I have been asked to create a deployment package for a application that we need to install as user and not system.
Users are not local admins by default but can elevate using Make Me Admin but they still have to provide a password/pin for when selecting “Run as administrator”.
How do i make this installation start as the currently signed in user and the UAC-window is displayed so that the user can enter password/pin?.
I have tried with Start-ADTProcessRunAsUser but the user doesn’t get a UAC-window and after a few seconds the installation fails.
It depends…
What are you using to deploy the package?
Intune, SCCM, other etc?
In Intune you should set the deployment “Install behavior” as User on the second screen:
1 Like
Deployed with Intune. Have tried both User and System in the Intune config.
Install commando: .\ServiceUI.exe -Process:explorer.exe Invoke-AppDeployToolkit.exe -DeploymentType Install
That install command is only relavent if you are deploying as System. (ServiceUI brings any dialogs from the System context to the active account where explorer.exe is running (i.e. the current logged on user)
FYI: If you are deploying in the User context it should be:
.\Invoke-AppDeployToolkit.exe -DeploymentType Install
1 Like
That solved the issue with UAC prompt but the installation is still executed as System.
If the program is installed “manually” using elevated account with Make Me Admin the documentation that comes with the program are stored in Document folder of the user. But when i install it from Company Portal (with the options you mentioned, install command and install behavior) the documentation/demo files are stored in the C:\Users\Public\Desktop.
If you are referring to this:
as it was last updated 6 years ago, and as Windows security has moved on quite a lot since then, you may find that doesn’t work anymore.
As you are using Intune, It feels like you should be considering using a more modern way of doing this such as “Microsoft Intune just-in-time admin access”
This will give you some background:
https://techcommunity.microsoft.com/blog/intunecustomersuccess/configuring-microsoft-intune-just-in-time-admin-access-with-azure-ad-pim-for-gro/3843972
1 Like
Thanks for the suggestion but MakeMeAdmin is not the issue here.
Tried from a different tenant with an account that is local admin and the installation is initiated as system. Documentation/Demo files from the program is installed/stored in the public user isntead of the signed is user that accepts the UAC prompt.
Maybe you can use the argument -Verb RunAs with Start-Process.
I don’t know if MakeMeAdmin picks it up correctly but it could be worth a try.
You need to edit the RequireAdmin option in Config.psd1 to $false to allow an install to run without elevation.
Once you’ve done that, you’ll be able to execute a PSADT installation in user context with a UAC prompt. However, if the installer you’re trying to run still requires admin rights, you have a different problem to solve that PSADT alone can’t help you with.
3 Likes