Prompt taking window focus when elevating Deploy-Application.exe

We are migrating to Beyond Trust’s “Privilege Management for Windows” which automatically elevates our SCCM packages to administrator permissions when the package executes as the logged-on user. When the package is elevated from this tool, even if we are marking it as silent in PSADT and the SCCM program flags, there is a brief <1sec PowerShell looking prompt that pops up and takes the window focus (I say “PowerShell looking” because when I look at the ProcMon trace it appears to technically be conhost.exe).

Has anybody experienced anything similar to this? This appears to specifically be related to Deploy-Application.exe being elevated by the tool. This does not happen with Beyond Trust’s older tool “PowerBroker”, which is what we used to use. This is happening with the past few versions of PSADT I’ve tested with, going back to 3.8.2.

The workaround I’ve found is changing the AppDeployToolkitConfig.xml “Toolkit_RequireAdmin” option to False. This will no longer trigger a UAC prompt when executing Deploy-Application.exe, resulting in a silent execution. This leads me to believe that the UAC prompt triggered from PSADT is different, or at least is being handled differently by the auto-elevation tool than “normal” UAC prompts.

We have opened a ticket with the vendor, but I’d like to hear if anyone else has seen this. Because the default Toolkit_RequireAdmin value is True, we’d have to touch 25% of our packages. Not ideal, especially when we aren’t sure what other long-term consequences there may be.

Thanks!

Are all your users admins on their computers?

No. Our packages are executed from a locked-down directory, which triggers our tool to elevate the package to administrator privileges when executed. This popup occurs on both level 1 and level 3 machines. Essentially, whenever Deploy-Application.exe is executed and then elevated by Privilege Management, the popup occurs. This does not happen with any other files that we have found, which is why I think Deploy-Application.exe throws the UAC prompt differently somehow. Calling Deploy-Application.ps1 via a .vbs or .bat does not cause the popup, likely because no UAC prompt is thrown.