I'm trying to get a barcode font installed on machines for an enterprise application. The GPO is being served from a Windows Server 2019 Standard version 1809 OS build 17763.4252 server. The GPO in question uses computer preferences -> Scheduled Tasks to immediately run a script, shown below.
    # System.Drawing is not loaded by default in powershell.exe; PrivateFontCollection needs it
    Add-Type -AssemblyName System.Drawing
    #$fonts = (New-Object -ComObject Shell.Application).Namespace(0x14)

    # Only continue if the font share is reachable from this machine
    $Path = Test-Path \\DC\netlogon\font\
    if ($Path -eq $true)
    {
        Write-EventLog -Source Application -LogName Application -EventId 301 -EntryType Information -Message "The Network Path is True"
        $fontFolder = "\\DC\NETLOGON\Font\"
        $fontItem = Get-Item -Path $fontFolder
        $fontList = Get-ChildItem -Path "$fontItem\*" -Include ('*.fon','*.otf','*.ttc','*.ttf')
        $RegPath = (Test-Path 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Fonts')
        $objFont = New-Object System.Drawing.Text.PrivateFontCollection
    }

    foreach ($font in $fontList)
    {
        # Load the file to read the font family name used for the registry value
        $objFont.AddFontFile($font.FullName)
        $objTitle = $objFont.Families[-1].Name
        $fontName = $font.Name
        $objExtension = switch ($font.Extension)
        {
            '.TTF' { "(True Type Font)" }
            '.OTF' { "(Open Type Font)" }
            Default {
                Write-EventLog -Source Application -LogName Application -EventId 305 -EntryType Information -Message "Font Extension not Found"
            }
        }
        $FontTitle = $objTitle + " " + $objExtension

        if (-not (Test-Path -Path "C:\Windows\fonts\$fontName")) {
            Write-EventLog -Source Application -LogName Application -EventId 302 -EntryType Information -Message "Font not Found, Installing font."
            echo $fontName
            # Register the font machine-wide; the value data is the file name of the font being installed
            reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts" /v $FontTitle /t REG_SZ /d $fontName /f
            # Use the full UNC path so the copy does not depend on the current directory
            Copy-Item -Path $font.FullName -Destination C:\Windows\Fonts
            if (Test-Path -Path "C:\windows\fonts\$fontName")
            {
                Write-EventLog -Source Application -LogName Application -EventId 306 -EntryType Information -Message "Font Installed."
            }
        }
        elseif (Test-Path -Path "C:\Windows\fonts\$fontName") {
            Write-EventLog -Source Application -LogName Application -EventId 303 -EntryType Information -Message "Font Already Installed in C:\windows\fonts\"
        }
    }
The script works well locally. I can run it and it works no problem. Whenever I refresh the group policy, I get Event 1202, SceCLI:
0x5 : Access is denied. Advanced help for this problem is available on https://support.microsoft.com. Query for "troubleshooting 1202 events".
Currently it's running like so in the GPO.
Name C - Font Installer
Author 'Me'
Description Installs fonts.
Run only when user is logged on S4U
UserId NT AUTHORITY\System
Run with highest privileges HighestAvailable
Hidden Yes
Configure for 1.2
Enabled Yes
Program/script C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments -ExecutionPolicy Bypass -Command '& \DC\netlogon\add-Font.ps1'
Start in C:\Windows\System32\WindowsPowerShell
Stop if the computer ceases to be idle Yes
Restart if the idle state resumes No
Start the task only if the computer is on AC power Yes
Stop if the computer switches to battery power No
Allow task to be run on demand Yes
Run task as soon as possible after a scheduled start is missed Yes
Stop task if it runs longer than 3 days
If the running task does not end when requested, force it to stop Yes
If the task is not scheduled to run again, delete it after Immediately
If the task is already running, then the following rule applies StopExisting
Going down the permissions angle, I found that by using PSEXEC64.exe -sid powershell and running dir $font | %{$fonts.CopyHere($_.FullName)}, there isn't any output.
This site https://eddiejackson.net/wp/?p=16137 helps with why that may be. It seems the 0x14 shell variable is being overloaded and redirects to the user profile, which I've seen happen when I ran the script locally.
After additions to the script I still get the SceCLI errors. It doesn't appear the script even runs, because I do not get any of the event logging that I added. How/why? I'm using the SYSTEM account to perform these actions.
I disabled Windows Firewall for domain scope, and now I no longer receive the SceCLI error. Still nothing applies.
Any help at all would be amazing.
Thank you.
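
Because the task described in the post runs a script from the NETLOGON share as NT AUTHORITY\System with -ExecutionPolicy Bypass, the write permissions on that script and on the font files decide what runs as SYSTEM on every targeted machine. The following PowerShell check is an added example, not part of the original post; the function name Get-UnexpectedWriteAce, its allow-list of trusted SIDs, and the UNC form of the paths in the usage comment are assumptions.

```powershell
# Added example (not from the original post): list ACEs that let an unexpected
# principal modify files that a SYSTEM scheduled task runs or copies.
function Get-UnexpectedWriteAce {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        # Assumed allow-list: SYSTEM, BUILTIN\Administrators, CREATOR OWNER,
        # plus Domain Admins (RID 512) and Enterprise Admins (RID 519).
        [string]$TrustedSidPattern = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-.+-(512|519))$'
    )

    # Rights that allow changing or replacing content, or rewriting the ACL.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE and GENERIC_ALL bits, which can appear on inherited ACEs.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($p in $Path) {
        # Expand folders to the files inside them; keep single files as they are.
        if (Test-Path -LiteralPath $p -PathType Container) {
            $files = Get-ChildItem -LiteralPath $p -Recurse -File
        } else {
            $files = Get-Item -LiteralPath $p
        }

        foreach ($file in $files) {
            $acl = Get-Acl -LiteralPath $file.FullName
            # Ask for SIDs instead of names so the match is not language dependent.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
                if ($ace.IdentityReference.Value -match $TrustedSidPattern) { continue }

                [pscustomobject]@{
                    Path      = $file.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage with the locations named in the post (UNC form assumed):
# Get-UnexpectedWriteAce -Path '\\DC\netlogon\add-Font.ps1', '\\DC\netlogon\font'
```

An empty result means only the allow-listed principals can change those files; any row returned is a principal whose write access should be reviewed before the task is deployed.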