SAURABH BANSAL: Are you in the
middle of your move to cloud? Have you thought about print? How will you move your
print servers to Azure? You don't need to. Let's talk about eliminating print servers using Universal Print. My name is Saurabh
Bansal, a program manager with the Universal
Print team at Microsoft. With me, I have my colleague Jimmy.

JIMMY WU: Thanks, Saurabh. Hi, everyone. My name is Jimmy Wu, and
I'm also a program manager on the same Universal Print team. In this session, we'll go over three core design principles of Universal Print, and how it can eliminate
on-premise infrastructures, such as your print servers. First is the security design. Second, how we streamline the deployment and printer management. Third, keeping the user's experience familiar with Windows 10. To get started, let me
paint this scenario for you. Imagine you're an IT admin waiting for a flight at the airport, or more realistically, being
stuck at home right now. You get an alert on your phone regarding some problem with your printer system. Immediately, you pop open your laptop and connect to check in what's going on, without even ever needing to worry about your Wi-Fi connection, or if it's VPN connected or not. "How is all of this possible?" you ask? We'll dive into this in this
session a little bit later. Let's first start with a quick overview of Universal Print's service. Universal Print is a cloud service built on Microsoft Azure, and your printers are
registered in your Azure tenant. As IT admins, you control who
has access to those printers and what printer
capabilities are available. Users then get the benefit of being able to discover the printers nearest to them, install them, and use them immediately, without ever having to worry
about any printer drivers. And you also have, as admins, access to print job reports that tell you who is the heaviest user
in your organization, or which printers are
being loaded the most. As mentioned, Universal Print
is built on Microsoft Azure. This means that Azure
AD is your one source of identity management. It also means that your print
jobs are stored securely on the cloud in the same storage service as your emails and SharePoint documents. By the way, wanting to deploy printers on your client's devices? Universal Print's got you covered as well, with Microsoft Endpoint Manager, or commonly known as Intune. And what if you need to
build your own web app or line of business application? With Universal Print, it is integrated with the broader Microsoft Graph API, such that you can retrieve printers, get printer statuses,
and submit print jobs, among other things. Now let's revisit the
scenario described earlier about being stuck at the airport. How can you be confident
that the connection from the laptop to
Universal Print is secure? Universal Print applies the Zero Trust security model to all connections, be it the client device or a printer. I won't go into depth about what Zero Trust network is in this session. But the basic idea is that all users and connections are untrusted. Access is granted dynamically per request, based on a common set of security rules. So, what does this mean
for Universal Print? As mentioned previously, printers are registered
with Azure Active Directory and are given an identity
similar to your user account. Each request, both for
clients or printers, is authenticated and
checked for permissions, regardless of which network
it was connected to, even over an airport Wi-Fi network. This means that printers
can now be isolated in their own network segment without ever having access
to your corporate network. This reduces the possibility of hacks to gain sensitive data
such as quarterly reports, tax information, customer
info, or even patent ideas, or to use a previously hacked printer to gain access to your company's network. And because of the
integration with Azure AD, Universal Print does not need
any on-premise infrastructure, such as Active Directory for user identity or print servers for
print queue management since everything is now in the cloud and managed within the cloud. The added benefit is that when you turn on
multifactor authentication or single sign-on in your tenant, it automatically applies to users connecting to Universal Print. As for printers, because they now have their own identity and access token, enforcing zero-trust access based on the printer's
identity is now possible. This removes the traditional tasks such as spoofing the printer's
MAC address or IP address to gain access to sensitive data. If we come back to a scenario of using Universal Print at the airport, the zero-trust security
model assumes all connections originate from untrusted networks. So what does this mean
for Universal Print? Universal Print enforces all connections coming from either client
devices or printers to be authenticated and authorized, and ensuring that the connection itself is encrypted using TLS 1.2. This means that even on
unsecure airport Wi-Fi networks, each connection to Universal Print is encrypted and secure. Additionally, one of the key benefits of Universal Print is that printers, be it Universal Print-ready
printers or a printer proxy through the Universal
Print's connector software, the printers are connected from behind the company's firewall out to Universal Print over port 443. This means that you don't
need any type of DMZ or opening up some form
of printer listening port or anything like that. So far, we have covered
securing the network connection in each individual network request. I want to reinforce that these
apply to end users, as well. Additionally, as administrators, you have the power to control end user access for each printer, be it you want to grant
everybody in your tenant access, or select users or even
select user groups. Universal Print offers
you that flexibility to meet your business needs. If you want to go one step further and ensure that your print administrators do not have the right to
other parts of the system, such as creating users, user groups, or managing applications
that your business needs, we've created a new role
called Print Administrator within Azure AD for this purpose. To sum up, Universal Print is designed from the ground up with security in mind, and all connections to Universal Print are encrypted using TLS 1.2. Permissions and validation are done at a per-connection and caller level, regardless of which network
the source came from, including printers. And now, I'll hand off
to my colleague Saurabh.

