@AdamKearn
Last active December 12, 2025 12:10
Force PaperCut to send Print Jobs as the UPN instead of SAM Account Name

Using UPN When Sending Print Jobs to the PaperCut Client

By default, the PaperCut Client (v23) supports UPN-based authentication for the application itself.

However, print jobs sent to the server are still processed using the SAM Account Name rather than the UPN. This can create issues in multi-domain environments where users are synchronized using UPN format.

To work around this, you can place the PaperCut Client into KIOSK mode, which forces the client to authenticate using the UPN. Below is the approach I’ve used successfully.

Step 1: Retrieve the Shared Secret File

On your print server, copy the following file: C:\Program Files\PaperCut MF\server\data\pc-shared-secret.dat

This file must be accessible during client installation or delivered to the workstation by another method. If you’re deploying via an RMM tool, you can bundle this file with your installer. If you're deploying over the network (e.g., GPO or other scripted task), ensure this file is included in the \\PRINTSERVER\PCClient share or copied to the client through another mechanism.

Step 2: Install and Configure the PaperCut Client

Start-Process -Wait -FilePath "\\PRINTSERVER.domain.local\PCClient\client-local-install.exe" -ArgumentList "/verysilent"
Copy-Item -Path "\\PRINTSERVER.domain.local\PCClient\pc-shared-secret.dat" -Destination "C:\Program Files (x86)\PaperCut MF Client\pc-shared-secret.dat" -Force -ErrorAction SilentlyContinue

# Prevent PaperCut from starting automatically with default arguments
Remove-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" -Name "PaperCut MF Client" -Force -ErrorAction SilentlyContinue
New-ItemProperty    -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" -Name "PaperCut MF Client" -Value 'cmd /c "C:\Program Files (x86)\PaperCut MF Client\upn-startup.bat"' -Force -ErrorAction SilentlyContinue

Step 3: Create a Custom Startup Script

Create a batch file named upn-startup.bat in: C:\Program Files (x86)\PaperCut MF Client\upn-startup.bat

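rem Inside a .bat file the FOR variable needs a doubled percent sign (%%u)
rem 1) Pre-authenticate the current user's UPN with the shared secret, 2) start the client with it
for /f "delims=" %%u in ('whoami /upn') do "C:\Program Files (x86)\PaperCut MF Client\pc-client.exe" --user "%%u" --pre-authenticate --shared-secret-file "C:\Program Files (x86)\PaperCut MF Client\pc-shared-secret.dat"
for /f "delims=" %%u in ('whoami /upn') do "C:\Program Files (x86)\PaperCut MF Client\pc-client.exe" --user "%%u" --use-pre-authentication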

This is the equivalent of running the following manually (do not include this in the batch script):

"\path\to\pc-client.exe" --user "user@domain.com" --pre-authenticate --shared-secret-file "\path\to\pc-shared-secret.dat"
"\path\to\pc-client.exe" --user "user@domain.com" --use-pre-authentication

This ensures the PaperCut Client launches using the UPN rather than the SAM Account Name.

Finally, update the PaperCut Start Menu shortcut to point to your custom batch file instead of pc-client.exe.


Summary

If you are deploying the PaperCut Client using Intune or an RMM tool, you can streamline the process by packaging the following PowerShell script along with the required support files:

  • pc-shared-secret.dat
  • upn-startup.bat
  • A modified version of the PaperCut Start Menu shortcut

Begin by creating a ZIP file of the PaperCut client install directory from your print server’s share.

Name the file: windows-papercut.zip

Deployment Script

If (Get-Item -Path "C:\Program Files (x86)\PaperCut MF Client" -ErrorAction SilentlyContinue) {
    Start-Process -Wait -FilePath "C:\Program Files (x86)\PaperCut MF Client\unins000.exe" -ArgumentList "/verysilent" -ErrorAction SilentlyContinue
}

Expand-Archive -LiteralPath 'windows-papercut.zip' -DestinationPath "windows-papercut"
Start-Process -Wait -FilePath ".\windows-papercut\client-local-install.exe" -ArgumentList "/verysilent"

Copy-Item -Path "pc-shared-secret.dat" -Destination "C:\Program Files (x86)\PaperCut MF Client\pc-shared-secret.dat" -Force -ErrorAction SilentlyContinue
Copy-Item -Path "upn-startup.bat" -Destination "C:\Program Files (x86)\PaperCut MF Client\upn-startup.bat" -Force -ErrorAction SilentlyContinue
Copy-Item -Path "PaperCut MF Client.lnk.TMP" -Destination "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PaperCut MF\PaperCut MF Client.lnk" -Force -ErrorAction SilentlyContinue

Remove-ItemProperty -Path "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run" -Name "PaperCut MF Client" -Force -ErrorAction SilentlyContinue

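# Reset the Point and Print policy key (no error if it does not exist yet)
Remove-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Recurse -Force -ErrorAction SilentlyContinue
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Force

# Bypass admin consent for driver installation: non-administrators can install drivers from the servers in ServerList without prompts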
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "ServerList" -Value "PRINTSERVER-01.domain.com;PRINTSERVER-02.domain.com"
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "RestrictDriverInstallationToAdministrators" -Value 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "Restricted" -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "TrustedServers" -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "InForest" -Value 0
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "NoWarningNoElevationOnInstall" -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "UpdatePromptSettings" -Value 2
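
A read-only check that can be run after the deployment script, as an added example (not part of the original gist or of PaperCut's tooling). It confirms that the secret and the batch file are present and not user-writable, that any autostart entry goes through upn-startup.bat, and that the relaxed Point and Print policy is still pinned to a server list. The function name is hypothetical; the paths and value names are the ones used above.

```powershell
# Added example: read-only check of the state the deployment script leaves behind.
# Test-PaperCutUpnDeployment is a hypothetical helper name; paths and registry
# values are the ones used on this page.
function Test-PaperCutUpnDeployment {
    $clientDir = 'C:\Program Files (x86)\PaperCut MF Client'
    $runKey    = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $papKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $findings  = [System.Collections.Generic.List[string]]::new()

    # SIDs allowed to hold write access: SYSTEM, Administrators, TrustedInstaller.
    $trusted = 'S-1-5-18', 'S-1-5-32-544',
               'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $write   = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    # 1. The secret and the logon batch file must exist and must not be writable
    #    by ordinary users: the batch file runs for every user who signs in.
    foreach ($name in 'pc-shared-secret.dat', 'upn-startup.bat') {
        $file = Join-Path $clientDir $name
        if (-not (Test-Path -LiteralPath $file)) { $findings.Add("Missing: $file"); continue }
        foreach ($rule in (Get-Acl -LiteralPath $file).GetAccessRules($true, $true, $sidType)) {
            $canWrite = ([int]$rule.FileSystemRights -band $write) -ne 0
            if ($rule.AccessControlType -eq 'Allow' -and $canWrite -and
                $rule.IdentityReference.Value -notin $trusted) {
                $findings.Add("$name is writable by $($rule.IdentityReference.Value)")
            }
        }
    }

    # 2. An autostart entry, if present, must go through upn-startup.bat.
    $run = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).'PaperCut MF Client'
    if ($run -and $run -notlike '*upn-startup.bat*') {
        $findings.Add("Run entry does not use upn-startup.bat: $run")
    }

    # 3. With RestrictDriverInstallationToAdministrators = 0, driver installs must
    #    stay pinned to the named print servers (Restricted, TrustedServers, ServerList).
    $pap = Get-ItemProperty -Path $papKey -ErrorAction SilentlyContinue
    if ($pap -and $pap.RestrictDriverInstallationToAdministrators -eq 0) {
        if ($pap.Restricted -ne 1 -or $pap.TrustedServers -ne 1 -or -not $pap.ServerList) {
            $findings.Add('Non-admin driver installation allowed without a trusted server list')
        }
    }
    return $findings
}

Test-PaperCutUpnDeployment
```

No output means every check passed; each returned string is one finding to resolve on that workstation.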

Including the Modified Shortcut

Most RMM platforms do not allow uploading .lnk files directly. To work around this, rename the shortcut file after editing it to point to upn-startup.bat instead of pc-client.exe.

Run the following command after updating the shortcut to use the batch script:

cd "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PaperCut MF"
copy "PaperCut MF Client.lnk" "PaperCut MF Client.lnk.TMP"

You can now include the .TMP file in your deployment package and rename it back to .lnk during installation, as shown in the script above.


Optional Integration

In my environment, I've also integrated this with a tool I created called Printer Mapper.

This will handle mapping of multiple printers dynamically via Group Policy. This makes it super easy to deploy new printers out to your users.
