5 Replies Latest reply on Sep 15, 2017 6:25 AM by Hugues

    Task scheduler issue

    Hugues Rookie

      Hello,

      We are currently configuring Ivanti patch for SCCM (ver 2.3 update 2) and we have an issue when we want to configure "Schedule Download and / or Publication" (Windows Task Scheduler) because we have a GPO that prevents password storage (GPO: Network Access: Do not allow storage of passwords and credentials for network authentication: Enable).

       

      We are not allowed to disable this GPO as a security measure. So this is not a possible avenue.

       

      In fact, this GPO prevents creating any tasks planned with "Run as ...": Run whether user is logged on or not.

       

      We want to plan an SCCM ADR, but we don't want to download and publish manually.

       

      We are not the only ones to have encountered the problem:

      https://community.shavlik.com/docs/DOC-23623

       

       

      Has anyone ever encountered this problem?

      And what solution has been put in place?

       

      Shavlik 2.3 update 2

      Microsoft Windows 2008 R2

      WSUS 3.2

       

      Thanks

        • 1. Re: Task scheduler issue
          cwinning CommunityTeam

          Hello,

           

          That post was back in 2014, we since released a version that allows you to use Logged on user. If enabled, specifies that you will use the credentials of the currently logged on user to add the publishing task to Microsoft Scheduler. The User box is automatically populated so you only need to type the account password.  This is the workaround implemented since that document was written.

           

          There are no other options in the current versions of Patch for SCCM.  Can you confirm this doesn't work when using the Logged on user option?

           

          Thanks,

          Charles

          • 2. Re: Task scheduler issue
            Hugues Rookie

            Whether with the user currently logged in or a user defined, it does not work because the task must run even if it is not connected, implying that the password must be kept and the GPO does not allow it.

            If I change the value of the GPO (in the registry) it is functional. Otherwise no.

            When I type the password and click "OK", I get the same error message as in the old post.
            So I confirm it doesn't work.
            Thanks,
            Hugues

            • 3. Re: Task scheduler issue
              Hugues Rookie

              Hello,

              Whether with the user currently logged in or a user defined, it does not work because the task must run even if it is not connected, implying that the password must be kept and the GPO does not allow it.

              If I change the value of the GPO (in the registry) it is functional. Otherwise no.

              When I type the password and click "OK", I get the same error message as in the old post.
              So I confirm it doesn't work.
              Thanks,
              Hugues

              • 4. Re: Task scheduler issue
                cwinning CommunityTeam

                Due to your inability to use stored passwords, the workaround I will be outlining here is to ‘Run as’ the Network Service account.  Unfortunately, we don’t give the user that option in the UI so there are manual steps needed.

                 

                Generally, to get around the stored credential permission, you need to schedule the task to run as a built-in service, such as “NETWORK SERVICE”.  If you can do this, here are the additional steps needed:

                 

                1. Make the SCCM server machine account a member of the WSUS Administrator’s group on the WSUS server.

                2. On the SCCM server, make the local NETWORK SERVICE account an SCCM Administrator.

                3. Give the NETWORK SERVICE account full rights to the Shavlik Patch folder of the user that created the filter. Typically, C:\Users\<account>\Shavlik\Shavlik Patch. This gives the account the right to read the Ivanti Patch configuration parameters and to write the log files.

                4. Schedule a Microsoft task to run as the NETWORK SERVICE with the following program and options:

                 

                "C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ST.SCCM.AutoPublish.exe" -sccmserver "VM-SCCM2-SERVER.sccm2.local" -update -filter "filter-name" -revisions -sync -onBehalfOf S-1-5-21-000000000-1111111111-333333333-444

                • Replace -sccmserver parameter with real SCCM server.
                • Replace -filter parameter with real filter name.  Found in Settings > Schedule > Publish the updates selected by this filter
                • The additional parameter, -onBehalfOf <sid>, is the SID of the account that created the filter. You can find the SID using this PowerShell command: (replace account name with account logged in to SCCM when the filter was created)

                gwmi -class win32_account -Filter 'name="account name"'

                 

                This is a bit outside of our support scope, but I'll attempt to help you work through this.

                 

                Thanks,

                Charles

                1 of 1 people found this helpful
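
Steps 3 and 4 of the answer above as a script, an added example that is not part of the original post and not Ivanti's code: it registers the task from a task-definition XML whose principal is the well-known SID S-1-5-20 (NETWORK SERVICE), so Task Scheduler stores no password and the credential-storage GPO is not involved. The account names, task name, and daily 02:00 trigger are placeholder assumptions; the server and filter names are the sample values from the post.

```powershell
# Added example, run from an elevated PowerShell session on the SCCM server.
$filterOwner = 'SCCM2\patchadmin'            # placeholder: account that created the filter
$profileName = 'patchadmin'                  # placeholder: that account's profile folder
$sccmServer  = 'VM-SCCM2-SERVER.sccm2.local' # sample server name from the post
$filterName  = 'filter-name'                 # sample filter name from the post
$taskName    = 'Patch for SCCM AutoPublish'  # placeholder task name
$exe = 'C:\Program Files (x86)\Microsoft Configuration Manager\AdminConsole\bin\ST.SCCM.AutoPublish.exe'

# SID for -onBehalfOf (the SID the gwmi query in the post reports for this account).
$sid = (New-Object System.Security.Principal.NTAccount($filterOwner)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

# Step 3: full rights for NETWORK SERVICE on the Shavlik Patch folder only.
$folder = "C:\Users\$profileName\Shavlik\Shavlik Patch"
icacls.exe $folder /grant 'NT AUTHORITY\NETWORK SERVICE:(OI)(CI)F'

# Step 4: task definition with NETWORK SERVICE (S-1-5-20) as principal, no password.
$arguments = "-sccmserver `"$sccmServer`" -update -filter `"$filterName`" -revisions -sync -onBehalfOf $sid"
$esc = { param($s) [System.Security.SecurityElement]::Escape($s) }  # XML-escape quotes etc.
$xml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2017-01-01T02:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-20</UserId></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>$(& $esc $exe)</Command>
      <Arguments>$(& $esc $arguments)</Arguments>
    </Exec>
  </Actions>
</Task>
"@
$xmlPath = Join-Path $env:TEMP 'autopublish-task.xml'
$xml | Out-File -FilePath $xmlPath -Encoding Unicode   # UTF-16, matching the XML declaration
schtasks.exe /Create /TN $taskName /XML $xmlPath /F

# Check: the task should report NETWORK SERVICE as its run-as account.
schtasks.exe /Query /TN $taskName /V /FO LIST | Select-String 'Run As User'
```

NETWORK SERVICE is an identity shared by every service on the server that runs under it, so the folder grant here is scoped to the one Shavlik Patch folder rather than the whole user profile.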
                • 5. Re: Task scheduler issue
                  Hugues Rookie

                  When we have tested this solution, we will inform you of the result

                  Thanks for the support