This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.
After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:
Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the get-printer command will not result in showing the printer is installed.
I tried the following script for detection, but it will not run:
`# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)
Foreach ($item in $RegUserValues)
{
$Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
If ($Result -ne $null) # ",,SERVER,EastCopyRoom1")
{
Write-Output "Success!!"
break
}
else
{}
}
Remove-PSDrive -Name * -Force`
EDIT: To clarify, by not run I mean that I get an error in the AppDiscovery.log that shows Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException
I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when then printer is not installed for my user.
Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that get generated when a network connection printer is installed and gets removed when the printer is removed.
Maybe this can help. I set it up using Intune, but you can replicate it in ConfigMgr. intune-configure-printers-for-non.html
Will take a look. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 66%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAM%3C/text%3E%3C/svg%3E)
Hi,
Firstly, if we use custom script detection methods, please check below table for the logic that the configuration manager determines if an application is installed.
Create applications in Configuration Manager
https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications
Secondly, for the script you shared, it seems the break is not necessary (Please correct me if I am wrong since I'm unable to touch the real environment)
foreach enumerates all the child keys, if break is used, only the first key, that is HKEY_USERS.DEFAULT in my test, is executed.
test script (just show how it works) for your information
# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)
Foreach ($item in $RegUserValues)
{
"===== " + $item + " ====="
$reg_path = "HK_USERS:\" + $item + "\Printers\ConvertUserDevModesCount"
$Result = Get-ItemProperty -path $reg_path -ErrorAction SilentlyContinue
If ($Result -ne $null) # ",,SERVER,EastCopyRoom1"
{
$Result
Write-Output "Success!!"
#break
}
else
{
}
}
Remove-PSDrive -Name HK_USERS -Force
screenshots from lab test
registry hive
script result w/o break
script result w/ break
Alex
If the response is helpful, please click "Accept Answer" and upvote it.
Thanks for the very detailed reply, but the problem I am having is not with the "break" command in the script. The problem is that the $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name) will not run. I get this error in the AppDiscovery log file:
***In-line script returned error output: Get-ChildItem : Requested registry access is not allowed.
At C:\WINDOWS\CCM\SystemTemp\5433e0cc-04dc-4aa2-8664-4eda7a23a2ce.ps1:3 char:19
For my environment - the network printer called EastCopyRoom1 will not be installed on the DEFAULT user. I can run my detection script on my test laptop as Administrator and it shows Success when the printer is installed and does not when I remove it from my user.
I guess I was looking for another place to show that the network connection printer is installed that could be easily detected. I love how easy the printer installs using PowerShell and would like to keep that part of my printer deployment, but that final step needs a second detection method other than the reg key has been removed.
Hi,
Thank you very much for the clarification. For the Get-ChildItem : Requested registry access is not allowed error, which user context the script is run under?
If run as administrator or with SYSTEM acount context, the permission is enough. While running with common user (even if the user is administrator), it will will throw the error and we can add -ea silentlycontinue to hide the error message
Alex
If the response is helpful, please click "Accept Answer" and upvote it.
Why have a detection method at all? Why did you need to rerun the script if the printer is remove? What is you sla for printer reinstalls?
I have ideas but it needs 3rd party tools.
Its an Application deployment which requires a Detection method unless you know something I don't know.
If an end user decides to remove the printer after it was installed and I use a manual registry entry as the detection method, unless the registry entry is removed as well, the printer will still show as installed.
Not interested in 3rd Party at this time.
I honestly was just looking for a registry entry or file entry that gets added/removed during install and removal of a printer.
By detection script that scours HKEY_USERS works when I run it as Admin, but fails during the SCCM deployment with a registry access error: In-line script returned error output: Get-ChildItem : Requested registry access is not allowed.
So it is NOT about inventoring them then.
Why not deploy it as a package/program, no detection method needed.
You might need two or three programs to "do it right" but it will work. If you assume three programs, you deploy the last one (remove reg key) to the computers and the prereq (chaining) will install the second (user setting) and first one (setting reg key).
I contemplated using the Package method. I just really like the Application Model, but if I have to get these printers installed, that may be the only real solution. The scripts all work just fine. I'll let you know what I do.
Ugh. Still messy . Now after waiting the weekend, the AppDiscovery.log no longer shows the error. I have to run the job twice before everything removes itself. Not good enough. Back to the drawing board. Seeing as Step 1 and Step 3 have opposite detection methods, this will be a bit more challenging than I had hoped if I want it to be secure.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 26%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEH%3C/text%3E%3C/svg%3E)
As much as I love ConfigMgr, I prefer GPP for printer deployment... Any reason it has to be done by CM?