Updating MDT Media module through JEA endpoint does not allow adding BCD record

I am having trouble remotely updating offline MDT media on the JEA endpoint. The error is related to the permissions transferred to BCDEdit and the virtual account created by JEA (WinRM user ...). BCDEdit returns

An error occurred while attempting the specified create operation. This security identifier cannot be assigned as the owner of this object.

while trying to update the BCD file using the x64 boot configuration.

Command:

 Invoke-Command -ComputerName $DeploymentServerName -ConfigurationName MDTUpdate -ScriptBlock {
     New-PSDrive -Name "DS002" -PSProvider MDTProvider -Root "$Using:LocalDeploymentShareFolder" -ErrorAction Stop
     Update-MDTMedia -Path "DS002:\Media\MEDIA001" -Verbose
 } -Credential $MDTCreds -ErrorAction Stop

The command executing the MDT module:

 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\BCDBoot\bcdedit.exe' -store "C:\MyVMs\MDT\USB\Content\Boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "Litetouch Boot [MEDIA001] (x64)" -application OSLOADER 

Error in JEA transcript:

 VERBOSE: Error detected running command: 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\BCDBoot\bcdedit.exe -store "C:\MyVMs\MDT\USB\Content\Content\Boot\bcd" /create "{f31cce1a-e314-4481-9ac9-e519f65dff65}" -d "Litetouch Boot [MEDIA001] (x64)" -application OSLOADER'
 Exit code is: 1
 VERBOSE: Error text is: An error occurred while attempting the specified create operation.
 This security ID may not be assigned as the owner of this object.
 Update-MDTMedia : BcdEdit returned an error.
 At line:5 char:9
 +         Update-MDTMedia -Path "DS002:\Media\MEDIA001" -Verbose
 +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (MEDIA001:String) [Update-MDTMedia], DeploymentPointException
     + FullyQualifiedErrorId : BcdEditError,Microsoft.BDD.PSSnapIn.GenerateMDTMedia

Relevant information from the session configuration:

 @{
     SchemaVersion       = '2.0.0.0'
     SessionType         = 'Default'
     ExecutionPolicy     = 'Unrestricted'
     LanguageMode        = 'FullLanguage'
     TranscriptDirectory = 'C:\JEA\Transcripts'
     RunAsVirtualAccount = $true
     RoleDefinitions     = @{
         'ExampleDomain\ExampleUserOrGroup' = @{ 'RoleCapabilities' = 'MDTUpdate' }
     }
 }

Relevant content from role configuration:

 @{
     ModulesToImport         = 'C:\Program Files\Microsoft Deployment Toolkit\Bin\MicrosoftDeploymentToolkit.psd1'
     VisibleCmdlets          = 'Get-Command', 'Out-Default', 'Exit-PSSession', 'Measure-Object', 'Select-Object',
                               'Get-FormatData', 'Start-Transcript', 'Stop-Transcript', 'Import-Module', 'Get-Module',
                               'New-PSDrive', 'Write-Output', 'Update-MDTDeploymentShare', 'Remove-Item',
                               'Update-MDTMedia', 'New-Item', 'Remove-PSDrive'
     VisibleProviders        = 'FileSystem', 'MDTProvider'
     VisibleExternalCommands = 'bcdedit.exe'
 }

How can I provide BCDEdit with the correct permissions when working under a virtual account? Or do I need to reset JEA and provide local administrator rights to the service account and run it under PSSession by default?

+8
powershell mdt
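The question does not show what identity the JEA virtual account actually presents to bcdedit.exe, or whether the BCD /create step fails on its own without MDT in the loop. The script below is an added diagnostic, not part of the original question or of MDT. It reuses the question's variables ($DeploymentServerName, $MDTCreds), endpoint name (MDTUpdate) and bcdedit.exe path as-is; it assumes the same user may also connect to the server's default PowerShell endpoint, and that whoami.exe is reachable inside the session (the role capability in the question only lists bcdedit.exe under VisibleExternalCommands, so the privilege listing is skipped if whoami.exe is hidden). The throwaway BCD store, its path and the entry description are constructed for the probe.

```powershell
# Added diagnostic (not from the original post). Runs the same BCD "create" step that
# Update-MDTMedia performs, but against a temporary store, first through the JEA endpoint
# (virtual account) and then through the default endpoint (the caller's own token), and
# reports the identity, groups and privileges each session runs with.
param(
    [Parameter(Mandatory)] [string]       $DeploymentServerName,   # from the question
    [Parameter(Mandatory)] [pscredential] $MDTCreds,               # from the question
    [string] $ConfigurationName = 'MDTUpdate',                     # endpoint name from the question
    [string] $BcdEdit = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools\AMD64\BCDBoot\bcdedit.exe'
)

$probe = {
    param($BcdEdit)
    $result = [ordered]@{}

    # 1. Identity of the session. Under RunAsVirtualAccount this is a transient
    #    'WinRM Virtual Users\WinRM VA_<n>_<domain>_<user>' account, not the caller.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result.User   = $identity.Name
    $result.Groups = $identity.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
    # Privileges need whoami.exe; assumed reachable, skipped otherwise.
    $result.Privileges = if (Get-Command whoami.exe -ErrorAction SilentlyContinue) {
        (whoami.exe /priv /fo csv | ConvertFrom-Csv).'Privilege Name'
    } else { '(whoami.exe not visible in this session)' }

    # 2. Reproduce the failing step against a throwaway store (constructed path), so the
    #    MDT media tree and its ACLs are out of the picture.
    $store = Join-Path $env:TEMP ('bcdprobe-{0}.bcd' -f [guid]::NewGuid())
    $result.CreateStoreOutput = & $BcdEdit /createstore $store 2>&1
    $result.CreateStoreExit   = $LASTEXITCODE
    if ($LASTEXITCODE -eq 0) {
        $entryId = '{' + [guid]::NewGuid().ToString() + '}'
        $result.CreateEntryOutput = & $BcdEdit -store $store /create $entryId -d 'JEA probe (x64)' -application OSLOADER 2>&1
        $result.CreateEntryExit   = $LASTEXITCODE
        Remove-Item -Path $store -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

$runs = @(
    @{ Name = "JEA endpoint '$ConfigurationName' (virtual account)"
       Result = Invoke-Command -ComputerName $DeploymentServerName -ConfigurationName $ConfigurationName `
                    -Credential $MDTCreds -ScriptBlock $probe -ArgumentList $BcdEdit }
    @{ Name = 'Default endpoint (caller token)'
       Result = Invoke-Command -ComputerName $DeploymentServerName `
                    -Credential $MDTCreds -ScriptBlock $probe -ArgumentList $BcdEdit }
)

foreach ($run in $runs) {
    Write-Host "== $($run.Name) =="
    $r = $run.Result
    $r | Select-Object User, CreateStoreExit, CreateEntryExit | Format-List
    Write-Host 'Groups:';     $r.Groups     | ForEach-Object { "  $_" }
    Write-Host 'Privileges:'; $r.Privileges | ForEach-Object { "  $_" }
    if ($r.CreateStoreExit -ne 0) { Write-Host 'bcdedit /createstore output:'; $r.CreateStoreOutput }
    if ($r.CreateEntryExit -ne 0) { Write-Host 'bcdedit /create output:';      $r.CreateEntryOutput }
}
```

What to look for: if CreateEntryExit is 1 with the "security ID may not be assigned as the owner" text through the JEA endpoint but 0 through the default endpoint, the difference is the virtual account's token, not the MDT module or the media share's file permissions, and the groups and privileges printed for the two runs show exactly what that token is missing. Note that a JEA virtual account is by default a member of the local Administrators group on a member server (Domain Admins on a domain controller), so "is it an admin" is not the distinguishing question; the transient SID the account runs under is.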
1 answer

What comes to mind is that the group the account is in has more than read-only permissions. I had a case where I could run any PowerShell command, but when it came to calling my own program other than PowerShell, this would give me permission problems.

The only thing besides this is to use runas in the script block, but that seems to be the whole purpose of the JEA.

+2
