Issues with elevation after 1803 upgrade

Ask your Windows PowerShell-related questions, including questions on cmdlet development!
Forum rules
Do not post any licensing information in this forum.

Any code longer than three lines should be added as code using the 'Select Code' dropdown menu or attached as a file.
Locked
us.dechrait@dechra.com
Posts: 3
Joined: Fri Oct 05, 2018 8:30 am

Issues with elevation after 1803 upgrade

Post by us.dechrait@dechra.com » Thu May 02, 2019 4:44 am

So my company has a lot of remote users, and to get them upgraded to 1803 and update firmware we send them thumbdrives that have a script on it that they run. I built it via Powershell Studio so I could bake the admin credentials into it without fear of someone being able to view said credentials and on a machine already running 1703 it works great. However, if it is run on one that is already running 1803 it gets an "Access is denied" error when trying to create the scheduled task that runs the firmware upgrade after rebooting. I know I read some places that 1803 disable or messed with the built-in admin account, but this is running with one we added via GPO when the machine is imaged. If I right-click the exe and "Run as administrator" it works fine, but if I rely on the exe to self-elevate with the baked-in credentials it doesn't work.

Has anyone seen anything like that?

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Issues with elevation after 1803 upgrade

Post by jvierra » Thu May 02, 2019 5:01 am

Without more information it will be hard to understand what is happening.

What is the full error message.

us.dechrait@dechra.com
Posts: 3
Joined: Fri Oct 05, 2018 8:30 am

Re: Issues with elevation after 1803 upgrade

Post by us.dechrait@dechra.com » Thu May 02, 2019 5:12 am

There is no error. There's a command within the script (which is set via the build option to run as this local admin account) that creates a scheduled task.

Start-Process cmd.exe -ArgumentList '/C SchTasks.exe /Create /SC ONLOGON /TN "PostUpgrade" /TR "powershell.exe -executionpolicy bypass -noprofile C:\1803tmp\cleanup.ps1" /RU SYSTEM /RL HIGHEST' -Wait

It works fine when run on a 1703 machine, but if the machine is already running 1803 then this command gets an access denied and doesn't create the task.

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Issues with elevation after 1803 upgrade

Post by jvierra » Thu May 02, 2019 5:56 am

Scheduling requires elevation in order to request an elevated task. Remove /RL and test. It should work.

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Issues with elevation after 1803 upgrade

Post by jvierra » Thu May 02, 2019 6:24 am

What happens if you run the script as a script?

The scheduler needs to have the path of the task that you are creating.

/TN \folder\taskname

also

/TN \taskname

for a task in the root folder.

In 1803 the default folder may have changed or the root folder may have added protections.

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Issues with elevation after 1803 upgrade

Post by jvierra » Thu May 02, 2019 6:54 am

I ran you task creation on an 1802 system. It causes no error but the task created is not visible anywhere.

jvierra
Posts: 14000
Joined: Tue May 22, 2007 9:57 am
Contact:

Re: Issues with elevation after 1803 upgrade

Post by jvierra » Thu May 02, 2019 7:10 am

This is the correct way to creatae your task and avoid the more restrictive issues of 1803.

Code: Select all

$arglist = '/F /Create /SC ONLOGON /TN \PostUpgrade /TR "powershell.exe -executionpolicy bypass -noprofile C:\1803tmp\cleanup.ps1" /RU SYSTEM /RL HIGHEST'
Start-Process SchTasks.exe -ArgumentList $arglist -NoNewWindow

us.dechrait@dechra.com
Posts: 3
Joined: Fri Oct 05, 2018 8:30 am

Re: Issues with elevation after 1803 upgrade

Post by us.dechrait@dechra.com » Thu May 02, 2019 8:19 am

Thanks for all the tips everyone. Unfortunately after trying the tweaks suggested, none of them have resolved the weird problem.

Locked