/build/static/layout/Breadcrumb_cap_w.png

Installing software without disabling User Account Control

Hello,

I'd like to use KACE to install software to Windows 7 machines without disabling User Account Control.  Is this possible?  I have scripts written in KACE that install Adobe, install Quicktime, etc.  These work on Windows XP, but fail on 7.  If I disable UAC on 7, they work.

We migrated from Altiris to KACE, and Altiris was able to do this without disabling UAC.

I've been searching the forums and most people have been saying UAC must be turned off.

 

I found a workaround that disables a registry setting for UAC.  This was mentioned here in an article written by KACE employees:  http://www.kace.com/~/media/Files/Support/KACE-Konference/2012/2012_K2000-%20PostInstall%20Troubleshooting.ashx

"Disable User Account Control (UAC) or UAC prompting for admins 

– This can be done in the unattend file or as a postinstall task (no reboot 

required) 

› reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v 

ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"

 

I wrote the following install that disables UAC, tries to install Adobe, then reenables UAC:

 

Task 1

Attempts:
On Failure: Break Continue

Verify

  1. Verify that “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!ConsentPromptBehaviorAdmin” exists.

On Success

  1. Set “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!ConsentPromptBehaviorAdmin” to “0x00000000”.
  2. Launch “SYS\cmd.exe” with params “ping loopback -n 60”.
  3. Install “Adobe Acrobat X Pro” with arguments “start /wait setup.exe”.
  4. Launch “SYS\cmd.exe” with params “ping loopback -n 300”.
  5. Set “HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!ConsentPromptBehaviorAdmin” to “0x00000005”.
  6. Launch “SYS\cmd.exe” with params “ping loopback -n 60”.
  7. Log “Adobe Acrobat X Pro install command issued successfully.” to “status”.

Remediation

  1. Install “Adobe Acrobat X Pro” with arguments “start /wait setup.exe”.
  2. Log “Adobe Acrobat X Pro install command issued successfully.” to “status”.

On Remediation Success

On Remediation Failure

 

 

If I run each of these 3 steps as seperate scripts, it works.  If I try to chain them all together however, it fails.  I stuck the ping commands in there to try and make it wait.  It does not work.

How should I be installing software on machines with UAC enabled?  How do I make a script wait for the next command instead of trying to run them all at once?

 

 


0 Comments   [ + ] Show comments

Answers (6)

Posted by: nheyne 11 years ago
Red Belt
1

We run our install scripts as the SYSTEM user, hasn't prompted us for UAC once:


Comments:
  • This does not work for us. When I try to run it as local system it fails - edwimb 11 years ago
    • What happens if you switch to "run as user" and supply a local or network admin account? - jknox 11 years ago
  • If I do that with a network admin account, it fails with UAC on. If I do that with UAC turned off it works. If I run it on XP like that it works. - edwimb 11 years ago
    • Fails or the UAC prompts and installs correctly? - dugullett 11 years ago
  • Fails. No UAC prompt pops up at all if I run it with a domain admin account and enable UAC. If I disable UAC and run it again like that it works. - edwimb 11 years ago
Posted by: edwimb 11 years ago
Third Degree Blue Belt
1

This does not work for us.  When I try to run it as local system it fails.


Comments:
  • Installing Adobe shouldn't fail when running as SYSTEM. Maybe there's an issue in your script? Have you tried running this through a managed install? What steps are you taking on your Kace script? - dugullett 11 years ago
  • I just took screenshots of the entire thing and posted it. It does not work for Windows 7 running as system. We tried it just now with a user logged in without admin rights. We are trying it again with no one logged on to the machine. - edwimb 11 years ago
  • We are using the run now tab inside of KACE to run these. - edwimb 11 years ago
  • Running it as system without anyone logged in also failed. - edwimb 11 years ago
Posted by: edwimb 11 years ago
Third Degree Blue Belt
1


Comments:
  • I'm guessing that you have all the files zipped and uploaded to Kace? So your just calling this install using Kace. Does your setup.exe run when manually installed on a Win 7 box?

    I would highly recommend creating a MI for this. The way your script is currently setup it would always try to install. If you add a VERIFY step that checked if a file existed (C:\program files\adobe\some_file.exe), then on Remediation run your install. That way it will not run on a machine that already has it. - dugullett 11 years ago
  • I don't really care about installing it on a machine that already has it right now. Yes I have the files zipped and uploaded to KACE. Remember this works in KACE if I do it with an administrator account and disable UAC. - edwimb 11 years ago
    • That's strange. If it works with UAC off, it should also work with it on and you clicking yes. I've never heard of the UAC failing to let an app install if you allow it to run. That sounds like a fun one. - dugullett 11 years ago
  • When you turn on UAC, and you then try to deploy software to that machine remotely using administrative credentials, UAC will never prompt the logged on user with a pop up box. It doesn't work that way. - edwimb 11 years ago
  • I also highly recommend using managed installs for application deployment. The main drawback is not being able to schedule as with scripts, but the benefits outweigh this drawback.

    For the record, all of my Win7 machines have UAC turned on and the managed installs push apps to them with no problem - hence my recommendation.

    John - jverbosk 11 years ago
Posted by: edwimb 11 years ago
Third Degree Blue Belt
0

Does anyone have a solution to this?  Is there a way for KACE to deploy software to a Windows 7 machine with UAC enabled?


Comments:
  • All of my software deploys on both Win 7 x86 and x64 with UAC enabled without a prompt. You might want to contact support. Since it looks like you are having bigger issues with your Kbox. - dugullett 11 years ago
Posted by: jverbosk 11 years ago
Red Belt
0

The "solution" is to use managed installs.  I use these with my UAC-enabled Win7 clients with no issues whatsoever.  In my experience, scripts just aren't as resilient for application installs (and definitely not as easy to track and check status).

John


Comments:
  • Hi John. FYI I have followed your guide on the KACE helpdesk and you helped me out a lot in setting it up. Thank you.

    I initially went with the distribution tab and my deskside guys hated it. They hated the fact that someone would call, ask for a piece of software, and then to install it they had to edit the distribution to include their machine, find their machine and force the inventory, then wait and hope it worked sometime soon. The managed installs just seemed to take forever. I also didn't like how on the managed installs I had to grant them full access to the script in order to edit who got it.

    With scripting I just grant them access to the run now tab while making the scripts read only. That way they can run them but can't change them. Scripting also seems to work instantly.

    Someone with Dell support advised us to use scripting instead of managed installs a few months back, after I had set up everything in managed installs. - edwimb 11 years ago
  • I just tested this using the distribution tab and it did work going to a Windows 7 machine with UAC enabled John. At least I have some sort of a solution now, no thanks to dell support... I would really prefer to use the scripting tab however. I don't understand why the exact same script installing the same thing to the same machine fails when run as a script but works when done as a distribution. - edwimb 11 years ago
Posted by: jverbosk 11 years ago
Red Belt
0

The "solution" is to use managed installs for deploying applications.  I use these with my UAC-enabled Win7 clients with no issues whatsoever.  In my experience, scripts just aren't as resilient for application installs (and definitely not as easy to track and check status).

John

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