Last Updated on June 7, 2022 by rudyooms

This blog will show you, how you could give regular users permission to restart some services… Why? because sometimes a user needs to restart a specific service and they really don’t have the time to reboot the device itself.

I will divide this blog into multiple parts:

1. Introduction
2. The Idea
3. The Script
4. The results

1.Introduction

Some time ago, Oliver Kieselbach discovered a very great new method to start the IME sync process with just a simple command: “intunemanagementextension://syncapp”.  To make sure users could perform this action. you could push a shortcut with a nice command to all your user desktops. An excellent new approach.

Like Oliver was mentioning, you could restart the Microsoft Intune Management service, which also triggers the sync. But when your users have no admin privileges, this is not possible.

This got me thinking, shouldn’t it be possible to restart some services for end-users? Just like the possibility to install printers / installing programs from the company portal. This would be a great addition to self-servicing users.

2. The Idea

It always starts with an idea… So In this example, I have created a Win32 app to let end users restart the Microsoft Intune management service. Do you know what is beautiful? You could do the same with some other services like for example the Print Spooler. Let me explain why…

How many times didn’t you (when working as a service desk engineer) get a call there was something wrong with the Printer and you needed to restart the Spooler Service?

Before we can do anything with the service, we need to change the permissions of the service itself because a regular user doesn’t have permission to do so. When we have changed the permission we still need to make sure the end-user could easily perform this action him/herself. To do so we are also going to publish a shortcut to an additional program to restart the service.

Below is a screenshot how it would be like when you are done

3. The Script

Let’s start with the easiest part, the restartintune.exe. It is just a simple PowerShell script with 2 commands in it and converted to an EXE. I converted it to an EXE because I am blocking PowerShell and the command line. It’s obvious your standard users don’t need PowerShell access.

I also placed it in the Program files folder, to be sure Applocker isn’t going to “kill” it. I am placing it in the Applocker folder because, in a normal Applocker setup, the Program Files folders are excluded from the block! If you want to read about how to deploy Applocker to Intune, read my blog below.

Now we know what the very simple script would look like that I converted to an exe (restartintun.exe), here it is. Of course, when you want to do the same with the Printer Spooler.. don’t forget to change it.

net stop IntuneManagementExtension
Net start IntuneManagementExtension

And now the Windows10_restartservice.ps1 part. As you can see, you will need some modules, to begin with. After installing the modules you just assign the proper service permission.

Looking at the script below, you will notice that after the service permissions are changed with the Grant-servicepermission command, the restartintune.exe and the corresponding icon file are copied to a new folder inside program files (x86). As mentioned earlier, this folder is excluded from my AppLocker policy.

$objSID = New-Object System.Security.Principal.SecurityIdentifier ("S-1-1-0")
$objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
$everyone = $objUser.Value

#install and import module
install-packageprovider -name nuget -minimumversion 2.8.5.201 -force | out-null
Install-Module -Name 'Carbon' -AllowClobber -force | out-null
Import-Module 'Carbon'

#grant permission and restart service to take affect
Grant-CServicePermission -Name IntuneManagementExtension -Identity $everyone -QueryStatus -EnumerateDependents -Start -Stop

md "c:\program files (x86)\restartservice"
copy .\restartintune.exe "c:\program files (x86)\restartservice\restartintune.exe"
copy .\intune.ico "c:\program files (x86)\restartservice\intune.ico"

#Create Shortcut Desktops
if (-not (Test-Path "C:\Users\Public\Desktop\Restart-Service.url"))
{
$null = $WshShell = New-Object -comObject WScript.Shell
$path = "C:\Users\Public\Desktop\Restart-Service.url"
$targetpath = "c:\program files (x86)\restartservice\restartintune.exe"
$iconlocation = "c:\program files (x86)\restartservice\intune.ico"
$iconfile = "IconFile=" + $iconlocation
$Shortcut = $WshShell.CreateShortcut($path)
$Shortcut.TargetPath = $targetpath
$Shortcut.Save()

Add-Content $path "HotKey=0"
Add-Content $path "$iconfile"
Add-Content $path "IconIndex=0"
}

The only thing left to do is to create the intunewinapp and upload it to Intune and assign it to the users who need that power!

4 .The Results

After a while, the App is installed and a new icon appears on the desktop. I opened the event log and services.msc as an admin user to check out if it was working. So clicking on the Restart Service button, stopped and start the Intune Management Extension service as expected! 

Conclusion:

I guess the puzzle is almost complete now, we have some options to let end-users install apps on their own, install printers on their own and now we can also let end users stop and start some services if needed.

Best of all, these actions can be performed without local admin permissions. Of course, maybe the Intune management service is not the best example… but you could use it for any service you like.