Printer Deployment using MEM/SCCM - Detection method Logic - I need help

Matt Dillon 1,211 Reputation points
2021-10-01T21:09:19.48+00:00

I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.

After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:

  1. Run as Admin - Add the reg key from the article to allow non-admin printer installs, using a PowerShell script with the detection method checking for the entry.
  2. Run as User - Run a PowerShell script: `Add-Printer -ConnectionName "\\SERVER\Printer"`, with the detection method being `Get-Printer -Name "\\SERVER\Printer"`.
  3. Run as Admin - Remove the reg key added in Step 1.

Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe to add a reg entry or a file, and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the `Get-Printer` command will not show that the printer is installed.

I tried the following script for detection, but it will not run:

```powershell
# Look For Registry Values that show East Copy Room Printer Installed
# Detection runs as SYSTEM, so walk every loaded user hive under HKEY_USERS.
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null

# PSChildName is the bare SID / key name; Name would include the "HKEY_USERS\" prefix
# and break the HK_USERS:\ path below. Skip hives that cannot be opened instead of
# aborting the whole script.
$RegUserValues = Get-ChildItem REGISTRY::HKEY_USERS -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

Foreach ($item in $RegUserValues)
{
    # A network printer connection appears as a subkey named ",,SERVER,Printer"
    $Result = Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue |
        Select-Object PSChildName
    If ($null -ne $Result)    # e.g. ",,SERVER,EastCopyRoom1"
    {
        Write-Output "Success!!"   # any STDOUT data with exit 0 = "installed" to ConfigMgr
        break
    }
}

# Only remove the drive this script created, not every PSDrive in the session
Remove-PSDrive -Name HK_USERS -Force
```

EDIT: To clarify, by "not run" I mean that I get an error in the AppDiscovery.log that shows: Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException

I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user, and blank when the printer is not installed for my user.

Anyone have any thoughts on a different detection method here? I am looking for a file or reg entry that gets generated when a network connection printer is installed and gets removed when the printer is removed.

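The thread's sticking point is that Step 3's detection is the inverse of Step 1's. The following is an added example (not code from the question or any answer) of a ConfigMgr script detection for Step 3 that reports "installed" only when the printer connection exists for at least one real user hive AND the Point and Print restriction is back in its secure state. It assumes the policy value from the linked KB article, `RestrictDriverInstallationToAdministrators` under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint`, where 1 (or an absent value) means administrator credentials are required; `,,SERVER,EastCopyRoom1` is a constructed sample connection key name.

```powershell
# Added example: ConfigMgr detection for "Step 3" (printer present AND restriction restored).
# Assumption: KB5005652 value, 1 or absent = admin required, 0 = non-admin installs allowed.
$PrinterKeyName = ',,SERVER,EastCopyRoom1'   # constructed sample for \\SERVER\EastCopyRoom1
$PolicyPath     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PolicyValue    = 'RestrictDriverInstallationToAdministrators'

function Test-PrinterConnectionAnyUser {
    param([string]$KeyName)
    # Detection runs as SYSTEM: walk loaded user hives, keep only real user SIDs
    # (skip .DEFAULT, service SIDs and *_Classes) and tolerate hives we cannot open.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        # A network printer connection is a subkey under Printers\Connections
        $conn = "Registry::HKEY_USERS\$($hive.PSChildName)\Printers\Connections\$KeyName"
        if (Test-Path -LiteralPath $conn) { return $true }
    }
    return $false
}

function Test-DriverRestrictionEnabled {
    $v = Get-ItemProperty -Path $PolicyPath -Name $PolicyValue -ErrorAction SilentlyContinue
    # Absent value = post-update Windows default, which also requires admin (assumption).
    return ($null -eq $v) -or ($v.$PolicyValue -eq 1)
}

$printerPresent = Test-PrinterConnectionAnyUser -KeyName $PrinterKeyName
$restricted     = Test-DriverRestrictionEnabled

if ($printerPresent -and $restricted) {
    # Exit 0 plus data on STDOUT = "installed" for a ConfigMgr script detection method.
    Write-Output "Detected: $PrinterKeyName present and $PolicyValue restored"
}
# Otherwise: exit 0 with no output = "not installed", so Step 3 is eligible to run
# only after Step 2 has actually added the connection.
exit 0
```

Because the check requires the printer connection, Step 3 is no longer detected as installed on a machine that merely still has the secure setting and has never run Step 2.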

6 answers

  1. Matt Dillon 1,211 Reputation points
    2022-05-31T15:36:53.43+00:00

    So I deployed this through SCCM as a package/ program and it does work as intended. I deploy the first powershell script as an admin to add the required gpo to allow printer adds. I then run the second powershell script (with a requirement of having the first script run) as the user and the printers install as requested. The final script is run as an admin (with the second script as a requirement) and removes the reg key that allows the printer installs.

    I attempted to build this using the application method, but am still having an issue with the first and last scripts basically cancelling each other out. The secure setting has the reg key set to 0, which is a requirement for the second script to run. The last script changes the same key to 1 to secure the endpoint. However, since 0 is required for script 2, the setting changes back and forth endlessly. I only deploy the last script with 2 as a requirement, which has 1 as a requirement. I'm not seeing a way around this. Can anyone prove me wrong? I don't think what I want to do is possible. I see no logical way to temporarily change the reg key needed to 0, add the printer, and then change back to 1. Anyone?


  2. Eirik Hamer 81 Reputation points
    2021-10-07T15:23:20.95+00:00

    As much as I love ConfigMgr, I prefer GPP for printer deployment... Any reason it has to be done by CM?


  3. Matt Dillon 1,211 Reputation points
    2021-10-04T14:18:26.237+00:00

    Ugh. Still messy. Now, after waiting over the weekend, the AppDiscovery.log no longer shows the error. I have to run the job twice before everything removes itself. Not good enough. Back to the drawing board. Seeing as Step 1 and Step 3 have opposite detection methods, this will be a bit more challenging than I had hoped if I want it to be secure.


  4. AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
    2021-10-04T05:47:15.47+00:00

    Hi,

    Firstly, if we use custom script detection methods, please check the table below for the logic Configuration Manager uses to determine whether an application is installed.

    Create applications in Configuration Manager
    https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications

    137304-sccm-script-detection-method.png

    Secondly, for the script you shared, it seems the break is not necessary (please correct me if I am wrong, since I'm unable to touch the real environment).

    foreach enumerates all the child keys; if break is used, only the first key, that is HKEY_USERS\.DEFAULT in my test, is processed.

    Test script (just to show how it works) for your information:

    ```powershell
    # Look For Registry Values that show East Copy Room Printer Installed
    New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
    # PSChildName gives the bare key name (SID or .DEFAULT); Name would carry the
    # "HKEY_USERS\" prefix and break the HK_USERS:\ path built below.
    $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty PSChildName)
    Foreach ($item in $RegUserValues)
    {
        "=====   " + $item + "   ====="
        $reg_path = "HK_USERS:\" + $item + "\Printers\ConvertUserDevModesCount"
        $Result = Get-ItemProperty -Path $reg_path -ErrorAction SilentlyContinue
        If ($null -ne $Result) # ",,SERVER,EastCopyRoom1"
        {
            $Result
            Write-Output "Success!!"
            #break    # with break, the loop stops at the first hive that matches
        }
        else
        {
        }
    }
    Remove-PSDrive -Name HK_USERS -Force
    ```

    screenshots from lab test

    registry hive
    137229-sccm-script-detection-method-00.png

    script result w/o break
    137240-sccm-script-detection-method-02.png

    script result w/ break
    137159-sccm-script-detection-method-01.png

    Alex
    If the response is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

  5. Rahul Jindal [MVP] 9,151 Reputation points MVP
    2021-10-02T05:45:56.423+00:00

    Maybe this can help. I set it up using Intune, but you can replicate it in ConfigMgr. intune-configure-printers-for-non.html

    2 people found this answer helpful.