Universal Print – Admin Overview

How Strategic Systems connects the Ohio HQ printer to Microsoft Universal Print using an Azure Windows Server VM, site‑to‑site VPN, and Intune printer provisioning.

Overview

This document explains how Strategic Systems publishes the HQ office printer via Microsoft Universal Print using an Azure‑hosted Windows Server VM and Intune.

End result: any Intune‑managed laptop automatically receives the HQ Universal Print queue and can print to the HQ printer from anywhere.

High‑level flow:
Azure VM (UP-connector) → Site‑to‑site VPN → HQ printer → Universal Print service → Intune‑managed laptops


Architecture Summary

  • Azure VM: UP-connector (Windows Server) running the Universal Print connector.
  • Azure networking:
    • Virtual network: vnet-up (172.18.0.0/16)
    • Subnets:
      • default – hosts the UP-connector VM
      • GatewaySubnet – dedicated to the VPN gateway
    • VPN gateway: OfficeVPNGateway with a public IP assigned by Azure.
  • On‑prem network (HQ office):
    • Public IP (firewall): 162.213.12.98
    • Printer subnet: 192.168.168.0/24
    • Printer IP: 192.168.168.153
  • VPN:
    • Site‑to‑site IPsec tunnel between OfficeVPNGateway and the HQ firewall.
    • Local network gateway in Azure represents 162.213.12.98 / 192.168.168.0/24.
  • Universal Print:
    • Universal Print connector installed on UP-connector.
    • Printer registered and shared via Universal Print.
  • Intune:
    • Settings Catalog profile (“Universal Printers”) using Printer Provisioning.
    • Deployed to SG-Sec-IntuneDevices (all Intune‑managed laptops).

Step 1 – Azure VM and VNet

1.1 Create VNet and subnets

  1. Create VNet vnet-up in the rg-up-connector resource group:
    • Address space: 172.18.0.0/16.
  2. Create subnets:
    • default – 172.18.0.0/24 (VMs).
    • GatewaySubnet – 172.18.1.0/27 (must be named exactly GatewaySubnet for the VPN gateway).

1.2 Provision UP-connector VM

  1. Create Windows Server VM UP-connector in rg-up-connector:
    • Network: vnet-up, subnet default.
    • Static private IP recommended.
  2. Harden basics:
    • Enable Windows Update.
    • Disable sleep/hibernate.
    • Restrict RDP access via NSG / Just‑in‑Time as appropriate.

Step 2 – Azure VPN Gateway and Site‑to‑Site Tunnel

2.1 Create VPN gateway

  1. Create Virtual network gateway OfficeVPNGateway in rg-up-connector:
    • Gateway type: VPN (route‑based).
    • Virtual network: vnet-up.
    • Subnet: GatewaySubnet.
    • Public IP: new, e.g., vpngw-up.
    • Active‑active: Disabled (single public IP).
  2. Wait for deployment to complete (20–45 minutes).
    Note the public IP of OfficeVPNGateway (e.g., 20.75.247.62).

2.2 Create Local Network Gateway

  1. Create Local network gateway lng-office-hq in rg-up-connector:
    • IP address: 162.213.12.98 (HQ firewall public IP).
    • Address space: 192.168.168.0/24 (office LAN containing the printer).

2.3 Create Azure VPN connection

  1. On OfficeVPNGateway → Connections → Add:
    • Name: conn-office-hq.
    • Connection type: Site-to-site (IPsec).
    • Virtual network gateway: OfficeVPNGateway.
    • Local network gateway: lng-office-hq.
    • Shared key (PSK): strong secret (stored in Strategic Systems password manager).
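The Azure side of Steps 1.1 and 2.1–2.3 can be built from Az PowerShell instead of the portal. The following is an added example, not part of the Strategic Systems runbook: resource names and address ranges are the ones in this document, while the region, the public IP SKU and the gateway SKU (VpnGw1) are assumptions to adjust to the actual subscription.

```powershell
# Added example (not from the runbook): builds vnet-up, OfficeVPNGateway,
# lng-office-hq and conn-office-hq with Az PowerShell.
# Requires: Install-Module Az ; Connect-AzAccount
$rg       = 'rg-up-connector'
$location = 'eastus'          # assumption: use the region the UP-connector VM lives in

if (-not (Get-AzResourceGroup -Name $rg -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $rg -Location $location | Out-Null
}

# 1.1 VNet with the two subnets (GatewaySubnet must use exactly that name)
$subDefault = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '172.18.0.0/24'
$subGateway = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '172.18.1.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-up' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '172.18.0.0/16' -Subnet $subDefault, $subGateway

# 2.1 Route-based VPN gateway with one static public IP (active-active stays disabled)
$pip = New-AzPublicIpAddress -Name 'vpngw-up' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard          # assumption: Standard public IP SKU
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
              -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vpnGw = New-AzVirtualNetworkGateway -Name 'OfficeVPNGateway' -ResourceGroupName $rg -Location $location `
           -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
           -GatewaySku VpnGw1                             # assumption: VpnGw1; deployment takes 20-45 min

# 2.2 Local network gateway = HQ firewall public IP plus the printer LAN behind it
$lng = New-AzLocalNetworkGateway -Name 'lng-office-hq' -ResourceGroupName $rg -Location $location `
         -GatewayIpAddress '162.213.12.98' -AddressPrefix '192.168.168.0/24'

# 2.3 Site-to-site IPsec connection; the PSK is typed in at run time, never stored in the script
$psk = Read-Host -Prompt 'Pre-shared key from the Strategic Systems password manager'
New-AzVirtualNetworkGatewayConnection -Name 'conn-office-hq' -ResourceGroupName $rg -Location $location `
  -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# Values the MSP needs for the firewall side (Step 2.4), and the status to watch for "Connected"
$gwIp   = (Get-AzPublicIpAddress -Name 'vpngw-up' -ResourceGroupName $rg).IpAddress
$status = (Get-AzVirtualNetworkGatewayConnection -Name 'conn-office-hq' -ResourceGroupName $rg).ConnectionStatus
"Azure VPN gateway public IP : $gwIp"
"conn-office-hq status       : $status"
```

The connection status stays at NotConnected or Connecting until the MSP finishes the firewall side with the same PSK, so re-run the last two lines after Step 2.4 rather than immediately.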

2.4 Configure HQ firewall (MSP / ISP)

Performed by the MSP on the office firewall:

  • Remote peer: Azure VPN gateway public IP (20.75.247.62).
  • Local subnet(s): 192.168.168.0/24.
  • Remote subnet(s): 172.18.0.0/16.
  • Shared key: same PSK as Azure.
  • Allow rules for traffic between 172.18.0.0/16 and 192.168.168.0/24 (at minimum TCP 9100 for raw printing, plus ICMP for testing).

Validation

  • In Azure, conn-office-hq shows Connected.
  • From UP-connector VM:
    • ping 192.168.168.153 (Ohio HQ printer).
    • Access printer web UI via http://192.168.168.153.
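The ping and web UI checks above can be scripted from the UP-connector VM so that the result is recorded rather than eyeballed. This is an added example, not from the runbook; it also checks TCP 9100, which is the port the Standard TCP/IP printer port in Step 4 will use, and confirms the traffic leaves from the VNet address rather than another interface.

```powershell
# Added example (not from the runbook): run on UP-connector once conn-office-hq
# shows Connected, to confirm the tunnel actually carries traffic to the HQ printer.
$printer = '192.168.168.153'

# ICMP across the tunnel (the firewall must allow ICMP, per Step 2.4)
$ping = Test-Connection -ComputerName $printer -Count 2 -Quiet
"ICMP to $printer : $ping"

# Raw print port used by the Standard TCP/IP port created in Step 4.1
$raw = Test-NetConnection -ComputerName $printer -Port 9100 -WarningAction SilentlyContinue
"TCP 9100 open    : $($raw.TcpTestSucceeded)"

# The source address should be in the default subnet (172.18.0.0/24); anything
# else means the route to 192.168.168.0/24 is not going through the VPN gateway
$src = $raw.SourceAddress.IPAddress
"Source address   : $src (expected 172.18.0.x) -> $(if ($src -like '172.18.0.*') { 'OK' } else { 'CHECK ROUTING' })"

# Printer web UI; an HTTP 200 means the management page answers through the VPN
try {
    $web = Invoke-WebRequest -Uri "http://$printer/" -UseBasicParsing -TimeoutSec 10
    "HTTP UI         : $($web.StatusCode)"
} catch {
    "HTTP UI         : failed ($($_.Exception.Message))"
}
```

If ICMP succeeds but TCP 9100 fails, the tunnel is up and the firewall allow rule for printing is the thing to revisit with the MSP.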

Step 3 – Universal Print Connector on UP-connector

3.1 Install Universal Print connector

On UP-connector (local admin session):

  1. Download connector: https://aka.ms/UPConnector.
  2. Run installer with defaults.
  3. Launch Universal Print connector application.

3.2 Register connector

  1. Sign in with a licensed account that has Printer Administrator or Global Administrator rights.
  2. Name the connector after the VM (e.g., UP-Connector).
  3. Confirm registration succeeds and connector status is “Connected”.

At least one admin account must have a Universal Print–eligible license (e.g., M365 Business Premium) and a defined Usage location in Entra ID.


Step 4 – Add and Register the Printer

4.1 Install printer locally on the VM

Because auto‑discovery does not work across the VPN, the printer is added manually:

  1. On UP-connector → Add printer:
    • “The printer that I want isn’t listed.”
    • “Add a printer using a TCP/IP address or hostname.”
    • IP: 192.168.168.153.
  2. When prompted for a driver:
    • Use the Generic Plus UFR II v2.50 x64 driver package (copied from \\ssdc file share via staff).
  3. In Printer Properties → Ports:
    • Verify a Standard TCP/IP Port pointing to 192.168.168.153.
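The same manual add can be done from an elevated PowerShell session on UP-connector, which makes the port and driver binding explicit and repeatable (useful when the device is replaced, see Operational Notes). This is an added example, not the runbook's own procedure; the INF path and the driver's display name are assumptions and must be checked against the package copied from the \\ssdc share and the output of Get-PrinterDriver.

```powershell
# Added example (not from the runbook): Step 4.1 done from PowerShell on UP-connector.
# Run elevated. The INF path is a placeholder; the driver display name is an assumption.
$printerIp   = '192.168.168.153'
$portName    = "IP_$printerIp"
$printerName = 'Ohio HQ Printer'
$driverInf   = 'C:\Drivers\GenericPlusUFRII\<driver>.inf'   # placeholder: INF from the \\ssdc driver package

# Standard TCP/IP port on raw 9100, matching the firewall allow rule from Step 2.4
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $printerIp -PortNumber 9100
}

# Stage the driver package in the driver store, then register it with the spooler
pnputil.exe /add-driver $driverInf /install | Out-Null
$driver = Get-PrinterDriver | Where-Object Name -like '*Generic Plus UFR II*' | Select-Object -First 1
if (-not $driver) {
    # assumption: display name used by the Canon package; take the exact name from the INF if it differs
    Add-PrinterDriver -Name 'Canon Generic Plus UFR II'
    $driver = Get-PrinterDriver -Name 'Canon Generic Plus UFR II'
}

# Create the local queue the Universal Print connector app will list under Available printers
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driver.Name -PortName $portName
}

# Verification equivalent to Printer Properties -> Ports
Get-Printer     -Name $printerName | Select-Object Name, DriverName, PortName
Get-PrinterPort -Name $portName    | Select-Object Name, PrinterHostAddress, PortNumber
```

The two Select-Object lines at the end should show the queue bound to IP_192.168.168.153 on port 9100; that is the state the connector app expects when you refresh printers in Step 4.2.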

4.2 Register printer to Universal Print

  1. In the Universal Print connector app:
    • Refresh printers.
    • Select the printer from Available printers.
    • Click Register.
  2. In the Universal Print admin portal:
    • Confirm the printer appears under Printers.

4.3 Create and share the printer

  1. In the Universal Print / Azure portal:
    • Open the printer → Shares → create a new share (e.g., Ohio HQ Printer).
    • Assign permissions to an Azure AD group that represents users allowed to print (e.g., SG-Sec-Print).

Record:

  • Printer share ID (GUID).
  • Printer share name.

These values are used in Intune.
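The share ID and name can be read from Microsoft Graph instead of copied out of the portal, which avoids the typo risk in a GUID that Intune will not validate for you. The following is an added example, not from the runbook; it uses the Microsoft.Graph.Devices.CloudPrint cmdlets, assumes the share name Ohio HQ Printer and the group SG-Sec-Print from Step 4.3, and the allowed-group assignment cmdlet is an assumption about the SDK rather than something the runbook describes.

```powershell
# Added example (not from the runbook): record the Universal Print share values
# needed for the Intune profile in Step 5, and optionally grant the print group.
# Requires: Install-Module Microsoft.Graph.Devices.CloudPrint, Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'PrinterShare.ReadWrite.All', 'Group.Read.All' -NoWelcome

$shareName = 'Ohio HQ Printer'   # exact share name from Step 4.3
$share = Get-MgPrintShare -Filter "displayName eq '$shareName'"
if (-not $share) { throw "Share '$shareName' not found; check the name created in Step 4.3" }

# Values that go into the Settings catalog profile (Step 5.1)
[pscustomobject]@{
    'Printer Shared Name (User)' = $share.DisplayName   # must match exactly
    'Printer Shared ID (User)'   = $share.Id            # GUID of the share
}

# Assumption: SDK cmdlet for the Shares -> Access permission step; grants SG-Sec-Print
$group = Get-MgGroup -Filter "displayName eq 'SG-Sec-Print'"
if ($group) {
    $already = Get-MgPrintShareAllowedGroup -PrinterShareId $share.Id | Where-Object Id -eq $group.Id
    if (-not $already) {
        New-MgPrintShareAllowedGroupByRef -PrinterShareId $share.Id `
            -BodyParameter @{ '@odata.id' = "https://graph.microsoft.com/v1.0/groups/$($group.Id)" }
    }
}

# Confirm who can print: should list SG-Sec-Print
Get-MgPrintShareAllowedGroup -PrinterShareId $share.Id | Select-Object DisplayName, Id
```

Only users in an allowed group receive the queue from Intune (see 5.2), so a laptop that gets the policy but no printer is usually a membership problem on SG-Sec-Print, not an Intune problem.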


Step 5 – Intune Deployment to Laptops

5.1 Intune configuration profile

Create a Settings catalog profile named e.g. Universal Printers:

  • Platform: Windows 10 and later.
  • Category: Printer Provisioning (User).

Included settings (User scope):

  • Install (User) – set to True.
  • Printer Shared Name (User) – Ohio HQ Printer (exact share name).
  • Printer Shared ID (User) – GUID of the printer share.
  • (Optionally) Cloud Device ID (User) if used instead of share ID.

Assignments:

  • Include: SG-Sec-IntuneDevices.

5.2 Client behavior

  • When an Intune device checks in:
    • Printer provisioning evaluates the policy.
    • If the user has permission on the Universal Print share, Windows installs the Universal Print queue automatically.
  • Users see the printer under Printers & scanners and can print without VPN to HQ; traffic goes via Universal Print and the UP-connector VM.

Operational Notes

  • Connector VM uptime: UP-connector must stay online; consider Azure Backup and monitoring (availability alerts).
  • Firewall/VPN changes: Any changes to HQ firewall, public IP, or subnets must be mirrored in:
    • Azure Local network gateway
    • VPN connection definition
    • Intune printer policy (if VNet address space changes).
  • Printer changes:
    • If the printer device IP changes, update:
      • TCP/IP port on UP-connector.
    • If the device is replaced, unregister the old printer in Universal Print and repeat Step 4 with the new model.
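The uptime note above can be backed by Azure Monitor alerts so that a stopped connector VM or a dead tunnel is noticed before users report failed print jobs. This is an added example, not from the runbook; the action group resource ID is a placeholder, the VM availability metric name is an assumption, and the tunnel rule's window will need tuning for how quiet the link is outside office hours.

```powershell
# Added example (not from the runbook): alert rules for the UP-connector VM and the
# site-to-site tunnel, using Az.Monitor. Requires Connect-AzAccount.
$rg = 'rg-up-connector'
# placeholder: an existing action group (e-mail/Teams) in the subscription
$actionGroupId = '/subscriptions/<subscription-id>/resourceGroups/rg-up-connector/providers/microsoft.insights/actionGroups/<action-group-name>'

# Rule 1: VM availability below 1 (not fully available) over 5 minutes
$vm   = Get-AzVM -ResourceGroupName $rg -Name 'UP-connector'
$crit = New-AzMetricAlertRuleV2Criteria -MetricName 'VmAvailabilityMetric' `
          -MetricNamespace 'Microsoft.Compute/virtualMachines' `
          -TimeAggregation Average -Operator LessThan -Threshold 1   # assumption: metric name
New-AzMetricAlertRuleV2 -Name 'alert-up-connector-availability' -ResourceGroupName $rg `
  -WindowSize 00:05:00 -Frequency 00:01:00 -TargetResourceId $vm.Id `
  -Condition $crit -ActionGroupId $actionGroupId -Severity 1 `
  -Description 'UP-connector VM unavailable; Universal Print jobs to the HQ printer will stall'

# Rule 2: no bytes received over the tunnel for 15 minutes. Print traffic is bursty,
# so widen the window (or add a synthetic ping from the VM) if this fires overnight.
$gw    = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'OfficeVPNGateway'
$crit2 = New-AzMetricAlertRuleV2Criteria -MetricName 'TunnelIngressBytes' `
           -TimeAggregation Total -Operator LessThanOrEqual -Threshold 0
New-AzMetricAlertRuleV2 -Name 'alert-office-vpn-tunnel' -ResourceGroupName $rg `
  -WindowSize 00:15:00 -Frequency 00:05:00 -TargetResourceId $gw.Id `
  -Condition $crit2 -ActionGroupId $actionGroupId -Severity 2 `
  -Description 'No traffic on conn-office-hq; check HQ firewall and Azure connection status'

# Review what is now in place
Get-AzMetricAlertRuleV2 -ResourceGroupName $rg | Select-Object Name, Severity, Enabled
```

Pair these with the firewall/VPN change note above: if the HQ public IP changes and the local network gateway is not updated, the tunnel alert is the first signal that the mirror step was missed.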

Contact

Primary owner: Trever Ehrfurth – tehrfurth@strsi.com

This post is licensed under CC BY 4.0 by the author.