scloud by Florian Salzmann
ende

RunAsRob & Intune - The Part-Time Admin

It’s quite clear that no enduser should have local administrator rights on their device. Unfortunately, there are still programs out there which can’t be installed without admin rights or with a silent parameter, and also don’t offer any update routine. Often CAD or other drawing programs are candidates for this kind of situation. But to still be able to guarantee a reasonably secure environment, the tool “RunAsRob” is a good option. It can be distributed via Intune and lets you run a directory or program as admin, without having admin rights everywhere.

What is “RunAsRob”?

The tool “RunAsRob” is installed as a service and enables the granting of administration or system rights on predefined areas or files. This way a user can run data in a directory or a specific application as admin.

The program is free for private use. For companies, the price starts at 48 $ for 10 devices, and every additional device costs 1.80 $ (per 5 years). (Order RunAsRob (robotronic.de))

Security standard and risk

Whenever a new tool is used, especially when it concerns admin and system rights, it’s important to also look into the topic of security. I contacted the developer Oliver from “Oliver Hessing IT Service” about this, who immediately gave me information and sent me a few articles. I’ve summarized them for you here:

Both articles nicely show the risks and points that should be considered.
For me, the most important thing is that these functions are used with moderation and only where really necessary. Of course, it’s always more secure to not give the user any admin rights at all and lock down the system as much as possible. But that ultimately hinders the user in their work, and they’ll find a workaround or work on a private device - and all the security precautions are for nothing.

Configuring RunAsRob

The three essential functions can be configured via GPO or also via the registry. These define which paths or files are executed as admin or system, what the default value for the execution is, and which applications should be run as a service in the system context.

The settings are stored in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\RunasRob

Under this path you’ll already find the entries if you’ve already installed the tool - if not, you can also create them manually. The values are always of the type “REG_EXPAND_SZ”.

Registry RunAsRob

You can pre-configure these three values as follows:

ValueDescriptionExample
LogonFlagDefault value for paths under “AllowPath”.
asservice or asadminasadmin
AllowedPathDirectory(-ies) and application(s) that are allowed to be run as admin or system.
The paths are strung together and separated with a semicolon (;).
If the startup behavior should differ from the default (LogonFlag), this can be specified with /asservice or /asadmin.C:\Windows\System32\cmd.exe;\\s-xx-app01\XYZ\;C:\CAD\XYZ.exe /asservice
ServiceModeApplication that should be started as a service in the system context, such as a monitoring agent, for example.C:\System\monitoring.exe;C:\Program Files\Agent\agentXY.exe;

Installing RunAsRob and distributing it with Intune

To get the program onto our devices managed with Endpoint Manager / Intune, we install the service “RunAsRob” on one hand, and on the other hand set the registry entries with the desired configuration.
I’ve put the template for the complete package on GitHub for you:

Download package

The package consists of the EXE, an installation and uninstallation routine, a validation file and the configuration data with the registry entries.
Of all these files, we actually only need to adjust the configuration file “RunAsRob_Policies.ps1”. This contains the three configuration options described above and stores them in the Windows registry.

$AllowedPath = ""           #   exp. C:\Windows\System32\cmd.exe;\\s-xx-app01\XYZ\;
$ServiceMode = ""           #   exp. C:\System\monitoring.exe;C:\Program Files\Agent\agentXY.exe;
$LogonFlag = "asadmin"      #   asservice or asadmin

$PolicyPath = "HKLM:\SOFTWARE\RunasRob"

if(!(Test-Path $PolicyPath)){New-Item -Path $PolicyPath -Force}
if($AllowedPath){Set-ItemProperty -Path $PolicyPath -Name "AllowedPath" -Value $AllowedPath -Type "ExpandString"}
if($ServiceMode){Set-ItemProperty -Path $PolicyPath -Name "ServiceMode" -Value $ServiceMode -Type "ExpandString"}
if($LogonFlag){Set-ItemProperty -Path $PolicyPath -Name "LogonFlag" -Value $LogonFlag -Type "ExpandString"}

Once you’ve adjusted the file to your needs, you can turn the whole package into a Win32 app (intunewin). I’ve documented how you can do this here:
Create Win32 App / .intunewin | scloud

Have you created the intunewin file?
Then we just need to register and upload it in Endpoint Manager under “Apps > Windows apps” as a Windows app (Win32).
Then we assign at least a name, a description, and the publisher.

Intune, new win32 app

Win32 App, RunAsRob, settings

For the install and uninstall commands, you can insert the two lines below. We leave the execution context as System.

Install command%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1
Uninstall command%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\uninstall.ps1

RunAsRob, Intune install and uninstall command

For the requirements, only x64 is required, the Windows version doesn’t matter. In the next step you still need to upload the Detection Rule (check.ps1).

RunAsRob, requirements

RunAsRob, Intune detection Rule

The program has no dependencies. Finally, you just need to assign it to the desired group.

Updating the RunAsRob configuration

To define new paths or behavior for the program, you have two options:

  1. Rebuild and redistribute the package like during the initial creation.
  2. Only adjust the configuration file (RunAsRob_Policies.ps1) and distribute it as a PowerShell script.
    • You can upload the script under “Devices > Windows > PowerShell scripts”.
    • Here you simply assign a name, select the script (RunAsRob_Policies.ps1) and assign it to the target group. All default settings can be left as they are:

PowerShell Script, RunAsRob Policies