1

I have set up an Azure VM with Windows 10 Pro for our custom DevOps build Agent. The user that I've created is Administrator and is in the Administrators group too.

However, if I do:

  1. RDP to VM via that user with admin privileges
  2. Run PowerShell (not with Administrator privileges)
  3. Try to run e.g. Import-Certificate command

In PowerShell, I get an Access Denied error.

Is there any chance that all my PowerShell instances will automatically have admin privileges?

The solution would serve for that hosted DevOps Agent. Now I am not able to run any script in our DevOps pipeline which would eventually need admin privileges.

krs
  • 131
  • 1
  • 4

2 Answers2

2

So I figured it out without any third-party tool.

The original command for starting the custom build agent was:

C:\windows\system32\cmd.exe /D /S /C start "Agent with AutoLogon" "C:\agent\run.cmd" --startuptype autostartup

The above produced non-admin Command Prompt through which the DevOps doesn't have admin/elevated privileges.

You can use Start-Process PowerShell command to start the above with -Verb RunAs to gain elevated privileges:

powershell -Command "Start-Process powershell -ArgumentList 'C:\windows\system32\cmd.exe /D /S /C start C:\agent\run.cmd --startuptype autostartup' -Verb RunAs"

However, this approach sacrifices title of the Command Prompt as I did not figure out how to properly escape double quotes that are needed for it.

krs
  • 131
  • 1
  • 4
0

If you want to run tasks in your pipeline that require admin elevation then you need to make sure that your Agent service is running using an account that is an administrator. This will only work for self-hosted agents. If you are using Microsoft hosted agents you will not be able to elevate to administrator.

Sam Cogan
  • 38,736
  • 6
  • 78
  • 114
  • These are 3 processes that are run by a custom Agent. All of them run under an account that has administrator access. However, if I run PowerShell (without explicitly stating "as Administrator") locally on that PC under the same user I still get Access Denied e.g. for Import-Certificate command. From that, I assume that there could be something wrong with that admin user in general, but maybe not - really don't know. – krs Jan 22 '21 at 11:52
  • Ok, so I ended up using NirSoft util with Elevate command. Going from 'C:\windows\system32\cmd.exe /D /S /C start "Agent with AutoLogon" "C:\agent\run.cmd" --startuptype autostartup' to 'nircmd elevate "C:\agent\run.cmd" --startuptype autostartup'. That start the Agent within Administrator cmd and hence my DevOps PowerShell commands just run with elevated permissions. – krs Jan 22 '21 at 15:30