So my company has a lot of remote users, and to get them upgraded to 1803 and update firmware we send them thumbdrives that have a script on them that they run. I built it via PowerShell Studio so I could bake the admin credentials into it without fear of someone being able to view said credentials, and on a machine already running 1703 it works great. However, if it is run on one that is already running 1803 it gets an "Access is denied" error when trying to create the scheduled task that runs the firmware upgrade after rebooting. I know I read some places that 1803 disabled or messed with the built-in admin account, but this is running with one we added via GPO when the machine is imaged. If I right-click the exe and "Run as administrator" it works fine, but if I rely on the exe to self-elevate with the baked-in credentials it doesn't work.
Has anyone seen anything like that?
Issues with elevation after 1803 upgrade
Re: Issues with elevation after 1803 upgrade
There is no error. There's a command within the script (which is set via the build option to run as this local admin account) that creates a scheduled task.
Start-Process cmd.exe -ArgumentList '/C SchTasks.exe /Create /SC ONLOGON /TN "PostUpgrade" /TR "powershell.exe -executionpolicy bypass -noprofile C:\1803tmp\cleanup.ps1" /RU SYSTEM /RL HIGHEST' -Wait
It works fine when run on a 1703 machine, but if the machine is already running 1803 then this command gets an access denied and doesn't create the task.
Re: Issues with elevation after 1803 upgrade
What happens if you run the script as a script?
The scheduler needs to have the path of the task that you are creating.
/TN \folder\taskname
also
/TN \taskname
for a task in the root folder.
In 1803 the default folder may have changed or the root folder may have added protections.
Re: Issues with elevation after 1803 upgrade
This is the correct way to create your task and avoid the more restrictive issues of 1803.
Code:
$arglist = '/F /Create /SC ONLOGON /TN \PostUpgrade /TR "powershell.exe -executionpolicy bypass -noprofile C:\1803tmp\cleanup.ps1" /RU SYSTEM /RL HIGHEST'
Start-Process SchTasks.exe -ArgumentList $arglist -NoNewWindow
Re: Issues with elevation after 1803 upgrade
Thanks for all the tips everyone. Unfortunately after trying the tweaks suggested, none of them have resolved the weird problem.
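A diagnostic for the symptom discussed in this thread, added here as an example and not code from any poster: under UAC, an account that is a member of Administrators can still run with a filtered token, so the script below checks the token before creating the task and uses the ScheduledTasks cmdlets in place of SchTasks.exe. The task name and script path are the ones quoted in the thread; the function names Test-IsElevated and Register-PostUpgradeTask are made up for illustration.

```powershell
# Added example, not from the thread. Task name and script path are the ones
# quoted in the posts above; function names are hypothetical.

function Test-IsElevated {
    # True only when the Administrators group is enabled in the current token.
    # A filtered (non-elevated) token carries that group as deny-only, so this returns $false.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Register-PostUpgradeTask {
    param(
        [string]$TaskName   = 'PostUpgrade',
        [string]$ScriptPath = 'C:\1803tmp\cleanup.ps1'
    )

    $who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    if (-not (Test-IsElevated)) {
        # Fail early with a clear message instead of an opaque "Access is denied"
        throw "Running as $who without an elevated token; the task cannot be created from this process."
    }

    # Same command line as the thread, passed with -File so the path is not parsed as a command
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-ExecutionPolicy Bypass -NoProfile -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
        -LogonType ServiceAccount -RunLevel Highest

    # -TaskPath '\' places the task in the root folder; -Force overwrites an existing task
    Register-ScheduledTask -TaskName $TaskName -TaskPath '\' -Action $action `
        -Trigger $trigger -Principal $principal -Force -ErrorAction Stop
}

try {
    Register-PostUpgradeTask | Select-Object TaskName, TaskPath, State
} catch {
    Write-Error $_
    exit 1
}
```

Running it once through the packaged exe and once from a "Run as administrator" prompt shows whether the two launch paths differ in token elevation.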