
intune administrator


Good afternoon,

Is it possible from Intune that, without administrator permissions, they can modify host and environment variables? Is there some configuration so that they can do so?

Thank you

9 Replies
Is your question asking if you can allow users on Intune enrolled devices to change computer and user environment variables? Users should be able to change the user environment variables. For the computer/system variables, you need administrator permissions.

Could you explain your use case?
I need a program or something that can be managed from Intune so that users can modify the computer's environment variables without having administrator permissions. I understand that, for example, it could be possible to create a rule with the endpoint manager privilege, but is there any other alternative?
Perhaps Endpoint Privilege Management (https://learn.microsoft.com/en-us/mem/intune/protect/epm-overview) is an option? It does require additional licensing, however.
Is that a viable option?
I have an idea... but maybe a stupid one :)

Step 1:
If you could create a PowerShell script with this content in it:
rundll32 sysdm.cpl,EditEnvironmentVariables
Step 2: Create a scheduled task that will use ServiceUI to bring the prompt to the user, and make sure that scheduled task is launched as SYSTEM. Give the user permissions to that task and create a shortcut on the desktop...

https://call4cloud.nl/2022/01/how-i-fell-in-love-with-app-updates/

I guess it should work something like this and it's free :) ... If you need help with it ... I am here
Hello, thanks for the help but after performing the actions mentioned they are not useful for the action I want to perform :(

Mmm... but you want to be able to configure system environment variables as a standard user, right? If I am getting the question wrong, could you try to explain a bit more what you want to accomplish :)

 

Because by "not useful", do you mean not working, or...?

I want users who need to modify the computer's environment variables to be able to do so without having to enter the administrator passwords, since each user has to modify different environment variables.

And the option I described wasn't working for you, or you couldn't get it working as expected? Because when I deploy this PowerShell script to my Intune device, I get a shortcut on my desktop to open the system variables as SYSTEM...

 

(You could manually deploy this script, but you need to run it from the SYSTEM account with PsExec.)

 

###################################
# Configure encoded commands here #
###################################

# UTF-16LE Base64 of: rundll32 sysdm.cpl,EditEnvironmentVariables
$encodedcommand1 = "cgB1AG4AZABsAGwAMwAyACAAcwB5AHMAZABtAC4AYwBwAGwALABFAGQAaQB0AEUAbgB2AGkAcgBvAG4AbQBlAG4AdABWAGEAcgBpAGEAYgBsAGUAcwA="

##################################
# Download and install ServiceUI #
##################################

$path = "C:\program files (x86)\service"
New-Item -ItemType Directory -Force -Path $path
Invoke-WebRequest "https://call4cloud.nl/wp-content/uploads/2021/07/ServiceUI.zip" -OutFile "$path\ZippedFile.zip"
Expand-Archive -LiteralPath "$path\ZippedFile.zip" -DestinationPath "$path" -Force

############################
# Install the update task! #
############################

# The trigger lies entirely in the past, so the task only runs when it is started on demand
$triggers = New-ScheduledTaskTrigger -Once -At (Get-Date).AddSeconds(-200)
$triggers.EndBoundary = (Get-Date).AddSeconds(-100).ToString('s')
# ServiceUI shows the SYSTEM process in the session of the logged-on user (explorer.exe)
$Action = New-ScheduledTaskAction -Execute "c:\program files (x86)\service\ServiceUI.exe" -Argument "-process:explorer.exe c:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -encodedcommand $encodedcommand1"
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
$null = Register-ScheduledTask -TaskName "RunSystemVariables" -Trigger $triggers -User "SYSTEM" -Action $Action -Settings $settings -Force

##########################################################################
# Change permissions for the task, version 2 (need to test it first!)   #
##########################################################################

$scheduler = New-Object -ComObject "Schedule.Service"
$scheduler.Connect()
$task = $scheduler.GetFolder("\").GetTask("RunSystemVariables")
$sec = $task.GetSecurityDescriptor(0xF)
# Append an ACE that allows Authenticated Users (AU) generic read and generic execute on the task
$sec = $sec + '(A;;GRGX;;;AU)'
###################################
# PLEASE NOTE GRGX --> 1179817    #
###################################
$task.SetSecurityDescriptor($sec, 0)

#######################################
# Create shortcut to task on desktop! #
#######################################

if (-not (Test-Path "C:\Users\Public\Desktop\RunSystemVariables.lnk"))
{
    $WshShell = New-Object -ComObject WScript.Shell
    $path = "C:\Users\Public\Desktop\RunSystemVariables.lnk"
    $targetpath = "C:\Windows\System32\schtasks.exe"

    # The shortcut starts the SYSTEM task through schtasks.exe
    $Shortcut = $WshShell.CreateShortcut($path)
    $Shortcut.TargetPath = $targetpath
    $Shortcut.Arguments = '/run /TN "RunSystemVariables"'
    $Shortcut.Save()
}
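
The script above registers a task that runs as SYSTEM and appends an ACE so that Authenticated Users can start it. The following audit sketch is an added example, not part of the thread: it lists every SYSTEM task that a non-admin principal can start and decodes any `-EncodedCommand` argument so the command can be reviewed. The SID list, the access-mask test and the helper names `ConvertFrom-EncodedCommandArg` and `Get-TaskRecursive` are assumptions of this example.

```powershell
# Added audit example, not from the thread. Run elevated so every task is readable.
# Assumption: these well-known SIDs are the "non-admin" principals of interest.
$nonAdmin = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'   # "AU" in the thread's ACE
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Assumption: GENERIC_ALL, GENERIC_EXECUTE or FILE_EXECUTE is enough to start a task.
$canRun = 0x10000000 -bor 0x20000000 -bor 0x20

function ConvertFrom-EncodedCommandArg([string]$Arguments) {
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
    foreach ($m in [regex]::Matches($Arguments, '(?i)-(e\w*)\s+([A-Za-z0-9+/=]+)')) {
        if ('encodedcommand'.StartsWith($m.Groups[1].Value.ToLower())) {
            try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value)) }
            catch { return '<not valid Base64>' }
        }
    }
}

function Get-TaskRecursive($Folder) {
    foreach ($t in $Folder.GetTasks(1)) { $t }            # 1 = include hidden tasks
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskRecursive $sub }
}

$scheduler = New-Object -ComObject 'Schedule.Service'
$scheduler.Connect()
foreach ($task in Get-TaskRecursive $scheduler.GetFolder('\')) {
    if ($task.Definition.Principal.UserId -notmatch '(?i)^(S-1-5-18|(NT AUTHORITY\\)?SYSTEM)$') { continue }
    $sddl = $task.GetSecurityDescriptor(4)                # 4 = DACL only
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $who = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceQualifier -eq 'AccessAllowed' -and
            $nonAdmin.ContainsKey($ace.SecurityIdentifier.Value) -and
            ($ace.AccessMask -band $canRun)) { $nonAdmin[$ace.SecurityIdentifier.Value] }
    }
    if (-not $who) { continue }
    foreach ($action in $task.Definition.Actions) {
        if ($action.Type -ne 0) { continue }              # 0 = TASK_ACTION_EXEC
        [pscustomobject]@{
            Task           = $task.Path
            StartableBy    = ($who | Sort-Object -Unique) -join ', '
            Execute        = $action.Path
            Arguments      = $action.Arguments
            DecodedCommand = ConvertFrom-EncodedCommandArg $action.Arguments
        }
    }
}
```

On a device where the thread's script has run, the `RunSystemVariables` task should appear in the output with the decoded `rundll32 sysdm.cpl,EditEnvironmentVariables` command; any other entry is a SYSTEM entry point for standard users that is worth reviewing.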