Question
Tuesday, April 23, 2019 7:16 PM
Why does an application run as user context (appenforce.log) when it is set to install for system in the application? I want the end user to be able to go into Software Center, click install on the application, and have it run as system. This is critical for non-admin users to install the application during maintenance windows if they desire.
All replies (21)
Tuesday, April 23, 2019 7:55 PM
It doesn't. The message in appenforce.log is misleading. You can easily see that the application is installed for the system by checking the location that it is installed to. Additionally, they probably wouldn't install at all as the user (hopefully) doesn't have local admin permissions.
Jason | https://home.configmgrftw.com | @jasonsandys
Tuesday, April 23, 2019 8:00 PM
It doesn't get installed; it logs an exit code (5) if a non-admin logs in, opens Software Center, and hits Install. If an admin logs into the PC, opens Software Center, and hits Install, it installs fine.
Tuesday, April 23, 2019 9:04 PM
What version exactly of ConfigMgr are you running?
What setting exactly do you have configured on the user experience tab for the deployment type for installation behavior?
What command-line is configured for the install command-line on the deployment type?
What is the setting for Install Permissions on the Computer Agent tab of the applicable client settings for the system where this is occurring?
And finally, please post the entire relevant snippet from appenforce.log.
Jason | https://home.configmgrftw.com | @jasonsandys
Wednesday, April 24, 2019 2:25 AM
It seems that you have targeted the application to a User collection. If that is the case:
You might be using the Installation Behavior "Install for system if resource is device; otherwise install for user".
The above-mentioned behavior will do the following:
- If you are targeting the application to a Device collection, then System Context will be used for installation.
- If you are targeting the application to a User collection, the normal User ID will be used for installation and installation will fail if the user doesn't have admin rights to install it.
If you want the application installed with System context only, make sure to use the Installation Behavior "Install for System".
MANISH BANGIA
Wednesday, April 24, 2019 6:19 AM
Hi,
If you plan to share your log files, please be careful to hide your sensitive information and confidential content.
Best regards,
Larry
Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact [email protected].
Wednesday, April 24, 2019 12:49 PM
1) Version: 1810
2) User Experience Tab:
Install for System
Whether or Not a User is Logged On
Hidden
(Defaults)
Runtime: 120
Estimated Time: 0
Determine behavior based on return codes
3) Command Line:
Run this "SCCM_Install.cmd"
msiexec /I "/folder/folder/folder/app.msi" /q
4) Sorry, not sure where this is located
5) This actually ran last night with system context and still failed with (5). So I'll use that example.
+++ Starting Install enforcement for App DT "Creative Cloud 4.7.0.400 x64" ApplicationDeliveryType - ScopeId_A34553FD-168B-48A3-8DDA-C43767F16259/DeploymentType_4bc491e3-43ec-4bfb-969a-8ad26002ce2b, Revision - 16, ContentPath - C:\WINDOWS\ccmcache\33, Execution Context - System AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Performing detection of app deployment type Creative Cloud 4.7.0.400 x64(ScopeId_A34553FD-168B-48A3-8DDA-C43767F16259/DeploymentType_4bc491e3-43ec-4bfb-969a-8ad26002ce2b, revision 16) for system. AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
+++ Application not discovered. [AppDT Id: ScopeId_A34553FD-168B-48A3-8DDA-C43767F16259/DeploymentType_4bc491e3-43ec-4bfb-969a-8ad26002ce2b, Revision: 16] AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
App enforcement environment:
Context: Machine
Command line: "SCCM_Install.cmd"
Allow user interaction: No
UI mode: 0
User token: null
Session Id: 4294967295
Content path: C:\WINDOWS\ccmcache\33
Working directory: AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Prepared working directory: C:\WINDOWS\ccmcache\33 AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Prepared command line: "C:\WINDOWS\ccmcache\33\SCCM_Install.cmd" AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Executing Command line: "C:\WINDOWS\ccmcache\33\SCCM_Install.cmd" with system context AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Working directory C:\WINDOWS\ccmcache\33 AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Post install behavior is BasedOnExitCode AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Waiting for process 21348 to finish. Timeout = 120 minutes. AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Process 21348 terminated with exitcode: 5 AppEnforce 4/24/2019 12:00:14 AM 460 (0x01CC)
Looking for exit code 5 in exit codes table... AppEnforce 4/24/2019 12:00:14 AM 460 (0x01CC)
Unmatched exit code (5) is considered an execution failure. AppEnforce 4/24/2019 12:00:14 AM 460 (0x01CC)
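An added example, not part of the original post: a small parser for AppEnforce.log lines like the ones above that pulls out the execution context and exit code of each enforcement, so a "5" (Win32 ERROR_ACCESS_DENIED) returned under system context can be told apart from one returned under user context. The first record reuses three lines from the post; the second record, the function names and the triage labels are constructed for illustration.

```python
import re

# Record 1: lines from the post above. Record 2: constructed, same format.
SAMPLE_LOG = r"""
+++ Starting Install enforcement for App DT "Creative Cloud 4.7.0.400 x64" ApplicationDeliveryType - ScopeId_A34553FD-168B-48A3-8DDA-C43767F16259/DeploymentType_4bc491e3-43ec-4bfb-969a-8ad26002ce2b, Revision - 16, ContentPath - C:\WINDOWS\ccmcache\33, Execution Context - System AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Executing Command line: "C:\WINDOWS\ccmcache\33\SCCM_Install.cmd" with system context AppEnforce 4/24/2019 12:00:02 AM 460 (0x01CC)
Process 21348 terminated with exitcode: 5 AppEnforce 4/24/2019 12:00:14 AM 460 (0x01CC)
+++ Starting Install enforcement for App DT "Example App 1.0" ApplicationDeliveryType - ScopeId_EXAMPLE/DeploymentType_EXAMPLE, Revision - 1, ContentPath - C:\WINDOWS\ccmcache\1, Execution Context - User AppEnforce 1/1/2019 9:00:00 AM 100 (0x0064)
Executing Command line: "C:\WINDOWS\ccmcache\1\setup.cmd" with user context AppEnforce 1/1/2019 9:00:00 AM 100 (0x0064)
Process 4242 terminated with exitcode: 0 AppEnforce 1/1/2019 9:00:05 AM 100 (0x0064)
"""

START = re.compile(r'\+\+\+ Starting Install enforcement for App DT "([^"]+)"'
                   r'.*Execution Context - (\w+)')
EXEC = re.compile(r'Executing Command line: "([^"]+)" with (\w+) context')
EXIT = re.compile(r'Process \d+ terminated with exitcode: (-?\d+)')


def parse_enforcements(text):
    """Return one dict per '+++ Starting Install enforcement' block."""
    runs, cur = [], None
    for line in text.splitlines():
        if m := START.search(line):
            cur = {"app": m[1], "context": m[2].lower(),
                   "command": None, "exit_code": None}
            runs.append(cur)
        elif cur is None:
            continue  # ignore lines before the first enforcement header
        elif m := EXEC.search(line):
            cur["command"], cur["context"] = m[1], m[2].lower()
        elif m := EXIT.search(line):
            cur["exit_code"] = int(m[1])
    return runs


def triage(run):
    """Label a run; 5 is Win32 ERROR_ACCESS_DENIED when the script passes it through."""
    if run["exit_code"] is None:
        return "incomplete"
    if run["exit_code"] == 0:
        return "ok"
    if run["exit_code"] == 5:
        # Under system context the denial applies to the machine identity,
        # not to whoever clicked Install in Software Center.
        return "access-denied-as-" + run["context"]
    return "failed"


if __name__ == "__main__":
    for r in parse_enforcements(SAMPLE_LOG):
        print(r["app"], r["context"], r["exit_code"], triage(r))
```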
Wednesday, April 24, 2019 12:51 PM
Yes it is set to install for system. This is targeting a device collection.
Wednesday, April 24, 2019 1:14 PM
One thing to note is that I'm not downloading the application install files to cache, only the command file that points to the MSI on a network share. The application is much too large to download to cache then run.
Wednesday, April 24, 2019 1:21 PM
Hi,
And the permissions to that share are correct so that all computer accounts can reach it? As it is installed in System?
Regards,
Jörgen
-- My Enterprise Mobility blog ccmexec.com -- Twitter @ccmexec
Wednesday, April 24, 2019 1:42 PM
One thing to note is that I'm not downloading the application install files to cache, only the command file that points to the MSI on a network share. The application is much too large to download to cache then run.
This will cause you a pile of headaches. Why don't you download to the cache?
Garth Jones
Blog: https://www.enhansoft.com/blog Old Blog: https://sccmug.ca/
Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed
Wednesday, April 24, 2019 1:51 PM
I don't think I have run into any issues doing it this way before. This is 30 GB of software installed and 30 GB of installation files, so 60 GB total would be added to a PC. We throttle using BITS during the day so as not to disrupt the network. This way they can install directly from the network share and nothing needs to be downloaded to cache.
Wednesday, April 24, 2019 1:55 PM
System has full control, authenticated users have read and execute, and Config Mgr Servers have modify rights.
Wednesday, April 24, 2019 2:02 PM
I don't think I have run into any issues doing it this way before. This is 30 GB of software installed and 30 GB of installation files, so 60 GB total would be added to a PC. We throttle using BITS during the day so as not to disrupt the network. This way they can install directly from the network share and nothing needs to be downloaded to cache.
So using this method will mean that the network is affected as nothing will stop the deployment from using the whole network pipe.
Garth Jones
Blog: https://www.enhansoft.com/blog Old Blog: https://sccmug.ca/
Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed
Wednesday, April 24, 2019 2:05 PM
System has full control, authenticated users have read and execute, and Config Mgr Servers have modify rights.
SCCM runs as the local system account. The local system account will not have access to both the share and files. The only solutions are:
- Use the SCCM cache instead of a network share (best option)
- Enable All Computer accounts to have access to the share and files (works but not the best option)
- Enable the Guest account (worst option)
Garth Jones
Blog: https://www.enhansoft.com/blog Old Blog: https://sccmug.ca/
Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed
Wednesday, April 24, 2019 2:27 PM
The PC is on the domain, this should mean whatever the computer has access to, the system account also has access to, no?
Wednesday, April 24, 2019 2:31 PM
The PC is on the domain, this should mean whatever the computer has access to, the system account also has access to, no?
No, the computer account will need to be granted access.
Garth Jones
Blog: https://www.enhansoft.com/blog Old Blog: https://sccmug.ca/
Twitter: @GarthMJ Book: System Center Configuration Manager Reporting Unleashed
Wednesday, April 24, 2019 2:34 PM
If I do an "effective access" search for PCNAME$ on that MSI, it has execute file access. "Authenticated Users" has "Read & Execute" permissions which would allow for this.
Wednesday, April 24, 2019 2:59 PM
You need to grant permissions to the [built-in] Domain Computers group.
Also, don't fool yourself about placing the MSI on a network share being any better. It still must be copied across the network to run on the local system -- Windows just copies it to memory but it still must traverse the network link, which will be unthrottled as Garth noted.
Jason | https://home.configmgrftw.com | @jasonsandys
Wednesday, April 24, 2019 4:47 PM
I will just test downloading to cache first and go that route. I apologize if I'm still misunderstanding, but this still doesn't explain why, if I start the install, it works and it doesn't for a non-admin. If it is truly using a system account, it should not matter who presses the button at that point. If the system account doesn't have access it is going to fail for both of us.
Wednesday, April 24, 2019 4:51 PM
That sounds like two separate issues and may come down to the client settings I asked about earlier: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-settings#computer-agent
Jason | https://home.configmgrftw.com | @jasonsandys
Wednesday, April 24, 2019 5:02 PM
If I'm looking in the right place, the computer agent tab in client settings under Administration has All Users for Install Permissions.