/build/static/layout/Breadcrumb_cap_w.png
03/02/2017 2352 views
I'm trying to run a number of powershell scripts via K1000 scripting. The scripts remove unwanted metro apps and onedrive from Windows 10. This is for an in-place upgrade situation, its already been implemented into our standard image.

I'm calling the powershell script via K1000, via step "run the batch file .." which uses the following batch command:
powershell.exe -ExecutionPolicy Bypass -File remove-apps.ps1

When running manually on a test PC as the local administrator account, the Script will fail with "Access Denied" messages when attempting to remove each app when run in a regular cmd prompt. When run in an elevated cmd prompt (Run as administrator/UAC) the script runs successfully.

I believe the script is failing due to the command not having this elevation when run from the K1000.
I've tried using both an Offline Kscript and and Online Kscript (specifying the local administrator account)
I've tried utilising psexec in the script, but this requires elevation in itself, so run into the same issue.
I've tried creating a scheduled task with elevated privelages, but in order to import this task on another computer that would also require elevation.
Even turning off UAC on the machine, the script still fails.

Am I right in my suspicions that the script is not being elevated at all?
Does anyone have any suggestions in how to achieve this, or another method you could recommend?

Thanks
Answer Summary:
0 Comments   [ + ] Show comments

Comments


Answer Chosen by the Author

1
After hitting many brick walls... I eventually solved my problem. 
Found this helpful tool - 
https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396

Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended. 

My final script was:

REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
elevate %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
ping -n 60 localhost>nul
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
Answered 03/09/2017 by: rjonesdj
Orange Senior Belt


Community Chosen Answer

1
Thanks rockhead.

I have been trying to use the -Ver RunAs argument; to no success so far... but I will definetly give your .bat template a go.
At the moment, Im going down a slighty different route making use of this - https://gist.github.com/TaoK/1582185
Seems to achieve what I want when run locally, will be testing how it runs via k1000 this morning.
Answered 03/03/2017 by: rjonesdj
Orange Senior Belt

  • Looks nice. Please let me know what you find that works.
    • So far nothing...
      Seems UAC is doing what its supposed to, and is very difficult to circumvent.
      But even with UAC disabled, I cant get these particular powershell commands to work.
    • After hitting many brick walls... I eventually solved my problem.
      Found this helpful tool -
      https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396

      Using this along with temporarily disabling UAC prompts via registry allowed the powershelll commands to run with elevation as intended.

      My final script was:

      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
      elevate %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -executionpolicy bypass -file remove-default-apps.ps1
      ping -n 60 localhost>nul
      REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 5 /f
      • @rjonesdj...looks like you and I are hitting the same brick walls. I am trying to replicate what you just suggested but am running into additional Access denied issues...and as I am not that adept at scripting I was hoping for a bit more clarity.

        1) Was this a bat file run through Kace?
        2) Which user did you use to execute? System, other domain user, etc.?
        3) Were there any Parameters required to be placed in the Kace admin?

        Thanks a lot for any input you can provide! It looks as if you are very close to helping solve my headaches.
      • @hollistd
        I know all about those headaches, Iv'e been losing my sanity over this the past week!

        To answer your questions:
        1) bat file created on KACE, and run via KACE.
        2) Its an offline script, no account is specified, so using System account which I believe is the default for this.
        3) I had no other parameters outside of the bat file.

        The bat file had a number of dependencies-
        elevate.cmd and elevate .vbs (from here - https://technet.microsoft.com/en-gb/library/d08d6a02-4d5b-4929-87ad-98f03be11898?f=255&MSPPError=-2147217396)
        remove-default-apps.ps1 (powershell script from here - https://github.com/W4RH4WK/Debloat-Windows-10)

        Good luck

All Answers

0
You can use this as a guide

https://support.quest.com/kb/148903

The only time I have done it, my .bat looked like this:

================================================================================================

@ECHO OFF
SET ThisScriptsDirectory=%~dp0
SET PowerShellScriptPath=%ThisScriptsDirectory%MyPowerShellScript.ps1
PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& {Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File ""C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\255\OSDT.ps1""' -Verb RunAs}";


=============================================================================================

I believe the     -Verb RunAs     was the key. It has been a while since I ran this so my memory is a bit fuzzy. 
Answered 03/02/2017 by: rockhead44
Red Belt