pnputil.exe fails in Powershell when run as local system account

  • Question

  • I have written a PS script to install print drivers. After copying the driver files locally, the script executes:

    Invoke-Command -ComputerName $pcname {pnputil.exe -a "C:\temp\XeroxPrintDriver\x3UNIVX.inf" }

    If I run the script as myself (with "-executionpolicy Bypass -nologo -noninteractive") - someone with local admin rights - it runs fine. However, if I run the script as the local system account or deploy via SCCM, it errors out at this line with:

    [<ComputerName>] Connecting to remote server <ComputerName> failed with the following error message : Access is denied. 
    For more information, see the about_Remote_Troubleshooting Help topic.
        + CategoryInfo          : OpenError: (<ComputerName>:String) [], PSRemotingTransportException
        + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken

    What is happening here? Does pnputil.exe require an accessible user profile to run? Does the PS session need to be configured further?

    Skip


    Wednesday, July 22, 2020 6:11 PM

All replies

  • The description for pnputil.exe says:

       PnPUtil (PnPUtil.exe) is a command line tool that lets an administrator perform actions on driver packages. 


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Wednesday, July 22, 2020 7:07 PM
  • Thanks for the reply.

    The description of the local system account says:

    "Its token includes the NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs"

    Is this not good enough?

    Skip

    Wednesday, July 22, 2020 7:12 PM
  • Sorry. I didn't look closely at the error message. I don't think you're getting anywhere near to running the pnputil program -- you're not able to connect to the remote system.

    If I understand what you're trying to do, you'd have to grant your machine's local system account rights on the remote machine to log on. That's not usually a good idea.

    You might try the Add-PrinterDriver cmdlet and connect with an account that has permission to manage those drivers and to connect to the remote machine.


    --- Rich Matheisen MCSE&I, Exchange Ex-MVP (16 years)

    Wednesday, July 22, 2020 7:33 PM
  • That's one thing that confuses me. Why would it say "remote server" when the script is located on the same computer that it is trying to add a driver package to?

    Skip

    Wednesday, July 22, 2020 7:59 PM
  • The local system account and the local admin account do NOT have remote permissions with PS remoting.  You must either authenticate remotely or use a Domain Admin account to do this.


    \_(ツ)_/

    • Proposed as answer by jrv Wednesday, July 22, 2020 8:21 PM
    Wednesday, July 22, 2020 8:21 PM
  • So is PS Remoting being invoked because I am using the -computername parameter? Everything involved here is on one computer.

    Skip

    Wednesday, July 22, 2020 8:29 PM
  • So is PS Remoting being invoked because I am using the -computername parameter? Everything involved here is on one computer.

    Skip

    There is no point in using "Invoke-Command" to the local computer.  It serves no purpose in this case.  Just use the script as normal.

    It would be to your advantage to spend some time learning basic PowerShell from a legitimate training site or book.  You are missing most of the basic ideas required for using PowerShell.


    \_(ツ)_/

    • Proposed as answer by Vector BCO Wednesday, July 22, 2020 9:00 PM
    Wednesday, July 22, 2020 8:54 PM
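
The point the thread arrives at, as an added example that is not code from any of the posters: `-ComputerName` always opens a PS Remoting session, so a script that may run as local system should call pnputil directly when the target is the machine it is running on, and use remoting with an explicit credential only for a different machine. The function name `Install-DriverPackage` and its parameters are hypothetical; the INF path and the `-a` switch are the ones from the question.

```powershell
# Added example; Install-DriverPackage and its parameters are hypothetical names.
function Install-DriverPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $InfPath,
        [string] $ComputerName = $env:COMPUTERNAME,
        [pscredential] $Credential   # only used for a genuinely remote target
    )

    # Names that all refer to the machine the script is running on.
    $localNames = @($env:COMPUTERNAME, 'localhost', '.', '127.0.0.1',
                    [System.Net.Dns]::GetHostName())

    # The work itself, identical for the local and the remote path.
    $add = {
        param($inf)
        if (-not (Test-Path -LiteralPath $inf)) { throw "INF not found: $inf" }
        $output = & pnputil.exe -a $inf 2>&1
        [pscustomobject]@{
            RunAs    = [Security.Principal.WindowsIdentity]::GetCurrent().Name
            ExitCode = $LASTEXITCODE
            Output   = ($output -join "`n")
        }
    }

    if ($localNames -contains $ComputerName) {
        # Local target: no WinRM session is opened, so nothing has to
        # authenticate over the network and SYSTEM (or SCCM) can run it.
        $result = & $add $InfPath
    }
    else {
        # Remote target: pass an account that is allowed to connect, instead
        # of granting the computer's local system account logon rights there.
        $params = @{ ComputerName = $ComputerName; ScriptBlock = $add; ArgumentList = $InfPath }
        if ($Credential) { $params.Credential = $Credential }
        $result = Invoke-Command @params
    }

    # Assumption: any non-zero exit code from pnputil is treated as a failure.
    if ($result.ExitCode -ne 0) {
        throw "pnputil failed on $ComputerName (exit $($result.ExitCode)): $($result.Output)"
    }
    $result
}

# Local install, as in the original question (works without remoting).
Install-DriverPackage -InfPath 'C:\temp\XeroxPrintDriver\x3UNIVX.inf'
```

The `RunAs` field in the returned object shows which identity actually executed pnputil, which is useful when comparing an interactive run with an SCCM deployment.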