question

0 Votes
MattD-7613 asked EirikHamer answered

Printer Deployment using MEM/SCCM - Detection method Logic - I need help

I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.

After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:

  1. Run as Admin - Add reg key from article to allow non-admin printer installs using a powershell script with the detection method checking for the entry.

  2. Run as User - Run a PowerShell script - Add-Printer -ConnectionName "\\SERVER\Printer" with the detection method being Get-Printer -Name "\\SERVER\Printer"

  3. Run as Admin - Remove the reg key added in Step 1.

Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the get-printer command will not result in showing the printer is installed.

I tried the following script for detection, but it will not run:

 # Look For Registry Values that show East Copy Room Printer Installed
 New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
 # PSChildName gives the bare SID; Name would give "HKEY_USERS\<SID>", which does not resolve under HK_USERS:
 $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty PSChildName)
 Foreach ($item in $RegUserValues) {
     # Each network printer connection is a subkey of Printers\Connections, e.g. ",,SERVER,EastCopyRoom1"
     $Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
     If ($null -ne $Result) {
         Write-Output "Success!!"
         break
     }
 }
 Remove-PSDrive -Name HK_USERS -Force

EDIT: To clarify, by not run I mean that I get an error in the AppDiscovery.log that shows Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException

I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when then printer is not installed for my user.

Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that get generated when a network connection printer is installed and gets removed when the printer is removed.


Tags: mem-cm-general, mem-cm-application

0 Votes
Garth answered MattD-7613 commented

Why have a detection method at all? Why did you need to rerun the script if the printer is removed? What is your SLA for printer reinstalls?

I have ideas but it needs 3rd party tools.


Its an Application deployment which requires a Detection method unless you know something I don't know.

If an end user decides to remove the printer after it was installed and I use a manual registry entry as the detection method, unless the registry entry is removed as well, the printer will still show as installed.

Not interested in 3rd Party at this time.

I honestly was just looking for a registry entry or file entry that gets added/removed during install and removal of a printer.

My detection script that scours HKEY_USERS works when I run it as Admin, but fails during the SCCM deployment with a registry access error: In-line script returned error output: Get-ChildItem : Requested registry access is not allowed.

0 Votes

So it is NOT about inventorying them then.

Why not deploy it as a package/program, no detection method needed.

You might need two or three programs to "do it right" but it will work. If you assume three programs, you deploy the last one (remove reg key) to the computers and the prereq (chaining) will install the second (user setting) and first one (setting reg key).

  • Write one PowerShell script for each step and test them.

  • Create one package with all three scripts

  • Create one program for each script, make sure to set (chaining)

  • Deploy the last one to the computer.

  • Done


0 Votes

MattD-7613 replied to GarthJones-9654:

I contemplated using the Package method. I just really like the Application Model, but if I have to get these printers installed, that may be the only real solution. The scripts all work just fine. I'll let you know what I do.

0 Votes

1 Vote
RahulJindal-2267 answered MattD-7613 commented

Maybe this can help. I set it up using Intune, but you can replicate it in ConfigMgr. intune-configure-printers-for-non.html



Will take a look. Thanks.

0 Votes

0 Votes
AlexZhu-MSFT answered AlexZhu-MSFT commented

Hi,

Firstly, if we use custom script detection methods, please check the table below for the logic Configuration Manager uses to determine whether an application is installed.

Create applications in Configuration Manager
https://docs.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications

137304-sccm-script-detection-method.png


Secondly, for the script you shared, it seems the break is not necessary (Please correct me if I am wrong since I'm unable to touch the real environment)

foreach enumerates all the child keys; if break is used, only the first key, that is HKEY_USERS\.DEFAULT in my test, is processed.


test script (just show how it works) for your information

 # Look For Registry Values that show East Copy Room Printer Installed
 New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
 # PSChildName gives the bare key name (SID); Name would give "HKEY_USERS\<SID>", which does not resolve under HK_USERS:
 $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty PSChildName)
 Foreach ($item in $RegUserValues)
 {
    "=====   " + $item + "   ====="
    $reg_path = "HK_USERS:\" + $item + "\Printers\ConvertUserDevModesCount"
    $Result = Get-ItemProperty -Path $reg_path -ErrorAction SilentlyContinue
    If ($null -ne $Result)   # e.g. ",,SERVER,EastCopyRoom1"
         {
             $Result
             Write-Output "Success!!"
             #break
         }
    else
         {
         }
 }
 Remove-PSDrive -Name HK_USERS -Force


screenshots from lab test

registry hive
137229-sccm-script-detection-method-00.png

script result w/o break
137240-sccm-script-detection-method-02.png

script result w/ break
137159-sccm-script-detection-method-01.png

Alex
If the response is helpful, please click "Accept Answer" and upvote it.




Thanks for the very detailed reply, but the problem I am having is not with the "break" command in the script. The problem is that the $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name) will not run. I get this error in the AppDiscovery log file:

 In-line script returned error output: Get-ChildItem : Requested registry access is not allowed.
 At C:\WINDOWS\CCM\SystemTemp\5433e0cc-04dc-4aa2-8664-4eda7a23a2ce.ps1:3 char:19
 + $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object ...


For my environment - the network printer called EastCopyRoom1 will not be installed on the DEFAULT user. I can run my detection script on my test laptop as Administrator and it shows Success when the printer is installed and does not when I remove it from my user.

I guess I was looking for another place to show that the network connection printer is installed that could be easily detected. I love how easy the printer installs using PowerShell and would like to keep that part of my printer deployment, but that final step needs a second detection method other than the reg key has been removed.


0 Votes

Hi,

Thank you very much for the clarification. For the Get-ChildItem : Requested registry access is not allowed error, under which user context is the script run?

If run as administrator or in the SYSTEM account context, the permission is enough. When running as a common user (even if the user is an administrator), it will throw the error, and we can add -ea SilentlyContinue to hide the error message.

137573-sccm-script-detection-method-03.png

137520-sccm-script-detection-method-04.png

137591-sccm-script-detection-method-registry.png

Alex
If the response is helpful, please click "Accept Answer" and upvote it.


0 Votes

0 Votes
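The two symptoms in this thread (a detection script that works when run elevated but fails with "Requested registry access is not allowed" from AppDiscovery.log, and the need for a marker that appears when the connection is added and disappears when the user removes it) come down to which account runs the detection. Below is an added example of a ConfigMgr script detection method for a per-user network printer connection; it is not code from the original post or from Microsoft. It assumes a placeholder print server named SERVER and share EastCopyRoom1, and it relies on the fact that Windows records each per-user connection as a key named ",,<server>,<share>" under the user's Printers\Connections key, which is exactly the key the asker's own script was scanning.

```powershell
# Added example (not from the original thread): ConfigMgr application detection
# script for a per-user network printer connection that works in both contexts
# in which ConfigMgr can run detection.
#
# ConfigMgr rule for script detection: exit code 0 plus anything on STDOUT means
# "installed"; exit code 0 with nothing on STDOUT means "not installed".
# Detection runs as SYSTEM for a system-context deployment type and as the
# logged-on user for a user-context ("Install for user") deployment type.

$Server    = 'SERVER'          # assumption: placeholder print server
$ShareName = 'EastCopyRoom1'   # assumption: placeholder share name

# A per-user network printer connection is stored as the key
# <user hive>\Printers\Connections\,,<server>,<share>; it is created by
# Add-Printer -ConnectionName and deleted when the user removes the printer.
$ConnectionKeyName = ",,$Server,$ShareName"

function Test-PrinterConnection {
    param([Parameter(Mandatory)][string]$HivePath)   # provider path of a user hive
    $keyPath = "$HivePath\Printers\Connections\$ConnectionKeyName"
    return [bool](Test-Path -LiteralPath $keyPath)
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

if ($identity.User.Value -eq 'S-1-5-18') {
    # SYSTEM context: HKCU is the SYSTEM profile, so walk the loaded user hives
    # under HKEY_USERS instead. Enumerating HKEY_USERS needs SYSTEM or an
    # elevated admin; a plain user token gets "Requested registry access is not
    # allowed", which is the error seen in AppDiscovery.log.
    $serviceSids = @('.DEFAULT', 'S-1-5-18', 'S-1-5-19', 'S-1-5-20')
    $userHives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction Stop |
        Where-Object { $serviceSids -notcontains $_.PSChildName -and
                       $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        # $hive.Name is "HKEY_USERS\<SID>", so it needs the provider prefix,
        # not a PSDrive rooted at HKEY_USERS (that would double the hive name).
        if (Test-PrinterConnection -HivePath "Registry::$($hive.Name)") {
            Write-Output "Installed for $($hive.PSChildName)"
            exit 0
        }
    }
}
else {
    # User context: never touch HKEY_USERS; the user's own hive is HKCU and
    # needs no elevation to read.
    if (Test-PrinterConnection -HivePath 'Registry::HKEY_CURRENT_USER') {
        Write-Output "Installed for $($identity.Name)"
        exit 0
    }
}

# Fall through: nothing on STDOUT and exit 0, so ConfigMgr treats it as not installed.
exit 0
```

For the asker's step 2, which is deployed to run as the user, only the HKCU branch ever executes, so the HKEY_USERS enumeration that failed in the log is never attempted, and because the marker is the connection key itself, removing the printer makes the application show as not installed again without any extra file or registry flag. In SYSTEM context only the hives of users currently logged on are loaded under HKEY_USERS, so a user who is not signed in is not evaluated. One caveat for step 3: the override that KB5005652 describes (the RestrictDriverInstallationToAdministrators value under HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint set to 0) re-enables non-admin driver installation and so removes the CVE-2021-34481 mitigation, which means a step-3 detection should report "installed" only when that value is absent, otherwise any machine where step 3 never ran stays exposed.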
MattD-7613 answered

Ugh. Still messy. Now after waiting the weekend, the AppDiscovery.log no longer shows the error. I have to run the job twice before everything removes itself. Not good enough. Back to the drawing board. Seeing as Step 1 and Step 3 have opposite detection methods, this will be a bit more challenging than I had hoped if I want it to be secure.

0 Votes
EirikHamer answered

As much as I love ConfigMgr, I prefer GPP for printer deployment... Any reason it has to be done by CM?