SAURABH BANSAL: Thanks, Jimmy. From security to ease of use, Universal Print makes the experience, be it of the print
administrator or print user intuitive and easy. How? Let's see. Universal Print is now
part of Microsoft 365 for users on Business Premium, Enterprise, and Education subscriptions. With public preview announcement in July, at no additional cost, customers can enable
Universal Print themselves. Microsoft 365 customers
can go to Purchase services under the Microsoft 365 admin portal and navigate to Universal Print add-on. This will enable 300,000 user licenses for one year with
Microsoft 365 subscription. In future, when Universal Print will GA and be included with Microsoft 365, then all corresponding
Microsoft 365 customers will automatically be enabled to find Universal Print
in their subscription. Once you have Universal Print, all printers that you register, be it Universal Print ready, be it connected to the connectors, or be it the single footprint queues, are visible, and can be managed through a single console in Azure portal. From here, you can share your printers, you can assign permissions,
manage defaults, or even view and cancel print jobs across your whole printer fleet. If you have repetitive tasks, you can use PowerShell
to script those tasks. This task can do jobs in bulk, as well, like sharing printers across
all your organization. What does an experience
look like for a print user? How hard is it to search and
add a Universal Print printer? Not at all. User experience to add a
printer on a Windows 10 device remains similar to other printers that they have been adding before. It's actually better. Printers are now shown in order based on the geolocation
and proximity to the user. Printers in the same building as the user will appear on top. There is no installation of print drivers. Yes, you heard it right. Universal Print works
without drivers on Windows. It uses industry standards IPP and Mopria to standardize printing. We hope that very soon there will be more platforms
and web applications that will be able to send print jobs to Universal Print directly. And again, they won't need any drivers. They will do so by using
the industry standards, IPP and Mopria. Universal Print integrates deep into the existing print
system on Windows 10. Printers are available
across all print dialogs, modern or traditional. Users can print using Universal
Print from any browser, modern Windows Store applications, Adobe, Office, or even old
Win32 apps like Notepad. Users would select Universal Print printer and corresponding print
options before clicking Print. Once a job is submitted, its status can be monitored
in the print queue, just like any other print
queue on Windows 10 device. Earlier, we mentioned
the airport scenario, where an admin can manage printers from anywhere securely without VPN. Even a user can print
securely without VPN, be it from airport or from home. Universal Print is a product which is supported from
Microsoft, even during preview. In other words, if you notice any issue or face a challenge while
deploying Universal Print, reach out to Microsoft Support by logging a support ticket
using Azure's Support Portal. Recently, we announced support for Microsoft Endpoint Manager. Organizations want to
automatically add printers to the Windows devices. Users expect printers
to come preconfigured on their Windows devices. They want to leave it to
their IT administrators to identify the best printers for them. Ability to preconfigure printers saves on help desk calls
about printer installation and gives IT departments more control. You can download the
printer provisioning tool from Microsoft Download Center, and then use this tool
with the Endpoint Manager to preprovision printers
on the users' devices. Let's do a quick demo on how the printer provisioning tool works. Welcome to the demo, where
we will deploy printers using Microsoft Endpoint Manager. First, download the Universal
Print provisioning tool from the Microsoft Download Center. Download contains three files. I've put them in a folder on my device. Let's check the folder. In the folder, I'll select the file with an extension intunewin. This is a Windows app Win32 package that needs to be deployed
on all Windows 10 machines where printers need to be provisioned. Package installs a lightweight
background service, which will detect and add printers. Let's go to the Endpoint
Manager to deploy this package. We are now in Endpoint
Manager under All apps. Let's click on Add. Under App type, let's
select Windows app, Win32. In step one under Select file, let's select the intunewin file that we downloaded from
the Download Center. For Publisher, which is a mandatory field, let's select Microsoft. All the other optional
fields in this wizard, I'm going to skip. You will notice that all
the important fields, like Install and Uninstall command, have been prepopulated. I'm going to leave them as it is. For Install behavior, it
is selected as System, since this tool needs to be
provisioned for all the devices that need to have the
printers preprovisioned, and it needs to be at a system level. I will leave the other
fields and click Next. Under Requirements, I'll
select Operating system as both 32 and 64 bit. And then, for Minimum operating system, I'll select Windows 10 1903, which is a prerequisite
for Universal Print. For Detection rules, let's go with manual and click on Add. Select the Rule type as MSI. Skip the Dependencies. Under Assignments, let's add the devices where the printer provisioning
tool needs to be provisioned. Let's click on Add group. I have created a device
group for this demo. I'm going to select that and click Next. You can review all your
settings and click on Create. The printer provisioning tool has been added to Endpoint Manager. Endpoint Manager will
then deploy this package across all the Windows 10 clients, which were selected in our device group. Once those devices are ready, you can add printers of your choice across all these Windows
