DSC Configuration unable to install some choco packages requiring elevated privs

Hey all,

I’m a first-time poster and am having some DSC beginner issues seemingly related to permissions.

Firstly some context:

  • I have WMF 5.1 and the latest choco client installed
  • I’m trying to install Sophos Endpoint Security using Choco and DSC
  • I’ve created a Sophos Choco package and it installs w/ no problem as a local admin running ‘choco.exe’
  • I’ve installed the latest cChoco DSC Module
  • Installation of the package via DSC push + cChoco fails
  • When I modify the Sophos Choco package to output the current user (during DSC application), it outputs ‘NT Authority/System’
  • Logging in as ‘NT Authority/System’ and executing ‘choco install’ produces the same error (return code 4) as observed from DSC push + cChoco
  • Server: Windows 2012 R2 from base AWS AMI
  • Administrative user is simply the default one created by ec2utils upon instance launch
  • Server has been joined to a new AD domain (in case that affects permissions)
  • UAC temporarily disabled for troubleshooting
  • ‘NT Authority/System’ unable to use ‘runas.exe’ to do simple things like ‘whoami’ or ‘ping’ due to permissions

I have some other ideas that I’ve started down, but I’m really after guidance on what’s best practice for configuring DSC/Windows to be able to run installers that require elevated privileges. My Windows permission fundamentals are a bit lacking, so I’m assuming it’s more my lack of understanding than a fault; plus it seems like something that would be encountered frequently by everyone managing their fleet with DSC.

Hi Leon,

I’ve seen similar issues dealing with certain MSI installations running under System started by DSC. I’ve come to believe it’s due to the System account lacking some of the attributes a normal user might have (like the My Documents path, etc.). If it’s an MSI, use something like Orca to inspect it to see what it’s actually trying to do. Something I’ve not tested yet but you might want to try is running that part of the configuration as another user by using the PsDscRunAsCredential property in the config block. This might give you a better outcome.
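A DSC configuration applying the PsDscRunAsCredential suggestion above, as an added example that is not code from this thread or from the cChoco project; it assumes a domain service account CONTOSO\svc-dsc that is a local administrator on the node, a node DSC encryption certificate exported to C:\dsc\node1.cer, and the placeholder package id 'sophos-endpoint' standing in for the poster's own Sophos package.

```powershell
# Added example (not from the thread). Assumptions: CONTOSO\svc-dsc is a local
# admin on node1, C:\dsc\node1.cer is node1's DSC encryption certificate, and
# 'sophos-endpoint' is a placeholder for the poster's own Chocolatey package id.
Configuration SophosViaChoco {
    param(
        [Parameter(Mandatory)]
        [System.Management.Automation.PSCredential]
        $InstallCredential
    )

    Import-DscResource -ModuleName cChoco

    Node $AllNodes.NodeName {
        cChocoInstaller ChocoClient {
            InstallDir = 'C:\ProgramData\chocolatey'
        }

        cChocoPackageInstaller SophosEndpoint {
            Name                 = 'sophos-endpoint'   # placeholder package id
            Ensure               = 'Present'
            DependsOn            = '[cChocoInstaller]ChocoClient'
            # Run only this resource as the service account instead of
            # LocalSystem, so the installer gets a real user profile and an
            # administrator token. Other resources still run as System.
            PsDscRunAsCredential = $InstallCredential
        }
    }
}

# Configuration data: permit a domain account and encrypt the credential in the
# MOF with the node's certificate. Deliberately no PSDscAllowPlainTextPassword;
# setting it to $true would write the password into the .mof in clear text.
$configData = @{
    AllNodes = @(
        @{
            NodeName             = 'node1'
            PSDscAllowDomainUser = $true
            CertificateFile      = 'C:\dsc\node1.cer'
            Thumbprint           = '<thumbprint of node1.cer>'   # placeholder
        }
    )
}

$cred = Get-Credential -UserName 'CONTOSO\svc-dsc' -Message 'Account that runs the installer'
SophosViaChoco -ConfigurationData $configData -InstallCredential $cred -OutputPath 'C:\dsc\mof'
Start-DscConfiguration -Path 'C:\dsc\mof' -Wait -Verbose
```

Check the generated node1.mof afterwards: the credential should appear only as an encrypted blob, and the account used should have no more rights than the installer actually needs.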

Hi Luke,

I actually had no idea PsDscRunAsCredential existed, but it sounds purpose built for what I’m trying to do. I’ll give it a shot, and fall back to digging deeper with Orca.

Will report back, thanks!

PsDscRunAsCredential worked a charm. You’re a champion Luke, thanks!