I'm not sure whether or not this forum is the right place to post an enterprise-level question.  But here's my problem:

I work for a large public school district.  We have a number of HP laser-printers installed in various labs and classrooms around the district.  These printers are connected to our network, and are shared via our print-server, PS1, which runs Windows Server 2012 R2.  Until recently, we had no problem installing, sharing, and using these printers in this method.  I mean, basically, we would use Print Management on PS1 to create a TCP/IP port, then install the HP drivers for the desired printer, and then create the shared printer.  It's fairly straightforward.

However, at some point over the past 3-4 months, things stopped working.  We can still install HP printers on PS1 as before -- but on a client PC (Win7 Pro x64), when we navigate to PS1 and doubleclick the printer-driver to install it, we get a message which states:

"A policy is in effect on your computer which prevents you from connecting to this print queue.  Please contact your system administrator."

This would seem to indicate a problem within Group Policy.  But the thing is, we hadn't made any changes in Group Policy prior to experiencing this issue.  (We have made some changes AS A RESULT of seeing this error, in an attempt to fix it, but to no avail.)  

This problem seems to affect ALL HP printers which are not using the Universal Print Driver.  We have discovered that, for whatever reason, the UPD for PCL6 printing, v5.7.0, works fine.  However, not all HP printers are compatible with that driver.   For those printers, we lack a workaround.  We have not experienced this problem with other printers shared through our print-server -- such as our 30 Sharp-brand printer/copiers, or our 15 or so Brother printers.  Those all continue to work fine.

It might only be 64-bit clients who are affected.  However, as computing has shifted firmly into the 64-bit paradigm, we have few 32-bit workstations left on our network with which we can test.  And anyway, it wouldn't matter if it DOES work on 32-bit clients, because the entire world of computing is now firmly 64-bit.  We need these drivers to work under a 64-bit paradigm.

Obviously, I have doublechecked to ensure that I'm downloading the correct drivers from HP.  In the event that a printer isn't compatible with the Universal Print Driver, I download the Win7 x64 driver.  Obviously I don't want the full-installer, so I try to download a barebones driver, if one is available.  If it doesn't self-extract, I extract it using 7zip.  I then copy them onto a "drivers" directory on the print-server.  Then I open Print-Management on the server, create my port if one doesn't already exist, and then right-click Drivers and choose "install."  When prompted to select a driver to install, I choose "Have Disk," and browse to the directory where the driver exists.  Once the driver-installation finishes, I right-click Printers and choose "Add Printer," and then I select the driver I just installed when prompted.

I then go to a client machine, browse to \\PS1 (the server), and select the name of the printer I wanna install from the list of all the printers on PS1.  That's when I get the error described above.  I get this error regardless of the level of permissions my account has.  I get it when I log-in using my District Enterprise Admin credentials.

In the event-logs on the client machine (Microsoft/Windows/PrintService/Admin), I get the following message after one of these failed driver-install attempts:

Description:

The print spooler failed to import the printer driver that was downloaded from \\ps1\print$\x64\PCC\ntprint.inf_amd64_a7ac65d1b7714fb1.cab into the driver store for driver HP Color LaserJet Pro MFP M177 PCLmS. Error code= 800f024b. This can occur if there is a problem with the driver or the digital signature of the driver.

The printer which generated this message was a Color LaserJet Pro M177, but we've experienced  this message with other HP printer-models as well, including the LaserJet P3015.

More tellingly, in the client-PC's installation-log (c:\windows\inf\setupapi.dev.log), every attempt to install one of these "broken" HP drivers generates the following output:

From c:\windows\inf\setupapi.dev.log:

Failed to verify file 'UNIRES.DLL' against catalog. Catalog = ntprint.cat, Error = 0xE000024B

!!!  sto: Catalog did not contain file hash. File is likely corrupt or a victim of tampering.

!!!  sto: Driver package appears to be tampered. Filename = C:\Windows\System32\DriverStore\Temp\{61572abe-df8e-19bb-2d9b-d057c6484c6d}\ntprint.inf, Error = 0x800F024B

!!!  sto: Driver package appears to be tampered, and it will not be installed.

!!!  ndv: Driver package failed signature validation. Error = 0xE000024B

     sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0xe000024b)} 10:57:24.124

!!!  sto: Driver package failed signature verification. Error = 0xE000024B

!!!  sto: Failed to import driver package into Driver Store. Error = 0xE000024B

     sto: {Stage Driver Package: exit(0xe000024b)} 10:57:24.124

This is the only failure or error which appears in the setupapi.dev.log, so it would stand to reason that this is the actual culprit -- Windows is not allowing the driver-installation because it can't verify the digital signature of UNIRES.DLL, which further investigatoin reveals to be one of the files contained within hpcm177_64.cab.

So.  HP.  Does this mean that you're shipping drivers which have been incorrectly-signed?  Or perhaps you're wrapping Unires.dll into these drivers AFTER signing them?  Or is it possible that the problem is some kind of configuration issue on our side?  Or is this question beyond the scope of this HP forum?  If that's the case, please direct me to where I might pose this question to a more receptive ear?