Bundling multiple MSIs, mixed context

I am bundling 5 MSIs that need to be run in a specific order, 3 of which run under system context, 2 need to run as the currently logged-in user (steps 2 & 3).

Can this be done in a single script?

I tried the “Execute-ProcessAsUser” for the MSI needing local user, the process fails:

  1. the Task Schedule is generated as the elevated user used to launch the PS session (LabAdmin), not the currently logged on user (TestUser1).
  2. The permissions for the Scheduled Task fail to be created for the elevated account.

Log snippet:

[Installation] :: Copying [C:\temp\AdeptBundle\PSAppDeployToolkit_3.10.0\AppDeployToolkit\RunHidden.vbs] to destination [C:\Users\labadmin\AppData\Local\Temp\PSAppDeployToolkit\ExecuteAsUser]. Execute-ProcessAsUser 5/4/2024 2:42:00 PM 1248 (0x04E0)
[Installation] :: Setting permissions [Permissions:Read, InheritanceFlags:None, PropagationFlags:None, AccessControlType:Allow, Method:Add] on path [C:\Users\labadmin\AppData\Local\Temp\PSAppDeployToolkit\ExecuteAsUser\RunHidden.vbs] for user [C:\temp\AdeptBundle\PSAppDeployToolkit_3.10.0\Files\ClientServices.msi /passive]. Set-ItemPermission 5/4/2024 2:42:00 PM 1248 (0x04E0)
[Installation] :: Failed to set read permissions on path [C:\Users\labadmin\AppData\Local\Temp\PSAppDeployToolkit\ExecuteAsUser\RunHidden.vbs]. The function might not be able to work correctly. Execute-ProcessAsUser 5/4/2024 2:42:00 PM 1248 (0x04E0)
[Installation] :: Setting permissions [Permissions:Read, InheritanceFlags:None, PropagationFlags:None, AccessControlType:Allow, Method:Add] on path [C:\Users\labadmin\AppData\Local\Temp\PSAppDeployToolkit\PSAppDeployToolkit-ExecuteAsUser-001.xml] for user [C:\temp\AdeptBundle\PSAppDeployToolkit_3.10.0\Files\ClientServices.msi /passive]. Set-ItemPermission 5/4/2024 2:42:01 PM 1248 (0x04E0)
[Installation] :: Failed to export the scheduled task XML file [C:\Users\labadmin\AppData\Local\Temp\PSAppDeployToolkit\PSAppDeployToolkit-ExecuteAsUser-001.xml].

Appreciate any feedback and guidance.

Do the user MSIs need an admin account to install for that user?

FYI: there is a newer version of PSADT available.

No, they run for the user (no admin prompt).

I haven’t had need of Execute-ProcessAsUser so maybe I’m off base. However, your log seems to be referring to ClientServices.msi as a user. That would seem to point to a problem with your code.

for user [C:\temp\AdeptBundle\PSAppDeployToolkit_3.10.0\Files\ClientServices.msi

Have you tried the 3.10.1 version that just came out?

Execute-ProcessAsUser is meant to be launched while PSADT is running as SYSTEM.

If you are trying to run your idea without SCCM or Intune, you should be logged in as the user (TestUser1) and launching PSADT using RunAs the admin account (LabAdmin).

I missed the latest revision and will try that next.

I am testing outside of CM, logged on as the testuser1 account with elevated session as the lab admin to execute the script.

Really appreciate the feedback! Thanks!

The 3.10.1 update fixed the issue of setting the read permissions but the msi still installs under the LabAdmin account from which the PS1 script is launched.

Is it possible that the Execute-ProcessAsUser cannot be used with MSI or EXE? Apologies as I am a newbie to the PSADT tool. If anyone has a link to videos or blogs that address bundles, I would appreciate it.

So you know, the application components install as expected if run individually in Software Center (in the sequence requested by the vendor). While laborious, this is the current process the users are following with instructions.

I considered both Task Sequence and Application Group, but each has its own limitations in this scenario.

This is the command line I am using under the installation section:
Execute-ProcessAsUser -Path 'ClientServices.msi' (with and without the 'least privilege' parameter).

Sample screen shots attached.

Thanks,
sgb

Follow-up to the above… I may have answered my own question.

I tried again with the following and the MSI interacts with the local profile and now installs in the logged on user profile.

Execute-ProcessAsUser -Path "$PSHOME\powershell.exe" -Parameters "-Command `"& { & 'C:\Temp\ClientServices.msi'; Exit `$LastExitCode }`"" -RunLevel 'LeastPrivilege'

There still appears to be a separate issue if the product exists on another profile, but I will tackle that separately.

Appreciate everyone’s patience. Cheers!
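
One way to run the whole five-step sequence from a single Deploy-Application.ps1 under PSADT 3.10.x, added here as an example and not code from any poster or from the PSADT project. It assumes the toolkit is launched as SYSTEM (for example by Configuration Manager), that the logged-on user can read the files under $dirFiles, and that the per-user MSIs accept a silent msiexec install; every MSI name except ClientServices.msi is a placeholder.

```powershell
# Added example for the Installation phase of Deploy-Application.ps1 (PSADT 3.10.x).
# MSI names other than ClientServices.msi are placeholders; steps 2 and 3 are the user steps.
$steps = @(
    @{ Msi = 'Step1-System.msi';   AsUser = $false }
    @{ Msi = 'ClientServices.msi'; AsUser = $true  }
    @{ Msi = 'Step3-User.msi';     AsUser = $true  }
    @{ Msi = 'Step4-System.msi';   AsUser = $false }
    @{ Msi = 'Step5-System.msi';   AsUser = $false }
)
$src = 'MixedContextBundle'   # arbitrary label used as the log source

# Execute-ProcessAsUser is meant to be called while the toolkit runs as SYSTEM. In the
# thread, launching from an elevated LabAdmin session left the install under LabAdmin.
if (-not $IsLocalSystemAccount) {
    Write-Log -Message "Running as [$ProcessNTAccount], not SYSTEM; stopping before any step runs." -Severity 3 -Source $src
    Exit-Script -ExitCode 69001   # 69000-69999 is the range PSADT leaves for custom exit codes
}
if (-not $RunAsActiveUser) {
    Write-Log -Message 'No logged-on user session found for the user-context steps.' -Severity 3 -Source $src
    Exit-Script -ExitCode 69002
}

foreach ($step in $steps) {
    $msiPath = Join-Path -Path $dirFiles -ChildPath $step.Msi
    if (-not $step.AsUser) {
        # SYSTEM context: Execute-MSI evaluates the exit code and fails the deployment on error.
        Execute-MSI -Action 'Install' -Path $msiPath
        continue
    }
    # User context: name every parameter. The thread's log shows the MSI command line in the
    # "for user" field; explicit -UserName, -Path and -Parameters rule out a mis-bound argument.
    $exitCode = Execute-ProcessAsUser -UserName $RunAsActiveUser.NTAccount `
        -Path "$env:SystemRoot\System32\msiexec.exe" `
        -Parameters "/i `"$msiPath`" /qn /norestart" `
        -RunLevel 'LeastPrivilege' -Wait -PassThru
    if ($exitCode -notin 0, 3010) {   # 3010 = success, restart required
        Write-Log -Message "User-context install of [$($step.Msi)] returned [$exitCode]." -Severity 3 -Source $src
        Exit-Script -ExitCode $exitCode
    }
}
```

Running the user steps with -RunLevel 'LeastPrivilege' keeps them on the logged-on user's unelevated token, and stopping on the first failed step preserves the vendor's required order.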
