Printer Deployment using MEM/SCCM - Detection method Logic - I need help

Matt Dillon 1,211 Reputation points
2021-10-01T21:09:19.48+00:00

I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.

After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:

  1. Run as Admin - Add reg key from article to allow non-admin printer installs using a powershell script with the detection method checking for the entry.
  2. Run as User - Run a PowerShell script - Add-Printer -ConnectionName "\SERVER\Printer" with the detection method being Get-Printer -Name "\SERVER\Printer"
  3. Run as Admin - Remove the reg key added in Step 1.

Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the get-printer command will not result in showing the printer is installed.

I tried the following script for detection, but it will not run:

`# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)
Foreach ($item in $RegUserValues)
{

    $Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
    If ($Result -ne $null)    # ",,SERVER,EastCopyRoom1")
        {
        Write-Output "Success!!"
        break
        }
    else 
        {}

    }

Remove-PSDrive -Name * -Force`

EDIT: To clarify, by not run I mean that I get an error in the AppDiscovery.log that shows Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException

I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when then printer is not installed for my user.

Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that get generated when a network connection printer is installed and gets removed when the printer is removed.

Microsoft Configuration Manager Application
Microsoft Configuration Manager Application
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Application: A computer program designed to carry out a specific task other than one relating to the operation of the computer itself, typically to be used by end users.
469 questions
Microsoft Configuration Manager
0 comments No comments
{count} votes

6 answers

Sort by: Most helpful
  1. Rahul Jindal [MVP] 9,556 Reputation points MVP
    2021-10-02T05:45:56.423+00:00

    Maybe this can help. I set it up using Intune, but you can replicate it in ConfigMgr. intune-configure-printers-for-non.html

    2 people found this answer helpful.

  2. AlexZhu-MSFT 5,626 Reputation points Microsoft Vendor
    2021-10-04T05:47:15.47+00:00

    Hi,

    Firstly, if we use custom script detection methods, please check below table for the logic that the configuration manager determines if an application is installed.

    Create applications in Configuration Manager
    https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-applications

    137304-sccm-script-detection-method.png

    Secondly, for the script you shared, it seems the break is not necessary (Please correct me if I am wrong since I'm unable to touch the real environment)

    foreach enumerates all the child keys, if break is used, only the first key, that is HKEY_USERS.DEFAULT in my test, is executed.

    test script (just show how it works) for your information

    # Look For Registry Values that show East Copy Room Printer Installed  
    New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null  
    $RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS | Select-Object -ExpandProperty name)   
    Foreach ($item in $RegUserValues)   
    {   
       "=====   " + $item + "   ====="  
       $reg_path = "HK_USERS:\" + $item + "\Printers\ConvertUserDevModesCount"  
       $Result = Get-ItemProperty -path $reg_path -ErrorAction SilentlyContinue  
       If ($Result -ne $null) # ",,SERVER,EastCopyRoom1"  
    		{  
    			$Result  
    			Write-Output "Success!!"  
    			#break  
    		}  
       else  
    		{  
    		}  
    }  
    Remove-PSDrive -Name HK_USERS -Force  
      
    

    screenshots from lab test

    registry hive
    137229-sccm-script-detection-method-00.png

    script result w/o break
    137240-sccm-script-detection-method-02.png

    script result w/ break
    137159-sccm-script-detection-method-01.png

    Alex
    If the response is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

  3. Garth 5,801 Reputation points
    2021-10-02T00:07:53.67+00:00

    Why have a detection method at all? Why did you need to rerun the script if the printer is remove? What is you sla for printer reinstalls?

    I have ideas but it needs 3rd party tools.


  4. Matt Dillon 1,211 Reputation points
    2021-10-04T14:18:26.237+00:00

    Ugh. Still messy . Now after waiting the weekend, the AppDiscovery.log no longer shows the error. I have to run the job twice before everything removes itself. Not good enough. Back to the drawing board. Seeing as Step 1 and Step 3 have opposite detection methods, this will be a bit more challenging than I had hoped if I want it to be secure.

    0 comments No comments

  5. Eirik Hamer 81 Reputation points
    2021-10-07T15:23:20.95+00:00

    As much as I love ConfigMgr, I prefer GPP for printer deployment... Any reason it has to be done by CM?

    0 comments No comments