “driverquery /v” from the command line can also be used to verify that the Interactive Intelligence
QoS driver is loaded and running.
Silent Mode
The user will see no dialogs and the installation should complete without hanging.
The QoS driver will not be installed because Windows Installer will disallow the driver installation. No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it.
“Interactive Intelligence QoS” will not be found in the network adapter’s properties.
In a silent install, the user is not presented with the Windows Security dialog and so cannot approve the driver installation. Windows Installer defaults to disallow the driver installation in silent mode and the QoS driver is not
installed. The product installation will continue and not hang, however. The result is that the product will be installed on the machine but the QoS driver will not be properly installed.
If KB2921916 is missing and a silent installation is performed (and the QoS driver is needed by the product or feature being installed), the driver will not be installed.
To remedy this situation, there are two options:
1. Perform a repair install of the product from “Programs and Features”. The repair install will pop the Windows Security dialog and “Install” should be selected to allow the driver to install.
OR
KB3033929 is missing and KB2921916 is installed
In this scenario, KB3033929 is missing so the operating system does not support SHA256 certificates.
However, the fix to read the SHA256 certificate in the Trusted Publisher list is installed.
UI Mode
The installation will complete without displaying the Windows Security prompt.
After the install completes, a “Program Compatibility Assistant” dialog will display (because KB3033929 is missing). This dialog informs the user that the driver is unsigned and this is because the system does not recognize the SHA256 certificate:
In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):
When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):
The driver should be visible when viewing the network adapter’s properties:
Running “driverquery /v” from the command line can also be used to verify that the Interactive Intelligence
QoS driver is loaded and running.
Silent Mode
The user will see no dialogs and the installation should complete without hanging. The QoS driver will be installed.
No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it. In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):
When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):
Running “driverquery /v” from the command line can also be used to verify that the Interactive Intelligence
QoS driver is loaded and running.
KB3033929 installed and KB2921916 is installed
In this scenario, both KB3033929 and KB2921916 are installed so the operating will support the SHA256
certificate and recognize that it is installed in the Trusted Publisher store.
UI Mode
The Windows Security dialog will not display during the install and the
“Program Compatibility Assistant”dialog
will not display after the install.
There will be no errors seen in the System Event Log.
The driver should be visible when viewing the network adapter’s properties:
Running “driverquery /v” from the command line can also be used to verify that the Interactive Intelligence
QoS driver is loaded and running.
Silent Mode
The user will see no dialogs and the installation should complete without hanging. The QoS driver will be installed.
