
I need to query some WMI values using PowerShell from Windows 10 devices. The script is executed in the context of a non-admin user by some software distribution tooling.

There is a local admin account, and for the current purpose (retrieving information before wiping the system) it wouldn't be a problem to put the password in the script. As automation is a hard requirement, there is no way to deal with UAC windows or to have the user enter credentials.

Is there any way to get

    $sess = New-CimSession -Credential $admincred

to work without running into `Access is denied`, because it isn't run in an elevated context? Can I somehow self-elevate it by just having the admin credentials?

[Edit]

The comments asked to provide more concrete information:

I want to onboard many unmanaged (i.e. no software distribution tool, no domain join) Windows 10 devices to Windows Autopilot.

  • The devices are not at a specific site.

  • The device vendor can't provide the information.

  • The users don't have administrative privileges.

  • The users don't know the local admin password (I do).

  • Exposing the local admin password is less of a problem than the missing tech knowledge of the users (the password is considered legacy).

  • The firewall is preventing incoming traffic (no RDP, WinRM).

  • Code (Source):

    $devDetail = (Get-CimInstance -CimSession $session -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter "InstanceID='Ext' AND ParentID='./DevDetail'")

It is too time-consuming to get the information using manual remote sessions with a tool like TeamViewer. Getting the users to download a tool from the intranet and running it would be a way to go. So I created a standalone application that builds and runs a customized PowerShell script. What won't work is getting it to run in an elevated session. I always end up with `Access is denied`.

muffel
  • Are you providing the local admin password? – Abraham Zinala Dec 20 '21 at 17:46
  • @AbrahamZinala yes, but I'm still ending up with `Access is denied` – muffel Dec 21 '21 at 08:42
  • Related: [Is it possible to run a command headlessly (in a bat script) as another user on Windows?](https://stackoverflow.com/q/14862230/11942268) – stackprotector Dec 21 '21 at 12:12
  • How do you trigger this code? It sounds like an XY problem without some more details of the context. – Zafer Balkan Dec 26 '21 at 21:56
  • (There isn't much background on what your WMI query is supposed to do...) What about running your WMI query / script under the SYSTEM account without the `-Credential` parameter (using the SYSTEM account), see: [Scheduled Task Powershell Script - Runs OK as user account, but not as SYSTEM](https://stackoverflow.com/a/51612478/1701026)? With your local administrator credentials ($admincred?), you should be able to build something like a startup script or a scheduled task that runs under the SYSTEM account. – iRon Dec 27 '21 at 14:46
  • @ZaferBalkan I don't actually care, as long as I can get it to work. I extended my question. – muffel Dec 31 '21 at 09:16
  • @iRon I extended the question to contain information about the exact query – muffel Dec 31 '21 at 09:16
  • @muffel Could you please elaborate more on "So I created a standalone application that builds and runs a customized PowerShell script." – CraftyB Dec 31 '21 at 23:07

1 Answer

> Can I somehow self-elevate it by just having the admin credentials?

No, you cannot. UAC is designed to prevent exactly what you are trying to do. Related Q&A:

There may be many workarounds, but they will all have in common that you have to go to your machines (locally or remotely) at least once, gain administrative privileges and prepare something, e.g.:

  • A scheduled task that runs under your local administrator account or under SYSTEM and triggers the execution of your script
  • Disabling UAC (temporarily) (not recommended either way)
  • Installing any remote management software, services or accounts (with extra run as background job privilege)
stackprotector
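
The scheduled-task workaround from the answer above, as an added example that is not part of the original answer. It is a one-time setup run from an elevated session; the task name, directories and output file are hypothetical, and it assumes the query from the question returns the instance when run locally as SYSTEM.

```powershell
# Added example. Run ONCE from an elevated PowerShell session on the device.
# Task name, directories and file names below are hypothetical.
$taskName  = 'AutopilotInventory'
$scriptDir = Join-Path $env:ProgramFiles 'AutopilotInventory'  # default ACL: admins write, users read
$outDir    = Join-Path $env:ProgramData  'AutopilotInventory'  # result is readable by standard users
$script    = Join-Path $scriptDir 'Get-DevDetail.ps1'

# Fail early when not elevated: registering a task that runs as SYSTEM requires it.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this setup from an elevated session.'
}

New-Item -ItemType Directory -Path $scriptDir, $outDir -Force | Out-Null

# Worker script: the query from the question, run locally, so no CIM session
# and no stored admin credential are needed.
@'
$filter    = "InstanceID='Ext' AND ParentID='./DevDetail'"
$devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -Class MDM_DevDetail_Ext01 -Filter $filter
$out       = Join-Path $env:ProgramData 'AutopilotInventory\devdetail.xml'
$devDetail | Export-Clixml -Path $out
'@ | Set-Content -Path $script -Encoding UTF8

# The task runs the worker as SYSTEM. The script must stay in a directory that
# standard users cannot write to; otherwise editing it gives them code execution as SYSTEM.
# -ExecutionPolicy Bypass applies to this one process only (client default is Restricted).
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Force | Out-Null

# Run it once now instead of waiting for the next boot.
Start-ScheduledTask -TaskName $taskName

# Clean up after the result has been collected:
#   Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
```

Once the task is registered, the non-admin distribution context only needs to read the output file; no password has to be embedded in the user-side script.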