11 Replies Latest reply on Aug 2, 2016 11:22 AM by phoffmann

    Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue

    ecoidan Specialist

      -- Issue:

      Unable to deploy software as "Current User" silently with registry imports (HKLM and HKCU) and creating folders and/or copying files under "c:\Program Files" or "c:\Windows" folders with the current user as a local Admin of the system and the UAC set up one notch from bottom.

       

       

      Core Servers:

      LDMS 9.6SP2 SU0419 <OR> LDMS 2016 SU4

      (built new core servers for this test)

       

      Client System:

      Windows 10 Pro (clean install from ISO)

      Logged in user is part of local Administrators Group on Windows 10 Pro

      UAC is one notch up from the bottom

       

       

      Below are the Batch files and Registry Files used in this test.  Purpose of the 2 batch files is to compare the behavior difference between REGEDIT.EXE and REG.EXE

       

       

      Batch File #1

      c:\windows\regedit.exe /s exampleHKCU.reg

      c:\windows\regedit.exe /s exampleHKLM.reg

      MD "C:\Program Files\Win10Test"

       

      Batch File #2

      c:\windows\system32\reg.exe IMPORT exampleHKCU.reg

      c:\windows\system32\reg.exe IMPORT exampleHKLM.reg

      MD "C:\Program Files\Win10Test"

       

      Reg File #1:  "exampleHKCU.reg"

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\SOFTWARE\AAA-Win10Test]

      "RegEdit"="Windows10RegTest"

       

      Reg File #2:  "exampleHKLM.reg"

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\AAA-Win10Test]

      "RegEdit"="Windows10RegTest"

       

       

      Scenario 1:

      Deploy Batch File 1 to Windows 10 client silently.

      - UAC pops up for approval to run regedit

      - approve the UAC

      Deployment Results:

      -No Registry Keys imported in either HKLM or HKCU

      -No Folder was created under "c:\Program Files"

       

      Scenario 2:

      Deploy Batch File 1 to Windows 10 client using LANDESK Notication popup before installation.

      - LANDESK Notication window pops up

      - Click on Deploy Now

      Verify Deployment:

      Deployment Results:

      -Registry Keys imported in both HKLM or HKCU

      -Folder was created under "c:\Program Files"

       

       

      At this point I believe that the LANDESK Notication popup seems to be elevating rights and by-passing the UAC. It was my understanding that the LANDESK Notication windows was just to allow the user to defer the install at a later time or be informative to the user that something was going to install.  But it seems that more is going on than just informing the user and giving choices.

       

      The next 2 scenarios use batch file #2 to see if REG.EXE behaves different than regedit.

       

      Scenario 3:

      Deploy Batch File 2 to Windows 10 client silently.

      - No UAC shows up and job finishes

      Deployment Results:

      -Registry Key imported into HKCU

      -No Registry Key imported in HKLM

      -No Folder was created under "c:\Program Files"

       

      Scenario 4:

      Deploy Batch File 2 to Windows 10 client using LANDESK Notication popup before installation.

      - LANDESK Notication window pops up

      - Click on Deploy Now

      Deployment Results:

      -Registry Keys imported in both HKLM or HKCU

      -Folder was created under "c:\Program Files"

       

       

      Scenario 3 and 4 shows the results are pretty much the same except REG.EXE doesnt cause the UAC to show (Scenario 3) and actually applies registry settings to the HKCU keys.

       

      Summary:

      I believe that there is an issue with the silent package deployment, as Current User, in regards to the UAC stopping actions where as those issues don't exist when using the LANDESK Notification window prior to installation.  I have built 2 new clean Core servers and client systems from scratch and can replicate this over and over.  If I disable the UAC in Windows 10, slide the UAC bar to the bottom, then the silent deployment works without issue but several features of Windows 10 will also not work if the UAC is disabled so thats just not an option.

       

      Anyone else out there seeing this or does anyone else deploy anything as Current User and silent with the UAC enabled?

        • 1. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
          phoffmann SupportEmployee

          So about the following...

          At this point I believe that the LANDESK Notication popup seems to be elevating rights and by-passing the UAC. It was my understanding that the LANDESK Notication windows was just to allow the user to defer the install at a later time or be informative to the user that something was going to install.  But it seems that more is going on than just informing the user and giving choices.

           

          ... that depends on how you've configured the batch to run.

