Best way to allow non-admin users to run MDT LiteTouch?

We are using Microsoft Deployment Toolkit + WDS for computer imaging in our organization. One problem we are trying to solve is how to allow users to install software, preapproved by the IT department, without granting users admin rights. We would like to use freely available (included) software to do this. We have AD, WDS, and MDT, but not SCCM.

One solution we have been using to a limited extent is Group Policy Software Publishing. We can add software as "available" for a user (rather than published), and the user can then install from Control Panel without admin rights. It works well, but the downside is that it only works with programs available with an MSI installer. We need to be able to support common EXE installers as well.

We are also using MDT to deploy Applications as part of the OS install task sequence, and I've been using a custom "Applications" task sequence that can be run within Windows to test that silent installation of programs is working correctly. I got to thinking that perhaps this task sequence could be used as a "poor man's Software Center", so to speak. The main issue is that launching LiteTouch.VBS requires admin rights, so in order to run a task sequence from within Windows, admin rights are required. I have done some research and not found any elegant way to allow this. GPP no longer allows Run As in scheduled tasks, limitations exist with PowerShell SecureString... etc.

What would be the best way to allow users to install applications in the Deployment Share without admin rights?

Another thing I have tried is booting into Windows PE via PXE boot and running the Applications task sequence from there. But it only works in Windows and doesn't run on WinPE:

LiteTouch is trying to install applications. This cannot be performed in Windows PE. If booting from a USB Flash Disk, please remove all drives before restarting. Otherwise, ensure the hard disk is selected first in the BIOS boot order.

Any suggestions? Has anyone used MDT LiteTouch.vbs as a substitute for Software Center? It really does seem to work well, and we would like to be able to use that as it does the job well, except the tool requires admin rights to run.

InterLinked: @ElliotLabsLLC Thanks, we are a bit hesitant to try some of the EXE to MSI tools, just due to program integrity concerns, and the one you linked appears to be paid, at which point we may as well dole out the $$$ for Software Center. Apart from $, we already have everything else we need in MDT and don't really need SCCM for any other reason. I'm willing to spend some time writing scripts or some other custom solution, but not sure of the specifics for how a user can invoke. I guess we'll keep trying to figure this part out.

I think the best bet is to have MDT run as a service (system user execution) as that will allow it to install apps without the user having admin rights (that is how software center and company portal works). FYI, MDT isn't meant to replace the above. It is a really nifty solution though and I like your thinking!

It might be best to not re-invent the deployment wheel and use the existing software. Just re-package your `EXE`s into `MSI`s using a solution like "https://emcosoftware.com/msi-package-builder/convert-exe-to-msi". This will allow you to use your existing GPO methods but for pretty much all installers.

InterLinked: @ElliotLabsLLC Thanks! Could you elaborate more on your first suggestion, running as a service? I thought about adding a task or something to run it with system/admin rights, but how does the user actually invoke this? Furthermore, can it be done in a way that is deployable (e.g. Group Policy)? Methods like making a runas are obviously not possible for this reason since they are per user, per PC.

For method one, I don't actually know. It's just an idea that is technically possible, I've never tried it. I would personally go with company portal or software center myself or use the exe to MSI packaging tools. What you're asking for would require a lot of custom code that I'm not prepared to help with.

You might want to try company portal with Endpoint Manager (Intune). Much easier to implement and use.
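The "run it under the SYSTEM account" idea from the comments, together with the follow-up question of how a standard user invokes it and how it is deployed, as an added example that is not code from any participant in this thread: a scheduled task that runs LiteTouch.vbs as SYSTEM with a fixed command line, whose DACL lets BUILTIN\Users start it but not modify it. It assumes a hypothetical deployment share path \\MDT01\DeploymentShare$ and that CustomSettings.ini already selects the task sequence and skips the wizard (a SYSTEM task runs in session 0, so the LiteTouch wizard would never appear on the user's desktop).

```powershell
# Added example, not the thread's or MDT's own code. Run once per PC as an
# administrator (e.g. from a GPO startup script) to register the task.
# Assumptions (adjust for your site):
#   - deployment share is \\MDT01\DeploymentShare$ (hypothetical path)
#   - CustomSettings.ini sets TaskSequenceID=<apps TS> and SkipWizard=YES
#   - the share grants Domain Computers read access, because SYSTEM
#     authenticates to it as the computer account

$TaskName  = 'MDT-Applications'
$ShareRoot = '\\MDT01\DeploymentShare$'
# Standard users must NOT be able to write to $ShareRoot\Scripts: a SYSTEM
# task that executes a user-writable script is a local privilege escalation.

$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

$def = $svc.NewTask(0)
$def.RegistrationInfo.Description = 'Runs the pre-approved MDT application task sequence as SYSTEM'
$def.Settings.AllowDemandStart   = $true
$def.Settings.MultipleInstances  = 2        # TASK_INSTANCES_IGNORE_NEW: one install run at a time
$def.Settings.ExecutionTimeLimit = 'PT4H'   # ISO 8601 duration: kill a hung run after 4 hours

# Fixed command line: users can trigger the task but cannot pass arguments into it.
$action = $def.Actions.Create(0)            # TASK_ACTION_EXEC
$action.Path      = "$env:SystemRoot\System32\wscript.exe"
$action.Arguments = "`"$ShareRoot\Scripts\LiteTouch.vbs`""

# DACL: Administrators and SYSTEM full control; BUILTIN\Users generic read + execute,
# which is enough to start the task but not to change its principal or action.
$sddl = 'D:(A;;FA;;;BA)(A;;FA;;;SY)(A;;GRGX;;;BU)'

$folder = $svc.GetFolder('\')
# 6 = TASK_CREATE_OR_UPDATE, 5 = TASK_LOGON_SERVICE_ACCOUNT (SYSTEM, no password needed)
$folder.RegisterTaskDefinition($TaskName, $def, 6, 'SYSTEM', $null, 5, $sddl) | Out-Null

# Check: show the DACL that was actually applied (4 = DACL_SECURITY_INFORMATION)
$folder.GetTask($TaskName).GetSecurityDescriptor(4)

# User-side invocation: deploy a Start-menu shortcut with Group Policy Preferences
# whose target is:   schtasks.exe /Run /TN MDT-Applications
```

Because the task's command line is fixed, this runs one pre-approved application set rather than letting the user pick in the wizard; per-application choice needs a separate task per application group or a front end that writes nothing SYSTEM executes.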