IE Enhanced Security and add role on Win Server 2016

Hello everyone,

I’m trying to disable IE Enhanced Security and install Windows features like ASPNET and SNMP-Service with BigFix using a PowerShell script.

I need to “run as administrator” for the script to work.

My BigFix fixlet to run the PowerShell script is:
waithidden powershell.exe -ExecutionPolicy unrestricted -File "NameOfScript.ps1"

The script itself:

# Self-elevate the script if required
if (-Not ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    if ([int](Get-CimInstance -Class Win32_OperatingSystem | Select-Object -ExpandProperty BuildNumber) -ge 6000) {
        $CommandLine = "-File `"" + $MyInvocation.MyCommand.Path + "`" " + $MyInvocation.UnboundArguments
        Start-Process -FilePath PowerShell.exe -Verb Runas -ArgumentList $CommandLine
        Exit
    }
}

# Stop any transcript that is still running, then start a new dated one
$ErrorActionPreference = "SilentlyContinue"
Stop-Transcript | Out-Null
$ErrorActionPreference = "Continue"
Start-Transcript -Path C:\TEMP\S1-WindowsFeature-$(Get-Date -f dd-MM-yyyy).txt -Append

function isadmin
{
    # Returns true/false
    ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
}

# Disable IE Enhanced Security Configuration (A509B1A7 = administrators, A509B1A8 = users)
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value "00000000" -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}" -Name IsInstalled -Value "00000000" -Force

# Install the Windows features
Install-WindowsFeature -Name NET-Framework-45-ASPNET
Install-WindowsFeature -Name SNMP-Service -IncludeAllSubFeature -IncludeManagementTools

Echo "Is this script running as admin?"
isadmin

Stop-Transcript

The modification didn’t work through the BigFix fixlet, but when I locally launch my ps1 script it’s all OK…

My log file tells me the following:

New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed
Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' because it does not exist.
At D:\Softwares\FO_Scripts\S1-Reg.ps1:31 char:1
+ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Install …
    + CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...C-4F3A74704073}:String) [New-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewItemPropertyCommand

New-ItemProperty : Cannot find path 'HKLM:\SOFTWARE\Microsoft\Active
Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}' because it
does not exist.
At D:\Softwares\FO_Scripts\S1-Reg.ps1:31 char:1
+ New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Install …
    + CategoryInfo          : ObjectNotFound: (HKLM:\SOFTWARE\...C-4F3A7470407
   3}:String) [New-ItemProperty], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.NewIt
   emPropertyCommand

AND

Install-WindowsFeature : The term 'Install-WindowsFeature' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At D:\Softwares\FO_Scripts\S1-WindowsFeature.ps1:22 char:1
+ Install-WindowsFeature -name NET-Framework-45-ASPNET
    + CategoryInfo          : ObjectNotFound: (Install-WindowsFeature:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Install-WindowsFeature : The term 'Install-WindowsFeature' is not recognized
as the name of a cmdlet, function, script file, or operable program. Check the
spelling of the name, or if a path was included, verify that the path is
correct and try again.
At D:\Softwares\FO_Scripts\S1-WindowsFeature.ps1:22 char:1
+ Install-WindowsFeature -name NET-Framework-45-ASPNET
    + CategoryInfo          : ObjectNotFound: (Install-WindowsFeature:String)
    [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Is this script running as admin?
True

I think there is a problem with the user that BigFix uses to deploy the fixlet, but how can I fix this?
Does anyone have an idea?

Thx,

Robin

The script is running in 32-bit client mode. Before running the PowerShell command, add this to your action script:

Action uses wow64 redirection false

There are much easier methods for installing a feature, via dism.exe rather than this powershell.


I’ve actually started using

action uses wow64 redirection {not x64 of operating system}

in almost all of my actions now, because of random issues like this. The only exception is if I know for sure that I need something to run in 32-bit mode.

This will automatically detect if the operating system is 64-bit without having to use an IF statement. Thanks to jgstew for mentioning this in another thread.
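
The two errors in the log above are what a 32-bit PowerShell host sees on 64-bit Windows, and the check below makes that visible before anything is changed. It is an added example, not code from any poster in this thread: the function name `Test-KeyInView` is hypothetical, the registry key is the one from the original script, and the relaunch uses the `sysnative` alias that Windows exposes only to 32-bit processes.

```powershell
# Added example: report whether this host is subject to WOW64 redirection.
$IescKey = 'SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'

function Test-KeyInView {   # hypothetical helper name
    param([string]$SubKey, [Microsoft.Win32.RegistryView]$View)
    # Opening HKLM with an explicit view bypasses WOW64 registry redirection.
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)
        if ($key) { $key.Dispose(); return $true }
        return $false
    }
    finally { $base.Dispose() }
}

$report = [pscustomobject]@{
    Is64BitOS          = [Environment]::Is64BitOperatingSystem
    Is64BitProcess     = [Environment]::Is64BitProcess
    KeyIn64BitView     = Test-KeyInView $IescKey Registry64
    KeyIn32BitView     = Test-KeyInView $IescKey Registry32
    # Install-WindowsFeature lives in the ServerManager module.
    ServerManagerFound = [bool](Get-Module -ListAvailable -Name ServerManager)
}
$report | Format-List

if ($report.Is64BitOS -and -not $report.Is64BitProcess) {
    # 32-bit host on a 64-bit OS: HKLM:\SOFTWARE and System32 are redirected.
    # "sysnative" maps a 32-bit process to the real 64-bit System32 folder.
    $ps64 = Join-Path $env:WINDIR 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if ($PSCommandPath -and (Test-Path $ps64)) {
        Write-Output '32-bit host detected, relaunching in 64-bit PowerShell'
        & $ps64 -NoProfile -File $PSCommandPath @args
        exit $LASTEXITCODE
    }
}
```

When the action already sets `action uses wow64 redirection false`, the report shows `Is64BitProcess : True` and the relaunch branch is skipped.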

wow… wow64 did the work.

Thanks a lot for both your answers

I will do like you Mwolff, thanks for the tips.

Have a Nice day :smiley:

Hello again,
I have one more question, with the following script:

function E-Copy
{
    # Create the destination folder if it does not exist yet
    if (!(Test-Path $destination)) {
        mkdir $destination
    }
    Copy-Item -Path $source -Destination $destination
    # Binary-compare the source file with the copy
    fc.exe /B "$source" "$destination\$fileName"
    Write-Output ""
}

$fileName = "S1-IIStest.ps1"
$source = "\\SRV\share\script\$fileName"
$destination = "c:\Users\Public\Desktop"
Write-Output "Copy script S1-IIStest.ps1 to Desktop"
E-Copy

If I execute it locally on my computer, I get the following info in my log file:

Copy script S1-IIStest.ps1 to Desktop
Comparing files \\SRV\SHARE\SCRIPT\S1-IIStest.ps1 and C:\USERS\PUBLIC\DESKTOP\S1-IISTEST.
PS1
FC: no differences encountered

But if I launch my fixlet, I only have this in my log file:
Copy script S1-IIStest.ps1 to Desktop

Do you know why this happens?

Thx again

Robin

The BigFix client is running under the SYSTEM account, and does not have credentials to connect to your network share on another server.


The problem is not the copy, the problem is only the log of the error.
The copy works.