Puppet, Windows, and UAC

Question

Is it possible to use Puppet on Windows where UAC is enabled? Does Puppet have any method for automatically saying yes to UAC prompts for a software install? My module does the following workflow:

Downloads an MSI file locally from the Puppetmaster

Creates a local batch file using template function which does cmd.exe /c msifile.msi /i /quiet ....

Runs bat file in an Exec.

Unfortunately, it fails due to UAC, I am wondering how people are working around UAC in their Windows Puppet environments. The Puppet documentation seems to only talk about Puppet's own executable in regards to UAC.

score 2 · Accepted Answer · answered Jun 05 '14 at 21:46

2

If UAC is active and configured to require manual approval for administrative actions, there is no way to bypass it; this is by design. Your only option is to configure it in a different way.

You can manage UAC either using Group Policies or each system's local security policy; this way, you can allow administrative users to perform administrative actions without being prompted by UAC each time. This can be set separately for the built-in Administrator account and for all other administrative users; unfortunately, there is no way to bypass UAC only for a specific user (unless that user is the built-in Administrator), thus you can't create an UAC-bypassing user account in order to use it for your deployment.

Your best option here is to configure UAC for auto-approval before starting your deployment, run your Puppet deployment, and then re-enable UAC; the easiest way to accomplish this is to create an Active Directory OU for staging computers, link an appropriate GPO to that OU, place computers inside the OU during deployment and move them back to where they belong after the deployment is completed.

answered Jun 05 '14 at 21:46

Massimo

70,200
57
200
323

All the computers that I am running this module on are already in production. – usedTobeaMember Jun 05 '14 at 21:57
Any way to temporarily disable UAC with puppet and then reenable? – usedTobeaMember Jun 05 '14 at 22:00
There's no way to manage UAC from the command line, it can only be configured by the security policy, either local or via GPO. However, you can use the OU trick I described in my answer on already running systems; just move them to the OU with the UAC-disabling GPO and then move them back after running Puppet on them. – Massimo Jun 05 '14 at 22:35
If you disable and reenable UAC via GPO, is a reboot required for either? – usedTobeaMember Jun 05 '14 at 22:54
Unfortunately, yes. – Massimo Jun 05 '14 at 23:10
You can try changing the registry values and then changing them back. It may or may not work without a reboot. – ferventcoder Jun 06 '14 at 20:17

Puppet, Windows, and UAC

1 Answers1