copy files from network share while running a remediation script in Intune with alternate credential

Time:12-30

Using Intune. I believe the problem is I can't access the network share from the SYSTEM account, so really I'm asking if, as a remediation script in Intune, there is any way to run the script as SYSTEM but invoke commands via a script block as another user (with permissions to the network share).

I need to copy a file from the network share to the C:\windows\temp folder, then install the software on the local machine using a proactive remediation script in Microsoft Intune.

$FSPath = "C:\Program Files (x86)\Freshdesk\Freshservice Discovery Agent"
$serviceName = 'FSDiscoveryAgent'

$tempPath = "c:\windows\temp"

$FSService = Get-Service -Name $serviceName -ErrorAction SilentlyContinue

# Test-Path has no -eq parameter; negate its result instead
if (-not (Test-Path $FSPath)) {

    Write-Output "Freshservice agent not installed on workstation."
    $password = ConvertTo-SecureString "hello1" -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("myUsername", $password)

    # The script block runs in a separate process, so read $tempPath through $using:
    $alternateUsers = [scriptblock]{
        Copy-Item -Path (Join-Path -Path "\\myShare.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") `
        -Destination "$using:tempPath\fs-windows-agent-2.9.0.msi"
    }
    # Invoke-Command only accepts -Credential together with -ComputerName or -Session;
    # Start-Job -Credential runs the script block locally as the other user
    Start-Job -ScriptBlock $alternateUsers -Credential $Cred | Wait-Job | Receive-Job

}else{

    Write-Output "Freshservice agent is installed"
}

CodePudding user response:

I would suggest using the regular Intune Win32 app deployment capabilities for this and not abusing Proactive Remediations for this task. Storing credentials within a script is considered bad practice, and the contents will be logged in plain text in the Intune Management Extension log. Win32 apps provide detection rules: you could test whether the service is present on the device; if not, install the agent, otherwise it's considered installed, or add additional logic to check for a specific version. https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-add, https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool/releases/latest
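The detection rule this answer describes, written out as a custom detection script for an Intune Win32 app. This is an added example, not code from the original posts: Intune treats the app as detected only when the script exits 0 and writes something to stdout, so the script exits non-zero silently when the service is missing or the installed version is older than the packaged one. The service name and install path come from the question; the minimum version 2.9.0 is taken from the MSI file name, and the 'Freshservice*' DisplayName prefix used to find the uninstall entry is an assumption.

```powershell
# Added example: custom detection script for an Intune Win32 app.
# Detected = exit code 0 AND output on stdout; anything else = not detected.
$serviceName    = 'FSDiscoveryAgent'                                                  # from the question
$installPath    = 'C:\Program Files (x86)\Freshdesk\Freshservice Discovery Agent'      # from the question
$minimumVersion = [version]'2.9.0'                                                     # assumed from the MSI name

# Rule 1: the agent service must exist
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $service) {
    exit 1   # no stdout output + non-zero exit: Intune will run the install
}

# Rule 2: the installed version must be at least the packaged one.
# Read it from the uninstall registry keys (64-bit and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Freshservice*' } |   # assumed DisplayName prefix
    Select-Object -First 1

if (-not $installed -or -not $installed.DisplayVersion) {
    exit 1
}

try {
    $installedVersion = [version]$installed.DisplayVersion
}
catch {
    exit 1   # unparsable version string: treat as not detected rather than guessing
}

if ((Test-Path $installPath) -and $installedVersion -ge $minimumVersion) {
    # Output plus exit 0 is what marks the app as detected
    Write-Output "Detected $($installed.DisplayName) $installedVersion"
    exit 0
}
exit 1
```

With this as the detection rule, no credential is needed in any script: the MSI ships inside the .intunewin package and the Intune Management Extension installs it as SYSTEM.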

CodePudding user response:

This is working code that allows me to use another account when installing software. I will try it in Intune tomorrow.

    $password = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("domain.com\adminAccount", $password)

    $alternateUsers = [scriptblock]{
        Copy-Item -Path (Join-Path -Path "\\sharedDrive.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") -Destination "C:\windows\temp\fs-windows-agent-2.9.0.msi"
    }

    # https://www.itdroplets.com/run-a-command-as-a-different-user-in-powershell/

    # Start-Job -Credential runs the script block in a new local process as that user
    $GetProcessJob = Start-Job -ScriptBlock $alternateUsers -Credential $Cred

    Wait-Job $GetProcessJob | Out-Null

    # Receive-Job returns the script block's output (nothing for a successful Copy-Item);
    # the job's outcome is on the job object, not on that output
    $GetProcessResult = Receive-Job -Job $GetProcessJob

    Write-Output $GetProcessResult

    # A failed Copy-Item is a non-terminating error and leaves the job "Completed", so also check the file
    if ($GetProcessJob.State -eq "Completed" -and (Test-Path "C:\windows\temp\fs-windows-agent-2.9.0.msi")) {
        # An .msi is not directly executable: run it through msiexec and wait for it to finish
        Start-Process -FilePath "msiexec.exe" -ArgumentList '/i "C:\windows\temp\fs-windows-agent-2.9.0.msi" /qn' -Wait
    }
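The same task done without spawning a second process: from the SYSTEM context the share is reached with explicit credentials through New-PSDrive -Credential, the MSI is copied, msiexec is run with /i /qn and its exit code is checked, and the mapping is removed again. This is an added example, not code from either post. The share path, MSI name and service name are taken from the question; the credential is a placeholder, and, as the first answer points out, a password embedded in a remediation script ends up in plain text in the Intune Management Extension log, so this pattern is only shown for completeness of the copy-and-install flow.

```powershell
# Added example: copy an MSI from a share as SYSTEM using explicit share
# credentials, then install it with msiexec and report success/failure
# through the exit code, as a remediation script would.
$sharePath   = '\\myShare.com\util\software\FreshService\2.9 Agent'   # from the question
$msiName     = 'fs-windows-agent-2.9.0.msi'                           # from the question
$serviceName = 'FSDiscoveryAgent'                                     # from the question
$tempPath    = Join-Path $env:SystemRoot 'Temp'
$logPath     = Join-Path $tempPath 'fs-agent-install.log'

# Placeholder credential for the share (assumed account name). Do not ship a
# real password this way: the script body is logged in plain text by the IME.
$password = ConvertTo-SecureString 'REPLACE-ME' -AsPlainText -Force
$Cred     = New-Object System.Management.Automation.PSCredential ('domain.com\shareReader', $password)

if (Get-Service -Name $serviceName -ErrorAction SilentlyContinue) {
    Write-Output "Freshservice agent already installed"
    exit 0
}

$localMsi = Join-Path $tempPath $msiName
$drive    = $null
try {
    # An SMB connection made with explicit credentials authenticates to the
    # server as $Cred, so this works even though the script itself runs as SYSTEM.
    $drive = New-PSDrive -Name 'FSAgent' -PSProvider FileSystem -Root $sharePath -Credential $Cred -ErrorAction Stop
    Copy-Item -Path "FSAgent:\$msiName" -Destination $localMsi -Force -ErrorAction Stop
}
catch {
    Write-Output "Copy from share failed: $($_.Exception.Message)"
    exit 1
}
finally {
    # Always drop the mapping so the credential-backed connection does not linger
    if ($drive) { Remove-PSDrive -Name 'FSAgent' -Force -ErrorAction SilentlyContinue }
}

if (-not (Test-Path $localMsi)) {
    Write-Output "MSI not found at $localMsi after copy"
    exit 1
}

# msiexec runs as SYSTEM here, which is what a per-machine MSI install needs.
$msiArgs = "/i `"$localMsi`" /qn /norestart /l*v `"$logPath`""
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# 0 = success, 3010 = success but reboot required; anything else is a failure.
if ($proc.ExitCode -in 0, 3010) {
    Remove-Item $localMsi -Force -ErrorAction SilentlyContinue
    Write-Output "Install succeeded (msiexec exit code $($proc.ExitCode))"
    exit 0
}
Write-Output "Install failed (msiexec exit code $($proc.ExitCode)), see $logPath"
exit 1
```

The exit code matters in a remediation script: Intune reads 0 as remediated and anything else as failed, and the msiexec log path gives you something to look at when it is not 0.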
