/build/static/layout/Breadcrumb_cap_w.png

K2000 - Error in Post Install Task - Enable UAC

Hello All

So I'm at a loss here... 
For some reason there is an "Enable UAC" post install task which I cannot seem to get rid off.
When deploying a Windows 7 image through scripted installation, there is a 50% chance that it will work without problems, but another 50% chance that I will run into an error on that task:

Script: C:\KACE\Applications\12\enable_uac.vbs
Line 28
Char 5
Error: Invalid Root in Registry Key
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
Code: 8007005
Source: WshShell.RegWrite

What's baffling is that as I said, sometimes it works, and sometimes it doesn't... and I can't seem to get rid of this post install task at all.

I've tried calling Dell Support (24 hours Sunday - Friday) but I've been on hold for the last hour, and no one is picking up.

Can anyone help?

1 Comment   [ + ] Show comment
  • Also see https://support.software.dell.com/k2000-systems-deployment-appliance/kb/122254 for possible reason that the 'Invalid Root in Registry Key' could also be observed. - TheAustinDave 8 years ago
    • Hello. Our captured image was fine. In fact, after speaking to our contact at Quest (who sold us the product) he advised to re-capture, after showing me this link. So we did, and there is still the same issue.

      After working directly with Dell Support, they sent me a new post install task to import which they said bypasses this task. Unfortunately, that didn't work either, and I'm still waiting for them to come back with a working solution.

      What I have done in the mean time, is create a task which replaces the enable_uac.vbs with my own file, which contents include one line: "Wscript.Quit()" So it doesn't run the script at all.

      This works for the most part, but what I am finding is that the cleanup script doesn't delete the KACE folder found on the hard drive. So I'm guessing there are some file hash checks or something during that cleanup process, detecting that the VBS isn't the original one - Flappers 8 years ago

Answers (2)

Posted by: TheAustinDave 8 years ago
Third Degree Brown Belt
0
Hello,

The enable_UAC.vbs is a built in task for the K2000 appliance, it really isn't enabling the UAC but restoring it to the state before starting the post install tasks.

What version of the K2000 is currently running, sounds like a older version as I believe the working was changed in version 3.7 to better describe its function (see article below). Errors could be due to the system not being able to read/save/recall the status of UAC.

https://support.software.dell.com/k2000-systems-deployment-appliance/kb/121713

Support for K2000 is 24x5 which would include off-shore hours, verify the number being used is (888)522-3638 and then I believe its option 2.

TheAustinDave

Comments:
  • Hello

    We are using the latest version of K2000 + RSA.
    I have read through that FAQ extensively, and the resolution doesn't work for us.
    You are right to think that the System account doesn't have permission to change this, because if I run the script manually it works without any problems.

    The problem is here... Dell introduced this forced task in K2000. UAC is handled by Group Policy in our environment, so turning it on or even changing any setting to do with it, is completely not needed for us, this is why I just want to delete that task. As it is causing problems.

    I have asked Dell directly to either remove this task/ make it optional, or provide me access to the \\k2000\peinst folder to adjust the task list myself. Which I am still waiting for a response back. - Flappers 8 years ago
    • At which point do you join the domain, is this done through the unattend.xml file or do you have a post task to join domain?

      If its a post task, do you have it reboot to make the domain active? Could you put the join domain at the end of the post task and when it completes all tasks and the cleanup.vbs script the final reboot would have it join the domain and not interfere with the enable UAC (restore UAC) task. - TheAustinDave 8 years ago
      • We use a powershell script to join the domain, as there are custom parameters that must be set.

        Unfortunately though, there is a second post install task which requires the domain connection to be active, hence why the reboot is necessary for that second task to complete.

        Do you believe that the domain join is what maybe causing this problem then? - Flappers 8 years ago
Posted by: TheAustinDave 8 years ago
Third Degree Brown Belt
0
The group policy would be active as soon as it joined and the system is rebooted - meaning the Group Policies would then be active on the system. Since the task is a powershell script to join the domain I am assuming this is a post task item as well.

The best option for deployment would be to create post task which is not dependent on the GPO, and have the join domain task as one of the last items so the K2000 tasks can complete. Then when the system reboots the final time it would join the domain and run GPO on the system.

Another option might be to add a GPO to disable UAC for admins or perhaps the admin ID being used to deploy images.

The other method might be to have the system join the domain via the unattend.xml file, however this might not be possible since reporting there are specific parameters to be set in the process.

What post tasks do you have configured that rely on the domain to complete? 
If they are installed successfully, but need a reboot to just become active (such as the K1000 agent checking in), I would recommend not letting these enable till the final reboot. Observed if items such as the K1000 agent being made active and taking inventory, start running scripts or something like Symantec Endpoint Protection starting its scan upon install can cause issues with other tasks down further on the list.

Comments:
  • There is one post install task that requires active connection with the domain. It creates (if not exists) and adds security groups (which are created on a per-machine basis) from the domain into the local administrators. Then it adds other domain local security groups into that security group remotely via this script.

    This requires authorization with the domain, so a reboot after domain join is required if this second script is to run properly.

    Ultimately, I just want to get rid of this enable uac task entirely. But I can't. I've found that I don't even have write access to \\k2000\peinst - if I had write access to that I could manually remove that task. - Flappers 8 years ago
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