
We're running BT EPM Cloud. We have some users that need to be able to install some PowerShell modules that require administrative rights. They can successfully run powershell.exe or powershell_ise.exe via the on-demand. When they run commands like

`install-module ExchangeOnlineManagement -force -verbose`

it appears to do all the file downloading of the module, but does NOT actually copy the downloaded modules into the `C:\Program Files\WindowsPowerShell\Modules` directory.


 

We have rules for allowing the various modules.

For example:

- Type: Executable

- File/Folder Name: matches contains *powershell*.exe

- Command Line: matches contains *module *ExchangeOnlineManagement*

- Publisher: matches contains Microsoft Windows

- Production Description: matches contains Windows PowerShell*

- Application Requires Elevation (UAC)

 

We have tried with and without the option

- Treat child processes in the same way if the child process: matches <Any Application>

 

The allowed powershell modules are in their own application group and just for our High Flex users.

 

I've even gone as far as creating a COM class exception for {3AD05575-8857-4850-9277-11B85BDB8E09} (file operations)

 

The issue only seems to be for the modules that REQUIRE that they run as administrator. As I can, for example, get `install-module ImportExcel` working, without even needing a BT EPM rule.

 

I found this, https://docs.beyondtrust.com/epm-wm/docs/epm-for-windows-core-scripting, but that appears to be more so for the legacy on-prem solution. I can't find anywhere in EPM Cloud manage scripts or anything.

Hello ​@HillaryZ,

The issue you are seeing is because elevation cannot be retrospectively applied to a process that is already running.

However, I do not recommend simply allowing your users to be able to elevate PowerShell, so instead create a digitally signed script that contains the commands that require elevation and use EPM to elevate the script.

 


Hi ​@HillaryZ,

When it comes to PowerShell, unfortunately you cannot use an executable definition for a specific command. You can use the executable definition to elevate PowerShell itself, however once it’s open there is no way for EPM to know what commands are being executed within it. Meaning, EPM will see that PowerShell is launched, but it will not match the definition since the command line is not present at the initial launch. 

In that regard, if you test that definition using ‘Run’, it should work as expected. However, this is not how most users will be running PowerShell commands.

Therefore, the next best option would be to use the PowerShell Script definition. During my tests, when I ran the script (elevated with full admin) that used the command you mentioned, it completed successfully. I could also see the folder was downloaded to the correct location.
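An example of the kind of script both replies describe, added here for illustration and not code from either poster or from BeyondTrust. The file name `Install-ApprovedModule.ps1`, the elevation check and the post-install verification are assumptions; the module name and target directory come from the question.

```powershell
#Requires -Version 5.1
# Install-ApprovedModule.ps1 (hypothetical name)
# Installs one fixed module machine-wide. Meant to be Authenticode-signed and
# matched by an EPM PowerShell Script rule instead of elevating powershell.exe.
#
# Signing is done once by an administrator, for example:
#   $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
#   Set-AuthenticodeSignature -FilePath .\Install-ApprovedModule.ps1 -Certificate $cert
# Any later edit to this file invalidates the signature.

$ErrorActionPreference = 'Stop'

# Hard-coded on purpose: an elevated script that accepted a module name as a
# parameter would let the user install arbitrary code as administrator.
$ModuleName   = 'ExchangeOnlineManagement'
$AllUsersPath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules'

# Fail early if the script was not actually elevated, rather than letting
# Install-Module download the package and then fail to write under Program Files.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Not running elevated: the elevation rule did not match this script."
}

# -Scope AllUsers targets the machine-wide module directory.
Install-Module -Name $ModuleName -Scope AllUsers -Repository PSGallery -Force -Verbose

# Confirm the module landed in the machine-wide path, which is the step
# that was silently missing in the original report.
$installed = Get-Module -ListAvailable -Name $ModuleName |
    Where-Object { $_.ModuleBase -like "$AllUsersPath\*" } |
    Sort-Object Version -Descending |
    Select-Object -First 1

if (-not $installed) {
    throw "$ModuleName was not found under $AllUsersPath after installation."
}

Write-Output "$ModuleName $($installed.Version) installed at $($installed.ModuleBase)"
```

`Get-AuthenticodeSignature .\Install-ApprovedModule.ps1` should report a `Status` of `Valid` before the script is distributed.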

