mattyHip
Dec 28, 2021 Copper Contributor
Trying to copy files from network share while running a remediation script in Intune
I need to copy a file from the network share to the C:\windows\temp folder, then install the software on the local machine using the proactive remediation script. All of our software installation fil...
mattyHip
Dec 28, 2021 Copper Contributor
Rudy_Ooms_MVP Ok so using psexec -s -i powershell, I tried navigating to the network share \\sharename and access denied. What exactly do you mean by adding credentials to custom remediation script? Is there a way to run script in SYSTEM context BUT retrieve the .exe from the network share and place it in the temp folder using other specified credentials?
Could I use an invoke-command to run series of commands as specified user?
$password = ConvertTo-SecureString "hello1" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ("myUsername", $password)
$alternateUsers = [scriptblock]{
Copy-Item -Path (Join-Path -Path "\\sh.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") `
-Destination "$tempPath\fs-windows-agent-2.9.0.msi"
}
Invoke-Command -ScriptBlock $alternateUsers -Credential $Cred
Can something like this work? And the script still stays in the SYSTEM context just not the script block, yea?
Dec 28, 2021
Hi,
Need to check the script from my notebook to be sure… but as long as you supply the proper creds to access the share it would be okay.
Another possibility would be to split it up? Run one proactive remediation as the user to copy the files and one proactive remediation run as system to install them?
- mattyHip Dec 28, 2021 Copper Contributor
Rudy_Ooms_MVP Just to validate that this method works. Thanks for pointing out a user account to handle the network share permissions.
$password = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential ("domain.com\adminAccount", $password)
$alternateUsers = [scriptblock]{
    Copy-Item -Path (Join-Path -Path "\\sharedDrive.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") -Destination "C:\windows\temp\fs-windows-agent-2.9.0.msi"
}
# https://www.itdroplets.com/run-a-command-as-a-different-user-in-powershell/
$GetProcessJob = Start-Job -ScriptBlock $alternateUsers -Credential $Cred
Wait-Job $GetProcessJob
$GetProcessResult = Receive-Job -Job $GetProcessJob
Write-Output $GetProcessResult
#Will set timer/timeout function
#if($GetProcessResult.state -eq "Completed"){
Start-Process "C:\windows\temp\fs-windows-agent-2.9.0.msi" -ArgumentList "/i /qn"
#}
- Dec 29, 2021
Hi, so you managed to get it to work? If so, nice to hear. Like mentioned earlier, that password will show up in plain text in your log files on the device itself, so be careful with it 🙂
If it's sensitive info, maybe remove it from the log afterwards.
https://call4cloud.nl/2021/05/the-laps-reloaded/#third-part
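The log clean-up suggested in the last reply, as an added example that is not part of the thread or of any poster's script: a filter that redacts the quoted literal passed to ConvertTo-SecureString from log lines. The function name Protect-LogSecrets is hypothetical, and the sample lines and their layout are constructed for illustration, not taken from a real device log.

```powershell
# Added example (not from the thread). Redacts plaintext passwords that a script
# handed to ConvertTo-SecureString and that were then written to a log file.
function Protect-LogSecrets {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        # Group 1: the cmdlet name (and optional -String), group 2: the opening
        # quote (optionally backslash-escaped, as in JSON-encoded script text),
        # group 3: the secret, \2: the matching closing quote.
        $pattern = '(?i)(ConvertTo-SecureString\s+(?:-String\s+)?)(\\?["''])(.+?)\2'
        $hits = 0
    }
    process {
        if ($Line -match $pattern) {
            $hits++
            # Single-quoted replacement so PowerShell leaves ${1}/${2} to the regex engine.
            $Line -replace $pattern, '${1}${2}<REDACTED>${2}'
        }
        else {
            $Line
        }
    }
    end {
        Write-Verbose "$hits line(s) redacted"
    }
}

# Constructed sample log lines (assumed layout; passwords are the thread's placeholders).
$sample = @(
    '2021-12-28 10:01:02 script body: $password = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force'
    '2021-12-28 10:01:02 {"script":"$pw = ConvertTo-SecureString -String \"hello1\" -AsPlainText -Force"}'
    '2021-12-28 10:01:05 Copy-Item finished'
)

# Prints the three lines with both password literals replaced by <REDACTED>.
$sample | Protect-LogSecrets -Verbose
```

To clean an actual file, pipe `Get-Content` through the function into a new file and replace the original once the logging process has released it. Redaction only limits exposure on the device; the account whose password was logged should still have that password changed.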