PS2EXE should no longer be necessary (that was the workaround before we added argument-based privilege elevation), but the approach you describe should definitely work.
Does it work correctly if you manually launch the command you configured to be elevated? In the logging at logoff, is your configured executable mentioned in the Privilege elevation statistics logging?
If I click the .exe in its share (from the desktop) it runs, but cmd window errors with below:
"Error: Requested registry access is now allowed"
The UEM Logs are applying the priv settings, so coupled with the above, it looks to me like UAC or some other GPO is preventing write access to HKLM. However, if I run regedit as administrator, I can amend keys, so surely this is the same level of access that Priv Elevation uses? Unless the problem now points at something like the UEM service account (or whatever account/context the Privilege Elevation tool uses to elevate things) doesn't have local-admin rights on the local machine?
2020-03-26 10:05:48.217 [INFO ] Collected path-based privilege elevation settings to apply for elevated applications ('Excel DDE Fix.xml')
2020-03-26 10:05:48.233 [INFO ] Applied privilege elevation settings
I'm wondering if I need to use something like Appvols to run the script instead (how, I'm not sure...any ideas?)
I know this is a faux pas, but Liquidware Profile Unity can do this kind of thing without any problem, it just runs scripts as SYSTEM context and you can configure the life out of everything! Would really help if VMware took a leaf from their book...
Thanks for getting back!
The fact that elevation kicks in if you launch your .exe from File Explorer is a good sign. Now let's try to figure out why it does not work from the console.
Does something like the following get logged at logoff?
2020-03-13 19:15:15.795 [INFO ] Privilege elevation statistics:
2020-03-13 19:15:15.795 [INFO ] Elevated C:\Windows\System32\reg.exe 1 time (argument-based).
How exactly are you launching the command from your shortcut or in your manual tests? \\server\share\folder\folder\your-command.exe?
So, it transpires that the user account I was testing with had a UEM issue 'Failed to load flexengine.dll' at logon. Not sure on root cause, but after creating a new test account - everything worked as expected.
Script runs, priv elevation works and voila!
Thanks a lot for your time and help and pointing out the log entries to be aware of. Good to know that it IS possible to change computer settings!
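The log check discussed in this thread can be scripted. The following is an added example, not part of any post and not VMware code: it assumes the log lines have exactly the format quoted above, and the function names `summarize` and `diagnose` are hypothetical.

```python
import re

# Constructed sample: the log lines quoted in the thread above.
SAMPLE_LOG = """\
2020-03-26 10:05:48.217 [INFO ] Collected path-based privilege elevation settings to apply for elevated applications ('Excel DDE Fix.xml')
2020-03-26 10:05:48.233 [INFO ] Applied privilege elevation settings
2020-03-13 19:15:15.795 [INFO ] Privilege elevation statistics:
2020-03-13 19:15:15.795 [INFO ] Elevated C:\\Windows\\System32\\reg.exe 1 time (argument-based).
"""

# "<date> <time> [LEVEL] message" (format assumed from the quoted lines)
LINE = re.compile(r"^(\S+ \S+) \[(\w+)\s*\] (.*)$")
COLLECTED = re.compile(r"^Collected (\S+) privilege elevation settings .*\('(.+)'\)$")
ELEVATED = re.compile(r"^Elevated (.+) (\d+) times? \(([^)]+)\)\.$")


def summarize(log_text):
    """Collect the rule files picked up, whether they were applied, and logoff statistics."""
    report = {"configs": [], "applied": False, "elevated": {}}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        msg = m.group(3)
        if (c := COLLECTED.match(msg)):
            report["configs"].append((c.group(1), c.group(2)))  # (rule type, file)
        elif msg == "Applied privilege elevation settings":
            report["applied"] = True
        elif (e := ELEVATED.match(msg)):
            # Windows paths are case-insensitive, so key on the lowercased path.
            report["elevated"][e.group(1).lower()] = (int(e.group(2)), e.group(3))
    return report


def diagnose(log_text, expected_exe):
    """Separate 'rule never applied' from 'rule applied but never triggered'."""
    r = summarize(log_text)
    if not r["applied"]:
        return "settings never applied: check the logon part of the log for agent errors"
    hit = r["elevated"].get(expected_exe.lower())
    if hit is None:
        return "settings applied but executable never elevated: check the rule's path/arguments"
    return f"elevated {hit[0]} time(s), {hit[1]}"


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, r"C:\Windows\System32\reg.exe"))
```
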