
RunAsRob & Intune - The Part-Time Admin


Clearly, no end user should have local administrator rights on their device. Unfortunately, there are still programs that cannot be installed without admin rights or with silent parameters, and that do not offer an update routine either. CAD and other drawing programs are frequent candidates for this. In order to still guarantee the safest possible environment, the tool «RunAsRob» comes into play. It can be distributed via Intune and allows a directory or program to be run as admin without giving the user admin rights everywhere.


What is «RunAsRob»?

The «RunAsRob» tool is installed as a service and makes it possible to assign administrator or system rights to predefined areas or files. A user can thus run the files in a directory, or a specific application, as admin.

The program is free for private use. For companies, the price starts at 48 $ for 10 devices and each additional one costs 1.80 $ (per 5 years). (Order RunAsRob (robotronic.de))

Security standard and risk

Whenever a new tool is used, especially when it comes to admin and system rights, it is important to also deal with the issue of security. I asked the developer Oliver from "Oliver Hessing IT Service", who immediately sent me information and a few articles. I have summarized them for you here:

The two articles show very nicely the risks and points that should be considered.
The most important thing for me is that the functions are used in moderation and only where really necessary. Of course, it is always safer not to give the user any admin rights at all and to lock down the system as much as possible. But this ultimately prevents the user from doing his or her work, and if he looks for a detour or works on a private device, all security precautions are useless.

Configuration of RunAsRob

The three main functions can be configured via GPO or the registry. They define which paths or files are run as admin or system, what the default run mode is, and which applications are started as a service in the system context.

The settings are stored in the registry here:

HKEY_LOCAL_MACHINE\SOFTWARE\RunasRob

If you have already installed the tool, you will find the entries under this path. If not, you can also create them manually. The values are always of the "REG_EXPAND_SZ" type.


You can preconfigure these three values as follows:

Value: LogonFlag
  Description: Default run mode for the paths under «AllowedPath»; either asservice or asadmin.
  Example: asadmin

Value: AllowedPath
  Description: Directory(s) and application(s) allowed to run as admin or system. The paths are listed one after another, separated by a semicolon (;). If the start behaviour of an entry should deviate from the default (LogonFlag), append /asservice or /asadmin to that entry.
  Example: C:\Windows\System32\cmd.exe;\\s-xx-app01\XYZ\;C:\CAD\XYZ.exe /asservice

Value: ServiceMode
  Description: Application(s) started as a service in the system context, such as a monitoring agent.
  Example: C:\System\monitoring.exe;C:\Program Files\Agent\agentXY.exe;

Install RunAsRob and deploy with Intune

In order to bring the program to our devices managed with the Endpoint Manager / Intune, we install the "RunAsRob" service on the one hand and set the registry entries with the desired configuration on the other.
I put the template for the complete package on GitHub for you:

The package consists of the EXE, an installation and uninstallation routine, a validation file and the configuration data with the registry entries.
Of all these files, we actually only have to adapt the «RunAsRob_Policies.ps1» configuration file. It contains the three configuration options described above and writes them to the Windows registry.

# Paths/applications allowed to run elevated, separated by semicolons (;)
$AllowedPath = ""   # e.g. C:\Windows\System32\cmd.exe;\\s-xx-app01\XYZ\;
# Applications started as a service in the system context
$ServiceMode = ""   # e.g. C:\System\monitoring.exe;C:\Program Files\Agent\agentXY.exe;
# Default run mode for the AllowedPath entries
$LogonFlag = "asadmin"   # asservice or asadmin

$PolicyPath = "HKLM:\SOFTWARE\RunasRob"

# Create the policy key if it does not exist yet, then write only the values that are set (REG_EXPAND_SZ)
if(!(Test-Path $PolicyPath)){New-Item -Path $PolicyPath -Force}
if($AllowedPath){Set-ItemProperty -Path $PolicyPath -Name "AllowedPath" -Value $AllowedPath -Type "ExpandString"}
if($ServiceMode){Set-ItemProperty -Path $PolicyPath -Name "ServiceMode" -Value $ServiceMode -Type "ExpandString"}
if($LogonFlag){Set-ItemProperty -Path $PolicyPath -Name "LogonFlag" -Value $LogonFlag -Type "ExpandString"}
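Because every AllowedPath entry runs elevated for any user of the device, it is worth auditing what the policy actually grants before (and after) rollout. The following script is an added example and not part of the original package or of RunAsRob itself: it reads HKLM:\SOFTWARE\RunasRob, splits AllowedPath the way the table above describes (semicolons, optional /asservice or /asadmin per entry, LogonFlag as the default), and flags entries a defender would want to look at. The risk heuristics (whole directories, interactive shells, UNC paths, user-writable targets) and the fallback to asadmin when LogonFlag is unset are my assumptions.

```powershell
# Added example: audit the RunAsRob policy from a defender's point of view.
# Registry path and value names are from the post; the risk checks are heuristics.
$PolicyPath = "HKLM:\SOFTWARE\RunasRob"
$policy = Get-ItemProperty -Path $PolicyPath -ErrorAction Stop
$defaultMode = if ($policy.LogonFlag) { $policy.LogonFlag } else { "asadmin" }  # assumption when unset

# Interactive shells/interpreters: allowing one hands every user an elevated shell.
$shells = @("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

function Get-RunAsRobEntries {
    param([string]$AllowedPath, [string]$DefaultMode)
    foreach ($raw in ($AllowedPath -split ";")) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }
        # A trailing /asservice or /asadmin overrides the LogonFlag default for this entry.
        $mode = $DefaultMode
        if ($entry -match '^(.*?)\s+/(asservice|asadmin)\s*$') {
            $entry = $Matches[1]; $mode = $Matches[2]
        }
        $isDir = $entry.EndsWith("\")
        $leaf  = [System.IO.Path]::GetFileName($entry.TrimEnd("\"))
        $risks = @()
        if ($isDir) { $risks += "whole directory: every file inside runs elevated" }
        if ($shells -contains $leaf.ToLower()) { $risks += "interactive shell/interpreter" }
        if ($entry -like "\\*") { $risks += "UNC path: depends on share ACLs" }
        if (Test-Path -LiteralPath $entry) {
            # Whoever can write to the target can change what is executed elevated.
            $acl = Get-Acl -LiteralPath $entry -ErrorAction SilentlyContinue
            $userWrite = $acl.Access | Where-Object {
                $_.AccessControlType -eq "Allow" -and
                $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
                $_.FileSystemRights -match 'Write|Modify|FullControl'   # coarse check
            }
            if ($userWrite) { $risks += "writable by standard users" }
        } else { $risks += "path not found on this device" }
        [pscustomobject]@{ Path = $entry; Mode = $mode; IsDirectory = $isDir; Risks = ($risks -join "; ") }
    }
}

Get-RunAsRobEntries -AllowedPath $policy.AllowedPath -DefaultMode $defaultMode | Format-Table -AutoSize
```

Run it as a local administrator on a device that already has the policy; the example value from the table above (cmd.exe with asadmin as default) would be reported as an interactive shell running elevated.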

Once you have adjusted the file to your liking, you can turn the whole package into a Win32 app (intunewin). I have documented how you can do this here:
Create Win32 App / .intunewin | scloud

Did you create the Intunewin file?
Then we only have to add it in the Endpoint Manager under «Apps > Windows apps» as «» and upload it.
Then we assign at least a name, a description and the publisher.


For the install and uninstall instructions, you can add the two lines below. We leave the execution as a system as it is.

Install command: %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1
Uninstall command: %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\uninstall.ps1

For the requirements, only x64 is needed; the Windows version is irrelevant. In the next step you still have to upload the detection rule (check.ps1).


The program has no dependencies. Finally, all you have to do is assign it to the desired group.
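For readers who build their own package, the following is an added example of what a custom detection script for this Win32 app can look like; it is not the check.ps1 from the post's GitHub package. Intune treats the app as installed only when the script exits 0 and writes something to STDOUT; the registry path and value names are from the post, while the service name «RunasRob» is an assumption to adjust to what services.msc shows.

```powershell
# Added example: Intune Win32 detection rule for RunAsRob (not the package's own check.ps1).
$ServiceName = "RunasRob"                # assumption: use the service name shown in services.msc
$PolicyPath  = "HKLM:\SOFTWARE\RunasRob" # from the post

function Test-RunAsRobInstalled {
    # Returns $null when everything expected is present, otherwise a short reason string.
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $service) { return "service '$ServiceName' missing" }
    if ($service.Status -ne "Running") { return "service not running ($($service.Status))" }

    if (-not (Test-Path -Path $PolicyPath)) { return "policy key $PolicyPath missing" }
    $policy = Get-ItemProperty -Path $PolicyPath
    # LogonFlag is the default run mode and should always hold one of the two known values.
    if ($policy.LogonFlag -notin @("asadmin", "asservice")) {
        return "LogonFlag not set to asadmin/asservice"
    }
    # The post specifies REG_EXPAND_SZ for all three values; report drift from that type.
    $key = Get-Item -Path $PolicyPath
    foreach ($name in @("AllowedPath", "ServiceMode", "LogonFlag")) {
        if (($name -in $key.GetValueNames()) -and ($key.GetValueKind($name) -ne "ExpandString")) {
            return "$name is not REG_EXPAND_SZ"
        }
    }
    return $null
}

$problem = Test-RunAsRobInstalled
if ($problem) {
    # No output and a non-zero exit code: Intune reports "not detected" and (re)installs.
    exit 1
}
Write-Output "RunAsRob installed and policy present"
exit 0
```

Because the script also checks the policy values, a device whose registry configuration was removed or changed to the wrong type will fall back to "not detected" and receive the package again.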

Update RunAsRob configuration

To define new paths or behavior of the program, you have two options:

  1. Rebuild and distribute package as in initial build.
  2. Just adjust the configuration file (RunAsRob_Policies.ps1) and distribute it as a PowerShell script.
    • You can upload the script under «Devices > Windows > PowerShell scripts».
    • Here you simply assign a name, select the script (RunAsRob_Policies.ps1) and assign it to the target group. The default settings can all be left as they are.

2 thoughts on “RunAsRob & Intune – The Part-Time Admin”

  1. Hello Florian,

    You have a nice and informative website. I was trying to add your website RSS feed to my collection but there seem to be some problems downloading it. Could be permissions or something like that. Every download gets stuck in the failed state.

    BR
    haru
