I came across a situation recently where a company was migrating from what I call traditional AD-joined/SCCM managed clients to Autopilot provisioned AAD-joined devices managed only by Intune. The main challenge of the migration was that these devices needed to work as seamlessly on the corporate network as the “old world” devices.
One particular issue was users trying to add network printers. In the old world a Group Policy could be used to configure Point & Print so that when a user added a printer from a trusted print server the drivers would install without requiring administrative rights. If this was not configured then the user would receive a prompt similar to the below if the drivers were not packaged in the correct (or Microsoft approved) way.
My first step was to see if I could configure P&P via a configuration profile. After digging around I found these settings did exist under Administrative Templates so this was a good start.
The problem I found was two-fold. The policy states the machine must be “domain-joined” and I am not sure if this was just a copy & paste job into Intune or whether it is actually relevant. The second issue I found was that if P&P restrictions were configured under Computer Configuration this would generate an error when deployed.
If I configured P&P under User Configuration I found the policy applied but seemingly had no effect with users still receiving UAC prompts. The conclusion was that this policy wasn’t particularly helpful in my quest to resolve the issue.
My quick and dirty fix was to create a .reg file with the below content which was then deployed to all devices. I chose to wrap it up using the PowerShell App Deploy Toolkit and ServiceUI.exe just because I like the control this toolkit offers but you could easily deploy by using a batch file or similar. Once deployed, standard users could then install network printers without issue.
reg import printkey.reg
REG FILE CONTENTS
Windows Registry Editor Version 5.00