Circumvent PrintNightmare issues using Ivanti Workspace Control

Since the whole PrintNightmare debacle started, lots of printer issues have been reported after installing the latest Windows Update. Printers connected through a print server used to automatically install and update drivers from that server onto the client. But these days only administrators are allowed to install printer drivers. Sure, you can disable that with a registry (policy) setting, but then your clients will be vulnerable. I’m going to show you a way to circumvent these printer issues without having to compromise security, using Ivanti Workspace Control.

In Workspace Control you can execute commands before or after other login actions. We’re going to take advantage of that. First open your Workspace Control console and go to Composition > Actions By Type > Execute Command and create a new command. Use these settings:

Administrative Note: Printer Security Off
Command line: REG ADD "HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v RestrictDriverInstallationToAdministrators /t REG_DWORD /d 0 /f
Run using Dynamic Privileges: Checked
Run hidden: Checked
Run once: No
Run task: At logon before other actions

(The /f switch makes REG ADD overwrite the existing value silently; without it the hidden command would wait for an overwrite confirmation on every logon after the first.)

This will disable the printer security before printers are connected, making it possible for the drivers to be installed or updated. Now all we have to do is enable the security again after the printers have been connected and the drivers are up to date. For this purpose I’ve created a small PowerShell script that waits until all connected printers are ready for action and then re-enables the printer security. So create another command with these settings:

Administrative Note: Printer Security On
Command line: PowerShell -ExecutionPolicy Bypass -File %SCRIPT%
Run using Dynamic Privileges: Checked
Run hidden: Checked
Run once: No
Run task: At logon after other actions
Script Tab
Extension: ps1
```powershell
# Wait until no connected printer still reports DriverUpdateNeeded (at most 3 minutes),
# then re-enable the PointAndPrint restriction. Runs with Dynamic Privileges.
$Start = Get-Date
Do
{
    $Printers = Get-Printer | Where-Object Type -eq Connection
    If ($Printers.PrinterStatus -contains 'DriverUpdateNeeded')
    {
        $Ready = $false
        Start-Sleep -Milliseconds 500
    }
    else
    {
        $Ready = $true
    }
    # Recalculated every pass, so the timeout is defined even on the first iteration
    $Elapsed = (Get-Date) - $Start
}
Until ($Ready -or $Elapsed.TotalMinutes -ge 3)
# Restriction back on: from here only administrators can install printer drivers
Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
```

Now when a user logs on, the PrintNightmare security is temporarily disabled until all printers have been connected and installed. You might think you’re done now (I sure did), but there’s a catch! If your Workspace Control environment is set to reconnect printers on Session Reconnect and/or Workspace Refresh, you’ll be right back where you started! Even if the drivers on the client are up to date, the “Do you trust this printer?” prompt will appear anyway. So we’ll need a third script to fix this situation. We can’t pull the same trick as before, because a command that runs at reconnect or refresh always runs after the printers are connected, so we can’t disable security before that happens. Instead we’ll create a new command with the following settings:

Administrative Note: Fix broken printers
Command line: PowerShell -ExecutionPolicy Bypass -File %SCRIPT%
Run using Dynamic Privileges: Checked
Run hidden: Checked
Run once: No
Run task: At refresh (or At reconnect session)
Script Tab
Extension: ps1
```powershell
# Reconnect printers that have the DriverUpdateNeeded status. Run with Dynamic Privileges.
$Printers = Get-Printer | Where-Object Type -eq Connection
$DriverNeeded = $Printers.Where({ $_.PrinterStatus -eq 'DriverUpdateNeeded' })
If ($DriverNeeded)
{
    foreach ($Printer in $DriverNeeded)
    {
        # Removing and re-adding the connection triggers a fresh driver install,
        # which succeeds because this script runs with Dynamic Privileges
        $Printer | Remove-Printer
        Add-Printer -ConnectionName $Printer.Name
    }
}
```

Now we’re done! This script finds out which of your connected printers have driver issues and reconnects them. Since it runs with Dynamic Privileges, the required drivers are installed without having to worry about the security setting. You may ask: why not use this script at logon as well? Well, if you have printers in your environment whose drivers are not yet available in the client’s image, those printers won’t be connected at all because the driver cannot be installed. The last script only works for connected printers that already have drivers installed.
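To check that the three commands actually leave a workstation in the intended end state (restriction back on, no connection printer still waiting for a driver), here is an added verification script; it is not part of the original post and not Ivanti’s tooling. It reads the same PointAndPrint policy key the commands write to, and additionally reports the companion values NoWarningNoElevationOnInstall and UpdatePromptSettings, since a 1 in either suppresses the Point and Print prompts that the restriction relies on.

```powershell
# Added verification script (not from the original post or from Ivanti).
# Run it in a user session after logon, or from a management tool, to confirm
# the logon sequence has restored the PointAndPrint restriction.
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PointAndPrintPolicy {
    # Returns the relevant policy values as a hashtable; absent values come back as $null
    $Values = @{}
    foreach ($Name in 'RestrictDriverInstallationToAdministrators',
                      'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $Values[$Name] = (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    return $Values
}

function Test-PrinterHardening {
    $Policy   = Get-PointAndPrintPolicy
    $Pending  = Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $_.PrinterStatus -eq 'DriverUpdateNeeded' }
    $Findings = @()

    # An absent value means the patched default (restricted), so only an explicit 0 is a finding.
    # A 0 found here after logon means the "Printer Security On" script never ran or timed out.
    if ($Policy.RestrictDriverInstallationToAdministrators -eq 0) {
        $Findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins can still install drivers'
    }
    # Companion Point and Print values; a 1 suppresses the driver warning/elevation prompts
    foreach ($Name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($Policy[$Name] -eq 1) { $Findings += "$Name is 1: Point and Print prompts are suppressed" }
    }
    # Printers still in DriverUpdateNeeded are the ones the refresh script would reconnect
    if ($Pending) {
        $Findings += "Printers still reporting DriverUpdateNeeded: $($Pending.Name -join ', ')"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($Findings.Count -eq 0)
        Policy       = $Policy
        Findings     = $Findings
    }
}

Test-PrinterHardening | Format-List
```

The object it returns can be collected centrally; any machine reporting Compliant = False with the first finding has an open driver-installation window that the logon script was supposed to close.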

I hope this helps you work around those pesky printer issues! Until next time.
