microsoft / winget-cli

WinGet is the Windows Package Manager. This project includes a CLI (Command Line Interface), PowerShell modules, and a COM (Component Object Model) API (Application Programming Interface).
https://learn.microsoft.com/windows/package-manager/
MIT License
23.1k stars 1.44k forks

WinGet can't be run by different user than Administrator #2721

Open AriLobster opened 1 year ago

AriLobster commented 1 year ago

Brief description of your issue

Hello,

I'm currently setting up a software deployment tool in our company. I'd like to use winget to install the newest software and deploy the configuration (if needed) of the requested software by script, but actually that doesn't matter right now.

If I'm the end user and start an installation, the context of the installation will be run by the "NT AUTHORITY\System" user. To get a normal and good connection to the Domain I'm using, I'm starting a PSSession with a specific user. (The user is a local Administrator)

```powershell
function Change-Active-User {
    $user = "Domain-NET.int\my_user"

    $Key = ** my decryption key here

    $new_pass = Get-Content '\\SERVER01\Hidden_Share$\Files\Scripts\Helper\my_pass_file.txt' | ConvertTo-SecureString -Key $Key

    $creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $new_pass

    Start-Service -Name WinRM

    $loginstall_session = New-PSSession -Credential $creds
}
```

After that I run the "Change-Active-User" in my main script. To now run the Installation of winget remotely I use the "Invoke-Command" cmdlet:

```powershell
Invoke-Command -Session $my_session {
    param($winget_dir, $vclibs_uwpdesktop, $vclibs, $ui_xaml, $winget, $winget_license)

    # some commands to mount a smb share

    Start-Sleep -Seconds 3

    Add-ProvisionedAppxPackage -Online -SkipLicense -PackagePath L:\$vclibs_uwpdesktop
    Add-ProvisionedAppxPackage -Online -SkipLicense -PackagePath L:\$vclibs
    Add-ProvisionedAppxPackage -Online -SkipLicense -PackagePath L:\$ui_xaml

    Add-AppxPackage -Register -Path $winget
    Add-ProvisionedAppxPackage -Online -SkipLicense -PackagePath L:\$winget
    Add-AppxProvisionedPackage -Online -PackagePath L:\$winget -LicensePath L:\$winget_license

    net use L: /delete
}
```

After all this code, winget is installed.

Steps to reproduce

Install Win-Get as an Appx package, and try to run it through a PSSession or an Invoke-Command, or even with the NT Authority\SYSTEM user.

Expected behavior

Now the problem is, if I am the normal Administrator logged in from my test-domain (DOMAIN-NET.int) I can normally run the winget command:

image

Actual behavior

If I try to run it in the SYSTEM-User context, I get the following error:

image

When I enter the opened PSSession and am logged in with the domain user (as local admin), I get the following error:

image

And yes, the user is local administrator:

image

Environment

EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR

PS C:\Users\Administrator> winget --info
Windows Package Manager v1.3.2691
Copyright (c) Microsoft Corporation. All rights reserved.

Windows: Windows.Desktop v10.0.19044.1288
System Architecture: X64
Package: Microsoft.DesktopAppInstaller v1.18.2691.0

Logs: %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir

Links
---------------------------------------------------------------------------
Privacy Statement   https://aka.ms/winget-privacy
License Agreement   https://aka.ms/winget-license
Third Party Notices https://aka.ms/winget-3rdPartyNotice
Homepage            https://aka.ms/winget
Windows Store Terms https://www.microsoft.com/en-us/storedocs/terms-of-sale

-----
Get-AppxProvisionedPackage
DisplayName  : Microsoft.DesktopAppInstaller
Version      : 2022.927.3.0
Architecture : neutral
ResourceId   : ~
PackageName  : Microsoft.DesktopAppInstaller_2022.927.3.0_neutral_~_8wekyb3d8bbwe
Regions

-----

PS C:\Users\Administrator> Get-AppxPackage Microsoft.DesktopAppInstaller

Name              : Microsoft.DesktopAppInstaller
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : X64
ResourceId        :
Version           : 1.18.2691.0
PackageFullName   : Microsoft.DesktopAppInstaller_1.18.2691.0_x64__8wekyb3d8bbwe
InstallLocation   : C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.18.2691.0_x64__8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe
IsResourcePackage : False
IsBundle          : False
IsDevelopmentMode : False
NonRemovable      : False
Dependencies      : {Microsoft.UI.Xaml.2.7_7.2208.15002.0_x64__8wekyb3d8bbwe,
                    Microsoft.VCLibs.140.00.UWPDesktop_14.0.30704.0_x64__8wekyb3d8bbwe,
                    Microsoft.DesktopAppInstaller_1.18.2691.0_neutral_split.scale-100_8wekyb3d8bbwe}
IsPartiallyStaged : False
SignatureKind     : Store
Status            : Ok

EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
EXECUTED AS DOMAIN-NET\ADMINISTRATOR
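
A diagnostic for the behavior reported above, added here as an example and not part of the issue or of the winget project's code: for whatever context it runs in, it reports whether the package is registered for the calling user, whether it is provisioned, and whether the `winget` alias resolves. The function name `Get-WingetContextReport` is hypothetical; the package name is the one shown in the output above.

```powershell
# Added example (not from the issue). Get-WingetContextReport is a hypothetical name.
function Get-WingetContextReport {
    [CmdletBinding()]
    param(
        # Package name as shown in the Get-AppxPackage output in the issue.
        [string]$PackageName = 'Microsoft.DesktopAppInstaller'
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # MSIX packages are registered per user; without -AllUsers this query
    # only covers the account the script is running as.
    $registered = $null
    try {
        $registered = Get-AppxPackage -Name $PackageName -ErrorAction Stop |
            Select-Object -First 1
    }
    catch { Write-Verbose "Get-AppxPackage failed: $($_.Exception.Message)" }

    # Provisioning is tracked separately from per-user registration.
    # This query needs an elevated session.
    $provisioned = $null
    try {
        $provisioned = Get-AppxProvisionedPackage -Online -ErrorAction Stop |
            Where-Object DisplayName -eq $PackageName |
            Select-Object -First 1
    }
    catch { Write-Verbose "Get-AppxProvisionedPackage failed: $($_.Exception.Message)" }

    # The winget command is an app execution alias inside the caller's profile.
    $aliasPath = Join-Path $env:LOCALAPPDATA 'Microsoft\WindowsApps\winget.exe'
    $resolved  = Get-Command winget.exe -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1

    [pscustomobject]@{
        User               = $identity.Name
        IsSystem           = $identity.IsSystem
        RegisteredForUser  = [bool]$registered
        RegisteredVersion  = if ($registered)  { $registered.Version }  else { $null }
        ProvisionedVersion = if ($provisioned) { $provisioned.Version } else { $null }
        AliasInProfile     = Test-Path -LiteralPath $aliasPath
        ResolvedOnPath     = if ($resolved)    { $resolved.Source }     else { $null }
    }
}

Get-WingetContextReport -Verbose | Format-List
```

Running it as the interactive administrator, as SYSTEM and inside the PSSession, then comparing the three reports, shows which of the three conditions differs between the contexts.
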
denelon commented 1 year ago

This is a part of the design of MSIX packages. We're developing a separate "in process" COM interface for remote execution under the system account. This is related to: