UAC Stop the Action Script Silently

Hi All,

Do you know how to bypass UAC when deploying action script ?
Currently we have an action script to install Microsoft OneDrive, and because of the behaviour of Microsoft OneDrive, which can’t be installed by the local system user, we have to use the current user to run the installation (if I use the PsExec tool the process is done but no application is installed in Control Panel),

But since UAC is active, when the action script is running, it gives a pop-up message that asks the user to approve or reject the installation,

I have tried using both an action script written manually and an action script generated by Software Distribution, but it is still the same,
I have tried to use the RunAsCurrentUser.exe tool but it is still the same too,

If I disable UAC, the action script runs well, but I want to deploy the application silently without any user action.

The link below shows how to disable UAC, but we need to restart each computer and then activate it again after deploying the application; not sure if this is the best solution for my case:
https://www.bigfix.me/fixlet/details/1376

Please advise,

Many Thanks
Achmad

I think, for now, your choices are

  • Disable UAC and run your script, or
  • Develop a program like “RunAsCurrentUserElevated.exe” to run with an elevated token. RunAsCurrentUser.exe or Override runas=localuser will run the command with a restricted token.

Your third option is to configure a scheduled task to run with whatever privileges are needed.

Hi Akira,

Can you please tell me a bit about elevated token ?

Thanks

Hi JonL,

Let me check it first about this, never tried it before,

Thanks

We use all three methods depending on the situation.

In the scheduled task method, we dynamically create a task configuration XML where we set the advanced options. Then we call the XML to create the task. You can tailor it to run as a particular user and also force it to run with high privileges. Since the XML is dynamically generated, it can be adapted based on any criteria - think subnet, machine role, geo, naming conventions, etc.

It is also a useful mechanism where credentials are needed to reach a network resource. At least on Windows it is handy to store credentials in Windows Credential Manager. Then scripts do not need credentials in them, but can simply be called by a scheduled task in the appropriate user context, leveraging the cached credentials. This approach works for both local and domain accounts.
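The scheduled-task method described in the post above, written out as an added example in BigFix ActionScript (this is not code from the thread or from BigFix's own content). The task name, the staging path `C:\Temp\Deploy\OneDriveSetup.exe`, the `/silent` switch and the use of the `name of current user` inspector are assumptions made for the example:

```bigfix
// Added example, not from the thread. Run only when someone is logged on,
// because a task with LogonType InteractiveToken needs that user's session.
continue if {exists current user}

parameter "TaskName" = "Deploy-OneDrive"
parameter "TaskXml"  = "{pathname of windows folder}\Temp\Deploy-OneDrive.xml"

// Build the task definition XML dynamically. RunLevel HighestAvailable makes
// Task Scheduler use the user's elevated token when that user is a member of
// Administrators, so no UAC consent prompt is shown.
delete __appendfile
appendfile <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
appendfile   <Principals>
appendfile     <Principal id="Author">
appendfile       <UserId>{name of current user}</UserId>
appendfile       <LogonType>InteractiveToken</LogonType>
appendfile       <RunLevel>HighestAvailable</RunLevel>
appendfile     </Principal>
appendfile   </Principals>
appendfile   <Settings>
appendfile     <AllowStartOnDemand>true</AllowStartOnDemand>
appendfile     <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
appendfile     <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
appendfile     <Hidden>true</Hidden>
appendfile   </Settings>
appendfile   <Actions Context="Author">
appendfile     <Exec>
appendfile       <Command>C:\Temp\Deploy\OneDriveSetup.exe</Command>
appendfile       <Arguments>/silent</Arguments>
appendfile     </Exec>
appendfile   </Actions>
appendfile </Task>

delete "{parameter "TaskXml"}"
move __appendfile "{parameter "TaskXml"}"

// Register the task from the XML (no password is needed for an interactive-token
// task) and start it immediately; the agent itself keeps running as Local System.
waithidden "{pathname of system folder}\schtasks.exe" /Create /TN "{parameter "TaskName"}" /XML "{parameter "TaskXml"}" /F
waithidden "{pathname of system folder}\schtasks.exe" /Run /TN "{parameter "TaskName"}"
```

Two caveats a practitioner should keep in mind. `schtasks /Run` returns as soon as the task is started, so the action's exit code says nothing about whether the installer succeeded; check for the installed product in a separate relevance clause and remove the task afterwards with `schtasks /Delete /TN "Deploy-OneDrive" /F`. And because the task runs the command with the user's elevated token, stage the installer in a directory standard users cannot write to; if the logged-on user is not an administrator, `HighestAvailable` simply runs the task with that user's normal token, which is the situation where the installer would fail rather than prompt.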

I mean C/C++ programming with the Win32 API.
When you log on where UAC is enabled, and your account is a member of the Administrators group but not the built-in Administrator, then you have two tokens, Restricted and Elevated.
The Restricted one is the one used when you start a program from Command Prompt, and Elevated is the one used when you start a program from “Administrator: Command Prompt.”

When you use Override RunAs=CurrentUser or RunAs=LocalUser, the Restricted token is used and any program that requires administrative privilege will not run.
BigFix Agent runs as Local System, and for a program with the Local System account, there is a way to retrieve the Elevated token.

The desired solution would be BigFix Override to have parameter like elevation=true and use Elevated token to run the command, but this is currently not available.

For that specific circumstance, a scheduled task is likely the only way to achieve that result. So instead of BigFix executing directly, you’d need to create the task XML with the desired parameters, then schedule it to run as the desired user with the elevated token.


Does anyone know if this functionality is on the roadmap? We have several scenarios when we would need this as well.

I believe this was recently delivered. I don’t remember what client version is required:

See asadmin here: https://developer.bigfix.com/action-script/reference/execution/override.html

As jgstew mentioned, starting from 9.5.7, override has asadmin keyword.

The asadmin does more than just elevation, but it uses the Elevated token to run the command.
One note is that it requires you to provide authentication information (password), in addition to the user ID.

Yes, we’re at 9.5.7 and I tested this pretty thoroughly yesterday. The problem is, we require PIV enforcement here so passwords won’t authenticate on our workstations. Guess I’ll just submit a PMR for our use case and hope it gets added to the roadmap.

Do you mean Smart Card?
It sounds more like an RFE (Request For Enhancement) than a PMR.

Indeed I do, and you’re right – I’ll likely have to submit an RFE for this (if one doesn’t already exist).