Birds of Printer drivers

Birds of Printer drivers

Implementing adminless can be hard, especially when a user is accustomed to the possibility of installing printers on their own. To take away some of this trouble of introducing adminless, you can give your end-users the possibility to install printer drivers on their own.

Of course, Printix or Microsoft Universal Printer are better solutions when you have some “static” printers. But for the frontline workers, who suddenly may need to use a printer somewhere, this solution can come in handy.

First I want to show you how you can do this when having your old-fashioned GPO’s. You need to configure 2 options:

The first one you need to configure:

And the second one:

*Class = Printer {4658ee7e-f050-11d1-b6bd-00c04fa372a7}

*Class = PNPPrinters {4d36e979-e325-11ce-bfc1-08002be10318}

The full list of device classes available:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors?redirectedfrom=MSDN

But when going full cloud you want to configure these settings in Intune.  I tried to accomplish this by creating new device configuration profiles.

The first one is a Windows 10 Administrative Template. You will need to search for: Allow installation… And add the 2 classes as I showed you with the old-fashioned GPO’s.

But I am missing the option to disable: “Prevent users from installing printer drivers”? So the first thing that will come to mind, use group policy analytics! So I did…

As shown above, MDM support is 0%. That’s bad news. So I created a new PowerShell script to configure these settings:

$Regpath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses"

$RegAllowPath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions"

$name1 = "printer"
$value1 = "{4658ee7e-f050-11d1-b6bd-00c04fa372a7}"
$name2 = "PNPprinter"
$value2 ="{4d36e979-e325-11ce-bfc1-08002be10318}"
$name3="AllowUserDeviceClasses"
$value3 = 1

New-ItemProperty -Path $RegPath -Name $name1 -Value $value1 -PropertyType String | Out-Null
New-ItemProperty -Path $RegPath -Name $name2 -Value $value2 -PropertyType String | Out-Null
New-ItemProperty -Path $RegallowPath -Name $name3 -Value $value3 -PropertyType DWord | Out-Null

Or create a Intunewinapp like I did with a little more advanced PowerShell scripts. It contains the IntuneWinapp and a PowerShell script to deploy it to your tenant. (Don’t forget to change the source path).

https://call4cloud.nl/wp-content/uploads/2020/10/Windows10_AllowPrinterInstallation.zip

Now when you deploy the intunewinapp, go and install a new printer with a new fresh printer driver! As shown below, no UAC prompt!

Conclusion:

As I said before, you need to implement adminless! Almost none of your users need local admin permissions. Allowing users to install their own printers will create a small security breach in your fence. But by allowing it in this way you minimize the risks while greatly improving user freedom within their device.

Leave a Reply

Your email address will not be published. Required fields are marked *