DSC script resource needs to run interactive setup.exe

Disclaimer: I know DSC is not supposed to depend on interactive user input, because the LCM might need to apply the configuration at regular intervals, etc. So please excuse this requirement and attempt an answer to my question.

I have a requirement that a DSC script resource needs to execute a random EXE file. (For example, this could be the setup.exe of some program that supports neither MSI-based installation nor silent installation.)
Note: because the setup.exe is not an MSI, and also since it does not have a productid that gets created in the registry’s uninstall key section, I cannot use the Package resource.

And also since the setup.exe does not support silent installation, I cannot use WindowsProcess resource with “/silent” switch etc.

So I have decided to code this up as a script resource as follows. For the sake of brevity I am omitting other details.

    Script installsometing {
        PsDscRunAsCredential = $mycred # I am passing the credential of a user who has admin privileges here
        SetScript = {
            Start-Process -FilePath "c:\somesetup.exe" -Wait -WindowStyle Normal
        }
        # GetScript and TestScript omitted for brevity
    }

As you can see, I took care of 2 things:

  1. setup.exe should run as the user I want (who has admin privileges) and NOT as NTAuthority, which is the user under which the LCM runs.
  2. Make sure setup.exe runs with Normal window style (just to make sure it is not running in the background or without a window). This is to make sure the user can see the GUI of the setup.exe.
  3. Wait until the user completes the setup.exe by clicking Next–>Next–>Finish etc.

When I run the “start-dscconfiguration” command for the above configuration, I see that the setup.exe is being executed but its GUI does not show up. In task manager I see it running as a background process. As a result user is unable to click Next->Next->Finish buttons and this results in Start-DSC command waiting until I manually kill the setup.exe process from task manager.

Question: How can I get the setup.exe to run as a foreground process so that the user can interact with it while the LCM applies the configuration?

You can’t.

I know DSC is not supposed to depend on interactive user input, because the LCM might need to apply the configuration at regular intervals, etc.

The “because” here isn’t accurate, unfortunately. That’s not the reason you’re not “supposed” to depend on interactive input. The reason you “cannot” deal with interactive input is because the LCM runs under a different user identity. Windows is a multi-user operating system; it is designed from the core to rigidly separate user spaces. This is a basic security feature, and you can’t bypass it easily, nor is it safe to configure a system to allow this - you’d be enabling all kinds of malware.

If your Setup.exe can’t accept an input file, so that it can run silently and without interactive input, then you cannot use it in a DSC configuration, full-stop. You could consider trying to repackage it, using installer repackaging tools, to not need user input, but the answer here is to get the executable to not want interactive input.

Thanks for the quick reply.
However, the script resource has a Credential property with which I can change “under what user should the script resource run”. This is exactly the reason why I showed Credential=$mycred in the sample code I posted. And in fact, when the LCM runs, I am seeing the setup.exe process in Task Manager running under the user credentials I passed to the script. But as I mentioned, it is running as a background process with no window.

While the LCM runs under NTAuthority user credentials, my script resource can run under any credentials I want. Does this still mean I cannot get the interactive setup to happen during the DSC run?

However, when I run the same script “Start-Process …” in PowerShell (outside of DSC), I can see the setup.exe window popping up and giving me an option to interact with it.

Sorry if I am being naive here. I am new to PowerShell and DSC.


Unfortunately, providing credentials doesn’t change the wall-off architecture. Asserting an identity doesn’t merge the new process into an existing user space. You simply can’t do what you’re attempting.
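The separation described in the replies above can be observed directly. The following is an added example, not code from the thread: it reports the Windows session the current PowerShell process runs in and refuses to start a GUI installer when no interactive desktop is attached, instead of hanging on -Wait. The function names are hypothetical, and the expectation that a run under the LCM reports session 0 is an assumption based on the LCM running as a system service.

```powershell
# Added illustration; Get-SessionContext and Start-InteractiveInstaller are hypothetical names.

function Get-SessionContext {
    # Identity and session are separate properties of a process:
    # a credential changes User, it does not change SessionId.
    $proc = Get-Process -Id $PID
    [pscustomobject]@{
        User            = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        SessionId       = $proc.SessionId                  # 0 = services session, no user desktop
        UserInteractive = [Environment]::UserInteractive   # false when no visible window station
    }
}

function Start-InteractiveInstaller {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $ctx = Get-SessionContext

    # Fail fast: a window created in session 0 is never shown on a logged-on
    # user's desktop, so Start-Process -Wait would block until the process is killed.
    if ($ctx.SessionId -eq 0 -or -not $ctx.UserInteractive) {
        throw ("Refusing to start '{0}': running as {1} in session {2} with no interactive desktop." -f
            $Path, $ctx.User, $ctx.SessionId)
    }

    Start-Process -FilePath $Path -Wait -WindowStyle Normal
}

# Run this in a normal console and again from inside the SetScript block
# (paste the function body inline there, since SetScript does not see
# functions defined outside it) and compare the SessionId values.
Get-SessionContext | Format-List
```

From a console on a logged-on desktop the SessionId is that user's session number; the setup.exe seen in Task Manager under the supplied credentials shows the user changing while the session does not.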

Thanks Don. Appreciate your quick replies.

What you could do is this:

  1. Use AutoIt
    This will allow you to “record” screen interactions made by a user and then automate them.

  2. Use scheduled tasks, as that allows you to use different credentials. So a user clicks a file (a batch file, for that matter) that behind the scenes enables a job that already exists to start, or simply creates the job completely (you’ll have to sort out permissions).

Now how to do all this in DSC… hmm, I dare say you’re using the wrong technology. DSC is state; what you’re looking for is more policy. While DSC can replace policy to some extent, especially with machine settings, it’s a poor replacement for user settings, as is your case.

Good luck