Run Task Scheduler as system

Joseph Hanchey 21 Reputation points
2021-05-12T19:51:45.327+00:00

Good afternoon,

I'm trying to use Task Scheduler as a means to pull down and install updates in a closed domain network.
We do not have a WSUS (they won't let us, not sure why).
It is not connected to the internet in ANY way.
I have to download the updates and sneaker them to the domain.
We cannot push updates due to how our network is configured.
So my only choice is to have the workstations pull updates and install them.

Here is how I currently have our setup:
We have a task that any user can run.
The users only have the ability to run the task, they cannot modify it.
We also make use of batch files that users can run, but not modify.

Here's how it works:
The user runs a batch file that downloads the patches to their workstation from our domain share.
The batch file then runs a task that installs the patches.
The task uses the SYSTEM account to install the patches.
After the patches are installed, the system reboots.

Here's my question:
I know that files can be downloaded to a computer from a domain share without a user account (it's how a GPO does it).
But I don't know how to do this manually (without a GPO).
The idea I have is to have a task that will download the patches, install them, and reboot as needed. Regardless if a user is logged in or not.
I'm guessing if I knew how the GPO does it, I could reproduce it for our task.

Thank you for all your help.

v/r

Joe


2 answers

  1. MotoX80 36,291 Reputation points
    2021-05-12T20:55:58.407+00:00

    In an Active Directory environment, you can grant the computer account (system) access to share and NTFS permissions. That account is YourDomainName\TheComputerName$. Actually, if you have "everyone read" access on both the share and file/folder permissions I would think that it should work.

    Try granting access to the AD group "domain computers".

    https://learn.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domaincomputers

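Added example (not part of the thread or any poster's code): one way to set up what the first answer describes, with read-only share access for computer accounts and a SYSTEM task that pulls and installs on a schedule. The domain CONTOSO, server FS01, share Patches, the folder paths, the task name, the .msu file type and the signature check are all assumptions.

```powershell
# Constructed names (assumptions): domain CONTOSO, server FS01, share 'Patches' backed by
# D:\Patches, task 'Pull-Patches'. Patches are assumed to be .msu packages.

# --- On the file server: computer accounts get READ only. Anything writable here
# --- would end up running as SYSTEM on every workstation.
Grant-SmbShareAccess -Name 'Patches' -AccountName 'CONTOSO\Domain Computers' -AccessRight Read -Force
icacls 'D:\Patches' /grant 'CONTOSO\Domain Computers:(OI)(CI)RX'

# --- On each workstation (elevated): the script the SYSTEM task will run.
# Script and staging folder live under Program Files so standard users cannot modify them.
$root   = 'C:\Program Files\PatchPull'
$script = @'
$src   = '\\FS01\Patches'
$stage = 'C:\Program Files\PatchPull\Stage'
New-Item -ItemType Directory -Path $stage -Force | Out-Null
# SYSTEM authenticates to the share as CONTOSO\<ComputerName>$
Copy-Item -Path (Join-Path $src '*.msu') -Destination $stage -Force
$reboot = $false
foreach ($msu in Get-ChildItem -Path $stage -Filter '*.msu') {
    # Added hardening step: skip any package without a valid Authenticode signature
    if ((Get-AuthenticodeSignature -FilePath $msu.FullName).Status -ne 'Valid') { continue }
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
         -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru
    if ($p.ExitCode -eq 3010) { $reboot = $true }   # 3010 = installed, reboot required
}
if ($reboot) { Restart-Computer -Force }
'@
New-Item -ItemType Directory -Path $root -Force | Out-Null
$scriptPath = Join-Path $root 'Install-Patches.ps1'
Set-Content -Path $scriptPath -Value $script

# --- Register the task: runs as SYSTEM whether or not a user is logged on.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$scriptPath`""
$trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'Pull-Patches' -Action $action -Trigger $trigger -Principal $principal
```

Because the task runs as SYSTEM, write access to the share, the script and the staging folder should be limited to the administrators who carry the updates in.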

  2. Anonymous
    2021-05-13T02:12:48.467+00:00

    Hello @Joseph Hanchey ,

    Thank you for posting here.

    Hope the information provided by MotoX80 is helpful.

    I know that files can be downloaded to a computer from a domain share without a user account (it's how a GPO does it).
    A: Would you please tell us which GPO setting you mentioned?

    Is it the following GPO setting (copy file from one location to the other location)?

    Computer Configuration\Preferences\Windows Settings\Files
    OR
    User Configuration\Preferences\Windows Settings\Files

    But I don't know how to do this manually (without a GPO).
    The idea I have is to have a task that will download the patches, install them, and reboot as needed. Regardless if a user is logged in or not.
    A: Do you want such an existing Task Scheduler that can achieve your requirements?

    I'm guessing if I knew how the GPO does it, I could reproduce it for our task.
    A: Do you mean one GPO that can download the patches, install them, and reboot as needed, regardless of whether a user is logged in or not? If so, there are no such existing GPO settings to achieve your requirements.

    However, as I mentioned above, you can copy a file from one location to another location via GPO. Then, if the update files are .msi files, you can install the .msi files via the GPO setting below:

    Computer Configuration\Software Settings\Software installation
    OR
    User Configuration\Software Settings\Software installation

    After that, you need to manually restart every machine that applies the GPO above.

    Reference
    Use Group Policy to remotely install software
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software

    Hope the information above is helpful.

    Should you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou
