/build/static/layout/Breadcrumb_cap_w.png

Powershell script via K1000 - Is UAC an issue here?

I'm trying to run a number of powershell scripts via K1000 scripting. The scripts remove unwanted metro apps and onedrive from Windows 10. This is for an in-place upgrade situation, its already been implemented into our standard image.

I'm calling the powershell script via K1000, via step "run the batch file .." which uses the following batch command:
powershell.exe -ExecutionPolicy Bypass -File remove-apps.ps1

When running manually on a test PC as the local administrator account, the Script will fail with "Access Denied" messages when attempting to remove each app when run in a regular cmd prompt. When run in an elevated cmd prompt (Run as administrator/UAC) the script runs successfully.

I believe the script is failing due to the command not having this elevation when run from the K1000.
I've tried using both an Offline Kscript and and Online Kscript (specifying the local administrator account)
I've tried utilising psexec in the script, but this requires elevation in itself, so run into the same issue.
I've tried creating a scheduled task with elevated privelages, but in order to import this task on another computer that would also require elevation.
Even turning off UAC on the machine, the script still fails.

Am I right in my suspicions that the script is not being elevated at all?
Does anyone have any suggestions in how to achieve this, or another method you could recommend?

Thanks

0 Comments   [ + ] Show comments

Answers (3)

Answer Summary:
Posted by: rjonesdj 7 years ago
Orange Senior Belt
1
Thanks rockhead.

I have been trying to use the -Ver RunAs argument; to no success so far... but I will definetly give your .bat template a go.
At the moment, Im going down a slighty different route making use of this - https://gist.github.com/TaoK/1582185
Seems to achieve what I want when run locally, will be testing how it runs via k1000 this morning.

Comments:
  • Looks nice. Please let me know what you find that works. - rockhead44 7 years ago
    • So far nothing...
      Seems UAC is doing what its supposed to, and is very difficult to circumvent.
      But even with UAC disabled, I cant get these particular powershell commands to work. - rjonesdj 7 years ago
    • After hitting many brick walls... I eventually solved my problem.
      Found this helpful tool -
      https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396

      Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended.

      My final script was:

      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      elevate %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
      ping -n 60 localhost>nul
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f - rjonesdj 7 years ago
      • @rjonesdj...looks like you and I are hitting the same brick walls. I am trying to replicate what you just suggested but am running into additional Access denied issues...and as I am not that adept at scripting I was hoping for a bit more clarity.

        1) Was this a bat file run through Kace?
        2) Which user did you use to execute? System, other domain user, etc.?
        3) Were there any Parameters required to be placed in the Kace admin?

        Thanks a lot for any input you can provide! It looks as if you are very close to helping solve my headaches. - hollistd 7 years ago
      • @hollistd
        I know all about those headaches, Iv'e been losing my sanity over this the past week!

        To answer your questions:
        1) bat file created on KACE, and run via KACE.
        2) Its an offline script, no account is specified, so using System account which I believe is the default for this.
        3) I had no other parameters outside of the bat file.

        The bat file had a number of dependencies-
        elevate.cmd and elevate .vbs (from here - https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396)
        remove-default-apps.ps1 (powershell script from here - https://github.com/W4RH4WK/Debloat-Windows-10)

        Good luck - rjonesdj 7 years ago
Posted by: rjonesdj 7 years ago
Orange Senior Belt
1

Top Answer

After hitting many brick walls... I eventually solved my problem. 
Found this helpful tool - 
https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396

Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended. 

My final script was:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
elevate %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
ping -n 60 localhost>nul
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
Posted by: rockhead44 7 years ago
Red Belt
0
You can use this as a guide

https://support.quest.com/kb/148903

The only time I have done it, my .bat looked like this:

================================================================================================

@ECHO OFF
SET ThisScriptsDirectory=%~dp0
SET PowerShellScriptPath=%ThisScriptsDirectory%MyPowerShellScript.ps1
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\255\OSDT.ps1""' -Verb RunAs}";


=============================================================================================

I believe the     -Verb RunAs     was the key. It has been a while since I ran this so my memory is a bit fuzzy. 

Don't be a Stranger!

Sign up today to participate, stay informed, earn points and establish a reputation for yourself!

Sign up! or login

View more:

Share

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