Application Launch with Admin Previledge

Shahban · April 5, 2021, 5:23pm

Created package for one Software (BLC Insurance Desk) and it’s package behavior is whenever we launch application we getting message "Internet Update did not run" seems during application launch application checking update and due to limited access getting this message this scenario is for domain / non admin users.

Temporary provide admin access to the same users then not getting any prompt and its launch well.

Any though to launch application (Shortcut) with admin privilege for Non admin users through Bigfix…

Aram · April 5, 2021, 7:42pm

Check out the asadmin options of the override command, as I believe it should allow for this capability.

Shahban · April 5, 2021, 8:32pm

I am executing / Installing file as below,

wait __Download\Setup.exe /S

and application installed on C:\Program Files (x86)\BLC\Lewin\Index.exe

can you please share one example to solve this issue…(Application Open with Admin privilege)

ageorgiev · April 6, 2021, 8:58am

Here is an example PS script that I run with a different user and as Admin (just need to change the user= parameter; once you run it will prompt you for a password):

parameter “PowerShellexe”="{value “Path” of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell” of native registry}"

override wait
Hidden=true
runas=localuser
asadmin=true
user=domain\user
password=required
wait “{parameter “PowerShellexe”}” -executionpolicy bypass -command “cd ‘<folder_path>’; .\script.ps1”

Pinki · April 6, 2021, 8:22pm

Seems we need to add user ID and password in this task, user=domain\user

same issue am facing for other application its work with Admin access but not working with non admin users,

Any possibility to provide right to launch application with Admin but here we don’t put admin user ID and password in the action,

might be something can do from Bigfix side ?

JasonWalker · April 6, 2021, 8:37pm

I’ve been doing some research into this, and though I’m not a developer it appears to be a feature in the Windows security model.

We can impersonate the user and run it interactively (with the user’s existing session), but it looks like we cannot elevate a non-admin user to an admin access token unless we create a new login session - which requires authenticating.

I don’t think this is necessarily a limitation in BigFix itself, but in the Windows API / security model as a whole. I don’t know of any way around it.

You should probably pursue getting the application updates to work using the LocalSystem account. A good way to test interactively first is using psexec from https://microsoft.com/Sysinternals

Run
psexec -i -s CMD.exe

…to open an interactive command prompt as the SYSTEM account, and then figure out a way to update this application silently.
Then you should be able to deploy that in BigFix without needing any action overrides.

trn · April 7, 2021, 7:25am

I’m not sure that the original post has anything to do with Bigfix.

My reading is the the application is installed, but when the user launches the application, it checks back to the application provider, finds an update but fails to install the update. Having an application manage its own updates sounds like a nice idea. What doesn’t sound so good is having application update rights for users with Internet access.