BatmanJohn-5715 asked EricTreater-8637 answered

Installing INF by app via company portal. Admin creds being prompted.

Turning down UAC then installing INF.

Write-Host "Disabling UAC"
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "FilterAdministratorToken" -Value "0";
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableUIADesktopToggle" -Value "0";
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableSecureUIAPaths" -Value "0";
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" -Value "0";
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value "0";
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorUser" -Value "0";


Start-Process -filePath C:\Install\drivers\printers\ricoh\RicohMP3555\disk1\oemsetup.inf -Verb Install -ArgumentList "/S /v /qn"



mem-intune-application-management

Jason-MSFT answered

Disabling UAC requires a reboot so simply flipping those registry values has no effect until the system restarts. Also, if you are running this in the user's context, they may not have permissions to flip these anyway.

Is there a reason you aren't installing this in the System context (which will side-step UAC)?

BatmanJohn-5715 answered

Thanks for your answer. I had some success with this UAC script but may be oranges and apples. I'm fairly new to PS and Intune and have been trying to get this printer installed for some time so admittedly I'm grasping at straws. pnputil.exe not this Start-Process will work, it seems and I'm getting a bit desperate to get this working. I cannot understand why using Intune Autopilot is so limited by admin rights? Every time I turn around I need to jump through hoops for admin creds. I thought that was the point of all this? Sorry for venting.
So, I see the logic of your response but I'm no closer to getting this line to run unprompted.

BatmanJohn-5715 answered Jason-MSFT commented

BTW, I did run the app in User context and I also got prompted for creds.

Right, which is why I suggested running it in the System context.

Ultimately, this is unrelated to Intune (and certainly not Autopilot). This is just how Windows and UAC work.

BatmanJohn-5715 answered Jason-MSFT commented

But the PowerShell works in every other context. Even our machines without Autopilot have less trouble. This is all about automation and security. There must be a way to solve this problem. That's what I am seeking assistance with.

There's nothing special about running it in Autopilot.

As asked, have you tried running this in the System context which will side-step UAC?

BatmanJohn-5715 answered

System and User configuration asks for admin creds. It seems like there must be a way for Intune to apply this install for the user with total admin authority. I can't imagine this is new. So far the only way around I see is Universal printing. We are running into this though on legacy programs and different issues.

If we turn off the UAC and do reboot the policies reapply immediately. A real catch-22. That's why I'm here.

BTW I am installing as available from Company Portal. I'm confused why this process doesn't have full admin authority?


Jason-MSFT answered

The System context is higher than full admin and not subject to UAC. If you are seeing a UAC prompt, are you 100% sure that you have the application configured to use System for its Install behavior in Intune?

Initiating from Company Portal is irrelevant here.
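
One way to confirm which account the install really runs under and to stage the INF without changing any UAC registry values, as an added example that is not part of the original thread. It assumes `oemsetup.inf` and its driver files are packaged next to the script in the .intunewin; the log path is a hypothetical choice.

```powershell
# Added example: install script for an Intune Win32 app (Install behavior = System).
# Assumption: oemsetup.inf and its driver files sit beside this script in the package.
$ErrorActionPreference = 'Stop'
$log = Join-Path $env:ProgramData 'PrinterDriverInstall.log'   # hypothetical log path
$inf = Join-Path $PSScriptRoot 'oemsetup.inf'

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $log
}

# Record the account that is actually running the install. Anything other
# than NT AUTHORITY\SYSTEM means the app is not installing in System context.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
Write-Log "Running as $($identity.Name) (IsSystem=$($identity.IsSystem))"
if (-not $identity.IsSystem) {
    Write-Log 'Not running as SYSTEM; stopping before anything can prompt.'
    exit 1
}

# A 32-bit host process on 64-bit Windows has System32 redirected to SysWOW64,
# which contains no pnputil.exe. The Sysnative alias reaches the 64-bit copy.
$sys = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    'Sysnative'
} else {
    'System32'
}
$pnputil = Join-Path $env:windir "$sys\pnputil.exe"

if (-not (Test-Path $inf)) {
    Write-Log "INF not found: $inf"
    exit 1
}

# Stage the driver package in the driver store. UAC settings are left untouched.
$output = & $pnputil /add-driver $inf
$code = $LASTEXITCODE
$output | ForEach-Object { Write-Log "pnputil: $_" }
Write-Log "pnputil exit code $code"
exit $code
```

If the log shows a user account rather than `NT AUTHORITY\SYSTEM`, the prompt comes from the app's Install behavior setting and not from the driver itself.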

EricTreater-8637 answered

I have a ONE line script I believe is exhibiting the same behavior.
I can run it manually, but it prompts for UAC Elevation.
I packaged it as an INTUNEWIN, and deployed it via Intune. If I run it in the USER Context, it'll prompt for UAC, but then work, if I feed it credentials.
If I run it using SYSTEM Context, it won't work. I'm almost positive the UAC prompt is holding it up.

I'm going to do some testing of disabling UAC to see if I can get it to work in the system context.

Jason-MSFT answered EricTreater-8637 commented

The local SYSTEM account is not subject to UAC.

What does this INF do?

I'm not actually doing an .INF, just calling a Setup from a UNC path. I'm just calling this:

\\servername\sharename\Inventor2021\Img\Setup.exe /W /q /I "\\servername\sharename\Inventor2021\Img\Inventor2021.ini" /language en-us

I know that SYSTEM is SUPPOSED to Bypass UAC, but this one does not seem to be doing that. If I run it manually OR via Intune under user context, it runs but throws UAC prompt. If I run it via Intune as SYSTEM, it fails, with not much detail in the IME log to tell me what went wrong.

Jason-MSFT answered

I know that SYSTEM is SUPPOSED to Bypass UAC

No, this is incorrect. As noted, it is not subject to UAC at all. Bypass implies that UAC could somehow impact it -- this is simply not in any way possible with the local SYSTEM account.

Why are you calling something from a UNC instead of providing the files within the Win32 package? This is generally a bad idea.

Also, do the local computer accounts on the systems have access to the location since those are the accounts that will be used?



EricTreater-8637 answered Jason-MSFT commented

I know, and I hate doing it this way, since it won't work offsite, but the package (many of the Autodesk packages, actually) is over 12 GB, and the Win32 Packager has a limitation of 8 GB.

These machines are AAD joined, they don't have ANY active Local accounts. I have set the path up with Everyone read access on both share and NTFS permissions.

That gives me another idea though. I may try copying the files locally, running the command, and then deleting the "source" once it's installed.

Ugh, OK.

Have you tested access to the UNC and the command-line as the local SYSTEM account (using psexec)? I have a feeling Everyone won't work here.
