Custom resource, runas user and restarting WMI

This topic contains 7 replies, has 2 voices, and was last updated by David O’Brien 2 years, 3 months ago.

  • #18309
    David O’Brien
    Participant

    Hi all,

    I have the following problems with my custom resource I am currently building:
    – I am installing an application that restarts the WMI service. Pretty stupid, because DSC doesn't like that. Setup continues, but when I run Start-DSCConfiguration -Wait -Verbose -Path %whatever% the whole thing stops as soon as WMI is restarted. I believe this is just an optical thing; DSC should, after a while, check that everything is alright, right?

    – That same application needs to be installed as a user, not as SYSTEM. How would I go and write my resource to impersonate a user? Can I use a Start-Process with credentials? Would that already be enough or is there a better way to do it?

    Thank you all!
    David

  • #18311
    Don Jones
    Keymaster

    Yeah, eventually DSC will have another go at it. That said, you could mitigate the problem by using dependencies to make the WMI restart thing happen last in the config. WMI is the one thing DSC is sensitive about, since it basically requires it to run.

    DSC isn't really explicitly designed to impersonate people. If you're passing in a credential as part of the config, then you can certainly use that credential, and if using it to start a process solves your problem – then awesome. There isn't really a better way; keep in mind that **for right now**, DSC is really focused on server-side use cases, where you would rarely install something as a specific user. Anything involving client-side use cases is likely to be a little jinky right now, just because Microsoft hasn't focused on those, and so hasn't addressed some of those unique situations yet.

    Keep in mind that even using Start-Process might not work. It depends a lot on the application installer. Start-Process doesn't necessarily spin up enough of a unique user profile for some application installers. Again, this just isn't really a strong use case for DSC just yet – not that you can't do it, but expect it to be more complicated. Anything that needs access to a full user profile (e.g., to create Start menu icons), is going to have a rougher time of it.
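
The two suggestions in the reply above, as an added example that is not code from either poster: `DependsOn` makes the WMI-restarting install run after everything else, and the credential passed in as part of the config is encrypted in the MOF with a certificate instead of being stored in plain text. The paths, the flag file, the thumbprint placeholder and the `/script` argument are assumptions, and nothing here addresses an installer that demands UAC elevation.

```powershell
# Added example: all paths, the flag file and the thumbprint are placeholders.
$ConfigData = @{
    AllNodes = @(
        @{
            NodeName        = 'localhost'
            # Public key used to encrypt credentials when the MOF is compiled.
            CertificateFile = 'C:\DscKeys\LabServer.cer'      # placeholder
            # Matching private key lives on the node; the LCM decrypts with it.
            Thumbprint      = '<CERTIFICATE-THUMBPRINT>'      # placeholder
        }
    )
}

Configuration LabServer {
    param([Parameter(Mandatory)] [pscredential] $InstallCredential)
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $AllNodes.NodeName {
        LocalConfigurationManager { CertificateId = $Node.Thumbprint }

        WindowsFeature NetFx {
            Name   = 'NET-Framework-Core'
            Ensure = 'Present'
        }
        File MediaFolder {
            DestinationPath = 'C:\Media'
            Type            = 'Directory'
            Ensure          = 'Present'
        }
        # Depends on every other resource, so the WMI restart happens last.
        Script InstallApp {
            DependsOn  = '[WindowsFeature]NetFx', '[File]MediaFolder'
            Credential = $InstallCredential
            GetScript  = { @{ Result = [string](Test-Path 'C:\Media\installed.flag') } }
            TestScript = { Test-Path 'C:\Media\installed.flag' }
            SetScript  = {
                # Assumed unattended switch and .ini location.
                $p = Start-Process 'C:\Media\setup.exe' -Wait -PassThru `
                         -ArgumentList '/script C:\Media\unattend.ini'
                if ($p.ExitCode -ne 0) { throw "setup.exe exited with $($p.ExitCode)" }
                New-Item 'C:\Media\installed.flag' -ItemType File | Out-Null
            }
        }
    }
}

# Compiling fails if the credential would end up unencrypted in the MOF.
LabServer -ConfigurationData $ConfigData -InstallCredential (Get-Credential) -OutputPath 'C:\Dsc\LabServer'
```

The compile step needs the `.cer` file to exist, and the node needs the matching private key before the LCM can decrypt the credential.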

  • #18327
    David O’Brien
    Participant

    Hi Don,

    thanks for your reply.

    In this case I'm writing a resource to install a ConfigMgr 2012 lab. ConfigMgr, during installation, restarts WMI by itself (I can't do anything about it) and it also wants to be run as a user, because the user running the installer is the first and only admin and for whatever reason you cannot add an admin during installation.

    So, it's not running on a client or installing a client application 😉

    I'll give it a try and report back with my results.

  • #18328
    Don Jones
    Keymaster

    Crappy installer. In general, I haven't found DSC to be hugely successful at packages, due mainly to crappy packages. Once product teams start to get more on board it'll help.

  • #18336
    David O’Brien
    Participant

    So, Start-Process didn't really help here, because the setup.exe complains about elevation. DSC then stops working.

    I know that I can use Start-Process to execute a PowerShell which runs a Start-Process with -Verb RunAs, but that will still prompt the UAC, which doesn't work in DSC.

    Kinda stuck now, very unfortunate, would've been cool to use DSC to deploy ConfigMgr in a lab.

  • #18340
    Don Jones
    Keymaster

    It's going to take SCCM being complicit in this, meaning they're going to need a DSC-friendly installer. It may happen, who knows.

  • #18362
    David O’Brien
    Participant

    I already asked them if there's any way to install as SYSTEM.
    They do give you an .ini file to install unattended, but you need to run it all as a user.

    Thanks so far!

  • #18401
    David O’Brien
    Participant
