how secure a task sequence advertisement

    Question

  • Hello


    We have a task sequence for replacing the OS. Only the local first-level support should be able to run this task sequence when he is logged on.

    When I advertise the task sequence to this user group, the task sequence fails because task sequences can only be advertised to computers.

    How can I secure the task sequence so that only a limited group of users can run it?

    minou

    Friday, July 02, 2010 5:32 AM

Answers

  • Here are some examples to get you going if you want to use ServiceUI to display your frontend in Full Windows. It looks like different versions of ServiceUI.exe either parse arguments differently or do/don't honour the Path variable.

    These are the best ones I've come up with so far (without starting ServiceUI from VBScript) that don't require you to hardcode paths. They use the SCCM working directory with %CD%, but it might not work when run from a DP.

    Modena RC2 version:
    cmd /c ServiceUI.exe -process:tsprogressui.exe mshta.exe %CD%\DeploymentWizard.hta

    MDT 2010 Update 1 Beta 1 version:
    cmd /c ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe %CD%\DeploymentWizard.hta

    Put ServiceUI.exe and your HTA in the package that you reference in your Run Commandline Task.

    Monday, July 05, 2010 8:40 PM

All replies

  • You have to get creative...because like you said, you cannot advertise it to users...

    So, you could add a "Run Command line" step to your TS and have that step call a script that you write which can determine the credentials of the logged on user...and if that user is not in the proper group...then you can throw an error and exit the TS.

    Or you could do the same thing and ask for a password in an HTA type file...and if people don't know the right password...again you throw an error and then exit out of the Task Sequence.


    Mike...
    Friday, July 02, 2010 1:28 PM
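As an added example that is not part of any post in this thread: the group-membership gate Mike describes, written as a script for a "Run Command line" step. The step runs as SYSTEM, so the script cannot rely on whoami; it reads the console user from WMI and resolves that user's domain group membership instead. The group name CONTOSO\TS-OSD-Operators, the log path and the use of PowerShell 3 or later with a reachable domain controller are assumptions.

```powershell
<#
  Added example (not from this thread): a group-membership gate for a
  "Run Command line" task sequence step. The step runs as SYSTEM, so the
  script cannot use whoami; it reads the console user from WMI and checks
  that user's domain group membership. Exit 0 lets the task sequence
  continue; exit 1 fails the step (and the TS, unless "Continue on error"
  is set). Assumed names: the group CONTOSO\TS-OSD-Operators and the log path.
#>
param(
    [string]$AllowedGroup = 'CONTOSO\TS-OSD-Operators'   # assumed group name
)

$LogFile = Join-Path $env:windir 'Temp\TS-UserGate.log'  # assumed log path
function Write-GateLog([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append
}

# Console user as DOMAIN\user; $null when nobody is logged on interactively.
$User = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if (-not $User) {
    Write-GateLog 'Denied: no interactive user is logged on.'
    exit 1
}

$UserDomain, $UserSam   = $User -split '\\', 2
$GroupDomain, $GroupSam = $AllowedGroup -split '\\', 2

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$DomainType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
$BySam      = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
try {
    $UserCtx  = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $DomainType, $UserDomain
    $GroupCtx = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $DomainType, $GroupDomain
    $Principal = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($UserCtx, $BySam, $UserSam)
    $Group     = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($GroupCtx, $BySam, $GroupSam)
} catch {
    # Fail closed: a lookup error must not let the step continue.
    Write-GateLog "Denied: directory lookup failed ($($_.Exception.Message))."
    exit 1
}
if (-not $Principal -or -not $Group) {
    Write-GateLog "Denied: could not resolve '$User' or '$AllowedGroup'."
    exit 1
}

# GetAuthorizationGroups() expands nested membership; compare by SID, not by name.
$Member = $Principal.GetAuthorizationGroups() | Where-Object { $_.Sid -eq $Group.Sid }
if ($Member) {
    Write-GateLog "Allowed: $User is a member of $AllowedGroup."
    exit 0
}
Write-GateLog "Denied: $User is not a member of $AllowedGroup."
exit 1
```

Put the script in the package referenced by the step and call it with powershell.exe -ExecutionPolicy Bypass -File; leave "Run this step as the following account" unset so it runs as SYSTEM. The gate only decides on who is sitting at the console, so it complements rather than replaces restricting which computers the advertisement targets.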
  • HI Mike

    Thank you for your answer. That was also my first idea, but the TS runs with the rights of the system and not with the rights of the logged-on user.

    Also, the way with the password doesn't work because the dialog box is not shown to the user.

    minou

    Monday, July 05, 2010 5:59 AM
  • Hello


    We have a task sequence for replacing the OS. Only the local first-level support should be able to run this task sequence when he is logged on.

    When I advertise the task sequence to this user group, the task sequence fails because task sequences can only be advertised to computers.

    How can I secure the task sequence so that only a limited group of users can run it?

    minou

    Why only allow a specific group of users to perform a refresh of a computer? Delegate rights in SCCM or AD to add the computers to a group that you advertise the TS to. Then only first-level support technicians can "allow" the computer to perform a refresh; however, the user can choose when to do it. Or, make it a mandatory assignment if the user "shouldn't be bothered".
    Monday, July 05, 2010 1:53 PM
  • Also, the way with the password doesn't work because the dialog box is not shown to the user.

    Something is wrong then...  Certainly the dialog should be shown to the user otherwise things like the Modena OS deployment process could never work...and it does work...

    You absolutely can create a "front end" for a Task sequence and then prompt for all sorts of stuff before the process continues.


    Mike...
    Monday, July 05, 2010 2:04 PM
  • Modena and MDT 2010 Update 1 use an executable (ServiceUI.exe) to launch the wizard in the correct context. You can use it to launch a custom HTA. Without it, or another similar utility, you can't interact with the logged-on user.
    Monday, July 05, 2010 5:19 PM
  • Both risc and Mike are correct here. If you are in WinPE, then you can run a script or application that displays a UI. If you are in the deployed OS, then you have to do lots of detailed API "stuff", which is what ServiceUI in UDI does.

    You could thus move your password HTA/UI to after the first reboot to PE task. This will be disruptive but not destructive to the user who does not know the password. 


    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Monday, July 05, 2010 6:05 PM
  • Have you guys been able to utilize the ServiceUI.exe on Win7 clients?  I have been able to successfully call an exe or hta and present to the user when executing ServiceUI.exe on an XP system, but can't make it work on a Win7 client.  Trying to prompt a little password dialog to the user and ServiceUI keeps failing with an access denied return code in the smsts.log:

     API [CreateProcessAsUser] Error: [5]

    I've tried executing ServiceUI.exe directly as well as with cmd.exe /c in the Run Command Line action, but my task sequence continues to fail with a 0xFFFFFFFF error code.  I have tried the original ServiceUI.exe that came with Modena RC2 as well as the newer version of the exe that came with MDT 2010 Update 1, same results.

    Tuesday, October 19, 2010 5:08 PM
  • I have not tried it at all actually. I will see if I can track down Cameron's e-mail address and ask him (he was/is one of the PMs for UDI and is the one who originally told me about using ServiceUI.exe).
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Tuesday, October 19, 2010 6:28 PM
  • Here's some info I got back from Cameron:

    "For one thing make sure that the step is running as system (ServiceUI.exe only works in system). So if he has the “Run this step as the following account” set, make sure that he unselects this. Also how is this being deployed (via standalone media, SMS client etc.)? We would have to take a look at the SMSTS.log that shows ServiceUI.exe running to troubleshoot further. "


    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Tuesday, October 19, 2010 9:03 PM
  • I use it in Windows 7 successfully with previously posted commandline.

    Are you using AppLocker or some other security software that does application blocking, perhaps some antivirus module? I think that some of the stuff that ServiceUI does could be seen as process tampering by such software.

    Tuesday, October 19, 2010 9:41 PM
  • I can get it to run a batch file successfully.  I'm using the Modena dynamic background switching stuff in one of my task sequences.  That executes fine on a Win7 client.  When I try to execute an exe with ServiceUI on a Win7 client that's what fails with an access denied error.  I tested with a simple little SMS Installer exe and I also get the same error when calling mshta.exe and passing it the name of an HTA.  My TS is not specifying any alternate credentials so the ServiceUI.exe command line is definitely executing as SYSTEM.  I can see it's identifying the target session properly.  It goes through the 'Launch Process' step as seen in the smsts.log but still fails with the CreateProcessAsUser step.  I've tested this on a bare Win7 build without any anti-virus software and have the same issue.  I can manually execute ServiceUI.exe via psexec.exe -s and all these things execute properly.  It's only when calling ServiceUI from the task sequence that it's failing on any exe.
    Wednesday, October 20, 2010 3:51 PM
  • That last post was me as well. Forgot I was logged on under a different Live ID.
    Wednesday, October 20, 2010 3:53 PM
  • Where are serviceui.exe and the hta at? Are they in a package?
    Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
    Wednesday, October 20, 2010 4:06 PM
  • Yes, they're in a package and I'm copying them to a local directory in a preceding action in the task sequence.  When I execute ServiceUI I'm using a Run Command Line action and executing from the local path where it was copied.
    Wednesday, October 20, 2010 5:34 PM
  • Here's an excerpt of the smsts.log:

    Executing command line: smsswd.exe /run: ServiceUI.exe -process:explorer.exe  %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
    =======================[ smsswd.exe ] ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    PackageID = '' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    BaseVar   = '', ContinueOnError='' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    SwdAction = '0001' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Command line for extension .exe is "%1" %* InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Set command line: Run command line InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Working dir 'C:\SafeFolder' InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Executing command line: Run command line InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Process completed with exit code 4294967295 InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Matched Processes InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Process Found: [explorer.exe] ID [1744] SESSION [1] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Logon Lookup InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     [winlogon.exe] Session: [1] PID [436] [Target Session [1] = Match] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Launch Process InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Program to launch : [C:\WINDOWS\System32\mshta.exe] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Command line      : [C:\WINDOWS\System32\mshta.exe c:\safefolder\zticonf.hta] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     API [CreateProcessAsUser] Error: [5] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     Exiting with [-1] InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
     ======================= InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Command line returned 4294967295 InstallSoftware 10/20/2010 2:02:06 PM 2908 (0x0B5C)
    Process completed with exit code 4294967295 TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
    !--------------------------------------------------------------------------------------------! TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)
    Failed to run the action: Require Password Input.
    Unknown error (Error: FFFFFFFF; Source: Unknown) TSManager 10/20/2010 2:02:06 PM 3824 (0x0EF0)

    Wednesday, October 20, 2010 6:09 PM
  • You want to show your HTA in the same context that tsprogressui.exe runs in.

    Use
    ServiceUI.exe -process:tsprogressui.exe %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta

    Instead of
    ServiceUI.exe -process:explorer.exe %SYSTEMROOT%\System32\mshta.exe c:\safefolder\zticonf.hta

    If you want to hide the TS ProgressUI while your HTA is shown you can run this in your HTA...

    Set ProgressUI = CreateObject("Microsoft.SMS.TsProgressUI")
    ProgressUI.CloseProgressDialog

    The ProgressUI will automatically become visible on the next Task Sequence Step.


    Also, I don't think that this will work at all if you have disabled "show task sequence progress" in your advertisement. I haven't tried it, but it could be that the process tsprogressui.exe doesn't start when the setting is disabled.

    Wednesday, October 20, 2010 10:14 PM
  • I tried with tsprogressui.exe too.  Both that and explorer.exe are running in the user's session (1).
    Friday, October 22, 2010 1:58 PM
  • OK,

    I'm out of ideas right now so a long shot...

    Are you running Windows 7 x64? In that case, are you using the 64- or 32-bit version of ServiceUI? Could that, together with or without the TS option "Disable 64-bit file system redirection", do anything?

    Friday, October 22, 2010 4:56 PM
  • Nope, running 32-bit Windows 7.  At this point I can't get ServiceUI to execute anything other than the BGInfo batch files that come with the Modena stuff on a Win7 system.  Tried executing cscript.exe, another batch file.  Anyone have a sample of something they're executing with ServiceUI while running in the OS on Win7 so I could try to mimic what you're doing?
    Monday, October 25, 2010 4:29 PM
  • I can get it to run a batch file successfully.  I'm using the Modena dynamic background switching stuff in one of my task sequences.  That executes fine on a Win7 client.  When I try to execute an exe with ServiceUI on a Win7 client that's what fails with an access denied error.  I tested with a simple little SMS Installer exe and I also get the same error when calling mshta.exe and passing it the name of an HTA.  My TS is not specifying any alternate credentials so the ServiceUI.exe command line is definitely executing as SYSTEM.  I can see it's identifying the target session properly.  It goes through the 'Launch Process' step as seen in the smsts.log but still fails with the CreateProcessAsUser step.  I've tested this on a bare Win7 build without any anti-virus software and have the same issue.  I can manually execute ServiceUI.exe via psexec.exe -s and all these things execute properly.  It's only when calling ServiceUI from the task sequence that it's failing on any exe.

    Hi Eric,

    I'm attempting to call a batch file using serviceui.exe, but am unable to do so. Can you post the command you're using to get it to function? I'm trying this on a Windows 7 64bit OS, but am using the 32bit version of serviceui.exe and am selecting the option to disable 64 bit redirection.

    Any advice appreciated.

    Thanks!

    Thursday, May 19, 2011 11:03 PM
  • AAAAARGGGH!!!!

    This thread has been staring me in the face all day as I try to figure out why I'm getting the same "API [CreateProcessAsUser] Error: [5]" when ServiceUI is run from a Task Sequence but works perfectly fine from a scheduled task running as SYSTEM.

    20+ task sequence revisions later I'm pretty sure I found the culprit. Uncheck the "Time-out (minutes)" box on the task sequence step. That simple.

    I've only run a few tests so far, but it looks like this is the problem. Hope this helps someone else out in the future.

    THANK YOU! GOODNIGHT!

    • Proposed as answer by MattJ29 Friday, March 09, 2012 4:19 AM
    Friday, July 15, 2011 10:46 PM
  • Wow. you are a life saver. I can't believe that this was the problem. thank you! it is such a PITA to test task sequences, always having to delete deployments and update packages then re deploy them and force the application deployment updates.... (should be a better testing solution)

    Monday, July 29, 2013 6:35 PM
  • Hi All,

    This ServiceUI works under Windows 7 x64, but I have a big problem!

    I can call my HTA with ServiceUI.exe, but the task sequence stops when it launches the HTA. I need to use this as background info during my deployment.

    How can I make the TS continue after the HTA step?

    Thursday, November 28, 2013 3:04 PM