           

          If you've configured it to run as local system (default) then no elevation will be needed, as it's already running as local system - but the HKCU registry keys will end up being in HKLM (as expected in that scenario).

           

          If you've configured the package to run as the "logged on user" no elevation will take place, as we have to run in that users' context - and HKCU will be correct for that user.

           

          We can elevate *TO* Local System (or "a user your specify) - but we can't make "Joe Average who's logged on" have admin-level access generally.

           

          ... lemme play with the batches you've defined above, and see what we'll see (also - cudos for awesome explanation). Good example for how these things should be documented .

          • 2. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
            phoffmann SupportEmployee

            Minor snag:

             

            Reg File #1:  "exampleHKCU.reg"

            Windows Registry Editor Version 5.00

            [HKEY_CURRENT_USER\SOFTWARE\AAA-Win10Test]

            "RegEdit"="Windows10RegTest"

             

            Reg File #2:  "exampleHKLU.reg"

            Windows Registry Editor Version 5.00

            [HKEY_CURRENT_USER\SOFTWARE\AAA-Win10Test]

            "RegEdit"="Windows10RegTest"

             

            ... those two are the same? Did you mean to test HKLM vs HKCU ? ... easily enough corrected .

            • 3. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
              phoffmann SupportEmployee

              OK so ...

               

              This is tested with LD 2016 and SU4 (on that level since I was testing against other issues):

               

              <I am Logged in as an admin into Windows 10, but UAC is enabled at default - 1 notch from the top - on the Win-10 box>

              Win10_UAC.jpg

              <I've ammended the HKLM reg-key to actually point to the HKLM location >

               

              Test run 1 - running the batch files "as logged on user"

               

               

              Observations on running Batch 1 (the "reg.exe" based one) - as the "logged on user":

              • UAC window DOES NOT pop up!
              • HKCU key created correctly.
              • HKLM key NOT created (error accessing the registry - makes sense though)
              • Directory NOT created (access denied)

               

              Observations on running Batch 2 (the "regedit.exe" based one) - as the "logged on user":

              • UAC window DOES pop up!
              • HKCU key created correctly. (requires UAC approval though)
              • HKLM key created correctly. (requires UAC approval though)
              • Directory NOT created (access denied)

               

              =========

               

              Observations on running Batch 1 (the "reg.exe" based one) - as the "Local System":

              • UAC window DOES NOT pop up! (not expected to, seeing as we're running as local system)
              • HKCU key does NOT get created. (not expected to, seeing as we're running as local system)
              • HKLM key does NOT get created. <this goes against expectations>
              • Directory gets created fine.

               

              Observations on running Batch 2 (the "regedit.exe" based one) - as the "Local System":

              • UAC window DOES NOT pop up! (not expected to, seeing as we're running as local system)
              • HKCU key does NOT get created. (not expected to, seeing as we're running as local system)
              • HKLM key does NOT get created. <this goes against expectations>
              • Directory gets created fine.

               

              =====

               

              BONUS ROUND - checking the command prompt:

               

              • Ran a command prompt as the local admin (without running it "as administrator") to import the registry keys:
                • regedit.exe on HKLM - (PROMPTS FOR UAC) - but works
                • regedit.exe on HKCU - (PROMPTS FOR UAC) - but works
                • reg.exe on HKLM - Fails (no access)
                • reg.exe on HKCU - works (no UAC prompt)

               

              • Ran a command prompt "as admin" to import the registry keys:
                • regedit.exe on HKLM - works
                • regedit.exe on HKCU - works
                • reg.exe on HKLM - works
                • reg.exe on HKCU - works

               

              ... bit surprised around the inconsistency of UAC around using REG.EXE versus REGEDIT.EXE (I admit I expected them to behave consistently ...).

               

              Smells like Microsoft has changed some things (yay) ... here's what I would suggest you do.

               

              Log this as a defect (it may not be one, but hear me out) and have support / dev look into it. It's possible that there's some stuff that we need to fix. I'd certainly expect LOCAL SYSTEM to be able to write to HKLM (it's its own HKCU if nothing else historically). At least with dev looking into this, we should be able to tell apart how much of this is on us to fix & what of this is Microsoft changing the rules / needing to fix something or whatnot.

               

              Does that make sense?

