Please understand that I am new to writing Fixlet data. However, I am trying to perform a simple task, and while I am still learning, the answer continues to elude me. I am the equivalent of an end-user knowledge level when it comes to BigFix. I have someone who is an expert, but his time is limited, so I am turning to the support community. If you know of articles, KBs, or other support docs, I would be grateful if you could point me to them, as I have searched the resources and some of the information is way above my head.
That said, I need to execute a simple command pertaining to Bitlocker Drive Encryption (manage-bde.exe -on c:). Target devices will be determined by a WMI string. That part works. When authoring the Fixlet in the Debugger I continually get an Access Denied. The reason for this is that the SYSTEM account that it’s executing in does not have Local Administrator rights. I know that RunAsAdministrator will work for this. What I am looking for is the proper code/relevance data to execute RunAsAdministrator and execute the command.
One of the drawbacks of being an apprentice to someone who’s too busy to help is you get half-answers and have to fill in the details yourself, but without confirmation that the half-answers are correct. Which, in this case, they’re not.
System has local administrator rights.
You’re probably running the debugger as yourself and you might not have admin rights, that’s why the debugger isn’t running as an admin.
This article has suggestions for running a command prompt as system, you can also use that info to run the debugger as system. That will give you a much better idea of what’s happening when the BigFix client tries to use your relevance.
Thanks for the reply. Actually, I ran the debugger under an account with local admin. I have tested it on a device as SYSTEM and it failed, stating it did not have sufficient rights. The experienced technician stated he’d seen this before and had to use RunAsUser.exe to kick off such a command.
I found this may be easier to do by copying a batch file over and executing it locally. However, the Action code I use comes up invalid. Can someone validate/correct this statement please?
I am basically trying to use the action to copy the BAT file from \\SERVER\SHARE called BLFIX.BAT to the local directory of C:\Windows\FIXBAT. I will then execute it on the next line.
Thanks Noah. I did that now and found that it’s just easier to use DOS commands to do this. A simple MKDIR and then COPY works. However, now I run into a key issue. BigFix operates under the SYSTEM account, which, in our environment, doesn’t have the ability to issue commands to the MANAGE-BDE task of Bitlocker. So I am left wondering how to specify credentials to run the batch file under.
While I have been vague, let me detail out my issue, the steps I’m taking, and the desired result. This may help understand my struggle.
We are using Bitlocker Drive Encryption. As a result of an update some devices suspended their Bitlocker protection. A simple solution is sending the CMD Manage-BDE.exe --on c: (extended: c:\windows\system32\manage-bde.exe -on c:) - This resumes the protection.
Here are my hurdles:
I need to issue this command on the local device.
I need it to run with local admin rights (I can supply pre-set credentials) - otherwise it will fail
*NOTE I have seen many people post about how the SYSTEM account has rights to do this, they don’t
I’m starting to think SCCM might have been the best way to do this as opposed to the hours I have put in to attempt to compile what would seem to be an easy task.
Can anyone please tell me, at a very granular level, how to do this?
Click on the “BigFix Labs Management” dashboard in the left navigation control (it should be at the top).
Scroll down in the main content area.
There should be two sites listed: Win7 Migration and Bitlocker.
Enable the Bitlocker site.
Assign the site to at least one computer.
It doesn’t appear that we have a “turn on encryption” fixlet, but there might be enough information in the existing fixlets to help you with your task.