
I have a task of installing applications through Intune. 98% of all the installations are fine, but I have an issue with some of them.

The issue is when an application can't be installed or just run by the system account.

I've tried to create a local admin account and then let the script start the other script as that account, but here Windows security kicks in: the system account is not allowed to run Start-Process.

I use PSExec64.exe to start powershell.exe.

Here is the code to do the install:

# Create a throw-away local administrator with a random 32-character password
$InstallUser = "IntuneInstaller"
$password = -join ((33..126) | Get-Random -Count 32 | ForEach-Object {[char]$_})

$passwordSecure = ConvertTo-SecureString -AsPlainText $password -Force

$null = New-LocalUser "$InstallUser" -Password $passwordSecure -FullName "$InstallUser" -Description "Automated Install Account" -AccountNeverExpires -PasswordNeverExpires
Add-LocalGroupMember -Group "Administrators" -Member "$InstallUser" -ErrorAction SilentlyContinue

$Credentials = New-Object System.Management.Automation.PSCredential -ArgumentList @($InstallUser,$passwordSecure)

# Run the install script as that account (this is the line that fails under SYSTEM)
Start-Process PowerShell.exe -Credential ($Credentials) -WorkingDirectory "c:\sysman" -ArgumentList "c:\SysMan\WriteMyNameInTheSand.ps1 -MyName $env:USERNAME -MyLocation c:\sysman -MyMessage $password" -Wait -WindowStyle Hidden

# Clean up the temporary account
Remove-LocalUser -Name "$InstallUser"

It works fine if I run it as administrator, but if I run it as the SYSTEM account I get the error:

Start-Process : This command cannot be run due to the error: Access is denied.
At C:\SysMan\RunInstallAsAdminUser.ps1:20 char:1
+ Start-Process Powershell.exe -Credential ($Credentials) -WorkingDirec ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

Anyone with a good suggestion?

Jeaninez - MSFT
  • Note that `Start-Process -Credential` never creates an _elevated_ session, so if your installer requires that, it may explain the error. – mklement0 Apr 25 '22 at 22:05

1 Answer

The troubleshooting question here is:

  • When you rerun it in the same environment, does it always fail?

The point is that you take for the password all the characters between [char]33 and [char]126, which might include characters that affect or even break the command line for the PowerShell.exe command-line interface, e.g. a single quote ('):

$Message = "te'st"
Start-Process PowerShell.exe -ArgumentList "-NoExit", "-Command Write-Host $Message" -Wait

The string is missing the terminator: '.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : TerminatorExpectedAtEndOfString

In other words, you might want to use a more sophisticated password generator, as in this question.

Creating a temporary account with a random password might be a smart thing to do here but passing a plaintext password to the C:\SysMan\RunInstallAsAdminUser.ps1 script isn't secure (someone might simply spoof that script and create a few other admin accounts).

As for the ConvertTo-SecureString -AsPlainText $password -Force statement: a SecureString shouldn't be used, and if you do use one:

⚠️ Important

A SecureString object should never be constructed from a String, because the sensitive data is already subject to the memory persistence consequences of the immutable String class. The best way to construct a SecureString object is from a character-at-a-time unmanaged source, such as the Console.ReadKey method.

Meaning instead of this:

$password = -join ((65..90) | Get-Random -Count 32 | ForEach-Object {[char]$_})
$passwordSecure = ConvertTo-SecureString -AsPlainText $password -Force

It is safer to do this:

$passwordSecure = [SecureString]::New()
(65..90) | Get-Random -Count 32 | ForEach-Object { $passwordSecure.AppendChar([Char]$_) }
mklement0
iRon
  • Good points, but I still wonder if the lack of elevation is the primary problem here. – mklement0 Apr 26 '22 at 21:52
  • The problem was not the password string, but the fact that the system account is not allowed to do Start-Process using the -Credential flag. It makes sense that a system account should not be able to start a process as a user. Yes, the system starts a process as a local/domain user in a scheduled task, but there it is flagged as started as a scheduled task. – k.snorrason Apr 28 '22 at 18:33
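The following is an added example, not code from the question or from iRon's answer. It puts the answer's two points into one script: the temporary account's password is appended character by character into a SecureString (no plaintext String is ever created) from an alphabet that cannot break a command line, and the plaintext is never placed on the PowerShell.exe argument list, so the -MyMessage $password argument from the question is dropped. The function names New-RandomSecurePassword and Invoke-AsTempAdmin and their parameters are hypothetical; the account name and the paths are the ones from the question.

```powershell
function New-RandomSecurePassword {
    param([int]$Length = 32)
    # Letters, digits and a few symbols. Quotes, backslash, $, `, |, &, <, >,
    # parentheses, semicolon, % and whitespace are deliberately left out, so the
    # value can never be mis-parsed if it ever does reach a command-line parser.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#+=_'
    $count    = [uint32]$alphabet.Length
    # Largest multiple of $count that fits in a uint32; draws at or above it are
    # rejected so that every character of the alphabet is equally likely.
    $limit    = [uint32]::MaxValue - ([uint32]::MaxValue % $count)
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer   = New-Object byte[] 4
    $secure   = New-Object System.Security.SecureString
    try {
        for ($i = 0; $i -lt $Length; $i++) {
            do {
                $rng.GetBytes($buffer)
                $n = [System.BitConverter]::ToUInt32($buffer, 0)
            } while ($n -ge $limit)
            # Append straight into the SecureString; the character never lives
            # in an immutable .NET String (the point of the quoted docs note).
            $secure.AppendChar($alphabet[[int]($n % $count)])
        }
    }
    finally {
        $rng.Dispose()
    }
    $secure.MakeReadOnly()
    return $secure
}

function Invoke-AsTempAdmin {
    param(
        [string]$ScriptPath = 'C:\SysMan\WriteMyNameInTheSand.ps1',  # from the question
        [string]$WorkDir    = 'C:\SysMan',
        [string]$User       = 'IntuneInstaller'
    )
    $passwordSecure = New-RandomSecurePassword
    $null = New-LocalUser -Name $User -Password $passwordSecure -FullName $User `
        -Description 'Automated Install Account' -AccountNeverExpires -PasswordNeverExpires
    try {
        Add-LocalGroupMember -Group 'Administrators' -Member $User
        $cred = New-Object System.Management.Automation.PSCredential ($User, $passwordSecure)
        # One array element per argument and quoted paths, so a space in a path
        # or an odd character in the caller's user name is not re-parsed.
        # The password is not on this list: the child authenticates through
        # $cred, which keeps the secret out of process-command-line logging.
        $argumentList = @(
            '-NoProfile',
            '-File', ('"{0}"' -f $ScriptPath),
            '-MyName', $env:USERNAME,
            '-MyLocation', ('"{0}"' -f $WorkDir)
        )
        Start-Process -FilePath 'PowerShell.exe' -Credential $cred -WorkingDirectory $WorkDir `
            -ArgumentList $argumentList -Wait -WindowStyle Hidden
    }
    finally {
        # The temporary administrator is removed even when the install throws.
        Remove-LocalUser -Name $User -ErrorAction SilentlyContinue
    }
}

# Usage (run from an administrator session):
# Invoke-AsTempAdmin
```

Invoke-AsTempAdmin covers the case the question says already works, an administrator session. It does not change the two facts stated in the comments above: Start-Process -Credential never produces an elevated session, and when the caller is the SYSTEM account the -Credential call is refused with "Access is denied", which is why the asker ended up running the install through a scheduled task instead.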