               

              <Reason why I'd like you to open the ticket / defect with support is that - while I can log the defect - I've not got any node-count attached to me ... ... and you'd want to get notified with whatever the resolution to this is. Let us know what the defect # will be, in case there's other folks who'll want to be added to it. They can find the thread & just ask to be signed up to the problem ID rather than having to re-invent the wheel.>

               

              Lemme know if there's questions around what I've done / how that matches up with your results.

              • 4. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                JoeDrwiega SupportEmployee

                What is your setting for this feature?  "User Account Control: Virtualize file and registry write failures to per-user locations" https://technet.microsoft.com/en-us/library/jj852189(v=ws.11).aspx

                • 5. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                  ecoidan Specialist

                  I corrected original post about the HKLM registry file, thanks for catching that.  I created a ticket with support on July 7th, just thought I get some community input.  I rewrote this issue and then copied this posted it here and into the ticket.  My first attempt to explain wasn't very clear.  

                   

                  The reason I am going through all this is because my customer has 20+ distribution packages configured as "Current User's Account" installs and those packages have all kinds of customization's with copying additional files to folders and adding registry keys. Current environment is all Win7 with the UAC off and everything works smooth but they will be moving to Windows 10 and all these packages failed. Software would install but all those custom reg keys and file copies failed.

                   

                  My UAC is set like this:

                  SNAG-0527.jpg

                  Excluding the Bonus round testing,<GRIN>  I want to focus on the first two tests (logged on user). Have you tried to deploy the batch with "Distribution and Patch" settings configured like shown below. Everything is successful if you do this.  Regardless if the LANDESK Notification Window shows or not, the result should be the same but its not.

                   

                  SNAG-0529.jpg

                  SNAG-0530.jpg

                   

                  In my schedule task I selected the above "Distribution and Patch" Settings.

                  • 6. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                    phoffmann SupportEmployee

                    ... really ? That then works?

                     

                    <cross-checking against your settings - the only thing that's different is this ... - I hadn't had the "Display full package interface" enabled because it was a batch ...>

                    1_DistAndPatch_Notification.jpg

                     

                    ... I can try to re-run the tests next week with that enabled to see what changes. I've usually got most / all of the feedback options enabled anyway, as I usually want/need the visual feedback during my testing of this & that.

                     

                    The "Bonus round" stuff was just as sanity check ... can't say I'm terribly happy that the two binaries behave quite so differently .

                     

                    Hmmm ... in regards to "is successful" ... are we talking about "the task status is successful" or are we talking about "the task function magically works as intended"?

                     

                    Task status can be an "interesting" thing, based on what ran last - but if the task itself magically starts to work just by displaying more of the UI ... yeah - that's odd.

                     

                    It could be a weird sort of Windows 10 doing weird stuff sort of odd, but yeah ... certainly not wrong in having raised that as a ticket ...

                    • 7. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                      ecoidan Specialist

                      Successful as in the settings are applied to the workstation.  The Scheduled Task also shows successful but I really wasn't paying much attention to the Schedule Task results, just focused on the actually settings.  I will reach out to support today, I did not inform them I had the "Display Full Package Interface" checked.

                       

                       

                      Joe, the "User Account Control: Virtualize file and registry write failures to per-user locations" is set to Enable.  Thats the default.

                      • 8. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                        phoffmann SupportEmployee

                        Yeah ... seems to be having quite the effect ... which one wouldn't think should be able to have quite such drastic different effects.

                        • 9. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                          ecoidan Specialist

                          I unchecked the "Display Full Package Interface" and my results are exactly like yours. With it checked, the batch file is able to modify the file system and registry.

                          • 10. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                            ecoidan Specialist

                            I feel like I am spamming this thread.  I just created a new "Distribution and Patch" behavior and the only setting I changed from default was to checked "Display Full Package Interface".   The batch deployed completely SILENT and WAS ABLE to modify both the HKCU and HKLM and create folders under c:\program files".  I tested it with both REGEDIT and REG.

                             

                            So what exactly does "Display Full Package Interface" do??

                             

                            • 11. Re: Windows 10 - Silent Software Deployment - Current User - Registry/Folder Issue
                              phoffmann SupportEmployee

                              In the context of Windows 10, it would appear that we'll need to hear back from Dev on that one ... since we're not going to have changed much between Win 7 & Win 10 (same files), odds are that certain things around batch-es are responding differently in Win 10 specifically that used to be fine in eons past, I'd suspect.