
The non-admin user: The Battle of Restarting Services


This blog will show you how you can give regular users permission to restart specific services. Sometimes a user needs to restart one service and really doesn’t have the time to reboot the whole device.

1. Introduction

Some time ago, Oliver Kieselbach discovered a great new method for starting the IME sync process (Syncing the Apps not policies!) with just a simple command: “intunemanagementextension://syncapp.” To ensure users can perform this action, you could push a shortcut with a nice command to all your users’ desktops. This is an excellent new approach.

As Oliver mentioned, you could also restart the Microsoft Intune Management service, which also triggers the sync. However, this is not possible when your users lack admin privileges.

This got me thinking: Shouldn’t it be possible to restart some services for end-users, like installing printers/programs from the company portal? This would be a great addition to self-servicing users.

2. The Idea

It always starts with an idea. In this example, I have created a Win32 app to let end users restart the Microsoft Intune management service. Do you know what is beautiful? You could do the same with some other services, like the Print Spooler. Let me explain why.

How many times, when working as a service desk engineer, did you get a call that something was wrong with a printer and you needed to restart the Print Spooler service?

Before we can do anything with the service, we need to change the service’s permissions, because a regular user doesn’t have permission to stop or start it. Once the permissions are changed, we still need to make sure the end user can easily perform this action themselves. To do so, we are also going to publish a shortcut to a small additional program that restarts the service.

Below is a screenshot of what it looks like when you are done.

3. The Script

Let’s start with the easiest part: restartintune.exe. It is just a simple PowerShell script with two commands in it, converted to an EXE. I converted it to an EXE because I block PowerShell and the command line. Your standard users don’t need PowerShell access, right?

I also placed it in the Program Files folder to ensure AppLocker won’t “kill” it. In a normal AppLocker setup, the Program Files folders are excluded from the block! If you want to learn how to deploy AppLocker with Intune, read my blog below.

Here is the very simple script that I converted to an exe (restartintune.exe). Of course, when you want to do the same with the Print Spooler, don’t forget to change the service name.


net stop IntuneManagementExtension
net start IntuneManagementExtension
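As an added example (not the blog’s own restartintune.exe), here is what a slightly more careful version of that restart script can look like before it is converted to an EXE: it waits for the service to actually change state and tells the user why a restart failed (most commonly because the permission grant from the next section has not reached the device yet) instead of failing silently. It assumes the service DACL already grants the caller query status, enumerate dependents, start and stop; the exit codes are my own convention.

```powershell
# Added example, not the blog's restartintune.exe: a restart script for a standard user that
# waits for the state change and reports why it failed instead of failing silently.
# Assumes the service DACL already grants the caller query status, enumerate dependents,
# start and stop, as section 3 sets up. Exit code 0 = restarted, 5 = access denied.
param(
    [string]$ServiceName    = 'IntuneManagementExtension',
    [int]   $TimeoutSeconds = 60
)

function Restart-GrantedService {
    param([string]$Name, [int]$Timeout)
    try {
        # Get-Service only needs SERVICE_QUERY_STATUS, so this works even before the grant
        $svc = Get-Service -Name $Name -ErrorAction Stop
    } catch {
        Write-Warning "Service '$Name' not found: $($_.Exception.Message)"
        return 2
    }
    $wait = [TimeSpan]::FromSeconds($Timeout)
    try {
        if ($svc.Status -ne 'Stopped') {
            # ServiceController.Stop() stops dependent services first, which is why
            # SERVICE_ENUMERATE_DEPENDENTS has to be part of the grant
            $svc.Stop()
            $svc.WaitForStatus('Stopped', $wait)
        }
        $svc.Start()
        $svc.WaitForStatus('Running', $wait)
        Write-Host "'$Name' restarted, status: $($svc.Status)"
        return 0
    } catch [System.ServiceProcess.TimeoutException] {
        Write-Warning "'$Name' did not change state within $Timeout seconds"
        return 3
    } catch [System.InvalidOperationException] {
        # Stop()/Start() wrap the Win32 error; 5 (ERROR_ACCESS_DENIED) means the DACL grant is missing
        $inner = $_.Exception.InnerException
        if ($inner -is [System.ComponentModel.Win32Exception] -and $inner.NativeErrorCode -eq 5) {
            Write-Warning "Access denied: this account has not been granted start/stop on '$Name'"
            return 5
        }
        Write-Warning $_.Exception.Message
        return 1
    }
}

exit (Restart-GrantedService -Name $ServiceName -Timeout $TimeoutSeconds)
```

Because the script returns a distinct exit code for access denied, the service desk can tell a missing permission apart from a service that simply hangs on stop, which is the usual reason a restart “does nothing” for a standard user.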

And now the Windows10_restartservice.ps1 part. As you can see, you first need the Carbon module. After installing it, you just assign the proper service permissions.

Looking at the script below, you will notice that after the service permissions are changed with the Grant-CServicePermission command, restartintune.exe and the corresponding icon file are copied to a new folder inside Program Files (x86). As mentioned earlier, this folder is excluded from my AppLocker policy.

# Resolve the well-known SID S-1-1-0 to its account name ("Everyone")
$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-1-0")
$objUser = $objSID.Translate([System.Security.Principal.NTAccount])
$everyone = $objUser.Value

# Install and import the Carbon module (the NuGet package provider is needed first)
Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
Install-Module -Name 'Carbon' -AllowClobber -Force | Out-Null
Import-Module 'Carbon'

# Grant Everyone the rights needed to query, stop and start the service
# (stopping also requires enumerating dependent services); the change takes effect immediately
Grant-CServicePermission -Name IntuneManagementExtension -Identity $everyone -QueryStatus -EnumerateDependents -Start -Stop

# Copy the exe and icon to a folder under Program Files (x86), which AppLocker allows by default
New-Item -ItemType Directory -Path "c:\program files (x86)\restartservice" -Force | Out-Null
Copy-Item .\restartintune.exe "c:\program files (x86)\restartservice\restartintune.exe"
Copy-Item .\intune.ico "c:\program files (x86)\restartservice\intune.ico"

# Create the shortcut on the public desktop (only once)
if (-not (Test-Path "C:\Users\Public\Desktop\Restart-Service.url"))
{
    $WshShell = New-Object -ComObject WScript.Shell
    $path = "C:\Users\Public\Desktop\Restart-Service.url"
    $targetpath = "c:\program files (x86)\restartservice\restartintune.exe"
    $iconlocation = "c:\program files (x86)\restartservice\intune.ico"
    $iconfile = "IconFile=" + $iconlocation
    $Shortcut = $WshShell.CreateShortcut($path)
    $Shortcut.TargetPath = $targetpath
    $Shortcut.Save()

    # A .url file is plain INI text, so the icon settings can simply be appended
    Add-Content $path "HotKey=0"
    Add-Content $path $iconfile
    Add-Content $path "IconIndex=0"
}
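The script above grants the rights to Everyone (S-1-1-0), which covers every account that can log on, and relies on the third-party Carbon module. As an added example (not the blog’s script), the following does the same grant with the built-in sc.exe, scoped to one group instead of Everyone, and then reads the service DACL back to verify exactly what was granted. It must run elevated; the group name ServiceRestarters is a placeholder (the group has to exist locally or in the domain), and the SDDL right letters and mask bits are the documented Windows service access rights.

```powershell
# Added example, not the blog's script: grant one group start/stop rights on a service with the
# built-in sc.exe instead of the Carbon module, then read the service DACL back to verify it.
# Run elevated. 'ServiceRestarters' is a placeholder group name; use your own local or domain group.
param(
    [string]$ServiceName = 'IntuneManagementExtension',
    [string]$GroupName   = 'ServiceRestarters'
)

# Service rights in SDDL form and their access-mask bits (Windows service security documentation):
# LC = SERVICE_QUERY_STATUS (0x4), SW = SERVICE_ENUMERATE_DEPENDENTS (0x8),
# RP = SERVICE_START (0x10), WP = SERVICE_STOP (0x20). Nothing else: no change-config, no WRITE_DAC.
$GrantSddlRights = 'LCSWRPWP'
$GrantMask       = 0x4 -bor 0x8 -bor 0x10 -bor 0x20   # 0x3C

function ConvertTo-Sid {
    param([string]$Identity)
    $acct = New-Object System.Security.Principal.NTAccount($Identity)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-ServiceSddl {
    param([string]$Name)
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow '$Name' failed: $out" }
    # sc.exe prints a blank line and then the descriptor; keep only the descriptor
    return (($out | Where-Object { $_ -match 'D:\(' }) -join '').Trim()
}

function Grant-ServiceControl {
    param([string]$Name, [string]$Identity, [string]$Rights)
    $sid  = ConvertTo-Sid $Identity
    $sddl = Get-ServiceSddl -Name $Name
    $ace  = "(A;;$Rights;;;$sid)"
    if ($sddl.Contains($ace)) { return $sddl }        # already present, nothing to do
    # Append the ACE to the DACL; the SACL ("S:" part), if present, must stay after it
    $saclStart = $sddl.IndexOf('S:')
    $newSddl = if ($saclStart -ge 0) { $sddl.Insert($saclStart, $ace) } else { $sddl + $ace }
    $out = & sc.exe sdset $Name $newSddl
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdset '$Name' failed: $out" }
    return $newSddl
}

function Test-ServiceControl {
    # Parse the live DACL and report whether the identity holds all of the wanted rights
    param([string]$Name, [string]$Identity, [int]$Mask)
    $sid = ConvertTo-Sid $Identity
    $sd  = New-Object System.Security.AccessControl.CommonSecurityDescriptor `
               -ArgumentList $false, $false, (Get-ServiceSddl -Name $Name)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $sid) {
            $granted = $granted -bor $ace.AccessMask
        }
    }
    return (($granted -band $Mask) -eq $Mask)
}

Grant-ServiceControl -Name $ServiceName -Identity $GroupName -Rights $GrantSddlRights | Out-Null
if (Test-ServiceControl -Name $ServiceName -Identity $GroupName -Mask $GrantMask) {
    Write-Host "$GroupName can now query, start and stop $ServiceName"
} else {
    Write-Warning "DACL of $ServiceName does not grant the expected rights to $GroupName"
}
```

Test-ServiceControl is also handy on its own as a detection or audit step: run it against the services you opened up and against a few you did not, and the result tells you whether a device has drifted from what the package was supposed to grant. Keeping the grant to LC, SW, RP and WP means the group can restart the service but cannot change its binary path, its logon account or its DACL.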

The only thing left to do is to create the .intunewin package, upload it to Intune and assign it to the users who need that power!

4. The Results

After a while, the app is installed and a new icon appears on the desktop. I opened the event log and services.msc as an admin user to check whether it was working. Clicking the Restart Service button stopped and started the Intune Management Extension service as expected!

Screenshot: the service is restarted without being a local admin.

5. Conclusion

I guess the puzzle is almost complete now. We have some options to let end-users install apps and printers on their own, and now we can also let end users stop and start some services if needed.


Best of all, these actions can be performed without local admin permissions. Of course, the Intune management service may not be the best example… but you can use the same approach for any service you like.

7 thoughts on “The non-admin user: The Battle of Restarting Services”

  1. Could you do the same to grant permission to stop the print spooler, delete files in a folder and then restart the spooler after file deletion?

    1. Hi, everything is possible :).. I guess. In this (old blog… need to update it) I am only granting the permissions to restart this service. Maybe a way better idea would be to create a PowerShell script which does everything you say and create an available app for it. When configuring the detection rules, you could make sure they can (install –> read… run it) from the Company Portal app when needed. They can launch the app as a normal user.. but it will do everything you want as SYSTEM… And maybe combine it with PSADT to show the end user a little bit more information about the process?

      Let me know if it works for you… if so please send me a pm so we can transform this problem/issue/solution to a blog to help out others

    1. Thanks… that ServicePermissions would be removed in the next major version indeed… I changed it and also changed the Everyone part to match the SID.

  2. Looks exactly like something I’m needing now, thanks. Going to try making some adjustments.
    A couple of questions though:

    How do your install and uninstall commands look?
    Also, when deploying with Intune, what did you make your detection rules like?

    Thanks a bunch!

  3. If I want to make the Win32 app available and rerun when the user clicks on it from the Company Portal, what should my detection rule look like? Can’t figure it out 😀
