What is zero-touch (or no-touch) deployment? It is the process of configuring devices and pushing updates out to the network from a central location. As the term implies, zero-touch configuration lets IT teams configure or modify hundreds or even thousands of devices remotely. In this case it is a zero-touch deployment of a printer to half a dozen workstations. I understand there are many different ways of doing it; Microsoft has supported this for a long time, and it was mostly done with .bat files and scripts. In an effort to modernize things, here is how you can do it using just your Active Directory. I do have some caveats that will need to be in place first. Also be aware that the Point and Print driver installation this relies on is exactly what PrintNightmare exploits. I will go through some mitigations that can be put in place; however, as always, you have convenience vs. security.
Here are some mitigation links you can read about for the PrintNightmare exploits (CVE-2021-34527; Microsoft's KB5005652 describes the changed Point and Print driver-installation defaults).
- You will need a print server, and it will have to be joined to your AD domain.
- You will need properly set up security groups in your AD.
- You will need your print server set up with the drivers installed and the printers configured for deployment.
On the print server I have everything patched as far as I can, and I have applied all the PrintNightmare mitigations short of disabling the Print Spooler service, which a print server obviously cannot do without. So on your print server you should have your printer shared with proper permissions. This is also where you set all the printer defaults your clients will inherit, like the default paper tray, duplex, etc.
In this case the printer's permissions grant the domain Administrators group, the local Administrators group, and the organizational security group that needs to print to the printer. Restricting Print to that one group is what keeps the share from being a domain-wide target; only the admin groups should hold Manage this printer and Manage documents.
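The server-side checks above, as an added example that is not part of the original post: it audits the Point and Print mitigation values, dumps who is in the printer's DACL, and sets the duplex and paper defaults that clients will inherit. The printer name "HP-Floor2", the group "CORP\Floor2-Printing" and the paper size are assumptions; run it from an elevated PowerShell session on the print server.

```powershell
# Added example (not from the original post). Assumed names: the shared
# printer "HP-Floor2" and the AD group "CORP\Floor2-Printing".
$PrinterName  = 'HP-Floor2'
$AllowedGroup = 'CORP\Floor2-Printing'
$findings     = @()

# 1. PrintNightmare mitigation state. After the August 2021 updates
#    RestrictDriverInstallationToAdministrators defaults to 1 even when the
#    value is absent, so only an explicit 0 is flagged. The two Point and Print
#    prompt values must both be 0 (warn and elevate) per Microsoft's guidance.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$v   = Get-ItemProperty -Path $pnp -ErrorAction SilentlyContinue
if ($v.RestrictDriverInstallationToAdministrators -eq 0) {
    $findings += 'RestrictDriverInstallationToAdministrators is 0: non-admins may install drivers (PrintNightmare precondition)'
}
if ($v.NoWarningNoElevationOnInstall -eq 1) {
    $findings += 'NoWarningNoElevationOnInstall is 1: Point and Print installs drivers without elevation'
}
if ($v.UpdatePromptSettings -ne $null -and $v.UpdatePromptSettings -ne 0) {
    $findings += "UpdatePromptSettings is $($v.UpdatePromptSettings): driver updates skip the elevation prompt"
}

# The spooler has to stay running on a print server; record the trade-off
# so it is visible in the report rather than silently accepted.
$spooler = Get-Service -Name Spooler
$findings += "Spooler service is $($spooler.Status) (required on a print server; disable it on servers that do not print)"

# 2. The share. -Full is what populates PermissionSDDL on the printer object.
$p = Get-Printer -Name $PrinterName -Full
if (-not $p.Shared) { $findings += "$PrinterName is not shared; clients cannot connect to it" }
"Share name : $($p.ShareName)"
"Driver     : $($p.DriverName)"
"SDDL       : $($p.PermissionSDDL)"

# Resolve every ACE in the DACL to an account so you can see who can print
# and who can manage. Everyone (S-1-1-0) with an allow ACE is usually wider
# than intended once the printer is scoped to one group.
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($p.PermissionSDDL)
foreach ($ace in $sd.DiscretionaryAcl) {
    $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
           catch { $ace.SecurityIdentifier.Value }
    '{0,-12} {1,-32} mask=0x{2:X}' -f $ace.AceType, $who, $ace.AccessMask
    if ($ace.SecurityIdentifier.Value -eq 'S-1-1-0' -and $ace.AceType -eq 'AccessAllowed') {
        $findings += "Everyone still has an allow ACE (mask 0x$('{0:X}' -f $ace.AccessMask)) on $PrinterName"
    }
}
$groupSid = (New-Object System.Security.Principal.NTAccount($AllowedGroup)).Translate([System.Security.Principal.SecurityIdentifier])
if (-not ($sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $groupSid })) {
    $findings += "$AllowedGroup has no ACE on $PrinterName; its members will not be able to print"
}

# 3. Defaults clients inherit from the server. Duplex and paper size are
#    exposed by Set-PrintConfiguration; tray selection lives in the driver's
#    PrintTicket and is changed through the driver UI, as the post describes.
Set-PrintConfiguration -PrinterName $PrinterName -DuplexingMode TwoSidedLongEdge -PaperSize Letter
Get-PrintConfiguration -PrinterName $PrinterName | Select-Object DuplexingMode, PaperSize, Collate

''
'Findings:'
$findings | ForEach-Object { " - $_" }
```

The registry reads deliberately treat an absent PointAndPrint key as the patched default rather than as a finding, so a freshly patched server with no policy applied reports clean; an explicit 0 or 1 written by an old GPO is what you are hunting for.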
Once a printer has been deployed with Group Policy, the GPO it was deployed to is listed in that printer's "Deploy with Group Policy..." dialog in Print Management.
Now on your domain controller, open the Group Policy object you deployed the printer to, in this case "Group That needs printer".
Edit the Group Policy "Group That needs printer" that we deployed our printers to from the print server. Under Policies -> Windows Settings -> Deployed Printers we should see the deployed printers for both Users and Computers, because that is where we deployed them. Note that this Deployed Printers entry and the Preferences item added next are two separate mechanisms: Deployed Printers only connects the printer, while the Preferences item is what can also set it as the default.
Now it is up to you how you want to install the printer. You can deploy it per user or per computer; in this case I am deploying it per user. If you want things to be more restrictive, deploying per computer (by location) is the way to go, because a per-user deployment follows the user: they will still get the printer if they log on to, say, a Remote Desktop server occasionally. In this case I do want that functionality, as it was requested and approved. In Group Policy go to User Configuration or Computer Configuration -> Preferences -> Control Panel Settings -> Printers.
To add a printer, right-click in Printers -> New -> Shared Printer (which is what I want in my case; you can also select a TCP/IP printer or a local printer).
Select your share path and fill out any options you need, such as the action (Create, Replace, Update, Delete). In this case I used Create, and ticked "Set this printer as the default printer". If the GPO is linked more broadly than the people who should get the printer, the Common tab's item-level targeting lets you scope the item to a security group or site.
The printer should deploy automatically through Group Policy at the next refresh or logon. In this case, users who were already logged in got the printer with the defaults. Tray 2's pickup was not working, so I disabled it in the driver and set Tray 3 as the default. The deployment went quickly and easily. Granted, PrintNightmare is still a problem, but we still need to use these printers, and we have applied all the PrintNightmare fixes we can, so users can keep using their printers.
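Verifying the deployment from a workstation, as an added example that is not part of the original post: it refreshes user policy, checks that the share arrived as a printer connection, that it became the default, that the server-side duplex/paper defaults were inherited, and, if anything is missing, pulls the Group Policy Printers extension events from the last ten minutes. The UNC path "\\printsrv01\HP-Floor2" is an assumption; run it in the user's own (non-elevated) session so HKCU is the right hive.

```powershell
# Added example (not from the original post). Assumed share path below.
$Expected = '\\printsrv01\HP-Floor2'
$ok = $true

# Pull fresh user policy; GPP Printers apply at logon and at refresh.
gpupdate /target:user /force | Out-Null

# Printers pushed to the user by policy show up with Type = Connection and
# their Name is the UNC path of the share.
$conn = Get-Printer | Where-Object { $_.Type -eq 'Connection' }
$conn | Select-Object Name, DriverName, PortName

if (-not ($conn.Name -contains $Expected)) {
    Write-Warning "$Expected was not installed as a connection"
    $ok = $false
}

# The default printer is the Win32_Printer instance with Default = True
# (the same information as HKCU\...\Windows\Device, already resolved).
$default = Get-CimInstance -ClassName Win32_Printer | Where-Object { $_.Default }
"Default printer: $($default.Name)"
if ($default.Name -ne $Expected) {
    Write-Warning "$Expected is not the default (check 'Set this printer as the default printer' on the GPP item)"
    $ok = $false
}

# Confirm the client inherited the defaults set on the server instead of
# falling back to the driver's own defaults.
if ($conn.Name -contains $Expected) {
    Get-PrintConfiguration -PrinterName $Expected | Select-Object DuplexingMode, PaperSize
}

# When nothing arrived, the Group Policy operational log records why the
# Printers extension failed (security filtering, share permission, bad path).
if (-not $ok) {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
        StartTime = (Get-Date).AddMinutes(-10)
    } | Where-Object { $_.Message -match 'Printers' } |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

A user who has the printer here but does not have it on the Remote Desktop host has hit the per-user vs. per-computer choice from earlier: the connection exists in their profile on each machine they log on to, so the check is the same on the RDS host, but the Point and Print driver install has to succeed there too, and that is where the spooler mitigations on the server will be exercised.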