
Why is PowerShell behaving differently when run from KACE than from powershell.exe in session?

I'm trying to deploy some software, but several steps need to be done before that (creating a local user and putting the computer in a specific group).

The script is set up like this:
Launch $(KACE_SYS_DIR)\WindowsPowerShell\v1.0\powershell.exe with params -executionpolicy bypass -File $(KACE_DEPENDENCY_DIR)\InstallEndpointEncryption.ps1
It's run as domain admin, not local admin.


When I try to deploy the script via KACE, the log gives me this:

2018-07-25 12:56:54 INFO: Trying to create local admin credentials
2018-07-25 12:56:56 INFO: trying to create the local user
2018-07-25 12:56:59 ERROR: The term 'New-LocalUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
2018-07-25 12:57:00 INFO: Adding computer PP-PRET4 to the encrypted laptop group

It doesn't recognise the command "New-LocalUser", which is a base command in PowerShell.
And despite the fact that I get no error message, the computer is not added to the group (I do an "Invoke-Command -ComputerName NameOfTheDC -ScriptBlock {...}"; see the complete script below).

When I run the script manually (the same script downloaded by KACE on the machine, not a copy, another version or anything else) by using the following command:
powershell.exe -executionpolicy bypass -file C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\115\InstallEndpointEncryption.ps1

... the log is correct :

2018-07-25 14:16:55 INFO: Trying to create local admin credentials
2018-07-25 14:16:55 INFO: trying to create the local user
2018-07-25 14:16:56 INFO: Adding computer PP-PRET4 to the encrypted laptop group
2018-07-25 14:16:58 INFO: The script ended successfuly

The laptop is added in the group and the local user is created. 

I have checked: the same version of PowerShell is run from KACE or from Windows (e.g. 5.1.16299.15).


Here is the complete script:
<#	
.NOTES
===========================================================================
Created with: SAPIEN Technologies, Inc., PowerShell Studio 2018 v5.5.153
Created on:    23/07/2018 14:31
Created by:    tal
Organization: Toyota Belgium
Filename:      InstallEndpointEncryption.ps1
===========================================================================
.DESCRIPTION
This script creates a local user "unlock".
This is a backup user for the endpoint encryption used on laptop computers.
Afterward, it adds the current computer to the group "encrypted laptop".
It then proceeds to install the endpoint encryption software by running the MSI.
#>
function Write-Log
{
[CmdletBinding()]
Param
(
[Parameter(Mandatory = $true,
   ValueFromPipelineByPropertyName = $true)]
[ValidateNotNullOrEmpty()]
[Alias("LogContent")]
[string]$Message,
[Parameter(Mandatory = $false)]
[Alias('LogPath')]
[string]$Path = 'C:\Logs\PowerShellLog.log',
[Parameter(Mandatory = $false)]
[ValidateSet("Error", "Warn", "Info")]
[string]$Level = "Info",
[Parameter(Mandatory = $false)]
[switch]$NoClobber
)

Begin
{
# Set VerbosePreference to Continue so that verbose messages are displayed.
$VerbosePreference = 'Continue'
}
Process
{

# If the file already exists and NoClobber was specified, do not write to the log.
if ((Test-Path $Path) -AND $NoClobber)
{
Write-Error "Log file $Path already exists, and you specified NoClobber. Either delete the file or specify a different name."
Return
}

# If attempting to write to a log file in a folder/path that doesn't exist create the file including the path.
elseif (!(Test-Path $Path))
{
Write-Verbose "Creating $Path."
$NewLogFile = New-Item $Path -Force -ItemType File
}

else
{
# Nothing to see here yet.
}

# Format Date for our Log File
$FormattedDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

# Write message to error, warning, or verbose pipeline and specify $LevelText
switch ($Level)
{
'Error' {
Write-Error $Message
$LevelText = 'ERROR:'
}
'Warn' {
Write-Warning $Message
$LevelText = 'WARNING:'
}
'Info' {
Write-Verbose $Message
$LevelText = 'INFO:'
}
}

# Write log entry to $Path
"$FormattedDate $LevelText $Message" | Out-File -FilePath $Path -Append
}
End
{
}
}
#region global variables
$CredentialPath = "\\ServerPath\LocalAdminCred"
$ComputerName = $env:COMPUTERNAME
$ErrorNumber = 0
$logPath = "c:\temp\log\EncryptionInstallation.log"
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
$VersionPowershell = $PSVersionTable.PSVersion
Write-Log -Message "the version is the following : $VersionPowershell" -Path $logPath -Level Info

#endregion
#region Local Admin Credentials
try
{
Write-Log -Message "Trying to create local admin credentials" -Path $logPath -Level Info
$KeyFile = "$CredentialPath\LocalAdminkey.txt"
$AdminPasswordFile = "$CredentialPath\LocalAdminPassword.txt"
$Key = Get-Content $KeyFile
$User = "Administrator"
$LocalAdminCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, (Get-Content $AdminPasswordFile | ConvertTo-SecureString -Key $key)

}
catch
{
$ErrorMessage = $_.Exception.Message
Write-Log -Message $ErrorMessage -Path $logPath -Level Error
$ErrorNumber += 1
}
#endregion

#region Domain Admin Credentials
try
{
$Username = "doman\domainadminuser"
$PasswordFile = "$CredentialPath\DomainAdminPassword.txt"
$KeyFile = "$CredentialPath\DomainAdminAES.key"
$Key = Get-Content $KeyFile
$DomainAdminCredentials = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, (Get-Content $PasswordFile | ConvertTo-SecureString -Key $key)
}
catch
{
$ErrorMessage = $_.Exception.Message
Write-Log -Message $ErrorMessage -Path $logPath -Level Error
$ErrorNumber += 1
}
#endregion
#region Create Unlock User
try
{
Write-Log -Message "trying to create the local user" -Path $logPath -Level Info
$UnlockKeyFile = "$CredentialPath\Unlockkey.txt"
$UnlockPasswordFile = "$CredentialPath\UnlockPassword.txt"
$UnlockKey = Get-Content $UnlockKeyFile
$Password = Get-Content $UnlockPasswordFile | ConvertTo-SecureString -Key $UnlockKey
New-LocalUser "Unlock" -Password $Password -FullName "Encryption User" -Description "User to unlock an encrypted laptop"

}
catch
{
$ErrorMessage = $_.Exception.Message
Write-Log -Message $ErrorMessage -Path $logPath -Level Error
$ErrorNumber += 1
}
#endregion
#region Add Security group
Write-Log -Message "Adding computer $env:COMPUTERNAME to the encrypted laptop group" -Path $logPath -Level Info
try
{
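# -ErrorAction Stop turns connection and remote errors into terminating errors so the catch block logs them
Invoke-Command -Credential $DomainAdminCredentials -ComputerName DCAD1 -ErrorAction Stop -ScriptBlock{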
$ComputerToAdd = Get-ADComputer -Filter "Name -like '$using:ComputerName'"
ADD-ADGroupMember "Encrypted Laptop" -Members $ComputerToAdd
}
}
catch
{
$ErrorMessage = $_.Exception.Message
Write-Log -Message $ErrorMessage -Path $logPath -Level Error
$ErrorNumber += 1
}
#endregion
#region install software
$MSI = "$scriptPath\EPS.MSI"
msiexec /i $MSI /quiet


#endregion
#region End Script
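# -gt is the comparison operator; '>' would redirect output to a file named "0" and the test would never be true
if ($ErrorNumber -gt 0)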
{
Write-Log -Message "The script ended with $ErrorNumber error(s)" -Path $logPath -Level Warn
}
else
{
Write-Log -Message "The script ended successfuly" -Path $logPath -Level Info
}
#endregion


Why is PowerShell behaving differently? What can I do to make it behave correctly via KACE?

Thanks in advance for your help. 

PS : the MSI is installed correctly. 

2 Comments
  • Are you deploying the script to a Windows 10 machine? - Channeler 5 years ago
  • Yes I am - schpounts 5 years ago

Answers (1)

Answer Summary:
Posted by: ondrar 5 years ago
Black Belt
5

Top Answer

I had a problem when running a PowerShell script from KACE a while back, and I don't think it was exactly the same as your problem, but when I changed from launching PowerShell from C:\Windows\System32 to launching it from sysnative, it worked properly.

So what I use now is:
Launch %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe with params -executionpolicy bypass -file $(KACE_DEPENDENCY_DIR)\script.ps1

Shot in the dark, but maybe worth a try.

Comments:
  • Thx for the tips, will try that tomorrow at work - schpounts 5 years ago
  • Thank you very very much. Worked like a charm!!! :)
    A very big thank you for your very fast answer. - schpounts 5 years ago
    • You're welcome! I just happened to be in the right place at the right time. - ondrar 5 years ago
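
A guard that makes a script independent of how it is launched, as an added example that is not part of the original post or answer: when it finds itself in a 32-bit process on 64-bit Windows (where System32 is redirected to SysWOW64 and, per Microsoft's documentation, the LocalAccounts module that provides New-LocalUser is not available), it relaunches itself through sysnative. It assumes the script is started with -File so that $PSCommandPath is set; the function names are illustrative.

```powershell
# Added example: bitness guard for a script started by a 32-bit deployment agent.
# Assumption: the script is launched with -File, so $PSCommandPath is populated.

function Test-Wow64Session {
    # True when this is a 32-bit process running on a 64-bit OS (WOW64).
    return (-not [Environment]::Is64BitProcess) -and [Environment]::Is64BitOperatingSystem
}

function Get-NativePowerShellPath {
    # 'sysnative' is a virtual alias that only 32-bit processes can see; it
    # bypasses the System32 -> SysWOW64 file system redirection.
    return Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
}

if (Test-Wow64Session) {
    $native = Get-NativePowerShellPath
    if (-not (Test-Path -LiteralPath $native)) {
        throw "32-bit session detected but $native is not reachable."
    }
    # Relaunch this same script in 64-bit PowerShell, passing the original
    # arguments through, and propagate its exit code to the caller.
    & $native -NoProfile -ExecutionPolicy Bypass -File $PSCommandPath @args
    exit $LASTEXITCODE
}

# From here on the session is native. Fail early if a required cmdlet is
# still missing instead of discovering it halfway through the deployment.
$required = 'New-LocalUser', 'Invoke-Command'
$missing = $required | Where-Object { -not (Get-Command -Name $_ -ErrorAction SilentlyContinue) }
if ($missing) {
    throw "Missing cmdlets in this session: $($missing -join ', ')"
}

# Record which host actually ran the script; useful in the deployment log.
"Process is 64-bit: $([Environment]::Is64BitProcess); PSHOME: $PSHOME"
```

Writing the last line to the deployment log is more telling than $PSVersionTable.PSVersion alone, since the 32-bit and 64-bit hosts report the same version.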
 