Printer Deployment using MEM/SCCM - Detection method Logic - I need help

Matt Dillon 437 Reputation points
2021-10-01T21:09:19.48+00:00

I am struggling with the logic needed to get Network Printers installed via SCCM with the latest patching requiring Admin Credentials.

After reading this: (https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872) I came up with a plan to run three Deployments in one:

  1. Run as Admin - Add the reg key from the article to allow non-admin printer installs, using a PowerShell script with the detection method checking for the entry.
  2. Run as User - Run a PowerShell script: `Add-Printer -ConnectionName "\\SERVER\Printer"`, with the detection method being `Get-Printer -Name "\\SERVER\Printer"`.
  3. Run as Admin - Remove the reg key added in Step 1.

Step 3 is where it has been tricky. It is essentially undoing the first step. This results in the Application thinking it is installed before it is even run. I thought maybe add a reg entry or a file, and while that works, it is messy. If the printer is uninstalled, that file or reg entry remains and will not rerun the script. I was looking for a universal registry entry or file that gets created when the printer is added, but that has proven difficult. Since the printer needs to be installed as a User, the `Get-Printer` command will not result in showing the printer is installed.

I tried the following script for detection, but it will not run:

```powershell
# Look For Registry Values that show East Copy Room Printer Installed
New-PSDrive -Name HK_USERS -PSProvider Registry -Root HKEY_USERS | Out-Null
# PSChildName gives the bare SID; the 'Name' property is the full HKEY_USERS\<SID> path,
# which would not resolve under the HK_USERS: drive. Skip hives that cannot be read
# instead of aborting on the first access-denied error.
$RegUserValues = (Get-ChildItem REGISTRY::HKEY_USERS -ErrorAction SilentlyContinue | Select-Object -ExpandProperty PSChildName)
Foreach ($item in $RegUserValues)
{
    # Each network printer connection is a subkey named like ",,SERVER,EastCopyRoom1"
    $Result = (Get-ItemProperty "HK_USERS:\$item\Printers\Connections\*" -ErrorAction SilentlyContinue | Select-Object PSChildName)
    If ($null -ne $Result)    # ",,SERVER,EastCopyRoom1"
    {
        Write-Output "Success!!"
        break
    }
}

Remove-PSDrive -Name HK_USERS -Force
```

EDIT: To clarify, by "not run" I mean that I get an error in the AppDiscovery.log that shows "Script Execution returned error message: Get-ChildItem: Requested Access is not allowed.....PermissionDenied (HKEY_USERS...SecurityException".

I can run the script as Admin on my laptop and it results in "Success!!" when I have the printer installed for my user and blank when the printer is not installed for my user.

Anyone have any thoughts on a different detection method here? Looking for a file or reg entry that gets generated when a network connection printer is installed and gets removed when the printer is removed.

Microsoft Security | Intune | Configuration Manager | Application
Microsoft Security | Intune | Configuration Manager | Other
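A detection script along the lines the question describes, written here as an added example (it is not the poster's code). It assumes ConfigMgr runs the detection as SYSTEM, which can read the loaded user hives under HKEY_USERS, and that a connection is stored as a subkey named `,,<server>,<printer>` as in the poster's comment; the server and share names are placeholders.

```powershell
# Added example: ConfigMgr script detection for a per-user network printer connection.
# Placeholder values: print server PRINTSRV, shared printer EastCopyRoom1.
param(
    [string]$Server  = 'PRINTSRV',
    [string]$Printer = 'EastCopyRoom1'
)

function Test-UserPrinterConnection {
    param([string]$Server, [string]$Printer)

    # Per-user connections are keyed as ",,<server>,<printer>" under
    # HKU\<SID>\Printers\Connections (same naming the question's comment shows).
    $keyName = ",,$Server,$Printer"

    # Only real user hives (domain/local accounts start with S-1-5-21-); skip the
    # *_Classes hives and built-in SIDs. -ErrorAction SilentlyContinue avoids the
    # "Requested Access is not allowed" abort seen in AppDiscovery.log when a hive
    # cannot be enumerated.
    $hives = Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }

    foreach ($hive in $hives) {
        $connKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Printers\Connections\$keyName"
        if (Test-Path -LiteralPath $connKey) {
            return $true
        }
    }
    return $false
}

if (Test-UserPrinterConnection -Server $Server -Printer $Printer) {
    # ConfigMgr treats a script detection that writes anything to stdout
    # (with exit code 0) as "installed"; writing nothing means "not installed".
    Write-Output 'Installed'
}
```

Only hives of users currently logged on are loaded under HKEY_USERS, so this reports the connection for the logged-on user the deployment targets, and the key disappears when that user removes the printer, which is the behaviour the question is after.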

6 answers

  1. Matt Dillon 437 Reputation points
    2022-05-31T15:36:53.43+00:00

    So I deployed this through SCCM as a package/program and it does work as intended. I deploy the first PowerShell script as an admin to add the required GPO to allow printer adds. I then run the second PowerShell script (with a requirement of having the first script run) as the user and the printers install as requested. The final script is run as an admin (with the second script as a requirement) and removes the reg key that allows the printer installs.

    I attempted to build this using the application method, but am still having an issue with the first and last scripts basically cancelling each other out. The secure setting has the reg key set to 0, which is a requirement for the second script to run. The last script changes the same key to 1 to secure the endpoint. However, since 0 is required for script 2, the setting changes back and forth endlessly. I only deploy the last script with 2 as a requirement, which has 1 as a requirement. I'm not seeing a way around this. Can anyone prove me wrong? I don't think what I want to do is possible. I see no logical way to temporarily change the reg key needed to 0, add the printer, and then change back to 1. Anyone?

