Birds of Printer drivers

This blog is going to show you 2 options you have when you want to make sure end-users without admin permissions can still install printer drivers when needed.

I am going to divide this blog into 5 parts:

  1. Introduction
  2. Option 1 Administrative Templates
  3. Option 2 PowerShell Script
  4. Option 3 Settings Catalog
  5. Conclusion

1. Introduction

Implementing adminless can be hard, especially when a user is accustomed to the possibility of installing printers on their own. To take away some of this trouble of introducing adminless, you can give your end-users the possibility to install printer drivers on their own.

Of course, Printix or Microsoft Universal Printer are way better solutions when you have some “static” printers. But for the frontline workers, who suddenly may need to use a printer somewhere, this solution can come in handy.

First, I want to show you how to do this with old-fashioned GPOs. You need to configure 2 options:

The first one you need to configure:

And the second one:

*Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

*Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}

The full list of device classes available:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors?redirectedfrom=MSDN

But when going full cloud you want to configure these settings in Intune.

Of course, you could also choose to push the printer and its drivers on your own. I wrote a blog on how to make sure the printer is installed on a device with its corresponding drivers and settings.

2. Administrative Templates

The first one is a Windows 10 Administrative Template. You will need to search for: Allow installation… And add the 2 classes as I showed you with the old-fashioned GPOs.

But the option to disable “Prevent users from installing printer drivers” is missing. So the first thing that comes to mind: use Group Policy analytics! So I did…

As shown above, MDM support is 0%. That’s bad news.

3. PowerShell Script

So I created a new PowerShell script to configure these settings:

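# Policy key that holds the list of allowed device setup classes
$RegPath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses"

# Parent key that holds the switch enabling that list
$RegAllowPath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions"

$name1 = "printer"
$value1 = "{4658ee7e-f050-11d1-b6bd-00c04fa372a7}"
$name2 = "PNPprinter"
$value2 = "{4d36e979-e325-11ce-bfc1-08002be10318}"
$name3 = "AllowUserDeviceClasses"
$value3 = 1

# New-ItemProperty fails when the key is missing, so create it (and its parents) first
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

# -Force overwrites existing values so the script can be run more than once
New-ItemProperty -Path $RegPath -Name $name1 -Value $value1 -PropertyType String -Force | Out-Null
New-ItemProperty -Path $RegPath -Name $name2 -Value $value2 -PropertyType String -Force | Out-Null
New-ItemProperty -Path $RegAllowPath -Name $name3 -Value $value3 -PropertyType DWord -Force | Out-Null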

Or create an Intunewin app, as I did, with a slightly more advanced PowerShell script. The download contains the Intunewin app and a PowerShell script to deploy it to your tenant. (Don’t forget to change the source path.)

https://call4cloud.nl/wp-content/uploads/2020/10/Windows10_AllowPrinterInstallation.zip

Now when you deploy the intunewinapp, go and install a new printer with a new fresh printer driver! As shown below, no UAC prompt!
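To confirm that a device received exactly these values and nothing broader, the audit script below can be run on the endpoint. It is an added example, not part of the original post or its download: the function name is hypothetical, the key paths and class GUIDs are the ones used above, and the exit-code handling assumes it is attached as the custom detection script of the Win32 app.

```powershell
# Added example: audit the driver-install policy values set by the script above.
# Key paths and class GUIDs come from this post; Test-PrinterDriverPolicy is a hypothetical name.
$RestrictionsKey = 'HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$ClassesKey      = Join-Path $RestrictionsKey 'AllowUserDeviceClasses'

# The only setup classes this post intends to open up to standard users
$Expected = @(
    '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}',  # Printer
    '{4d36e979-e325-11ce-bfc1-08002be10318}'   # PNPPrinters
)

function Test-PrinterDriverPolicy {
    # Is the policy switched on? (DWORD AllowUserDeviceClasses = 1)
    $enabled = (Get-ItemProperty -Path $RestrictionsKey -Name 'AllowUserDeviceClasses' `
                    -ErrorAction SilentlyContinue).AllowUserDeviceClasses

    # Collect every GUID listed under the subkey, whatever the value is named
    $configured = @()
    $key = Get-Item -Path $ClassesKey -ErrorAction SilentlyContinue
    if ($key) {
        $configured = @($key.GetValueNames() | Where-Object { $_ } |
            ForEach-Object { ([string]$key.GetValue($_)).ToLower() })
    }

    $missing = @($Expected | Where-Object { $_ -notin $configured })
    # Anything beyond the two printer classes widens what non-admins can install
    $extra   = @($configured | Where-Object { $_ -notin $Expected })

    [pscustomobject]@{
        Enabled   = ($enabled -eq 1)
        Missing   = $missing
        Extra     = $extra
        Compliant = ($enabled -eq 1 -and $missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

$result = Test-PrinterDriverPolicy
if ($result.Compliant) {
    Write-Output 'Printer driver policy present'   # STDOUT plus exit 0 = detected
    exit 0
}
# Warning stream only (no STDOUT) and a non-zero exit code = not detected
Write-Warning ("Enabled={0}; Missing={1}; Extra={2}" -f $result.Enabled,
    ($result.Missing -join ','), ($result.Extra -join ','))
exit 1
```

A non-empty Extra list means other device setup classes have also been opened up to standard users, which is worth reviewing before it is accepted as compliant.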

4. Settings Catalog (UPDATE 14-05-2021)

And there it is… “Prevent users from installing Printer drivers when connecting to shared printers” is now available from the Settings Catalog.

Now that all settings are available, let’s also add “Allow installation of devices using drivers that match these device setup classes”:

{4d36e979-e325-11ce-bfc1-08002be10318}
{4658ee7e-f050-11d1-b6bd-00c04fa372a7}

Conclusion:

As I said before, you need to implement adminless! Almost none of your users need local admin permissions. Allowing users to install their own printers will create a small security gap in your fence. But by allowing it in this way, you minimize the risks while greatly improving user freedom on their device.

If you want boys to respect you, show them you’re serious, Install Drivers, Print Something

You have got 3 options to implement this: a PowerShell script or the nice new Settings Catalog!

6 thoughts on “Birds of Printer drivers”

  1. Pingback: Company App: Unchained - Call4Cloud
  2. It seems support for “Prevent users from installing printer drivers” is now in the Settings catalogue (Preview)

  3. Hi,
    when I assign this policy, allow installation of …, to users or devices, the result is always Not Applicable. I use the right device ID classes. What is your experience?

    1. Hi,

      I just created the settings catalog in a test tenant to check out what's happening and if I am experiencing the same thing.
