Ensuring your GCE scripts that use Run As accounts continue to execute in Microsoft Virtual Machine Manager

~ Jeff Towarnicki | Software Engineer


Beginning with the February security patch for Windows (MS15-011) and Update Rollup 6 for System Center 2012 R2 Virtual Machine Manager (VMM 2012 R2), you may need to modify the way your GCE scripts are executed in order to ensure that those scripts continue to work after these security patches are applied.

The guest agent in VMM was updated in UR6 and later versions to accommodate the Windows security update and changed to use BATCH instead of INERACTIVE in order to successfully create processes. Because of this change, your Run As user account must be added to the local admin group, or be granted the Log on as a batch job privilege in the local group policy of the guest VM. If this is not done, your GCEs that use a Run As account will fail after VMM is updated to UR6 or later. Note that this applies to the Virtual Machine Manager Tech Previews as well.

If your Run As account does not have Administrator privileges in the guest VM, here are some options for making sure your GCE scripts continue to run:

Option 1: Manually give administrative privileges to the user account

If the Run As user account is not already a member of the local admin group on the guest VM, simply add the user account to the local admin group. To do this, open an administrative command prompt (Run as Administrator) on the guest VM and run lusrmgr.msc to open Local Users and Groups. From there, add the user that maps to your Run As account to the local admin group. In the example below I add the user mydomain\user which maps to my Run As account.


Option 2: Grant admin privileges to the user account using a service template script

Within your service template, create a Pre-Install script that runs before any scripts that require a Run As account, then use that script to add the users of those Run As accounts to the local admin group on the VM. In the example below I run the following command in my pre-install script:

cmd.exe /q /c net localgroup administrators mydomain\myuser /add

When this command runs as part of the Pre-Install script, the specified user (mydomain\myuser) is added to the local admin group and thus automatically has privileges to login as BATCH.


Option 3: Manually grant “Logon as a batch job” privileges to the user account in the local group policy of the guest VM

If you need finer granularity of the permissions for your users, you can simply grant the Run As user account Log on as a batch job privileges in the local group policy of the guest VM. This way you don’t have to add user accounts unnecessarily to the admin group. Here are the steps:

1. Open Local Security Policy from Windows Administrative Tools:


Under User Windows Settings/Security Settings/User Rights Assignment, right-click on Log on as a batch job and then add the Run As user (mydomain\myuser in this example) to the group:


That’s it. After these steps, the user in your Run As account will have the necessary privileges to run a GCE after the latest Windows and VMM updates are installed.

Jeff Towarnicki | Software Engineer | Microsoft

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

System Center All Up: http://blogs.technet.com/b/systemcenter/

Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ 
Data Protection Manager Team blog: http://blogs.technet.com/dpm/ 
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ 
Operations Manager Team blog: http://blogs.technet.com/momteam/ 
Service Manager Team blog: http://blogs.technet.com/b/servicemanager 
Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Microsoft Intune: http://blogs.technet.com/b/microsoftintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The RMS blog: http://blogs.technet.com/b/rms/
App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv
The Surface Team blog: http://blogs.technet.com/b/surface/
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/
The Forefront TMG blog: http://blogs.technet.com/b/isablog/
The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/

VMM 2012 R2