We’d like to make it possible for BYOD devices to install a shared printer via the company portal.
We’ve created a PowerShell script that:
Checks whether the printer is installed
If so, ends the script
Checks whether the AD user account ID (user/pwd) is present in the Windows Password Manager for connection to the print server share
If not, a login window is displayed
Credentials are saved
Connect to print server share
Install printer
# Variables
$PrinterPath      = "\\printserver.domain.lan\FOLLOWME-PRN"
$NetworkPath      = "\\printserver.domain.lan"
$CredentialTarget = "printserver.domain.lan"

# Check printer presence
$PrinterInstalled = Get-Printer | Where-Object { $_.Name -like "*FOLLOWME-PRN*" }
if ($PrinterInstalled) {
    Write-Host "Printer is already installed." -ForegroundColor Green
    exit 0
}

# Check whether a credential is registered in the Windows Credential Manager for CredentialTarget
Write-Host "Checking Windows Credential Manager..."
$StoredCredential = cmdkey /list | Select-String -Pattern $CredentialTarget
if (-not $StoredCredential) {
    Write-Host "Credential not found. Please provide your login for $NetworkPath."
    $Credential = Get-Credential -Message "Login"
    if (-not $Credential) {
        # Get-Credential returns $null when the user cancels the dialog
        Write-Host "No credential entered; aborting." -ForegroundColor Yellow
        exit 1
    }
    $Username = $Credential.UserName
    $Password = $Credential.GetNetworkCredential().Password
    # Save the credentials in the Credential Manager.
    # Note: cmdkey takes the password on its command line, so it is visible to
    # process-creation logging (event 4688 with command-line auditing, Sysmon event 1).
    cmdkey /add:$CredentialTarget /user:$Username /pass:$Password | Out-Null
    Write-Host "Credential saved." -ForegroundColor Green
} else {
    Write-Host "Credential already present." -ForegroundColor Cyan
}

# Connect to the share; SMB authenticates with the stored credential (no Invoke-Expression needed)
net use $NetworkPath | Out-Null

# Add printer (-ErrorAction Stop turns the cmdlet's non-terminating error into one the catch block sees)
try {
    Add-Printer -ConnectionName $PrinterPath -ErrorAction Stop
    Write-Host "The printer has been successfully added." -ForegroundColor Green
} catch {
    Write-Host "An error occurred during printer installation: $_" -ForegroundColor Red
    net use $NetworkPath /delete 2>$null | Out-Null
    exit 2
}

# Disconnect from share
net use $NetworkPath /delete 2>$null | Out-Null
exit 0
If I run this script on the device, everything works as expected.
Unfortunately, in Intune, it is not possible to make this script available in the corporate portal in a “User” execution context. The application simply doesn’t appear.
Microsoft has confirmed that for Personal devices, this execution context is not supported by the Company Portal.
In SYSTEM context, the application is available but doesn’t work because there’s no interaction with the user.
I’ve made various attempts with PSADT and/or serviceui.
With serviceui I get interaction with the logged-in user’s session but, as the script still runs in SYSTEM, the credentials are saved in the SYSTEM profile.
Is there a solution for what we want to do?
I am desperate :-/
You might try Execute-ProcessAsUser · PSAppDeployToolkit: create a PSADT package that runs as SYSTEM and executes your PowerShell script as the user through Execute-ProcessAsUser.
Disclaimer: This is not something I have tested myself.
The suggestion from @JFP seems worth a try, I feel your pain as Printing in the modern world has more and more downsides when using ‘legacy’ / Point and Print printing:
Security - “Print Nightmare” (grab a drink to read this one - A Practical Guide to PrintNightmare in 2024 | itm4n's blog). The suggestion is to transition away from traditional Point and Print drivers to Universal Print (although implementing this has its challenges too).
Intune and BYOD - Intune has its setup issues for printing from BYOD devices too; I guess that’s why you’re having issues?
N.B. A number of 3rd Party BYOD printing solutions have appeared to try and ‘solve’ this, here are a couple although not all are directly for Intune
Yes, I know…
I have already explored the alternatives you mentioned.
I agree with you. We should change the way we manage printing, but right now, it is not an option.
The problem is that we urgently need to find a solution for this need by being able to distribute a script that runs in the context of the user logged in locally (students’ laptops for example).
If I understand correctly, this should work?
If deploying a system-wide app via Intune, no such option is available. It is recommended to use ServiceUI.exe to make the deployment process visible to the user using this helper script: Invoke-ServiceUI.ps1
Yes, in theory, but you probably still also need to ensure the device has been user enrolled into your Intune tenant, so you ‘can’ manage and install things on the device - I’d hazard a guess that without this, you don’t have the rights to.
The behavior is as follows on the client workstation after clicking on the app in the company portal:
The PSADT Welcome window is displayed (Show-ADTInstallationWelcome).
When we confirm the installation in this window, our script is executed. This script runs the PowerShell .ps1 file containing “Get-Credential”.
At the same time, the PSADT installation progress window appears for a few seconds and disappears to make way for the installation completion window.
Our problem is that PSADT does not wait for the process launched by Start-ADTProcessAsUser to complete and the user does not have time to enter the login information.
If I move the execution of our script (Start-ADTProcessAsUser) before the Show-ADTInstallationWelcome message, it runs correctly as a child process and gives the user time to enter the information because the installation launch window waits for the user to click Install before continuing the process.
Is it possible to run our script and have PSADT wait for the launched process to complete before PSADT continues its sequence?
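Added example, not code from the thread and not code from the PSAppDeployToolkit project: the Install phase of a PSADT v4 package that runs as SYSTEM (the only context Company Portal offers on a personal device), shows the welcome dialog, then launches the credential/printer script in the logged-on user's session and blocks until that process has exited, so the user has time to answer Get-Credential and the saved credential lands in that user's Credential Manager rather than SYSTEM's. Assumptions, all of which should be checked against your installed build with Get-Help Start-ADTProcessAsUser -Full: PSADT 4.0.x, whose Start-ADTProcessAsUser takes a -Wait switch (later builds wait by default and expose -NoWait instead) and, like Start-ADTProcess, raises a terminating error when the exit code is not in -SuccessExitCodes; the user-context script ships in the package as Files\Install-FollowMePrinter.ps1 and uses the exit-code convention 0 = installed, 1 = user cancelled the prompt, 2 = Add-Printer failed (that convention is this example's, not PSADT's); and the function below replaces the Install-ADTDeployment stub of the v4 Invoke-AppDeployToolkit.ps1 template, which opens $adtSession before calling it.

```powershell
# Install-ADTDeployment for a PSADT 4.0.x package (example code, see lead-in).
# Runs under SYSTEM; the printer script itself runs in the console user's session.
function Install-ADTDeployment
{
    [CmdletBinding()]
    param ()

    ## Pre-installation: this dialog blocks until the user clicks Install (or Defer).
    ## That blocking is why launching the script *before* it appeared to work.
    Show-ADTInstallationWelcome -AllowDefer -DeferTimes 3

    # Assumed location: the script is shipped in the package's Files folder.
    $userScript = Join-Path -Path $adtSession.DirFiles -ChildPath 'Install-FollowMePrinter.ps1'
    if (-not (Test-Path -LiteralPath $userScript))
    {
        throw "User-context script not found: $userScript"
    }

    ## Installation.
    ## Deliberately no Show-ADTInstallationProgress here: that window would sit on
    ## top of the user's credential dialog, and its close would race the user script.
    $powershell = Join-Path -Path $env:SystemRoot -ChildPath 'System32\WindowsPowerShell\v1.0\powershell.exe'
    $arguments  = "-NoProfile -ExecutionPolicy Bypass -File `"$userScript`""

    try
    {
        # -Wait (assumed for 4.0.x) keeps this SYSTEM process blocked until the
        # user-session powershell.exe exits, so the completion window only appears
        # after Get-Credential / cmdkey / Add-Printer have finished in the user's
        # own token. Only exit code 0 counts as success; 1 and 2 surface as errors.
        Start-ADTProcessAsUser -FilePath $powershell -ArgumentList $arguments -Wait -SuccessExitCodes 0
        Write-ADTLogEntry -Message 'FollowMe printer installed in the user session.'
    }
    catch
    {
        # Non-success exit code (user cancelled, or Add-Printer failed) or the
        # process could not be started in the user session at all.
        Write-ADTLogEntry -Message "User-context printer script failed: $($_.Exception.Message)" -Severity 3
        Show-ADTInstallationPrompt -Message 'The printer could not be installed. Open the app again in Company Portal to retry.' -ButtonRightText 'OK' -Icon Error
        # Re-throw so the deployment is reported as failed to Company Portal.
        throw
    }

    ## Post-installation: nothing to do; the user script already disconnected the share.
}
```

Because both Show-ADTInstallationWelcome and the waited Start-ADTProcessAsUser call block, the sequence is strictly welcome dialog, user script, completion window. The credential prompt runs with the user's token, so cmdkey writes the entry into that user's Credential Manager, where it is DPAPI-protected with the user's key and usable by their later print jobs; that is exactly what the SYSTEM-plus-ServiceUI attempt could not achieve, since ServiceUI only moves the window, not the token.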