Trying to copy files from network share while running a remediation script in Intune


I need to copy a file from the network share to the C:\windows\temp folder, then install the software on the local machine using the proactive remediation script. All of our software installation files are on a network drive. Any way to access network drive via remediation script?

5 Replies
Hi

It depends on your setup :)
If the NAS is accessible from the "system" account it could be possible. But I guess that is going to be the major issue here. So you have to add some credentials to the proactive remediations and that's not cool :) . You can remove them afterwards but.....

So my first advice: check if you could access the share from a system account (psexec). Another option would be to run the proactive rem as the current user, so you could access the NAS, but then you also should have the proper permissions to start installing the app :)

@Rudy_Ooms Ok so using psexec -s -i powershell, I tried navigating to the network share \\sharename and access denied. What exactly do you mean by adding credentials to custom remediation script? Is there a way to run script in SYSTEM context BUT retrieve the .exe from the network share and place it in the temp folder using other specified credentials? 

 

Could I use an invoke-command to run series of commands as specified user?

 

    $password = ConvertTo-SecureString "hello1" -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("myUsername", $password)

    $alternateUsers = [scriptblock]{
        Copy-Item -Path (Join-Path -Path "\\sh.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") `
        -Destination "$tempPath\fs-windows-agent-2.9.0.msi"
    }
    Invoke-Command -ScriptBlock $alternateUsers -Credential $Cred

 

Can something like this work? And the script still stays in the SYSTEM context just not the script block, yea?

Hi,

Need to check the script from my notebook to be sure… but as long as you supply the proper creds to access the share it would be okay.

Another possibility would be to split it up? Run one proactive as the user to copy the files and one proactive remediation run as system to install them?

@Rudy_Ooms Just to validate that this method works. Thanks for pointing out a user account to handle the network share permissions

    $password = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
    $Cred = New-Object System.Management.Automation.PSCredential ("domain.com\adminAccount", $password)

    $alternateUsers = [scriptblock]{
        Copy-Item -Path (Join-Path -Path "\\sharedDrive.com\util\software\FreshService\2.9 Agent" -ChildPath "fs-windows-agent-2.9.0.msi") -Destination "C:\windows\temp\fs-windows-agent-2.9.0.msi"
    }

    # https://www.itdroplets.com/run-a-command-as-a-different-user-in-powershell/

    $GetProcessJob = Start-Job -ScriptBlock $alternateUsers -Credential $Cred

    Wait-Job $GetProcessJob

    $GetProcessResult = Receive-Job -Job $GetProcessJob

    Write-Output $GetProcessResult
    
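    # Will set timer/timeout function
    # The state lives on the job object; Receive-Job output has no State property
    #if($GetProcessJob.State -eq "Completed"){
        # Install silently through msiexec and wait for the installer to finish
        Start-Process "msiexec.exe" -ArgumentList '/i "C:\windows\temp\fs-windows-agent-2.9.0.msi" /qn' -Wait
    #}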

Hi, so you managed to get it to work? If so, nice to hear. Like mentioned earlier, that password will show up in plain text in your log files on the device itself, so be careful with it :)
If it's sensitive info, maybe remove it from the log afterwards
https://call4cloud.nl/2021/05/the-laps-reloaded/#third-part
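
Added example, not part of the thread: one way to locate and redact a literal password passed to `ConvertTo-SecureString -AsPlainText` in a script or log file, which is the exposure the last reply warns about. The function names, the regex and the sample file are hypothetical and constructed for illustration; point `-Path` at whichever script or log file you need to check.

```powershell
# Matches the first quoted literal handed to ConvertTo-SecureString within one command.
# Group 1 = text up to the literal, group 2 = the quote character, 'secret' = the literal.
$SecretPattern = '(ConvertTo-SecureString\b[^|;\r\n]*?)(["''])(?<secret>(?:(?!\2).)+)\2'

function Find-PlainTextSecret {
    # Reports where a literal password appears, without echoing the value itself.
    param([Parameter(Mandatory)][string]$Path)
    Select-String -LiteralPath $Path -Pattern $SecretPattern |
        Where-Object { $_.Line -match '-AsPlainText' } |
        ForEach-Object {
            [pscustomobject]@{
                File         = $_.Path
                LineNumber   = $_.LineNumber
                SecretLength = $_.Matches[0].Groups['secret'].Length
            }
        }
}

function Protect-LogFile {
    # Rewrites the file in place with each literal replaced by a marker.
    param([Parameter(Mandatory)][string]$Path)
    $clean = Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match '-AsPlainText') {
            $_ -replace $SecretPattern, '${1}"<REDACTED>"'
        } else {
            $_
        }
    }
    Set-Content -LiteralPath $Path -Value $clean
}

# Constructed sample standing in for a log that captured a script body.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'constructed-remediation.log'
@(
    '2024-01-01 10:00:00 [constructed] script body follows'
    '$password = ConvertTo-SecureString "Examp1e-Only" -AsPlainText -Force'
    '$other = ConvertTo-SecureString $fromVault -AsPlainText -Force'   # variable, not a literal
) | Set-Content -LiteralPath $sample

Find-PlainTextSecret -Path $sample    # one hit: line 2, SecretLength 12
Protect-LogFile -Path $sample
Get-Content -LiteralPath $sample      # line 2 now carries "<REDACTED>"
Remove-Item -LiteralPath $sample
```

Redacting a log does not retire the credential: the account password used in the script should still be rotated, since the script body itself is delivered to every targeted device.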