Jun 15, 2020 • 5 minutes read

Allow non-administrators to install printer drivers with Intune

Hi all

This is my first blog post. I wanted one for quite a while but never actually got around to creating one. If it didn't happen during this COVID-19 period, it never would. I decided I would not use WordPress, Joomla, Drupal,... but use something Laravel based. Worst idea ever... I've lost my blog text multiple times, but I guess that's just part of the experience. Luckily my brother jumped in and created this blog site for me based on CraftCMS.

To end this intro I want to thank my friend Ebe for helping me troubleshoot the Laravel part and for poking me enough to create this, and of course my brother for setting this up for me.

So here we go... Enjoy!

Jelle Revyn

As more and more people work from home, and will work from home a lot more in the future, you can't take your (multifunction) printers with you. I would rather have people work paperless, but sometimes a printed copy is necessary.

So you will want your users to be able to use their home printer, or a printer you drop-shipped with a how-to guide, without putting too much pressure on the helpdesk. Even if you're not an administrator you can install printers, but you cannot put the driver in the driver store.

How can we achieve this? Well the code below is a "translation" of a well known GPO:
Allow non-administrators to install drivers for these device setup classes
You can find it under:
Computer Configuration ➡ Policies ➡ Administrative Templates ➡ System ➡ Driver Installation

I created a PowerShell script that sets the few registry keys that would get set if you used the GPO. I then packaged it as an .intunewin file so it could be used with Intune as a Win32 app. In our case this is actually a part (Intune dependency) of an app, but that is for another blog post.🥳

AFAIK this is the only way to set this policy as no configuration profile is available, not even a custom OMA-URI.
You can find the code at the end of the post. Instructions are provided in the comment section of the script, or you can follow the step-by-step guide in this post. You could also just download the .intunewin file or the .ps1 from my GitHub.

—————————————————————————————————————————————
1. Package as intunewin

Use the tool created by Microsoft to package the PowerShell script.
You can find it on Microsoft's GitHub account. If you want to know more, you should read the Microsoft Docs page about it.

Packaging the .ps1 file as .intunewin

2. Upload the file

Uploading the .intunewin file

3. Setting the install and uninstall command

- Install command: powershell -ex bypass -file AllowNon-AdministratorsToInstallPrinterDrivers.ps1
- Uninstall command: powershell -ex bypass -file AllowNon-AdministratorsToInstallPrinterDrivers.ps1 -uninstall

Setting the install and uninstall command

4. Setting the detection rules

- Rule type: Registry
- Key path: Computer\HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\ 
- Value name: printer
- Detection method: Value exists

Configuring the detection rules

5. Assign to your users

Assign to users

⭐If you are looking for a solution to install printers you should check out Ben Reader's blog:
Installing printers with Intune & PowerShell

⭐Follow me on Twitter and start a conversation.

<#
.SYNOPSIS
Enables users to install printer drivers on Azure AD joined devices
.DESCRIPTION
This powershell script was created to be uploaded as an Intunewin application in Intune.
Packaged with Microsoft Win32 Content Prep Tool and used with the parameters shown in the example below.

This is a translation of a well known GPO ("Allow non-administrators to install drivers for these device setup classes") under
"Computer Configuration -> Policies -> Administrative Templates -> System -> Driver Installation" to be used with intune.
AFAIK this is the only way to set this policy as no Configuration profile is available, not even a custom OMA-URI.
.EXAMPLE
Via intune Win32App
    Install command: powershell -ex bypass -file AllowNon-AdministratorsToInstallPrinterDrivers.ps1
    Uninstall command: powershell -ex bypass -file AllowNon-AdministratorsToInstallPrinterDrivers.ps1 -uninstall
Manually configure detection rules
    Detection rules:
        - Rule type: Registry
        - Key path: HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses\
        - Value name: printer
        - Detection method: Key exists
.NOTES
NAME: AllowNon-AdministratorsToInstallPrinterDrivers.ps1
VERSION: 1.1
DATE: 04.02.2020
AUTHOR: Jelle Revyn (jelle.revyn.xyz)
COAUTHOR: Bart Haevermaet
RELEASE NOTES:
    Version 1.0: Initial release
    Version 1.1: If path doesn't exist, create it, use of distinctive names.
LINKS:
https://theitbros.com/allow-non-admins-install-printer-drivers-via-gpo/
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors
DISCLAIMER
    The script is provided "AS IS" with no warranties
#>

PARAM(
    [Parameter(Mandatory=$false)]
        [switch]$uninstall
)

#Set the path
$newPath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions\AllowUserDeviceClasses"
$allowPath = "HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions"
#Property name
#Class = Printer
$name1 = "printer"
$value1 = "{4658ee7e-f050-11d1-b6bd-00c04fa372a7}"
#Class = PNPPrinters
$name2 = "PNPprinter"
$value2 ="{4d36e979-e325-11ce-bfc1-08002be10318}"
#AllowUserDeviceClasses
$name3="AllowUserDeviceClasses"
$value3 = 1

#Check if it's an uninstall or install
if($uninstall){
    Remove-ItemProperty -Path $newPath -Name $name1 -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $newPath -Name $name2 -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $allowPath -Name $name3 -Force -ErrorAction SilentlyContinue
}
else{
    #Check if both class values and the policy switch already exist
    $item1 = Get-ItemProperty -Path $newPath -Name $name1 -ErrorAction SilentlyContinue
    $item2 = Get-ItemProperty -Path $newPath -Name $name2 -ErrorAction SilentlyContinue
    $item3 = Get-ItemProperty -Path $allowPath -Name $name3 -ErrorAction SilentlyContinue
    if($item1 -And $item2 -And $item3){
        #DO NOTHING
    }
    else{
        #Check if path exists, if not create it
        if(!(Test-Path $newPath)){
            New-Item -Path $newPath -Force | Out-Null
        }
        #Create the properties; -Force overwrites a value that already exists instead of throwing
        New-ItemProperty -Path $newPath -Name $name1 -Value $value1 -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $newPath -Name $name2 -Value $value2 -PropertyType String -Force | Out-Null
        New-ItemProperty -Path $allowPath -Name $name3 -Value $value3 -PropertyType DWord -Force | Out-Null
    }
}
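
The registry rule in step 4 only checks that a value named printer exists. As an added example (not part of the original post or script), the following check verifies the whole policy state and flags any extra device setup class that standard users have been allowed to install. The function name and messages are assumptions; the paths and GUIDs come from the script above.

```powershell
# Added example, not part of the original script. Paths and GUIDs are copied
# from AllowNon-AdministratorsToInstallPrinterDrivers.ps1; the function name
# and output text are assumptions.
$restrictions = 'HKLM:\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions'
$classKey     = Join-Path $restrictions 'AllowUserDeviceClasses'

# Device setup classes the script allows: Printer and PNPPrinters.
$expected = @(
    '{4658ee7e-f050-11d1-b6bd-00c04fa372a7}',
    '{4d36e979-e325-11ce-bfc1-08002be10318}'
)

function Get-AllowedDeviceClassState {
    param([string]$RestrictionsPath, [string]$ClassKeyPath, [string[]]$Expected)

    # The DWORD that switches the policy on is a value on the parent key.
    $policy  = Get-ItemProperty -Path $RestrictionsPath -Name 'AllowUserDeviceClasses' -ErrorAction SilentlyContinue
    $enabled = $policy -and ($policy.AllowUserDeviceClasses -eq 1)

    # Each value under the subkey holds one allowed class GUID; value names are free-form.
    $configured = @()
    if (Test-Path $ClassKeyPath) {
        $key = Get-Item -Path $ClassKeyPath
        $configured = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    [pscustomobject]@{
        PolicyEnabled = [bool]$enabled
        Missing       = @($Expected   | Where-Object { $configured -notcontains $_ })
        Unexpected    = @($configured | Where-Object { $Expected   -notcontains $_ })
    }
}

$state = Get-AllowedDeviceClassState -RestrictionsPath $restrictions -ClassKeyPath $classKey -Expected $expected

if ($state.Unexpected.Count -gt 0) {
    # Anything beyond the two printer classes widens what standard users may install.
    Write-Warning ('Unexpected device classes allowed: ' + ($state.Unexpected -join ', '))
}

if ($state.PolicyEnabled -and $state.Missing.Count -eq 0 -and $state.Unexpected.Count -eq 0) {
    # Intune treats exit code 0 plus text on STDOUT as "detected".
    Write-Output 'Detected: only the Printer and PNPPrinters classes are allowed'
    exit 0
}
exit 1
```

Uploaded through the "Use a custom detection script" rules format, it takes the place of the registry rule; run by hand in an elevated or standard session, it works as a read-only audit of the same keys.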