SCCM2012 SP2 Scripted Deployment fails, running script manually succeeds though - powershell

I am installing a program through SCCM2012 SP2 with a PowerShell Script and it fails with an install shield ResponseCode -3, running the Powershell script manually from C:\windows\ccmcache#\ succeeds though...
This is my command line (it works for dozens of other scripts - including installshield packaged scripts)...
"%WINDIR%\sysnative\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy RemoteSigned -file .\InstallTigerpaw.ps1

If it's the system error code 3, it means 'File Not Found'. Running manually from the cache is different from execution by the CM agent. Below is what I take into consideration when trying to deploy a PowerShell script using a Program.
First,
To deploy a script using Configuration Manager, I always test it first by running it manually under System Context, which is the same context that CM deployments run under. I use PSExec tool to open a new command prompt under system context by running psexec /s cmd.exe in a common command prompt.
Second,
The command you use in the program. In your case, use Sysnative only when you intend to access the system32 folder on a 64-bit operating system. If not, then you don't need it.
Third,
The Execution Policy. Microsoft allows you to temporarily bypass the execution policy to get work done; that's one reason I usually use Bypass. For example:
PowerShell.exe -ExecutionPolicy Bypass -File ".\PowerShellScriptFileName.ps1"
Most of the time the deployment goes fine on clients. In case of problems, I will look at client side log, execmgr.log.
In some cases, we may need to set 'Only when a user is logged on', 'Run with administrative rights' for specific needs of running scripts.

Related

Silent bat file execute powershell command

We have an application server running as a service, when some configuration is loaded it starts a bat script which has to run the powershell command Stop-ClusterGroup DRMSERVICES and then start it again.
The bat file works flawlessly when I manually execute it by double-clicking. But when the service is running the bat, it does not finish, or execute the powershell command.
Bat file looks as follows
@echo off
powershell -command Stop-ClusterGroup DRMSERVICES
powershell -command Start-ClusterGroup DRMSERVICES
The service runs the bat file in silent mode, as a main difference.
I have tried with various switches including the -ExecutionPolicy Unrestricted and START /wait etc
Creating a separate ps1 file and having the bat execute this instead.
All with the same output:
Manually executing the bat works
When the service executes the bat, it does not work.
I know the bat file is executed by the service, as inserting NET STOP servicename is working correctly.
In the powershell event viewer I can also see event of the powershell commands take place.
The difference between manually executing and have the service execute the command in the event viewer, is event id 800 which states info about 'execution pipe' this is not present when the service is executing the bat.
The service does not wait for the powershell, and thus it does not have time to stop the cluster before exiting.
I'm lost whether this is a permission issue, syntax error or whatever.
Hopefully somebody can help
UPDATE:
I have tried with all proposed solutions, all with same result, the bat file works when double clicked, but the service does not execute the powershell command. Pure cmd is executed, as I can pipe to a txt file. I even got to a point when trying runas that the output log text wrote "insert administrator password"
I even managed to have our software guy change our software to call powershell directly instead of a bat, same result. Powershell won't execute the command. This tells me it probably is permissions, but everything has been set to log in as admin and run as admin for the sake of success, but still nothing.
I solved the problem.
Because the service is a 32bit process, it will execute a 32bit powershell.
FailoverClusters module only exists as a 64bit module.
By using %SystemRoot%\sysnative\WindowsPowershell\v1.0\powershell.exe
The service is able to open a 64bit session, and thus use the failover cluster module.
As a side note, the sysnative folder is only visible from a 32bit session, therefore it cannot be found via browsing in a 64bit os.
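The fix above, and the sysnative command line in the SCCM question at the top of the page, can be built into the script itself so it behaves the same under any launcher. This is an added example, not code from the original posts; the exit code 1 and the logging line are illustrative choices.

```powershell
# Added example: place at the top of the deployed script (PowerShell 2.0 or later).
# PROCESSOR_ARCHITEW6432 is defined only inside a 32-bit process on 64-bit Windows.
function Test-IsWow64Process {
    return [bool]$env:PROCESSOR_ARCHITEW6432
}

if (Test-IsWow64Process) {
    # sysnative is a virtual alias that only 32-bit processes can resolve.
    $native = Join-Path $env:SystemRoot 'sysnative\WindowsPowerShell\v1.0\powershell.exe'
    if (-not (Test-Path $native)) {
        Write-Error "64-bit PowerShell not found at $native"
        exit 1
    }
    # Re-run this same script in the 64-bit host, forward its arguments,
    # and hand the child's exit code back to the launcher (service, SCCM, .bat).
    & $native -NoProfile -ExecutionPolicy RemoteSigned -File $MyInvocation.MyCommand.Path @args
    exit $LASTEXITCODE
}

# From here on the process is native. Record the context so a failed
# deployment can be diagnosed from its output.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$bitness  = [IntPtr]::Size * 8
Write-Output ("Running as {0} in a {1}-bit PowerShell {2} host" -f $identity, $bitness, $PSVersionTable.PSVersion)

# Modules that ship 64-bit only (FailoverClusters in the thread above) can now be imported.
if (Get-Module -ListAvailable -Name FailoverClusters) {
    Import-Module FailoverClusters
} else {
    Write-Warning 'FailoverClusters module is not installed on this machine.'
}
```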
I think I have dealt with this kind of issue before. After the
powershell -command Stop-ClusterGroup DRMSERVICES
you need to have cmd wait for a certain number of seconds, and then test if the DRMSERVICES is now stopped, if it is stopped then to start the DRMSERVICES again. This way cmd will keep waiting, and then check if the service has stopped.
After a certain number of tries, maybe have a way to stop checking and exit the script, for example it is trying to stop the service, and has run into a problem.
There is a timeout command in cmd

Powershell command to run for everyone

I am running into a problem with a PowerShell script. I want to add a Microsoft store app with a PowerShell command:
Add-Appxpackage -path C:\Temp\whiteboard.appx
The command is working fine, but only for 1 user not for everyone. It must be installed for everyone. How can that be done?
As @WafflesAndCustard already mentioned, the issue for executing the script is the ExecutionPolicy.
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7
The PowerShell script execution takes another road than you might think ... PS-User-Policy takes precedence over PS-Computer-Policy, but Local (gpedit) and Domain policies (gpmc) override anything and take the final precedence (Domain policies have highest priority)
By default -> no PowerShell Script execution is allowed.
When you want to use your script for all users, without predefining the PS-executionpolicy, you should use the native command like
powershell.exe -ExecutionPolicy ByPass -File ....
BUT, and that's really IMPORTANT when it comes to security:
Please don't use the temp folder, as this is usually something everybody can write to!
E.g. a user/program can place a malicious executable file into that folder with same name and your task (or whatever) will execute it with high privileges.
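One way to enforce the warning above before a privileged install runs, as an added example that is not part of the original answer: it refuses to install when the package or its folder grants write-type rights to broad groups. The function name `Get-BroadWriteAce` and the list of groups treated as "broad" are assumptions made for this example; the package path is the one from the question.

```powershell
# Added example (PowerShell 3.0 or later). Get-BroadWriteAce is a hypothetical helper name.
$ErrorActionPreference = 'Stop'

function Get-BroadWriteAce {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Well-known SIDs that cover ordinary, non-administrative users.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
        'S-1-5-4'      = 'INTERACTIVE'
    }
    # Only write-type bits: a mask built from Modify or FullControl would also match read-only ACEs.
    $rights    = 'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]$rights
    $writeBits = $writeBits -bor 0x50000000      # GENERIC_WRITE | GENERIC_ALL, stored raw in some ACEs
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType     = [System.Security.Principal.SecurityIdentifier]

    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($sid)) { continue }
        # Inherit-only ACEs apply to children, not to the object being inspected.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ([int]$ace.FileSystemRights -band $writeBits) {
            [pscustomobject]@{ Path = $Path; Identity = $broadSids[$sid]; Rights = $ace.FileSystemRights }
        }
    }
}

$package  = 'C:\Temp\whiteboard.appx'            # path taken from the question
$findings = @(Get-BroadWriteAce $package) + @(Get-BroadWriteAce (Split-Path -Parent $package))

if ($findings.Count -gt 0) {
    $findings | Format-Table Path, Identity, Rights -AutoSize | Out-String | Write-Output
    Write-Error -ErrorAction Continue 'Refusing to install: the package location is writable by non-administrative users.'
    exit 1
}
Add-AppxPackage -Path $package
```

A folder created directly under C:\ normally inherits modify rights for Authenticated Users, so C:\Temp is flagged unless its ACL has been tightened.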

Run a script to load commands into my main script

I have a powershell file that I have downloaded from ScriptCenter that allows me to control and query virtual desktops on my machine (https://gallery.technet.microsoft.com/scriptcenter/Powershell-commands-to-d0e79cc5).
Using their example, I can run that ps1 file at the start of my script to use those commands that the script creates. All fine here.
The only issue with this is that when I run my script, it asks to confirm to run it. This is something I don't want my script to do.
To work around this, I tried using the "PowerShell" command with "-ExecutionPolicy Bypass" set. This removes the prompt to approve the script, however it stops the script from being loaded into my script's session, as I can't use any of the commands it makes available by running it.
How do I either run the script first, without it prompting, or execute the powershell command so that it is run in the session space of my script so that its commands are available?
Thanks

Powershell Script doesn't work when starting it by double-clicking

I got some strange behaviour when executing a powershell script.
When I run my script using the ISE it works just fine.
When I open Powershell.exe and run my script it works just fine.
When I open cmd, and start my script using powershell.exe -noexit ./myscript.ps1, myscript works just fine.
When I double-click myscript however, powershell opens for some milliseconds, I see that it shows some error (red font) and the powershell window closes. I'm unable to track down the error causing this problem since the powershell window closes too fast.
I even tried one single big try-catch block around my whole script, catching any [Exception] and writing it down to a log file. However: the log file is not generated (catch is not called).
How can I track that issue? What could possibly be causing the trouble?
Please note that my execution-policy is set to unrestricted.
Before trying the suggestion invoke this to see your current settings (if you want restore them later):
cmd /c FType Microsoft.PowerShellScript.1
Then invoke this (note that you will change how your scripts are invoked "from explorer" by this):
cmd /c @"
FType Microsoft.PowerShellScript.1=$PSHOME\powershell.exe -NoExit . "'%1'" %*
"@
Then double-click the script, it should not exit, -NoExit does the trick. See your error messages and solve the problems.
But now all your scripts invoked "from explorer" keep their console opened. You may then remove -NoExit from the above command and run it again or restore your original settings.
Some details and one good way to invoke scripts in PS v2 is here.
Unfortunately it is broken in PS v3 - submitted issue.
By default, for security reasons, when you double-click a .ps1 file the action is Edit file, not Run file.
To execute your script, right-click it and choose Run with PowerShell.
I also wasn’t able to run a script by double clicking it although running it manually worked without a problem. I have found out that the problem was in the path. When I ran a script from a path that contained spaces, such as:
C:\Users\john doe\Documents\Sample.ps1
The script failed to run. Moving the script to:
C:\Scripts\Sample.ps1
Which has no spaces, solved the problem.
This is most likely an issue with your local Execution Policy.
By default, Powershell is configured to NOT run scripts that are unsigned (even local ones). If you've not signed your scripts, then changing your default double-click 'action' in Windows will have no effect - Powershell will open, read the execution policy, check the script's signature, and finding none, will abort with an error.
In Powershell:
Help about_execution_policies
gives you all the gory details, as well as ways to allow unsigned scripts to run (within reason - you'd probably not want to run remote ones, only ones you've saved onto the system).
EDIT: I see at the tail end of your question that you've set Execution Policy to 'unrestricted' which SHOULD allow the script to run. However, this might be useful info for others running into execution policy issues.
If you would catch the error you will most likely see this
The file cannot be loaded. The file is not
digitally signed. The script will not execute on the system. Please
see "Get-Help about_signing" for more details.
Because you are able to run it from the shell you started yourself, and not with the right mouse button click "Run With PowerShell", I bet you have an x64 system. Manually you are starting the one version of PowerShell where the execution policy is configured, while with the right click the other version of PowerShell is started.
Try to start both the x64 and x86 versions and check the security policies in each:
Get-ExecutionPolicy
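The check suggested above can be scripted so that every execution policy scope (the user, machine and Group Policy levels mentioned in the earlier answer on this page) is compared between the two hosts in one run. This is an added example, not code from the original answers; it assumes 64-bit Windows with Windows PowerShell 3.0 or later, and `Get-PolicyByScope` is a hypothetical helper name.

```powershell
# Added example. Resolve both hosts regardless of the bitness of the calling session.
$template = Join-Path $env:SystemRoot '{0}\WindowsPowerShell\v1.0\powershell.exe'
$wow64    = [bool]$env:PROCESSOR_ARCHITEW6432   # set only inside a 32-bit process on 64-bit Windows
$hosts = [ordered]@{
    x64 = $template -f $(if ($wow64) { 'sysnative' } else { 'System32' })
    x86 = $template -f $(if ($wow64) { 'System32' } else { 'SysWOW64' })
}

function Get-PolicyByScope {
    param([Parameter(Mandatory = $true)][string]$Exe)

    # A script block handed to powershell.exe from PowerShell is sent encoded,
    # so the quotes inside it need no escaping.
    $lines = & $Exe -NoProfile -Command {
        Get-ExecutionPolicy -List | ForEach-Object { '{0}={1}' -f $_.Scope, $_.ExecutionPolicy }
        'Effective={0}' -f (Get-ExecutionPolicy)
    }
    $map = @{}
    foreach ($line in $lines) {
        $name, $value = $line -split '=', 2
        $map[$name] = $value
    }
    return $map
}

$x64 = Get-PolicyByScope $hosts.x64
$x86 = Get-PolicyByScope $hosts.x86

# Scopes in precedence order, highest first; Effective is what the host actually enforces.
$scopes = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine', 'Effective'
$report = foreach ($scope in $scopes) {
    [pscustomobject]@{
        Scope   = $scope
        x64     = $x64[$scope]
        x86     = $x86[$scope]
        Differs = ($x64[$scope] -ne $x86[$scope])
    }
}
$report | Format-Table -AutoSize
```

The LocalMachine value is stored under HKLM\SOFTWARE, which 32-bit processes see through WOW6432Node, so Set-ExecutionPolicy run in one host does not change the other.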
I was in exactly the same situation as described in the question: my script worked everywhere except when double-clicking. When I double-clicked, a powershell window would open but then it would close after a second or so. My execution-policy is also set to unrestricted.
I tried the selected answer concerning FType Microsoft.PowerShellScript.1 but it didn't change anything.
The only solution I found was a workaround: create a bat file which starts the powershell.
Create a file, copy this and modify the path : powershell.exe -File "C:\Users\user\script\myscript.ps1"
Save it as a .bat
Double-click the bat
I also used .ahk to start my powershell with a shortcut and it didn't work when pointing directly to the powershell. I had to point to the .bat

Launching .exe from PowerShell window SOMETIMES causes it to be run in separate window, so I can't see output or get $lastexitcode

I am by no means a PowerShell expert; I have spent a good while googling this, but haven't found an answer.
The basic idea of my script is to run a Microsoft tool called appcert.exe with command-line arguments. appcert.exe returns 0, 1, or -1; I am checking it with $lastexitcode.
appcert.exe only runs on Windows 7 and Windows 8, so I have run my script on both.
Everything works fine on Windows 7x64 (PS version = 2.0). I can manually run all the same steps. I see the output of appcert.exe in the same PS window.
Different story on Windows 8x64 (RTM), where PS version = 3.0, CLRVersion = 4.0.30319.17929.
Sometimes, appcert.exe runs "inline" (like it did in Win7); other times, a command window is launched, the appcert.exe output flies by, and command window closes. The PS window that called it can't check $lastexitcode (which, by the way, is not set at all).
I tried all PS versions on machine, and results are as follows:
appcert.exe is launched in separate window in these instances:
In PowerGUI 3.2.0.2237 (uses PS 2.0)
In regular PowerShell (non-admin)
In Windows PowerShell ISE (non-admin)
appcert.exe is launched inline in these instances:
Ran Powershell as administrator
Ran ISE as administrator
Behavior above is obtained whether I:
Launch script, which calls the appcert command like this: & $CertToolPath
cd to the home directory of the tool and type .\appcert.exe
Run this: Cmd /c appcert.exe
Run this: Invoke-expression -command appcert.exe
Run this: [system.diagnostics.process]::start("appcert.exe")
My colleagues are equally stumped by this.
My machine is in a test domain, not a workgroup. I log into the machine as an admin of the test domain, so theoretically, I'm already an admin.
I install the MS tool as that admin, too. In fact, I never do anything as the machine's local admin. Any ideas? :)
Many thanks in advance,
Tania
Can you repro this with any other exe? Do you have UAC prompts disabled?
Is it possible that appcert.exe requires to be run as Admin, and if not, it automatically re-launches itself as Admin (this should cause a UAC prompt, but if you've turned them off, it would appear to just spawn a new instance automatically)?