3

I'm trying to deploy an MSI to remote computers using Invoke-Command, please see below.

It works if I run this script as "Domain\Administrator"; if I try to run this as a specified account, then the MSI fails to install. I have verified the account I'm running this as has local admin rights on all servers.

Is there a way to get PowerShell to elevate the permissions of the account if it's a member of local admins?

I want to avoid saving credentials in the script itself.

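```powershell
# Prompt for the account used on the remote side (nothing is stored in the script)
$cred = Get-Credential
$MSISource = "E:\DeploymentTool\Deploy.msi"
$csv = Import-Csv "C:\Scripts\Deploylist.csv"
$csv | ForEach-Object {
    $Server = $_.Server
    # Stage the package on the target through the E$ admin share
    Copy-Item $MSISource -Destination "\\$Server\E$\temp\Deploy.msi" -Force
    # Run the silent install on the target under the supplied credential
    Invoke-Command -ComputerName $Server -Credential $cred -ScriptBlock {
        Msiexec /i "E:\temp\Deploy.msi" /quiet /qn /norestart /log E:\temp\MSIInstall.txt
    }
}
```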
Ansgar Wiechers
Milkman_2009
  • Hi, check this: https://www.metisit.com/blog/securely-storing-credentials-with-powershell/ I know there is also an option to generate a text file with an encrypted password and then reuse it with some specific commands, but I currently cannot find it; at least I found [an SO discussion about it](https://stackoverflow.com/questions/7468389/powershell-decode-system-security-securestring-to-readable-password) – xxxvodnikxxx Mar 12 '19 at 12:24
  • You can create a custom [PSSessionConfiguration](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssessionconfigurationfile?view=powershell-6), that runs as an admin, no matter who connects. Sounds like a potential security hole, but with a bit of work you can severely limit what commands are allowed in the session, so only the ones you want users to run are available. – boxdog Mar 12 '19 at 12:29
  • Thanks for the suggestions both, really appreciated. It is the "Invoke-Command" on the remote side that requires the elevated rights; not sure if I'm reading it wrong, but wouldn't the PSSessionConfig be a solution if you wanted elevated privileges on the host side? – Milkman_2009 Mar 12 '19 at 14:04
  • @Milkman_2009. If you create a [constrained endpoint](https://devblogs.microsoft.com/scripting/introduction-to-powershell-endpoints/) on the target, then you can connect using the settings you specify (including elevation) by passing the name of the configuration using the `-ConfigurationName` parameter on [Invoke-Command](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-6). – boxdog Mar 12 '19 at 14:55
  • @boxdog, that seems to be the answer to my question. Thanks for your help – Milkman_2009 Mar 13 '19 at 11:40
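
The constrained endpoint suggested in the comments above could look like the following. This is an added example, not code from the question or from any commenter. The endpoint name `MsiDeploy`, the function `Install-DeployMsi` and the `C:\JEA` paths are hypothetical, and PowerShell 5.0 or later is assumed on the targets.

```powershell
# --- On each target server, in an elevated PowerShell 5.0+ session ---
# 'MsiDeploy', Install-DeployMsi and C:\JEA are hypothetical names for this example.
$configName  = 'MsiDeploy'
$psscPath    = 'C:\JEA\MsiDeploy.pssc'
$transcripts = 'C:\JEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null

# The only command callers may run. Path and switches are fixed, so a caller
# cannot pass a different package or different msiexec options.
$installFunction = @{
    Name        = 'Install-DeployMsi'
    ScriptBlock = {
        $msiArgs = '/i "E:\temp\Deploy.msi" /quiet /qn /norestart /log E:\temp\MSIInstall.txt'
        $p = Microsoft.PowerShell.Management\Start-Process `
                 -FilePath "$env:SystemRoot\System32\msiexec.exe" `
                 -ArgumentList $msiArgs -Wait -PassThru
        $p.ExitCode   # 0 = success, 3010 = success but a reboot is required
    }
}

# RunAsVirtualAccount: commands run as a temporary local administrator,
# whichever permitted user connects. NoLanguage + RestrictedRemoteServer
# hide everything except the function made visible below.
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -LanguageMode NoLanguage `
    -RunAsVirtualAccount `
    -FunctionDefinitions $installFunction `
    -VisibleFunctions 'Install-DeployMsi' `
    -TranscriptDirectory $transcripts

Test-PSSessionConfigurationFile -Path $psscPath   # True when the file is valid
Register-PSSessionConfiguration -Name $configName -Path $psscPath -Force

# Review who is allowed to connect before relying on the endpoint.
Get-PSSessionConfiguration -Name $configName | Select-Object Name, Permission

# --- On the deployment host, inside the ForEach-Object loop from the question ---
# $Server comes from the CSV row, exactly as in the original script.
$cred = Get-Credential
Invoke-Command -ComputerName $Server -Credential $cred `
    -ConfigurationName 'MsiDeploy' -ScriptBlock { Install-DeployMsi }
```

Because the endpoint installs whatever sits at `E:\temp\Deploy.msi` with administrator rights, write access to that folder should be limited to the accounts trusted to stage packages.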

1 Answer

0

I had a similar problem. I wanted to install node.msi on a remote computer using Invoke-Command.

For elevation, we can use -Verb RunAs in the Start-Process command. The updated code is written below.

```powershell
$cred = Get-Credential
$MSISource = "E:\DeploymentTool\Deploy.msi"
$csv = Import-Csv "C:\Scripts\Deploylist.csv"
$csv | ForEach-Object {
    $Server = $_.Server
    # Stage the package on the target through the E$ admin share
    Copy-Item $MSISource -Destination "\\$Server\E$\temp\Deploy.msi" -Force
    Invoke-Command -ComputerName $Server -Credential $cred -ScriptBlock {
        # Launch the install from a new PowerShell process started with -Verb RunAs
        Start-Process powershell.exe -Verb RunAs -ArgumentList ('Msiexec /i "E:\temp\Deploy.msi" /quiet /qn /norestart /log E:\temp\MSIInstall.txt')
    }
}
```

Now, if this gives the error below for an account with local admin rights:

This command cannot be run due to the error: This operation requires an interactive window station.

I made the following change in the registry, as the key did not exist, to make it work:

enter image description here

Namit Agarwal