MDT Module Updating Media through JEA Endpoint fails adding BCD entry

664 views Asked by At

I am running into an issue with remotely updating MDT offline media on a JEA endpoint. The error has something to do with permissions passed to BCDEdit and the virtual account created by JEA (WinRM User...). BCDEdit returns

An error occurred while attempting the specified create operation. This security ID may not be assigned as the owner of this object.

when trying to update the BCD file with the x64 boot config.

Command:

Invoke-Command -ComputerName $DeploymentServerName -ConfigurationName MDTUpdate -ScriptBlock { 
        New-PSDrive -Name "DS002" -PSProvider MDTProvider -Root "$Using:LocalDeploymentShareFolder" -ErrorAction Stop
        Update-MDTMedia -Path "DS002:\Media\MEDIA001" -Verbose
    } -Credential $MDTCreds -ErrorAction Stop

Command that MDT module runs:

'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\BCDBoot\bcdedit.exe' -store "C:\MyVMs\MDT\USB\Content\Boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "Litetouch Boot [MEDIA001] (x64)" -application OSLOADER

Error from JEA Transcript:

VERBOSE: Error detected running command: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\BCDBoot\bcdedit.exe -store "C:\MyVMs\MDT\USB\Content\Content\Boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "Litetouch Boot [MEDIA001] (x64)" -application OSLOADER' Exit code is: 1
VERBOSE: Error text is: An error occurred while attempting the specified create operation.  This security ID may not be assigned as the owner of this object.
Update-MDTMedia : BcdEdit returned an error.
At line:5 char:9
+         Update-MDTMedia -Path "DS002:\Media\MEDIA001" -Verbose
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (MEDIA001:String) [Update-MDTMedia], DeploymentPointException
    + FullyQualifiedErrorId : BcdEditError,Microsoft.BDD.PSSnapIn.GenerateMDTMedia

Relevant information from session config:

@{
    SchemaVersion = '2.0.0.0'
    SessionType = 'Default'
    ExecutionPolicy = 'Unrestricted'
    LanguageMode = 'FullLanguage'
    TranscriptDirectory = 'C:\JEA\Transcripts'
    RunAsVirtualAccount = $true
    RoleDefinitions = @{
        'ExampleDomain\ExampleUserOrGroup' = @{
            'RoleCapabilities' = 'MDTUpdate'  
        } 
    }
}

Relevant content from role config:

@{
ModulesToImport = 'C:\Program Files\Microsoft Deployment Toolkit\Bin\MicrosoftDeploymentToolkit.psd1'
VisibleCmdlets = 'Get-Command','Out-Default','Exit-PSSession','Measure-Object','Select-Object','Get-FormatData','Start-Transcript','Stop-Transcript','Import-Module','Get-Module','New-PSDrive','Write-Output','Update-MDTDeploymentShare','Remove-Item','Update-MDTMedia','New-Item','Remove-PSDrive'
VisibleProviders = 'FileSystem', 'MDTProvider'
VisibleExternalCommands = 'bcdedit.exe'
}

How can I give BCDEdit the proper permissions when running under the virtual account? Or do I have to drop JEA and give a service account local admin rights and run it under the default PSSession?

1

There are 1 answers

2
Alex On

The thing that comes to mind, is make sure that the group that the account is a part of, has more than just Read-Only permissions. I've had a case where I could run any powershell command, but when it came to invoking a non-powershell native program, it would give me permission issues.

The only other thing besides that is to use a runas within the script block, but that kinda goes against the whole purpose of JEA.