chocolatey / boxstarter

Repeatable, reboot resilient Windows environment installations made easy using Chocolatey packages
https://boxstarter.org/
Apache License 2.0

Boxstarter should only modify UAC level, never disable UAC completely #581

Open mwallner opened 1 month ago

mwallner commented 1 month ago

Checklist

Is Your Feature Request Related To A Problem? Please describe.

Whenever Boxstarter re-enables UAC after it triggered a reboot, the UAC is in a 'foggy state' - ignoring ConsentPromptBehavior etc. In order to bring the host to a clean state again the host needs to be rebooted again. This 'final reboot' cannot be done from Boxstarter since the reboot would not be a fenced login/suspended BitLocker etc.

This default behavior is currently wanted, since we cannot assume the user has physical access to the machine that runs Boxstarter, therefore we can only do 'fenced reboots' that wind up in a session again. We could add an option to force a reboot in order to re-enable UAC to a clean state if Boxstarter ever did a reboot during its operation, but this should not be required when this issue is being implemented (and only ConsentPromptBehavior is modified while UAC stays enabled all the time).

Describe The Solution. Why is it needed?

In brief; iff UAC is enabled, set the property ConsentPromptBehaviorAdmin to 0. (!MIND @pauby's comment below: if it's running on Windows Server 2016 or newer, this won't work on previous releases - we'll need to keep the current mechanism in place for those older OS versions)

This will cause Windows to allow privileged actions without prompting.

https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings#registry-key-settings

Then to be sure that your tasks are launched in an elevated shell you can do:

Start-Process powershell.exe -ArgumentList $yourargs -Verb RunAs

Related Issues

Idea Originally posted by @SuperFlue in https://github.com/chocolatey/boxstarter/issues/358#issuecomment-439362708

pauby commented 1 month ago

Just to be clear, this only applies to Windows Server 2016 and above. Chocolatey CLI and by extension Boxstarter, supports back to Windows Server 2012R2.

mwallner commented 1 month ago

NOTE: there may be edge cases where an installer/setup script can only be run when EnableLUA -eq 0 (though I don't hope so) => we'd break those cases even though Boxstarter always runs in an elevated state. ... And they'd be flaky anyway if they'd been run before Boxstarter triggered a reboot (and disabled LUA for that sake) ...

I really do hope this is a constructed example, not something that's out in the wild.
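
The approach discussed in this issue, sketched as an added example (not Boxstarter's code and not part of any comment above): while `EnableLUA` stays at 1, only `ConsentPromptBehaviorAdmin` is lowered for the duration of a script block, and the original value is restored and verified afterwards. The function name `Invoke-WithRelaxedUacPrompt` is hypothetical, and mapping "Windows Server 2016 or newer" to OS major version 10 is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added illustration, not Boxstarter code. Function name is hypothetical.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Invoke-WithRelaxedUacPrompt {
    param(
        [Parameter(Mandatory)] [scriptblock] $ScriptBlock
    )

    $policy = Get-ItemProperty -Path $UacKey
    # Assumption: major version 10 corresponds to "Windows Server 2016 or newer".
    $supported = [Environment]::OSVersion.Version.Major -ge 10

    if ($policy.EnableLUA -ne 1 -or -not $supported) {
        # UAC is already off, or this is an older OS where the issue says the
        # current mechanism has to stay in place: change nothing here.
        Write-Warning 'ConsentPromptBehaviorAdmin left untouched (EnableLUA != 1 or older OS).'
        return & $ScriptBlock
    }

    # $null when the value does not exist in the registry.
    $original = $policy.ConsentPromptBehaviorAdmin
    try {
        # 0 = elevate without prompting; UAC itself (EnableLUA) stays enabled.
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
        & $ScriptBlock
    }
    finally {
        # Always put the previous prompt behaviour back, even if the block threw.
        if ($null -eq $original) {
            Remove-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
        }
        else {
            Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value $original -Type DWord
        }
        $now = (Get-ItemProperty -Path $UacKey).ConsentPromptBehaviorAdmin
        if ($now -ne $original) {
            Write-Error "ConsentPromptBehaviorAdmin is '$now', expected '$original'."
        }
    }
}

# Usage (constructed): the elevated child starts without a consent prompt.
# Invoke-WithRelaxedUacPrompt { Start-Process powershell.exe -ArgumentList '-NoProfile' -Verb RunAs -Wait }
```

A run that is interrupted before the `finally` block (for example by a reboot) leaves the value at 0, so a caller that survives reboots would need to persist `$original` and restore it on resume.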