How does Group Policy Printer Deployment mark printers as non-removable?

JRV 551 Reputation points
2022-07-06T20:27:04.357+00:00

BACK-STORY
Ever since PrintNightmare patches were installed last fall, Group Policy Printer Deployment (meaning "Deploy by Group Policy" in Print Management MMC, not Group Policy Preferences/Printers) (and which I'll call GPPD here) has not worked. That's not news...it's broken for everyone!

I've discovered that PowerShell is able to connect to and remove printers, including installing the drivers when run elevated, and also to map the printers with drivers thus added into the user session. Basically, the same PS commands have to run once while elevated to install the drivers, and then again as the non-elevated user to add the printer connections for the user.

So now I'm deep into a PowerShell script that more-or-less restores GPPD functionality by doing this with printers pushed to HKLM\SOFTWARE\Policies & HKCU\SOFTWARE\Policies by GPPD. And removes them when they're removed from GPPD. The script just has to be run after all GPPD GPOs have processed. I have proof-of-concept; now refining it.

I am intentionally avoiding the registry entries here--

kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872

--that re-enable point-and-print behavior (and GPPD) at the expense of disabling the PrintNightmare fixes.

SO, HERE'S THE QUESTION
There's one thing I've not been able to figure out how to duplicate with PowerShell: How are printers deployed with GPPD marked as non-removable in the GUI?

When I look in HKEY_CURRENT_USER\Printers\Connections, registry values for GPPD-deployed printers look no different than printers connected interactively by the user. So that's not it.

I also checked to see whether, if connected printer sharenames match what's in HKCU\SOFTWARE\Policies or HKLM\SOFTWARE\Policies, Windows would hide the Remove button. But if I push a printer by GPPD (so that the Policies registry entries exist, even though the printer itself is not connected), and then connect to the printer share manually, it's still removable.

The un-elevated user has Full Control over the registry keys in HKCU\Printers\Connections.

Anyone know how GPPD marks printers as non-removable?

Windows for business | Windows Server | User experience | Print jobs
Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Limitless Technology 39,926 Reputation points
    2022-07-11T14:06:21.457+00:00

    Hello JeffVandervoort

    There are 2 ways to prevent the deletion:

    Through GPO:
    Navigate to User Configuration –> Administrative Templates –> Control Panel –> Printers, and then double-click “Prevent deletion of printers” from the right panel ---> Set as "Enabled"

    Equivalent in Registry:
    Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Entry: “NoDeletePrinter”
    Value: "1" (No Delete)

    --------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

    1 person found this answer helpful.
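
Added example, not part of either answer: a read-only PowerShell check that reports whether the `NoDeletePrinter` value from the answer above is set for the current user, which printer connections exist under `HKCU\Printers\Connections`, and which identities hold an Allow entry with write access to the policy key. The function name `Get-PrinterDeletePolicyReport` is hypothetical, and the decoding of connection subkey names (`,,server,share`) is an assumption about how Windows stores per-user connections.

```powershell
# Added example (not from the thread). Read-only: it changes nothing.
function Get-PrinterDeletePolicyReport {
    [CmdletBinding()]
    param(
        # Both paths are the ones quoted in the thread.
        [string]$PolicyPath      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        [string]$ConnectionsPath = 'HKCU:\Printers\Connections'
    )

    # NoDeletePrinter = 1 is the registry form of "Prevent deletion of printers".
    $noDelete = $false
    if (Test-Path -Path $PolicyPath) {
        $props = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['NoDeletePrinter']) {
            $noDelete = ([int]$props.NoDeletePrinter -eq 1)
        }
    }

    # Assumption: each connection is a subkey named ",,server,share"
    # (commas stand in for the backslashes of the UNC path).
    $connections = @()
    if (Test-Path -Path $ConnectionsPath) {
        $connections = @(Get-ChildItem -Path $ConnectionsPath |
            ForEach-Object { $_.PSChildName -replace ',', '\' })
    }

    # Identities with an Allow ACE that includes SetValue on the policy key.
    # If the logged-on user is listed, that user can clear the value again.
    $writers = @()
    if (Test-Path -Path $PolicyPath) {
        $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
        $writers = @((Get-Acl -Path $PolicyPath).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           ($_.RegistryRights -band $setValue) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)
    }

    [pscustomobject]@{
        User              = "$env:USERDOMAIN\$env:USERNAME"
        NoDeletePrinter   = $noDelete
        PrinterConnection = $connections
        PolicyKeyWriters  = $writers
    }
}

Get-PrinterDeletePolicyReport | Format-List
```

Run it in the non-elevated user session, since both paths are under HKCU and an elevated prompt opened with different credentials reads a different hive.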

  2. Alan Morris 1,336 Reputation points
    2022-07-16T03:50:00.047+00:00

    There is a flag that is set by gpprn.dll when the connection to a share is created using Deploy Printers.

    There is absolutely no policy setting for not being able to delete Deployed Printers. That is absolutely by feature design. The user can't remove them. They will need to be pulled from the Deployed Printer policy to get removed from the client system.

    Yes, I used to test this feature when I worked at Microsoft.

