Maybe this can help. I set it up using Intune, but you can replicate it in ConfigMgr. intune-configure-printers-for-non.html
Printer Deployment using MEM/SCCM - Detection method Logic - I need help
I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.
After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:
- Run as Admin - Add reg key from article to allow non-admin printer installs using a powershell script with the detection method checking for the entry.
- Run as User - Run a PowerShell script - `Add-Printer -ConnectionName "\\SERVER\Printer"` with the detection method being `Get-Printer -Name "\\SERVER\Printer"`
- Run as Admin - Remove the reg key added in Step 1.
Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the get-printer command will not result in showing the printer is installed.
I tried the following script for detection, but it will not run:
```powershell
# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)
Foreach ($item in $RegUserValues)
{
    $Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
    If ($Result -ne $null) # ",,SERVER,EastCopyRoom1")
    {
        Write-Output "Success!!"
        break
    }
    else
    {}
}
Remove-PSDrive -Name * -Force
```
EDIT: To clarify, by not run I mean that I get an error in the AppDiscovery.log that shows Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException
I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when the printer is not installed for my user.
Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that gets generated when a network connection printer is installed and gets removed when the printer is removed.
6 answers
AlexZhu-MSFT 5,551 Reputation points Microsoft Vendor
2021-10-04T05:47:15.47+00:00
Hi,
Firstly, if we use custom script detection methods, please check below table for the logic that the configuration manager determines if an application is installed.
Create applications in Configuration Manager
https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications
Secondly, for the script you shared, it seems the break is not necessary (Please correct me if I am wrong since I'm unable to touch the real environment)
foreach enumerates all the child keys, if break is used, only the first key, that is HKEY_USERS.DEFAULT in my test, is executed.
test script (just show how it works) for your information
```powershell
# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)
Foreach ($item in $RegUserValues)
{
    "===== " + $item + " ====="
    $reg_path = "HK_USERS:\" + $item + "\Printers\ConvertUserDevModesCount"
    $Result = Get-ItemProperty -path $reg_path -ErrorAction SilentlyContinue
    If ($Result -ne $null) # ",,SERVER,EastCopyRoom1"
    {
        $Result
        Write-Output "Success!!"
        #break
    }
    else
    {
    }
}
Remove-PSDrive -Name HK_USERS -Force
```
screenshots from lab test
registry hive
script result w/o break
script result w/ break
Alex
If the response is helpful, please click "Accept Answer" and upvote it. -
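A detection script for the per-user printer connection discussed in this thread, as an added example that is not code from any of the posters. It assumes the deployment type evaluates detection in the logged-on user's context, uses the placeholder `\\SERVER\EastCopyRoom1`, and relies on the `Printers\Connections` key the question's script reads; the function names are hypothetical.

```powershell
# Added example (not from the thread). '\\SERVER\EastCopyRoom1' is a placeholder.
$ConnectionName = '\\SERVER\EastCopyRoom1'

function ConvertTo-ConnectionKeyName {
    param([Parameter(Mandatory)][string]$UncPath)
    if ($UncPath -notmatch '^\\\\[^\\]+\\[^\\]+$') {
        throw "Expected \\server\share, got '$UncPath'"
    }
    # \\SERVER\Share is stored as a registry key named ,,SERVER,Share
    $UncPath.Replace('\', ',')
}

function Get-HiveRootsToCheck {
    $me = [Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $me.IsSystem) {
        # User context: read only the caller's own hive, so HKEY_USERS is
        # never enumerated and no admin rights are needed.
        return @('HKCU:')
    }
    # SYSTEM context: walk loaded user hives by SID, skipping .DEFAULT,
    # service accounts and the *_Classes hives.
    Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
}

function Test-PrinterConnection {
    param([Parameter(Mandatory)][string]$UncPath)
    $keyName = ConvertTo-ConnectionKeyName -UncPath $UncPath
    foreach ($root in (Get-HiveRootsToCheck)) {
        # -LiteralPath so the commas and any wildcard characters are taken as-is
        if (Test-Path -LiteralPath "$root\Printers\Connections\$keyName") {
            return $true
        }
    }
    return $false
}

# ConfigMgr script detection: output on STDOUT with exit code 0 means "installed";
# no output with exit code 0 means "not installed".
if (Test-PrinterConnection -UncPath $ConnectionName) {
    Write-Output "Installed: $ConnectionName"
}
exit 0
```

Because the key under `Printers\Connections` is removed when the user removes the connection, the result follows the printer itself rather than a marker file or marker registry value.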
Garth 5,801 Reputation points
2021-10-02T00:07:53.67+00:00
Why have a detection method at all? Why did you need to rerun the script if the printer is removed? What is your SLA for printer reinstalls?
I have ideas but it needs 3rd party tools.
-
Matt Dillon 1,211 Reputation points
2021-10-04T14:18:26.237+00:00
Ugh. Still messy. Now after waiting the weekend, the AppDiscovery.log no longer shows the error. I have to run the job twice before everything removes itself. Not good enough. Back to the drawing board. Seeing as Step 1 and Step 3 have opposite detection methods, this will be a bit more challenging than I had hoped if I want it to be secure.
-
Eirik Hamer 81 Reputation points
2021-10-07T15:23:20.95+00:00
As much as I love ConfigMgr, I prefer GPP for printer deployment... Any reason it has to be done by CM?