Has anyone come up with a solution or a workaround to use a BigFix task and elevate (Run As Admin) a Command Prompt? I have been working on a software distribution task to upgrade an existing software installation and the batch file that installs it requires the command prompt to be elevated. I have tested the action with the fixlet debugger and it completes successfully but the batch file in the software package itself fails with an error 5 (Access Denied). I can run the same package and use runas admin on the batch file and it completes with error code 0. Here is the action I am using:
dos mkdir "C:\Axway"
pause while {not exists folder "C:\Axway"}
dos xcopy /e "\\SHARE\SHARE\SHARE\Axway\*.*" "C:\Axway\"
parameter "startTime"="{now}"
pause while { (now-time(parameter "startTime") < 20*second) }
runhidden "C:\Axway\upgrade.bat"
continue if {exit code of action = 0}
The files will not run from a share so I am copying all files to the local machine. The upgrade.bat is the batch file that needs to be run as administrator. Thank you in advance for your help and time.
When run through the console (not the debugger) the commands will be run from the SYSTEM account, which has equal or greater permissions as an admin, but the SYSTEM account will most likely not have access to the file share, even if it is mapped under a currently logged on user’s account.
Why are you copying the files from a share instead of having IEM / BigFix download it using the prefetch command?
None of the above addresses your issue of “access denied” when running upgrade.bat. I would suggest adding a “continue if” statement before the “runhidden”
continue if{ exists file “C:\Axway\upgrade.bat” }
Also, i’d recommend waithidden instead of runhidden.
Thank you for the reply jgstew. I should have expanded a little in my original post. I am aware that BigFix uses the SYSTEM account and have a share open and available to Everyone. The action I listed was just the last one I have tried, there were about 20 different variations I have tried before with all of them failing. I have tried multiple different tasks using both the Windows Software Distribution Wizard and the Software Distribution Package Site.
As jgstew stated BES will run all tasks with elevated permissions, so that is not the issue.
The method you are using to call the .bat looks fine, although I would also recomend using waithidden instead. Waithidden will wait for that command/process to complete before continuing to the next step. Using waithidden should eleminate the need to pause between steps.
Since the system account is not a user, everyone permissions will not be enough, you will need to setup the share as a null share if you want to go that route (very insecure). I would also recommend going the prefetch route.
The reason for your exit code 5 is likely due to something the .bat file is doing. I would test running your .bat file as the system account manually and see if that works. You can start cmd as system using psexec as outlined in the link below:
Thank you to everyone for the replies and responses, I meant to respond sooner. My issue ended up not even being related to BigFix at all. The location that the batch file was extracting the data to and trying to execute the installer from was in an HBSS blocked list, which was not allowing executables to run from that location.
Hi Jgstew,
as you mentioned,“the commands will be run from the SYSTEM account, which has equal or greater permissions as an admin, but the SYSTEM account will most likely not have access to the file share”, will the file permission issue happen to local file also??