
How do I elevate all post-install tasks?

We are deploying an application called Admin By Request, which removes user accounts from the local Administrators group and allows them the specific permissions we configure. Our local admin account used for scripted installations is excluded, so it remains in the local Administrators group.


The problem is that when this app installs, it also re-enables UAC and prevents subsequent processes from running as admin. I have successfully disabled UAC again by setting the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA back to 0. This allows the local admin account to install applications and elevate automatically, but it breaks while trying to restore UAC, because it isn't running everything as admin by default. The reason I think this is the issue is that if I open Command Prompt during a scripted installation, it opens in a standard user context, which I can then elevate from. When I don't install Admin By Request, it is elevated automatically.


How does the SDA tell the local account to run everything as admin normally? If there's a registry value I can reset immediately after deploying Admin By Request, that would be an easy fix.
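A read-only diagnostic for the symptom described in the question, added here as an example and not taken from the thread or from KACE: run as a post-install task, it records the UAC policy values under the key named above and whether the task's own process token is elevated. The log path and function names are assumptions.

```powershell
# Added diagnostic (not from the thread): report UAC policy and token state
# from inside a post-install task. Read-only; it changes nothing.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueNames = 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'FilterAdministratorToken'

function Get-UacPolicyState {
    param([string]$Key = $policyKey, [string[]]$Names = $valueNames)
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $state = [ordered]@{}
    foreach ($name in $Names) {
        # A missing value is reported as such rather than guessed at
        if ($props -and ($props.PSObject.Properties.Name -contains $name)) {
            $state[$name] = $props.$name
        } else {
            $state[$name] = 'not set'
        }
    }
    [pscustomobject]$state
}

function Test-ProcessElevated {
    # True only when the current token carries the enabled Administrators group
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$report = [pscustomobject]@{
    Time     = (Get-Date).ToString('s')
    User     = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    Elevated = Test-ProcessElevated
    Policy   = Get-UacPolicyState
}

# Log path is an assumption; point it wherever your task logs are collected
$logPath = Join-Path $env:TEMP 'uac-state.log'
$report | ConvertTo-Json -Depth 3 | Add-Content -Path $logPath
$report | Format-List
```

Running it before and after the Admin By Request task shows which value changed. A change to EnableLUA takes effect only after a restart, so the logged registry value and the Elevated result can disagree until the next reboot.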



Answers (2)

Posted by: Unsullied 6 months ago
Senior White Belt
1

Hi Emma,

May I suggest that you move the 'Admin By Request' software installation towards the end of the post-install task sequence, perhaps just before the KACE cleanup in the SDA. Hence, all previous tasks requiring admin elevation will not be affected by this privilege management software yet.

If you have the KACE SMA, you can utilise smart labels & managed installation to install 'Admin By Request' as a post OS deployment installation. There are many ways you could go about it. Cheers.

Posted by: EmmaF 5 months ago
Yellow Belt
0
Good thinking, but we've tried both of those. If we simply move it to the end of the post-install task sequence, KACE cleanup fails. We've also tried an MI with a smart label looking for "SDA Deployment Time is within last two hours," but that comes with its own problems. If a scripted installation takes longer than two hours, it breaks. If it takes less than two hours before our techs box it up, it may be delivered without the application present.
 