First run with Admin rights (issues with Choco installs + fix)

SomeTechGuy

My issue was that certain choco installs in my PowerShell script were halting due to it prompting for an action button (y/n) to continue. After reading many forums here and elsewhere, it is because the first run runs as the system account, which can affect some of the choco apps. I found a fix for this, which is to run with admin rights (assuming your user account has local admin). To make this happen, review the following:

My Post-Setup: (screenshot attached)

I complete a move on the script as verification that it makes it onto the image as part of my testing.

After Logon actual command: Powershell -Command "Start-Process PowerShell -Args '-ExecutionPolicy Bypass -File C:\UpdatePC.ps1' -Verb RunAs"

PowerShell -NoProfile -ExecutionPolicy Bypass - runs from the system account after the very first sign-in.
Start-Process PowerShell.exe - this now runs everything from the user account.

Note: -Verb RunAs specifies that the new PowerShell process will be started in an Administrator window. Found this golden nugget straight from a Microsoft support page. Look at their Example 5: https://learn.microsoft.com/en-us/p....management/start-process?view=powershell-7.4


Example from a first-run test: (screenshot attached)

This works for me and has been successfully tested. Happy scripting!
 

Post-Setup (Before logon) commands exist in script SetupComplete.cmd, and run as SYSTEM.
Post-Setup (After logon) commands exist as RunOnce tasks, and run with Administrator rights if you're the primary user.

Therefore you don't need the "-Verb RunAs" for PS privilege escalation. Except for specific apps which only install as per-user instances, and not per-machine, you shouldn't need to do anything special to install Choco packages.

When you add any PS script, NTLite will implicitly execute the file as "powershell -NoProfile -ExecutionPolicy Bypass -f"

Install Chocolatey via PowerShell & Post-Setup software
 
Thanks for the information. It helped me reconfigure/rethink on some things:

"Post-Setup (After logon) commands exist as RunOnce tasks, and run with Administrator rights if you're the primary user." I don't think this is fully true or working correctly. The PowerShell window does not show Administrator in the title bar. While the access could be native on the first run, I get some continue prompts in choco installs, which, from what you and others are saying, means it is not running with admin rights - just like in the link you posted above. It could also be how choco does the installs. My process just takes the guesswork out and makes sure you are completing installs in a true admin PowerShell window.

Regarding the "-Verb RunAs" (admin PS window): I tested without it and the PowerShell window opened as a regular user, so it's required in this situation to elevate it to an admin window.

I basically just use the NTLite After logon process to kick it off.

Reconfigured After Logon command: Powershell -Command "Start-Process PowerShell -Args '-ExecutionPolicy Bypass -File C:\UpdatePC.ps1' -Verb RunAs"
(Per my testing I had to pass -ExecutionPolicy Bypass again in the new PowerShell process.)

My solution is an easy one for users looking for a true admin PowerShell window when trying to complete installs after the user signs in. Yes, the user has to be a member of the admin group.
 
1. File / Add this test script from (After logon), with no additional parameters:
Code:
# Check whether the current token holds the Administrators role (elevated), not just group membership.
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
    "$env:USERNAME is running with Admin rights."
}
else {
    "$env:USERNAME is not running with Admin rights."
}
# Keep the window open long enough to read the result.
Start-Sleep 300

Blue: RunOnce task
Black: CMD shell opened from desktop

(screenshot attached: Windows 11 x64, 2024-09-13)

2. When creating the primary user in Unattended, that user is by default a member of the Administrators group. If you're doing your own user setup, and not assigning them an Admin role – then privilege escalation is required. Users created by OOBE are also automatically Administrators.
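Combining the IsInRole check above with the -Verb RunAs relaunch from earlier in the thread, here is an added example (not code from either poster) of a script preamble that elevates itself only when the token is not already elevated and logs the identity it actually ran under, so a SYSTEM run and a RunOnce run can be told apart without reading the title bar. It assumes the script lives at C:\UpdatePC.ps1 as in the thread and that the signed-in user is a local administrator; the 7zip package is a placeholder.

```powershell
# Self-elevating preamble for an After-logon script.
# Added example, not code from either poster. Assumes the script is saved as
# C:\UpdatePC.ps1 (the path used in the thread) and that the signed-in user
# is in the local Administrators group, so the UAC prompt can succeed.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Record the identity the script runs under. This distinguishes a SYSTEM run
# (SetupComplete.cmd) from an elevated or non-elevated user run (RunOnce).
$logPath = Join-Path $env:TEMP 'UpdatePC.log'
$logLine = '{0} user={1} system={2} elevated={3}' -f (Get-Date -Format s),
    $identity.Name, $identity.IsSystem, $isAdmin
Add-Content -Path $logPath -Value $logLine

if (-not $isAdmin) {
    # Relaunch this same file with -Verb RunAs. -ExecutionPolicy Bypass has to be
    # passed again because the new process does not inherit the parent's policy.
    $argList = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $PSCommandPath)
    $child = Start-Process -FilePath 'powershell.exe' -ArgumentList $argList `
        -Verb RunAs -Wait -PassThru
    exit $child.ExitCode
}

# Everything below runs elevated; the token check above, not the title bar, is the proof.
Write-Output "$($identity.Name) is running elevated; starting package installs."
if (Get-Command choco -ErrorAction SilentlyContinue) {
    # Placeholder package; -y is Chocolatey's own switch that answers its confirmation prompts.
    choco install 7zip -y
}
```

Add the file to NTLite's After logon section with no extra parameters; when the RunOnce task is already elevated the preamble is a no-op and only the log line is written.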
 
Well that worked. I didn't understand that NTLite calls the PowerShell command automatically if you just directly add it. I misunderstood it when you said "NTLite will implicitly execute the file as "powershell -NoProfile -ExecutionPolicy Bypass -f"." I took that as you still had to call/open PowerShell as an After logon command first, but it would add in the -NoProfile and -ExecutionPolicy and -f for calling the file.

New process: dragged and dropped the PS file to the After logon section, where the type defaults to "Run." No other parameters.

Thank you! This definitely simplified everything mentioned above, and I can confirm it worked as expected with the admin PS window.

Eats the humble pie.
 