10 client devices. Let's think about the printers that need to be preprovisioned on these devices. Let's go back to the downloaded files, where there is a .zip file,
which contains some samples. Let's unzip this file. Under the unzipped folder,
there are two files. One of the files is
printer.csv. Let's open it. This file has three columns, SharedId, SharedName, and IsDefault. The SharedId and
SharedName can be retrieved from the Universal Print
portal or the PowerShell. These are the details
which a printer will have, once it's shared for the users. Let's retain the header and clear the examples
from the sample file. Let's go to Universal
Print and get the printers that we desire to put in this file. In the Universal Print portal, we are on the Printers tab,
which lists all the printers. I will choose a printer which is already shared with the users and put that in the CSV file. I'll copy the Share Id and put it in the .csv file. Now I'll copy the shared
name of the same printer, and put it in the .csv file again. I'll also add one more printer. Copy the Shared ID, followed by the SharedName. I'll also mark the first
printer as a default printer. Now I'll close the
printers.csv and save it. Along with printers.csv, we have another file
called InstallPolicy.cmd. This is a command script
that'll be used to copy the printers.csv on Windows 10 clients in its appropriate folder. On the Command prompt, I'm altering the directory of the tool. And let's launch the IntuneWinAppUtil.exe. Under the source folder, let's get the folder where
both our InstallPolicy.cmd and printers.csv are stored. Under the Setup file, let's point to our InstallPolicy.cmd. For Output folder, let's enter a folder where we will want the
output to be stored. Since this folder does not exist, the tool asks for a confirmation. Let's say yes, and select
the catalog folder as no. The tool has now generated
the IntuneWinApp package. Let's go to our Explorer and check. We have the intunewin file that we need to deploy to all the users who need to have the
printers preprovisioned. Let's go to Endpoint Manager
to deploy this package. Under Endpoint Manager, we are
back to the Apps/All apps UI. We click on Add. Select app type as Win32 app. Under files, let's
select the intunewin file that we just created. It was InstallPolicy.intunewin. Under Publisher, I will
continue using Microsoft. For Install command, use
the InstallPolicy.cmd, with two parameters. The first parameter tells the utility to add printers.csv in the
user folder or a device folder. Since we will be adding
printers at a user level, I'm going to use the user level folder. Second parameter tells us whether we want to add the printers.csv, or we want to remove the printers.csv. For adding printers.csv, we use install. For uninstall command, we will use the exact same command with the second parameter as uninstall. Install behavior will be User, and then Device restart behavior
will be No specific action. Requirements will be both 32 and 64-bit with Windows 10 1903 as operating system. For detection rules, let's say, Manually configure detection
rules, click on Add. Since we are copying files, we'll select the Rule type as File. Path will be the user's specific folder where printers.csv is
expected to be copied. For File or folder, we
will choose printers.csv, and detection method will be selected as File or folder exists. We'll skip the Dependencies, and then the Assignments,
we'll select the users to whom the printers need
to be preprovisioned. Let's click on Add a group, and let's select our
sample group for this demo. We can review the settings
and then click on Create. Both our intunewin packages
are now in Endpoint Manager. Let's go to a Windows client and see how these printers get
installed automatically. I have a Windows 10 device on which I expect the
two intunewin packages to be installed and deploy printers. In Endpoint Manager, I
check that these two devices have those two packages installed. Let's go to the device. Logging into the device. First of all, I check that the Universal
Printer Provisioning Service has been installed. Next, I check if the printers.csv has been copied to the user's folder. The folder here is AppData, and I see there's a folder for UniversalPrintPrinterProvisioning
files. I look at the configuration, and there, we have the printers.csv. Let's now go to the printers
and see what's going on. Under the printers, I notice that there are two
printers that are installed, which are part of the printers.csv, and the first one has been set as default. That concludes my demo. Thank you so much. You can start deploying
Universal Print today. Universal Print is deployed globally across different Azure Data Centers, to serve the customers from
within the region they are in. We will continue to add more Data Centers as we march towards GA. Multiple partners have
announced collaboration with Universal Print to
support their solutions. Now, those solutions are real
and already in the market. Solutions that replace
Universal Print connector, or remove it altogether,
are now available. We now have printer updates that make some of the existing printers work directly with Universal Print. There are Follow-Me or pull print queues that leverage Universal Print
and can be enabled today. It's an exciting time. With a variety of solutions
to try from and choose from, it's time to get started. We invite you to extend your
interest in Universal Print. To learn more about Universal Print, set up a pilot and try it out. Setup is easy and quick. We have heard from our preview customers, it takes only a few minutes
to set it up and get going. We are listening. Once you have tried Universal
Print, provide your feedback, how you like it, what are your needs? Because we would want to evolve with your needs as a top priority. Thank you for your time today. To learn more, visit
the link on your screen. We will see you there.