Deploy-Application.exe Unknown Error (0xffffffff) as a non-admin user

Hi all,

I am having a problem running Deploy-Application.exe as a non-admin user.
Even running a default script template with nothing in it, I get the same problem.

  • A ‘non-admin’ user runs ‘Deploy-Application.ps1’ it works OK.
  • An ‘admin’ user runs ‘Deploy-Application.exe’ it works OK
  • But when a ‘non-admin’ user runs ‘Deploy-Application.exe’ …
    Window pops ‘Deploy Application 1.1.1.0’ with message ‘Unknown Error (0xffffffff)’

Seems strange, the ps1 runs OK but the .exe throws this error if a non-admin user.
To troubleshoot, I have:

  • Set the execution policy to bypass
  • Removed all antivirus protection from the machine
  • Permissions on the folder appear to be fine in all ways
  • Configured AppDeployToolkitConfig.xml with <Toolkit_RequireAdmin>False</Toolkit_RequireAdmin>

Ultimately the package would be deployed through sccm to run in the user context.
Been using PSADTK for the past few months, loving it, I hope this is a simple newbie problem.

I found the problem causing this for me, it is particular to my company, they have blocked user accounts from running ‘powershell.exe’ and ‘powershell_ise.exe’ in group policy…
https://www.technipages.com/prevent-users-from-running-certain-programs

Not a bad idea at all for security purposes, but of course there are better ways to go about it, by using script signing … that’s going to be a fun bit of politics I’ll need to sort out.

So this leaves me with one option of delivery through sccm, as the system account only.
I’m so impressed with PSAppDeployToolkit’s commands for reaching users’ hives, and running processes as user in the system context, what a time saver, it’s just totally awesome.

I have various user based Office plugins and browser plugins installations working again and a nice consistent approach to delivery in sccm, which is a great thing.

But there are some circumstances where I need the user to run a powershell script … such as setting up user based App-V connection groups.

I am working on a method which removes the exe block from the registry of the user at the start and then applies it at the end. The most obvious way would be to deliver a PSAppDeployToolkit folder inside of a PSAppDeployToolkit folder. I can think of many other variants to try, I’m working on it and will post results in time.


Hello,
I came across the same issue here and thanks to your post it saved me time investigating why some of our deployments suddenly started failing. The PSDeploymentToolkit, even when run as system via SCCM, will spit out files in the user’s directory to run in a user context so the UI displays (for closing applications etc).
I signed up to provide my fix since one was never included here sadly. It’s not the cleanest. It’ll go through all user profiles and remove the entry which blocks PowerShell. I saved this as a separate script and have it run in the Pre-installation/Pre-uninstallation phases. You’ll either need to add another command in at the end of the script to add the key value back in; we just relied on group policy reapplying it later on. I hope this helps someone!

        ### Bypass PowerShell restriction policies before invoking user PowerShell session ###
        $ErrorActionPreference = "SilentlyContinue"

        # Map HKEY_USERS so the per-user hives can be addressed as HKU:\<SID>
        New-PSDrive -PSProvider Registry -Name HKU -Root HKEY_USERS | Out-Null

        # Match user account SIDs only (skips .DEFAULT, service SIDs and the *_Classes hives)
        $PatternSID = '^S-1-5-21-\d+-\d+-\d+-\d+$'

        $SIDList = Get-ChildItem Registry::HKEY_USERS |
            Where-Object { $_.PSChildName -match $PatternSID } |
            Select-Object -ExpandProperty PSChildName

        foreach ($SID in $SIDList) {

            $RestrictPSKey = "HKU:\$SID\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"

            # Only query the key if this user actually has a DisallowRun policy
            if (Test-Path $RestrictPSKey) {

                ### Find which registry value(s) hold the data 'powershell.exe'. Useful if multiple block rules are enforced ###
                $RestrictPSKeyValue = (Get-ItemProperty -Path $RestrictPSKey).PSObject.Properties |
                    Where-Object { $_.Value -eq 'powershell.exe' } |
                    Select-Object -ExpandProperty Name

                if ($RestrictPSKeyValue) {
                    Write-Host "A registry entry with the data value 'powershell.exe' exists in the DisallowRun key. Deleting it..."

                    # Remove the registry entry
                    Remove-ItemProperty -Path $RestrictPSKey -Name $RestrictPSKeyValue
                    Write-Host "The registry entry 'powershell.exe' has been deleted."
                }
                else {
                    Write-Host "No registry entry with the data value 'powershell.exe' found in the DisallowRun key."
                }
            }
        }
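
The reply above leaves re-adding the key value as a step still to be written. One way to do it, as an added example that is not part of either post: record every `DisallowRun` value that gets removed and put exactly those values back once the user-context step has finished. The function names, the state-file path and the placeholder deployment step are assumptions.

```powershell
# Added example, not from the thread. Function names and $StateFile are assumptions.
# Run elevated (e.g. as SYSTEM via SCCM), like the script in the post above.
$Exe       = 'powershell.exe'
$StateFile = Join-Path $env:TEMP 'DisallowRun-removed.xml'   # assumed location
$SidRegex  = '^S-1-5-21-\d+-\d+-\d+-\d+$'                    # user account SIDs only

function Get-DisallowRunKey {
    # DisallowRun key path for every loaded user hive that has one.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match $SidRegex } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" } |
        Where-Object { Test-Path $_ }
}

function Suspend-DisallowRunEntry {
    # Remove each value whose data is $Exe, remembering key, name and data.
    $removed = foreach ($key in Get-DisallowRunKey) {
        $hits = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Value -eq $Exe }
        foreach ($p in $hits) {
            Remove-ItemProperty -Path $key -Name $p.Name -ErrorAction SilentlyContinue
            # Record only what was really removed, so the restore is exact.
            if ($?) { [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value } }
        }
    }
    # Only write a state file when something was actually removed.
    if ($removed) { $removed | Export-Clixml -Path $StateFile }
}

function Resume-DisallowRunEntry {
    # Re-create exactly the values recorded by Suspend-DisallowRunEntry.
    if (-not (Test-Path $StateFile)) { return }
    foreach ($e in (Import-Clixml -Path $StateFile)) {
        if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
        New-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -PropertyType String -Force | Out-Null
    }
    Remove-Item -Path $StateFile
}

Suspend-DisallowRunEntry
try {
    # Placeholder: the user-context part of the deployment runs here.
}
finally {
    Resume-DisallowRunEntry   # restores the block even if the step above throws
}
```

Because the restore runs in `finally`, the block is back in place as soon as the deployment step ends instead of waiting for the next group policy refresh.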