Please help me understand how Snapins work (and why mine aren't working)
-
Hey awesome people of FOG! I have been experimenting and trying to understand how Snapins work but I have not been having very much luck. I have gone over the pages for Snapins and Snapin packs and was able to do the example Chrome MSI installation without any problem.
What I am struggling with is running Powershell or Batch scripts.
Let me give specific examples of what I am trying to do:
Enable Bitlocker Snapin:
I create a file called enableBitlocker.ps1 that contains the following code
manage-bde -protectors -add -RecoveryPassword C:
manage-bde -protectors -add -TPM C:
manage-bde -on C:
I am running this with the Powershell defaults
powershell.exe -ExecutionPolicy Bypass -NoProfile -File enableBitlocker.ps1
If I run these commands in Powershell or Command prompt it works just fine but if I create a Snapin (Powershell or Batch) and run it, it does not seem to do anything at all. I did notice that if I try to run the ps1 file manually on the computer I get the error
"ebableBitlocker.ps1 cannot be loaded because running scripts is disabled on this system."
So is this an issue with how I am creating the Snapin or an issue with how my computer is setup?
Another example of what I am trying to do is install Chocolatey using a Snapin, then use another Snapin to update and install packages.
My file is installChocolatey.ps1
iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
Then to install packages I have the Snapin installSoftware.ps1
cinst googlechrome -y
cinst openvpn -y
cinst vlc -y
The installChocolatey.ps1 Snapin does not work (presumably “because running scripts is disabled on this system”) however installSoftware.ps1 DOES work, but only if I have manually installed Chocolatey in Powershell.
I have tried doing all of this with Batch scripts as well but am not having any luck with that either.
Any ideas why these Snapins are not working?
Sorry for the long post and thanks in advance for any help or advice you might have!
PS - I have read all the other forum posts on Chocolatey (I think) and they did not have the info to help me to get this to work. I did follow this post that suggests creating a Snapin with this code:
# Adding the Chocolatey repository.
Install-PackageProvider chocolatey -Force
# Installing the adobereader package from the Chocolatey provider.
Install-Package -Name adobereader -Provider Chocolatey -Force
This does indeed work for me, but installing Chocolatey packages in this manner seems to be very limiting in which packages are available. Also, I have no idea why this Snapin would run this ps1 file but not my installChocolatey.ps1 file.
Thanks again!
-
I am running this with the Powershell defaults
powershell.exe -ExecutionPolicy Bypass -NoProfile -File enableBitlocker.ps1
If I run these commands in Powershell or Command prompt it works just fine but if I create a Snapin (Powershell or Batch) and run it, it does not seem to do anything at all. I did notice that if I try to run the ps1 file manually on the computer I get the error
“ebableBitlocker.ps1 cannot be loaded because running scripts is disabled on this system.”
The first thing I notice is the “ExecutionPolicy” is set for enableBitlocker.ps1, but the error is saying an issue with ebableBitlocker.ps1, maybe a typo somewhere?
-
Wow. Fast reply. Thanks!
Just a typo in my post. Not a typo in the Snapin. Thanks for catching that though!
-
Powershell scripts are not allowed to be run by default on Windows 10, especially custom ones.
You might be able to fix this with
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
set-executionpolicy unrestricted
-
@mckay I suppose you could change the powershell to:
powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File enableBitlocker.ps1
-
I will try that and see if that fixes anything. Thanks for being so speedy!
-
So I tried
powershell.exe -ExecutionPolicy Unrestricted -NoProfile -File enableBitlocker.ps1
but still no luck.
In order to help troubleshoot I have been using the “Run” app from the start menu. When I do this I use “-NoExit” to keep the Powershell window so I can view any errors. For example I will Run the command
powershell.exe -NoExit -ExecutionPolicy Unrestricted -NoProfile -File D:\enableBitlocker.ps1
When I do this, the error I am getting is “Error: An attempt to access a required resource was denied.”
If I try the same thing with my installChocolatey.ps1 file I get the error
“Installation of Chocolatey to default folder requires Administrative permissions. Please run from elevated prompt”
I know that Snapins run as System so I assume(?) permissions should not be an issue when running Snapins. Other than permissions though, the commands I am running seem to work just fine. Do you think it is possible some commands need to be run as admin and not system?
-
I think the execution policy needs to be set first. I also believe it requires confirmation too. So once it’s set the Snapin shouldn’t have a problem running
-
To run tests, open admin Powershell
-
@Tom-Elliott, I am not fully sure what you mean by this. Are you saying that I should set the execution policy on the Windows 10 image itself so that when it is provisioned it already has the execution policy set? As far as requiring confirmation, my goal is that I can do administrative tasks with SnapIns without having to do any manual confirmation.
-
@mckay Yes, I think even system user requires the Powershell policies to be preset
-
Thanks for your response @Tom-Elliott you have been a big help. I think I have realized that what I am trying to do is probably not possible with a FOG Snapin.
So just to clarify. Any script that requires elevated privileges will not work as a FOG Snapin, but any script that does not require elevated privileges will work just fine as a FOG snapin. Is that correct?
-
@mckay no. Fog Snapins run as system user. Powershell has a play in this.
-
Thanks again for your help. I will research more what the System User can do. It looks like I am out of luck to do things that require elevated permissions (such as enabling Bitlocker) using a SnapIn. I think I will start to evaluate other ways to do post-provisioning scripts/tasks.
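Added example, not part of the original thread and not FOG's own code: the thread's tests were run interactively from the Run dialog, which is a different security context from a Snapin running as SYSTEM, so this diagnostic script records what the script host actually sees when deployed the same way as enableBitlocker.ps1. The file name snapinDiag.ps1 and the log folder under ProgramData are assumptions; the script only reads state and changes nothing.

```powershell
# snapinDiag.ps1 - added diagnostic example; file name and log path are assumptions.
# Deploy and run it exactly like the script under test, e.g.
#   powershell.exe -ExecutionPolicy Bypass -NoProfile -File snapinDiag.ps1
$ErrorActionPreference = 'Continue'
$logDir = Join-Path $env:ProgramData 'SnapinDiag'   # assumed location, writable by SYSTEM
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
$log = Join-Path $logDir ("diag-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

function Write-Log {
    param([string]$Message)
    "{0:u}  {1}" -f (Get-Date), $Message | Add-Content -Path $log
}

# 1. Which account is this process running as, and does its token hold admin rights?
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Log "User: $($identity.Name)  IsSystem: $($identity.IsSystem)  Admin token: $isAdmin"

# 2. Host details: a 32-bit host gets a redirected view of System32.
Write-Log "PowerShell $($PSVersionTable.PSVersion)  64-bit process: $([Environment]::Is64BitProcess)"

# 3. Execution policy at every scope. MachinePolicy/UserPolicy come from Group Policy
#    and take precedence over the -ExecutionPolicy switch on the command line.
Get-ExecutionPolicy -List | ForEach-Object {
    Write-Log ("ExecutionPolicy {0,-14} {1}" -f $_.Scope, $_.ExecutionPolicy)
}
Write-Log "Effective policy: $(Get-ExecutionPolicy)"

# 4. Read-only BitLocker query; captures the text and exit code a Snapin run would hide.
try {
    $status = & manage-bde.exe -status C: 2>&1
    Write-Log "manage-bde -status exit code: $LASTEXITCODE"
    $status | ForEach-Object { Write-Log "  $_" }
} catch {
    Write-Log "manage-bde could not be started: $($_.Exception.Message)"
}
```

Comparing the log from a Snapin run with one from a non-elevated interactive run shows whether a failure comes from the account and token, the execution policy scopes, or the command itself.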