WinBatch Tech Support Home

Database Search

If you can't find the information using the categories below, post a question over in our WinBatch Tech Support Forum.

TechHome

UAC

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

Installation Scripts

 Keywords: Setup Install Installation Script UAC Vista Win7  

Question:

I am a registered user of Winbatch. Shortly we will be moving to Windows 7 (we for the most part avoided Vista). We write a lot of automation scripts for installing software. I have been begun to test Winbatch scripting with UAC and have been unable to avoid the "approval" dialog boxes. I have read your help on Manifests, Certs and Group Policy.

The question I have is "Any way to script an installation that requires elevation so that the user is not required to respond" - in other words a silent install. Thanks for any help you can give.

Answer:

UAC definitely introduces some difficult scripting implications. Especially for processes that need to run elevated.

Note, we have found the most consistently reliable option for WinBatch script installs is to use the Windows Task Scheduler to run an install as a logon task. Basically this causes the script to run as a service and you will not receive any UAC prompts when running from the task scheduler.

You will need to familiarize yourself with the Windows Task Scheduler. Here is a link to the Windows Task Scheduler application: http://technet.microsoft.com/en-us/library/cc721871.aspx

When setting up a task, first decide what will trigger that task to start. In this case you will want to specify 'at log on:'

At log on 
This trigger causes the task to run when a user logs on to the computer, and the trigger's settings allow you to specify that
the task should be triggered when any user logs on the computer or when a specific user logs on.

Here is a little background on UAC: User Account Control (UAC) is a set of tools built into Windows Vista and Windows 7 that helps to protect your system. UAC uses the "least privileges" rule. Which states that all users and software run with the least privileges possible at all times. Any time a user or software needs administrative privileges a consent prompt appears. When a consent prompt appears, your screen is locked except for the consent prompt. In the world of scripting, UAC can sometimes cause great headaches when attempting to automate something and the user is always getting prompted.

Prior to Windows Vista and 7, standard users often had the option of installing applications. The key difference then was that, although administrators could create Group Policy settings to limit application installations, they did not have access to limit application installations for standard users as a default setting. In a UAC environment, they do, and administrators can still use Group Policy to define an approved list of devices and deployment. There are a few Group Policy object (GPO) settings that can be configured for UAC. You might consider looking into these group policy settings: http://technet.microsoft.com/en-us/library/ee732416(WS.10).aspx

Here is a definitive Microsoft article that explains all of your options: http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx Specifically see the section titled: 'UAC Deployment Scenario'. This section of the article is intended to help IT departments scope potential issues that may arise from running in a Windows environment with UAC enabled.

NOTE: The IT department should assume that standard users will generally not be able to install any applications and 
that they will have a minimum set of user rights added to their access token. The users will no longer have the 
ability to run as an administrator and will instead need a service running as an administrator to alter the system 
state for them. 

Article ID:   W18314
Filename:   Installation Scripts.txt
File Created: 2014:05:13:10:22:56
Last Updated: 2014:05:13:10:22:56