Change in Microsoft Windows certificates after January 30, 2016 causes issues for Windows 2008 R2 and Windows 7 systems upgrading to the latest CIC release/patch

Description:

A change in Microsoft certificates after January 30, 2016 affects Windows 2008 R2 and Windows 7 systems running Interactive Intelligence products that use the QoS driver, causing certificate errors after product installation and again upon system reboots, as well as Windows Security messages. This issue affects customers upgrading Windows 2008 R2 and Windows 7 systems to CIC 2016 R2 or later, CIC 2016 R1 Patch7 or later, CIC 2015 R4 Patch13 or later, or CIC 2015 R3 Patch19 or later.

Installs that include the QoS driver:

Filename                     Product
ASRServerNuanceRecognizer    Nuance Recognizer ASR Server
ICServer                     Interaction Center Server
ICUserApps_32bit             IC User Applications (32-bit) and (64-bit)
ICUserApps_64bit             Interaction Screen Recorder Capture Client
                             Interaction SIP Bridge
                             SIP Softphone
IRRemoteContentService       Interaction Recorder Remote Content Service
MediaServer                  Interaction Media Server
MediaStreamingServer_64      Interaction Media Streaming Server
MrcpASRServer                MRCP ASR Server
ProcessAutomationServerv2    Interaction Process Automation Server (off-server)
SessionManager               IC Session Manager (off-server)
SIPProxy                     Interaction SIP Proxy
StatusAggregator             IC Status Aggregator

Solution:

Install Microsoft KB articles KB3033929 (support for SHA256 certificates) and KB2921916 (hotfix to avoid the Windows Security "Would you like to install this device software?" dialog) on Windows 2008 R2 and Windows 7 machines running products that use the QoS driver before the CIC upgrade. (The KBs are also available on the CIC.iso downloads.)

Both KBs are described below. Included in the description are symptoms that can be used to determine if the KB is missing from the system.
In scenarios using a Group Policy Object or IUpdate for deployment, both KB3033929 (support for SHA256 certificates) and KB2921916 (hotfix to avoid the Windows Security "Would you like to install this device software?" dialog) are required if the Interactive Intelligence QoS driver needs to be installed.

Why are they needed?
KB3033929

KB3033929 is needed because neither Windows 7 nor Windows 2008 R2 supports SHA256 certificates and Microsoft now requires that SHA256 certificates be used. When KB3033929 is missing from the system and the QoS driver is installed, the System Event Log will show certificate errors after the product installation and again upon system reboots. This is because the driver is evaluated against the certificate each time the service starts.
If KB3033929 is missing, as soon as the install is run, the end user will see the following:

Installing KB3033929 before doing the product install will avoid the driver loading error. However, KB3033929 can be installed after the product installation and the driver will load properly. KB3033929 must be installed for the QoS driver to load and operate properly.
KB2921916

KB2921916 is needed because the operating system does not recognize that the SHA256 certificate is installed in the Trusted Publisher store and so pops a Windows Security dialog asking the user for permission to install the driver. Without the hotfix applied, the user will see this dialog when installing the driver:

Clicking "Install" will allow the driver to install correctly.

Verify the status of the QoS Driver

Running driverquery /v /fo csv > drvlist.csv from the command line can be used to verify that the Interactive Intelligence QoS driver is loaded and running.
Installation Scenarios

These scenarios assume a Windows 7 or Windows 2008 R2 system and a product that needs the Interactive Intelligence QoS driver installed.

KB3033929 and KB2921916 both missing

In this scenario, neither KB is installed so SHA256 support is missing from the computer and the fix to read the SHA256 certificate in the Trusted Publisher list is also missing.

UI Mode

The install will prompt the user with the Windows Security prompt during the install (because KB2921916 is missing):

Clicking "Install" will install the QoS driver. Clicking "Always trust software from Interactive Intelligence" will not prevent this dialog in the future.

After the install completes, a Program Compatibility Assistant dialog will display (because KB3033929 is missing). This dialog informs the user that the driver is unsigned and this is because the system does not recognize the SHA256 certificate:
In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):

When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):
The driver should be visible when viewing the network adapter's properties:

Running driverquery /v from the command line can also be used to verify that the Interactive Intelligence QoS driver is loaded and running.

Silent Mode

The user will see no dialogs and the installation should complete without hanging. The QoS driver will not be installed because Windows Installer will disallow the driver installation. No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it. Interactive Intelligence QoS will not be found in the network adapter's properties.

In a silent install, the user is not presented with the Windows Security dialog and so cannot approve the driver installation. Windows Installer defaults to disallow the driver installation in silent mode and the QoS driver is not installed. The product installation will continue and not hang, however. The result is that the product will be installed on the machine but the QoS driver will not be properly installed.

If KB2921916 is missing and a silent installation is performed (and the QoS driver is needed by the product or feature being installed), the driver will not be installed. To remedy this situation, there are two options:

1. Perform a repair install of the product from Programs and Features. The repair install will pop the Windows Security dialog and "Install" should be selected to allow the driver to install.

OR

2. Uninstall the product, install KB2921916 and then deploy the product silently again.
KB3033929 installed and KB2921916 is missing

In this scenario, KB3033929 is installed so the operating system supports SHA256 certificates. However, the fix to read the SHA256 certificate in the Trusted Publisher list is missing.

UI Mode

The install will prompt the user with the Windows Security prompt during the install (because KB2921916 is missing):

Clicking "Install" will install the QoS driver. Clicking "Always trust software from Interactive Intelligence" will not prevent this dialog in the future.

The Program Compatibility Assistant dialog will not display and no System Event Log errors will be seen because SHA256 support was added with the installation of KB3033929.

The driver should be visible when viewing the network adapter's properties:

Running driverquery /v from the command line can also be used to verify that the Interactive Intelligence QoS driver is loaded and running.
Silent Mode

The user will see no dialogs and the installation should complete without hanging. The QoS driver will not be installed because Windows Installer will disallow the driver installation. No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it. Interactive Intelligence QoS will not be found in the network adapter's properties.

In a silent install, the user is not presented with the Windows Security dialog and so cannot approve the driver installation. Windows Installer defaults to disallow the driver installation in silent mode and the QoS driver is not installed. The product installation will continue and not hang, however. The result is that the product will be installed on the machine but the QoS driver will not be properly installed.

If KB2921916 is missing and a silent installation is performed (and the QoS driver is needed by the product or feature being installed), the driver will not be installed. To remedy this situation, there are two options:

1. Perform a repair install of the product from Programs and Features. The repair install will pop the Windows Security dialog and "Install" should be selected to allow the driver to install.

OR

2. Uninstall the product, install KB2921916 and then deploy the product silently again.
KB3033929 is missing and KB2921916 is installed

In this scenario, KB3033929 is missing so the operating system does not support SHA256 certificates. However, the fix to read the SHA256 certificate in the Trusted Publisher list is installed.

UI Mode

The installation will complete without displaying the Windows Security prompt.

After the install completes, a Program Compatibility Assistant dialog will display (because KB3033929 is missing). This dialog informs the user that the driver is unsigned and this is because the system does not recognize the SHA256 certificate:

In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):
When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):

The driver should be visible when viewing the network adapter's properties:

Running driverquery /v from the command line can also be used to verify that the Interactive Intelligence QoS driver is loaded and running.
Silent Mode

The user will see no dialogs and the installation should complete without hanging. The QoS driver will be installed. No System Event Log entries will be seen because the driver is not installed and so the system will not try to load it.

In the System Event Log, an Event ID 7000 error-level message will be seen immediately after the installation (because KB3033929 is missing):

When the system is restarted, an Event ID 7000 error-level message will be seen in the System Event Log (because KB3033929 is missing):

The driver should be visible when viewing the network adapter's properties:
Running driverquery /v from the command line can also be used to verify that the Interactive Intelligence QoS driver is loaded and running.
KB3033929 installed and KB2921916 is installed

In this scenario, both KB3033929 and KB2921916 are installed so the operating system will support the SHA256 certificate and recognize that it is installed in the Trusted Publisher store.

UI Mode

The Windows Security dialog will not display during the install and the Program Compatibility Assistant dialog will not display after the install. There will be no errors seen in the System Event Log.

The driver should be visible when viewing the network adapter's properties:

Running driverquery /v from the command line can also be used to verify that the Interactive Intelligence QoS driver is loaded and running.

Silent Mode

The user will see no dialogs and the installation should complete without hanging. The QoS driver will be installed. There will be no errors seen in the System Event Log. The driver should be visible when viewing the network adapter's properties.
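
The four scenarios above can be checked on a host before the upgrade. The following PowerShell is an added example, not part of the original article or any vendor tooling: it maps the installed KBs to the outcomes described per scenario, then applies the driverquery and Event ID 7000 checks. The function names and the '*QoS*' match pattern are assumptions; adjust the pattern to the driver's display name on your systems.

```powershell
# Added example (not vendor code). Run on the Windows 7 / 2008 R2 host.
# Assumption: '*QoS*' matches the QoS driver's display name and event text.
$DriverPattern = '*QoS*'

function Get-QosKbScenario {
    # Maps installed KB IDs to the outcomes the article lists per scenario.
    param([string[]]$InstalledKBs)
    $sha256 = $InstalledKBs -contains 'KB3033929'   # SHA256 certificate support
    $trust  = $InstalledKBs -contains 'KB2921916'   # Trusted Publisher hotfix
    New-Object PSObject -Property @{
        KB3033929Installed   = $sha256
        KB2921916Installed   = $trust
        UiSecurityDialog     = (-not $trust)    # Windows Security prompt in UI mode
        UiEvent7000          = (-not $sha256)   # driver installed but fails to load
        SilentInstallsDriver = $trust           # nobody can approve the prompt silently
        SilentEvent7000      = ($trust -and -not $sha256)
        ReadyForUpgrade      = ($sha256 -and $trust)
    }
}

function Get-QosDriverState {
    # Parses "driverquery /v /fo csv" output and returns the matching drivers.
    param([string[]]$CsvLines, [string]$Pattern)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.'Display Name' -like $Pattern } |
        Select-Object 'Module Name', 'Display Name', 'State', 'Status'
}

# Constructed input: the "KB3033929 installed, KB2921916 missing" scenario.
Get-QosKbScenario -InstalledKBs @('KB3033929') | Format-List

# Live host: which scenario applies here?
$kbs = @(Get-HotFix | ForEach-Object { $_.HotFixID })
Get-QosKbScenario -InstalledKBs $kbs | Format-List

# Is the driver present, and is its State "Running"?
Get-QosDriverState -CsvLines (driverquery /v /fo csv) -Pattern $DriverPattern

# Recent Event ID 7000 entries in the System log that mention the driver.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7000 } `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like $DriverPattern } |
    Select-Object TimeCreated, Id, Message
```

Get-HotFix reports only updates recorded under their own ID, so a host that received the same fix through a later cumulative update may show the KB as missing; confirm against the symptoms the article describes. The driverquery column names are the English ones and differ on localized systems.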