I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.
After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:
- Run as Admin - Add reg key from article to allow non-admin printer installs using a PowerShell script with the detection method checking for the entry.
- Run as User - Run a PowerShell script - `Add-Printer -ConnectionName "\\SERVER\Printer"` with the detection method being `Get-Printer -Name "\\SERVER\Printer"`
- Run as Admin - Remove the reg key added in Step 1.
Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the `Get-Printer` command will not result in showing the printer is installed.
I tried the following script for detection, but it will not run:
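```powershell
# Look for registry values that show the East Copy Room printer is installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
# PSChildName is the bare hive name (SID); Name would carry the "HKEY_USERS\" prefix
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty PSChildName)
foreach ($item in $RegUserValues)
{
    # Each subkey of Printers\Connections is one per-user printer connection
    $Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
    if ($null -ne $Result) # ",,SERVER,EastCopyRoom1")
    {
        Write-Output "Success!!"
        break
    }
}
# Remove only the drive this script created, not every PSDrive in the session
Remove-PSDrive -Name HK_USERS -Force
```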
EDIT: To clarify, by not run I mean that I get an error in the AppDiscovery.log that shows Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException
I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when the printer is not installed for my user.
Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that gets generated when a network connection printer is installed and gets removed when the printer is removed.
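
Added example, not part of the original post: a detection script that reads only the current user's hive, which avoids the `PermissionDenied` error raised when enumerating every hive under `HKEY_USERS`. It assumes the detection script runs in the logged-on user's context (deployment type installed for user); `\\SERVER\EastCopyRoom1` is a placeholder built from the names in the post.

```powershell
# Added example (not the poster's code). Assumption: this runs as the
# logged-on user, so HKCU: is that user's own hive and needs no admin rights.
$ConnectionName = '\\SERVER\EastCopyRoom1'   # placeholder UNC path

function ConvertTo-ConnectionKeyName {
    param([Parameter(Mandatory)][string]$UncPath)
    # Per-user connections are stored as subkeys of Printers\Connections,
    # named with commas in place of backslashes:
    #   \\SERVER\EastCopyRoom1 -> ,,SERVER,EastCopyRoom1
    return $UncPath.Replace('\', ',')
}

function Test-PrinterConnection {
    param([Parameter(Mandatory)][string]$UncPath)
    $keyName = ConvertTo-ConnectionKeyName -UncPath $UncPath
    $keyPath = "HKCU:\Printers\Connections\$keyName"
    # The subkey is created when the connection is added and deleted when
    # the connection is removed, so its presence tracks the printer itself.
    return (Test-Path -LiteralPath $keyPath)
}

# Configuration Manager script detection: exit code 0 plus any STDOUT text
# means "installed"; exit code 0 with no output means "not installed".
if (Test-PrinterConnection -UncPath $ConnectionName) {
    Write-Output 'Installed'
}
exit 0
```

Because the key name mirrors the path used when the connection was made, the value of `$ConnectionName` has to match the form (short name or FQDN) passed to `Add-Printer -ConnectionName`.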