Running a script during MSI install

This topic is 7 months and 4 weeks old and has exceeded the time allowed for comments. Please begin a new topic or use the search feature to find a similar but newer topic.

Post by akontokanis »

I hope this is the right section to post this in.
I'm having trouble running a script successfully during the MSI installation process.

My goal is to import a set of modules as a custom action during installation. The primary module (VMware.PowerCLI) includes scripts which are blocked by execution policy by default. I have tried building with a packaged exe, and I have tried building with a ps1 and checking the "Use execution policy bypass" option; neither seems to work.
  1. Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force -Confirm:$false
  2. Import-Module VMware.PowerCLI
  3. Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false > $null
  4. Set-PowerCLIConfiguration -Scope AllUsers -ParticipateInCeip $false -Confirm:$false > $null
  5. Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name CertificateRevocation -Value 0 > $null
  6. Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944 > $null
The script contents:
1. Bypass execution policy temporarily, the installer is run with Admin privileges.
2. The module import.
3-4. Two module settings that are available after the import
5-6. Two reg settings that speed up module load times, these are on isolated networks.

After the MSI installer runs, I can see that the registry entries have been applied but the module was never successfully imported.
If I manually bypass execution policy and then manually run the script, the module imports.

Any ideas for making it successfully run with the installer?

Re: Running a script during MSI install

Post by Alexander Riedel »

I am not sure what your expectation is here. Import-Module is a session-specific thing. So it will import that module in the script that runs as a custom action in the installer. It has no lasting effect on other scripts.
That the action runs is verified by the registry entries existing after the install.
Alexander Riedel
SAPIEN Technologies, Inc.

Re: Running a script during MSI install

Post by akontokanis »

While preparing a response I realized I had some incorrect assumptions about how execution policy interacted with the modules, and I've decided to disable execution policy by setting it to unrestricted via the registry.

I now have a slightly different but essentially the same problem. I have verified that some of the registry keys are modified during installation but not the one controlling execution policy.

This code is packaged into an exe and run as a custom action (deferred):
  1. Set-ItemProperty -Path "HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" -Name ExecutionPolicy -Value Unrestricted > $null
  2. ...
  3. Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name CertificateRevocation -Value 0 > $null
  4. Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing" -Name State -Value 146944 > $null
I can verify that the last two keys are successfully modified during the installation but not the first one. If I run the exe manually afterwards, the first key gets modified.

Re: Running a script during MSI install

Post by Alexander Riedel »

I don't know your use case, so I'll just throw in some opinions here, which also may benefit anyone finding this later.
I would never recommend setting the execution policy in an installer to anything, let alone 'unrestricted'. I think this should always be left to whoever is in charge of that computer or network.
If you are publishing a module for a broader audience you should get a proper certificate for code signing. Even if this is in-house only, I would recommend at the very least generating a locally trusted certificate for signing.
Generally, modifying any trust setting in an installer without prompting for permission should be a no-go.

Back to your registry key. Modifying HKLM anything requires access rights. You certainly are getting an error message but you are piping the output to null. I would recommend at least logging errors somewhere.
I cannot tell from this post if your installer requires admin rights. If it does and runs elevated, a custom action SHOULD update that key unless there is another hurdle. (See error message)
If your installer is not requiring elevation, the packaged exe must require elevation if it needs that access.
Alexander Riedel
SAPIEN Technologies, Inc.
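
The "locally trusted certificate for signing" suggested in the reply above could look like the following. This is an added example, not part of the original posts; the subject name and script path are placeholders, and `New-SelfSignedCertificate -Type CodeSigningCert` assumes Windows 10 / Server 2016 or later on the build machine.

```powershell
# Added example: sign an in-house script with a locally trusted certificate
# so the execution policy can stay at AllSigned or RemoteSigned.
$subject    = 'CN=Example In-House Code Signing'      # placeholder subject
$scriptPath = 'C:\Example\Tools\Configure-App.ps1'    # placeholder script
$cerFile    = Join-Path $env:TEMP 'example-codesign.cer'

# 1. Build machine: create the signing certificate. The private key stays
#    in the current user's store and is never copied to target machines.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $subject `
    -CertStoreLocation Cert:\CurrentUser\My -NotAfter (Get-Date).AddYears(3)

# 2. Export only the public certificate for distribution.
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null

# 3. Each machine that must accept the signature (elevated session):
#    Root makes the chain valid, TrustedPublisher stops the publisher prompt.
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath $cerFile -CertStoreLocation Cert:\LocalMachine\TrustedPublisher | Out-Null

# 4. Sign the script. No -TimestampServer is given because the thread's
#    targets are isolated; without a timestamp the signature stops
#    validating when the certificate expires, so plan to re-sign.
$result = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert -HashAlgorithm SHA256
if ($result.Status -ne 'Valid') {
    throw "Signing failed: $($result.Status) - $($result.StatusMessage)"
}

# 5. Verify the way PowerShell will when it loads the file.
Get-AuthenticodeSignature -FilePath $scriptPath |
    Select-Object Status, StatusMessage, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Step 3 is itself a trust change on the target machine, so it belongs with whoever administers that machine rather than in a silent installer step.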

Re: Running a script during MSI install

Post by akontokanis »

> "I would never recommend setting the execution policy in an installer to anything, let alone 'unrestricted'."
This is a good point, however the scope here is very limited and we do have ownership of the target computers.

> "you should get a proper certificate for code signing"
I'm not familiar with the process of code signing with certificates, however I should point out that the execution policy needs to be disabled in order to run the VMware PowerCLI modules, and not anything that I am producing. I'm very much an amateur coder and my work has been limited to attempting to produce a more user-friendly GUI with automation of preexisting cmdlets and modules. I'm not sure how code signing would fit into that.

> "You certainly are getting an error message"
You are correct, I forgot that I had selected a silent engine for the packager. When I switched it back to the Command line, I saw an error stating "Requested registry access is not allowed"..."PermissionDenied". So it would seem that although the Require Administrator box is checked on the MSI builder, those permissions are not being passed to the custom action portion.

Unfortunately, I have spent far too long troubleshooting this already. My compromise is to have the MSI place a shortcut to the exe that was a custom action onto the desktop, which will be deleted when running the exe, and include instructions to run the exe as admin after install.

Re: Running a script during MSI install

Post by Alexander Riedel »

Have you tried setting a "Manifest for elevation" for the packaged executable?

Generally a custom action gets executed with admin privileges when "deferred" and "no impersonation" is checked.
That executes the custom action under the system account.
Now, if you ALSO want to modify current user registry keys, that would need to be moved to a separate custom action.
So in your case requiring elevation for the packaged exe would probably be better.

I am surprised a VMware module would not be signed.
I downloaded the current version and all scripts in there have a digital signature.
Alexander Riedel
SAPIEN Technologies, Inc.
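
A custom-action script that records which account it runs under and logs registry errors, covering the "log errors somewhere" advice and the deferred/system-account point in the replies above. This is an added example, not code from the thread; the log location, the `Write-ActionLog` and `Set-RegistryValueLogged` helpers and the `ExampleVendor` key are hypothetical.

```powershell
# Added example: diagnostic wrapper for an installer custom action.
$logFile = Join-Path $env:ProgramData 'ExampleInstaller\custom-action.log'   # hypothetical path
New-Item -ItemType Directory -Path (Split-Path $logFile) -Force | Out-Null

function Write-ActionLog {
    param([string]$Message)
    Add-Content -Path $logFile -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

# Record the security context the custom action actually received.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-ActionLog "User=$($identity.Name) IsSystem=$($identity.IsSystem) Elevated=$isAdmin"

function Set-RegistryValueLogged {
    param([string]$Path, [string]$Name, $Value)
    try {
        if (-not (Test-Path $Path)) {
            New-Item -Path $Path -Force -ErrorAction Stop | Out-Null
        }
        # -ErrorAction Stop turns the access error into a catchable exception.
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -ErrorAction Stop
        Write-ActionLog "OK   $Path\$Name"
        return $true
    }
    catch {
        Write-ActionLog "FAIL $Path\$Name : $($_.CategoryInfo.Category) : $($_.Exception.Message)"
        return $false
    }
}

# Hypothetical machine-wide value; fails with PermissionDenied when not elevated.
$ok = Set-RegistryValueLogged -Path 'HKLM:\Software\ExampleVendor\ExampleApp' -Name 'Configured' -Value 1

if ($identity.IsSystem) {
    # Under the system account HKCU: is that account's own hive, so per-user
    # values written here never reach the person running the installer.
    Write-ActionLog 'Running as SYSTEM: HKCU: writes do not reach the installing user.'
}

if (-not $ok) { exit 1 }   # non-zero exit code so the caller can see the failure
```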

Re: Running a script during MSI install

Post by akontokanis »

I have not tried any of the settings in the manifest section, maybe if I have spare time later I'll return to try that.

Regarding the signatures, I was also surprised to see the modules were not working without disabling execution policy. My only guess is that our target systems are sometimes older versions of Windows, on isolated networks, and have never touched the internet.
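
One way to check the signature question raised in the last two posts on an affected machine, as an added example that is not part of the original thread. It is read-only, assumes the modules are installed where `Get-Module -ListAvailable` can find them, and rebuilds the signer's certificate chain with revocation checking turned off to show whether the chain or the revocation lookup is what fails.

```powershell
# Added example: audit Authenticode status of the installed VMware.* modules.
$bases = Get-Module -ListAvailable -Name 'VMware.*' |
    Select-Object -ExpandProperty ModuleBase -Unique
$files = foreach ($base in $bases) {
    Get-ChildItem -Path $base -Recurse -File -Include *.ps1, *.psm1, *.psd1, *.ps1xml
}

$report = foreach ($file in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        File    = $file.FullName
        Status  = $sig.Status
        Message = $sig.StatusMessage
        Signer  = $sig.SignerCertificate
    }
}

# How many files fall under each signature status (Valid, NotSigned, ...).
$report | Group-Object Status | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Take one file that carries a signature PowerShell does not accept and
# rebuild its chain without revocation checks.
$sample = $report | Where-Object { $_.Signer -and $_.Status -ne 'Valid' } |
    Select-Object -First 1
if ($sample) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($sample.Signer)
    "File:    $($sample.File)"
    "Message: $($sample.Message)"
    "Chain builds without revocation check: $built"
    $chain.ChainStatus   | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
    $chain.ChainElements | ForEach-Object { "  element: $($_.Certificate.Subject)" }
}

# Effective policy per scope, including any Group Policy override.
Get-ExecutionPolicy -List | Format-Table -AutoSize
```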