powershell - MDT Module Updating Media through JEA Endpoint fails adding BCD entry -


i running issue remotely updating mdt offline media on jea endpoint. error has permissions passed bcdedit , virtual account created jea (winrm user...). bcdedit returns

an error occurred while attempting specified create operation. security id may not assigned owner of object.

when trying update bcd file x64 boot config.

command:

invoke-command -computername $deploymentservername -configurationname mdtupdate -scriptblock {          new-psdrive -name "ds002" -psprovider mdtprovider -root "$using:localdeploymentsharefolder" -erroraction stop         update-mdtmedia -path "ds002:\media\media001" -verbose     } -credential $mdtcreds -erroraction stop 

command mdt module runs:

'c:\program files (x86)\windows kits\10\assessment , deployment kit\deployment tools\amd64\bcdboot\bcdedit.exe' -store "c:\myvms\mdt\usb\content\boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "litetouch boot [media001] (x64)" -application osloader 

error jea transcript:

verbose: error detected running command: 'c:\program files (x86)\windows kits\10\assessment , deployment kit\deployment tools\amd64\bcdboot\bcdedit.exe -store "c:\myvms\mdt\usb\content\content\boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "litetouch boot [media001] (x64)" -application osloader' exit code is: 1 verbose: error text is: error occurred while attempting specified create operation.  security id may not assigned owner of object. update-mdtmedia : bcdedit returned error. @ line:5 char:9 +         update-mdtmedia -path "ds002:\media\media001" -verbose +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~     + categoryinfo          : invalidoperation: (media001:string) [update-mdtmedia], deploymentpointexception     + fullyqualifiederrorid : bcdediterror,microsoft.bdd.pssnapin.generatemdtmedia 

relevant information session config:

@{     schemaversion = '2.0.0.0'     sessiontype = 'default'     executionpolicy = 'unrestricted'     languagemode = 'fulllanguage'     transcriptdirectory = 'c:\jea\transcripts'     runasvirtualaccount = $true     roledefinitions = @{         'exampledomain\exampleuserorgroup' = @{             'rolecapabilities' = 'mdtupdate'           }      } } 

relevant content role config:

@{ modulestoimport = 'c:\program files\microsoft deployment toolkit\bin\microsoftdeploymenttoolkit.psd1' visiblecmdlets = 'get-command','out-default','exit-pssession','measure-object','select-object','get-formatdata','start-transcript','stop-transcript','import-module','get-module','new-psdrive','write-output','update-mdtdeploymentshare','remove-item','update-mdtmedia','new-item','remove-psdrive' visibleproviders = 'filesystem', 'mdtprovider' visibleexternalcommands = 'bcdedit.exe' } 

how can give bcdedit proper permissions when running under virtual account? or have drop jea , give service account local admin rights , run under default pssession?

the thing comes mind, make sure group account part of, has more read-only permissions. i've had case run powershell command, when came invoking non-powershell native program, give me permission issues.

the other thing besides use runas within script block, kinda goes against whole purpose of jea.


Comments

Popular posts from this blog

ZeroMQ on Windows, with Qt Creator -

unity3d - Unity SceneManager.LoadScene quits application -

python - Error while using APScheduler: 'NoneType' object has no attribute 'now' -