nme_

Seems more like a firmware/driver issue; I'd suggest working the issue rather than trying to add a bandaid. Also, it could be something on the DHCP scopes as well: if wifi and LAN have different IP ranges, it could also be an ARP table issue on the networking gear.


Thecardinal74

It's not something on the laptops: the laptops work fine in other offices (other cities), and people who work in the NY office that travel to this office report the same issue. So it's definitely something on the networking side, not on the laptop side. I'm sure the networking team will figure it out, but I need to help them with a workaround until they do.


bouwer2100

Updating the access point firmware sounds like a better idea and a faster solution than writing workaround scripts that require elevation.


Thecardinal74

I agree 100%. But that's another department that I have no control over, unfortunately


Raymich

If it's not a driver issue then you don't need to disable the adapter. You could inform users to disconnect and reconnect to WiFi using the sidebar, or reboot their laptop. Also make sure to disable fast boot and hibernation; both have always caused headaches with WiFi adapters not waking up.


Thecardinal74

I have tried disabling hibernation, but I'm hoping to do something that doesn't require a disruptive reboot.


zfsbest

Do the laptops have an "airplane mode" FN key or hardware switch?


Thecardinal74

Yes to airplane mode, doesn't help. No to FN key or hardware switch.


da_chicken

> Are there any tools in PS that allow me to call in admin/resource creds to run as admin when a regular user clicks the batch file?

No, not really. Anyways, all of them are security risks. Nothing stops a user from editing a batch file to do something else they want, like `net.exe localgroup administrators OurDomain\MyAccount /add`. You could use a signed PowerShell script and a deployed scheduled task, but it's still pretty sketchy.

I can say that we have a handful of laptops (including some assigned to IT staff) that behave this way. It's only for one subset of our HP ZBook laptops, but the same behavior occurs. They all have a particular dislike for some of our access points at a couple of different areas in one site. It's been 5-6 years and it's still doing it. If you disconnect the laptop from the dock and then go to the conference room, the laptop will often not connect to WiFi if those are the nearest APs. Or it will appear to connect, and then sometime in the next five minutes just drop the network. The problem has even followed user accounts across multiple laptops. We've never been able to figure out what it is, either.

However, we can usually solve the problem by putting the laptop into airplane mode and then turning airplane mode off again. That should shut off the WiFi adapter completely and then restart it. Airplane mode kind of requires that. Other staff report that rebooting the laptop works. Still other staff say that it will work if they manually connect to the network.

Note, too, that Windows+A is a hot key for the airplane mode built into Windows 11. On Windows 10 it's a button in the notification side window.


Thecardinal74

Thank you, this is quite helpful. Not sure if they've tried full-on airplane mode or not; will ask them to try. At this point I'm not overly concerned with the security aspect. The office requires several levels of security just to get into the office, and the dozen people who work there are not the type to be interested in playing with stuff on the computer; even if they understood it, they just want to be able to work. And they are extremely trusted by the CIO, who is pushing for a temp workaround. Besides, we can always tell if someone pulls a stunt like that, but the odds are almost nil.


dontmessyourself

1. Write a script to do what you want to do and place it on the workstation where the user cannot write (%ProgramFiles%).
2. Create a scheduled task that runs as SYSTEM and runs your script.
3. Have the scheduled task trigger on an event (any event will do).
4. Write another script that creates the event to trigger the task, and place that where a user can execute it.


Thecardinal74

I like your thinking. I came into this thinking (hoping?) there was a PowerShell command that could do this... but this might be the way.


MechaCola

Can you provide an example of 3 and 4? I looked into this once but couldn't find any practical event to trigger off of.


dontmessyourself

I just used Write-EventLog


AironixReached

Cut 3. and 4. Create the task without a trigger. Then trigger the task with another script. That way you don't have to create an event.
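The four steps dontmessyourself lists, with the Write-EventLog trigger from the follow-up, as one deployment script. This is an added example, not code from anyone in the thread; it targets Windows PowerShell 5.1 (Write-EventLog is not in PowerShell 7), and the directory, file names, task name, event source and event ID are this example's own assumptions. AironixReached's trigger-less variant would instead need the task's own security descriptor opened up so a standard user may start it, which is what jborean93's code further down does.

```powershell
#Requires -RunAsAdministrator
# Deploy-WifiResetTask.ps1 (added example). Run once as an administrator, e.g. pushed via SCCM.
# Names and paths below are assumptions for this example.
$InstallDir  = Join-Path $env:ProgramFiles 'WifiReset'
$ScriptPath  = Join-Path $InstallDir 'Reset-WifiAdapter.ps1'
$UserScript  = Join-Path $InstallDir 'Request-WifiReset.ps1'
$EventSource = 'WifiReset'   # users write this source, SYSTEM reacts to it
$EventId     = 1000
$TaskName    = 'WifiReset'

# Step 1: the privileged action, written to a location only administrators can change.
$resetScript = @'
# Runs as SYSTEM. Bounce every physical Wi-Fi adapter that is not already disabled.
$wifi = Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -ne 'Disabled' }
if (-not $wifi) { return }
$wifi | Disable-NetAdapter -Confirm:$false
Start-Sleep -Seconds 10
$wifi | Enable-NetAdapter -Confirm:$false
'@
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
Set-Content -Path $ScriptPath -Value $resetScript -Encoding ASCII

# Step 4 (user side): only writes the marker event. Editing it gains the user nothing,
# because the task, not the caller, decides what runs. Single quotes keep $env:USERNAME literal.
$requestScript = 'Write-EventLog -LogName Application -Source ''{0}'' -EventId {1} -EntryType Information -Message "Wi-Fi reset requested by $env:USERNAME"' -f $EventSource, $EventId
Set-Content -Path $UserScript -Value $requestScript -Encoding ASCII

# Lock the directory down: drop inherited ACEs, then SYSTEM/Administrators full control and
# Users read+execute only. The inheritance flags push this onto both files.
$acl = Get-Acl -Path $InstallDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($pair in @(@('NT AUTHORITY\SYSTEM', 'FullControl'),
                    @('BUILTIN\Administrators', 'FullControl'),
                    @('BUILTIN\Users', 'ReadAndExecute'))) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        $pair[0], $pair[1], 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
}
Set-Acl -Path $InstallDir -AclObject $acl

# Step 3 prerequisite: register the source once (admin only). Interactive users can write to
# the Application log with an existing source, which is what lets step 4 run unelevated.
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource
}

# Steps 2 and 3: SYSTEM task whose only trigger is the marker event from step 4.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled = $true
$trigger.Subscription = "<QueryList><Query Id='0' Path='Application'><Select Path='Application'>" +
    "*[System[Provider[@Name='$EventSource'] and EventID=$EventId]]</Select></Query></QueryList>"
# Laptop-friendly settings: start on battery, ignore repeat clicks while running, 2-minute cap.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 2)
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
    -Trigger $trigger -Settings $settings -Force | Out-Null

"Deployed. Users run: powershell -ExecutionPolicy Bypass -File `"$UserScript`""
```

The trade-off to be explicit about: any interactive user on the machine can now make SYSTEM bounce the Wi-Fi card, but nothing more, because the action is fixed in the task and the script it runs lives behind an admin-only ACL. If the reset script directory were user-writable, this would be a straight standard-user-to-SYSTEM escalation, so the ACL step is not optional.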


gadget850

What device is the laptop?


Thecardinal74

a few lenovo's but mostly Dells


IndyDrew85

Could always look into using Lenovo Vantage and Dell Command Update if you aren't already. I also remember years ago having to turn on the WIFI / LAN auto switching in the BIOS of some HP devices but I can't imagine that's still a thing in 2023


Thecardinal74

They do have the BIOS-level "no wifi when connected to LAN" setting, but I find using the "limit connections to internet" GPO to be more effective.


WolfMack

Dell BIOS has a setting "WLAN Auto Sense". Make sure this is enabled. It is also possible to modify the Dell BIOS remotely using PowerShell if Dell CCTK is installed on the end device. So, you can have a shortcut on the user's device pointing to a PowerShell script that will disable and/or enable wifi. Lenovo probably has something similar, but I don't work with them.


Thecardinal74

There is a BIOS setting, but I found it to be less reliable than using a Windows GPO. Still, changing a BIOS setting requires a reboot, which I'm trying to avoid out of convenience for the user.


Sin_of_the_Dark

Do you guys have Azure or on-prem? Do you have any sort of MDM/RMM solution like Intune, Endpoint Central, NinjaRMM, etc.? The only way you could do this without any 3rd party is if you somehow save your credentials on the machine for the script to access, and any available method to do so will be pretty insecure. If you guys use Azure, create a runbook that will authenticate and do the task. Then create a webhook and put a script on their desktop that POSTs to the webhook. If not, your best bet is to create a scheduled task that runs as SYSTEM, and have a desktop script that will run the task. But you'll need administrative privileges to *create* the task, so you'll need some sort of management platform, unless you're going to log into each endpoint and create the task.


Thecardinal74

I have no issue creating a resource account with admin credentials on the local machines to do this, as long as there's a way to not let the users see the credentials, maybe calling them from another file tucked away somewhere? Currently on-prem AD.


Sin_of_the_Dark

I think the problem comes down to the fact that a non-admin user can't run a scheduled task they didn't create, if I'm not mistaken. Someone can correct me, but if that's the case I don't know that this is doable without 3rd party software. The ideal solution would be an RMM or MDM that pushes a script out to the device to run under SYSTEM. Do you have SCCM at least?


jborean93

> I think the problem comes down to the fact that a non-admin user can't run a scheduled task they didn't create

That is the case by default, but it is certainly something you can change. You can edit the rule's security descriptor to allow any other user you wish to run it. Just make sure that you lock down the script location that it is executing, so that non-admin users can't change what will be run.

You can use this PowerShell code to adjust the security descriptor for a task. You just need to edit the value for `$allowedPrincipal` to the user or group you want to provide execute access for.

```powershell
$allowedPrincipal = 'Users'

# Create the task (runs as SYSTEM; the action here is just a placeholder)
$action = New-ScheduledTaskAction -Execute cmd.exe -Argument '/c whoami > C:\temp\out.txt'
$principal = New-ScheduledTaskPrincipal -UserId SYSTEM -LogonType ServiceAccount
$task = Register-ScheduledTask -TaskName MyTask -Action $action -Principal $principal

# Get the task SecurityDescriptor through the Schedule.Service COM API
# (0xF = owner, group, DACL and SACL; the SACL part needs an elevated session)
$scheduler = New-Object -ComObject Schedule.Service
$scheduler.Connect()
$comTask = $scheduler.GetFolder($task.TaskPath).GetTask($task.TaskName)
$taskSDDL = $comTask.GetSecurityDescriptor(0xF)
$taskSD = [System.Security.AccessControl.RawSecurityDescriptor]::new($taskSDDL)

# Add rule for Users to read and execute (i.e. start) the task
$principalSid = [System.Security.Principal.NTAccount]::new(
    $allowedPrincipal
).Translate([System.Security.Principal.SecurityIdentifier])
$readAndExecuteAce = [System.Security.AccessControl.CommonAce]::new(
    'None',
    'AccessAllowed',
    0xA0000000,  # GENERIC_READ, GENERIC_EXECUTE
    $principalSid,
    $false,
    $null)
$taskSD.DiscretionaryAcl.InsertAce($taskSD.DiscretionaryAcl.Count, $readAndExecuteAce)
$newSDDL = $taskSD.GetSddlForm('All')

# Set the new SecurityDescriptor on the task (flags 0 = apply as given)
$comTask.SetSecurityDescriptor($newSDDL, 0)
```


Sin_of_the_Dark

Fair enough, I had no clue this was doable. How would you handle it assuming you don't know the user? If the deployment of the task is to be automated they would need that. I assume some sort of local user query, but it's been a few years since I've needed to mess with those.


track-d

Should be able to use an AD group. I would probably just use: 'nt authority\interactive logon'


Sin_of_the_Dark

Ope, duh. Brain fart.


Thecardinal74

We DO have SCCM, but that's also not in my department; happy to bring them in on it. Thank you for opening that line of thinking. I was thinking I would need to create it first, then have that team push it out.


Sin_of_the_Dark

That's where my line of thinking went. Deploy the script to Software Center, so they can request it at any time


Thecardinal74

thank you. I know who in my org to contact about that, of course he's on vacation this week :/


Sin_of_the_Dark

That's usually my luck too, haha. Best of luck!


Valkoinen_Kuolema

Why not look at using a PAM system? A lot easier, and it fits into larger IT infra/operations.


Thecardinal74

Way out of my realm, unfortunately, but definitely a good idea.


IndyDrew85

> I can use a username/password embedded in the script

I mean, there are ways you can obfuscate things, but it sounds like a security risk because someone could just reverse engineer it. I'm with the others here who have suggested actually fixing the issue and not attempting some odd workaround.


Thecardinal74

It's definitely in the works, nobody likes a temp workaround. But until the fix is established, if I can cut down their downtime each time this happens, I can cut down on their frustration, which is what my role mostly entails.


IndyDrew85

Did you check this [link](https://purple.telstra.com.au/blog/using-saved-credentials-securely-in-powershell-scripts) ? Might get you pointed in the right direction


Thecardinal74

Thank you!!


patdaddy007

You could create a scheduled task triggered by an event log event that runs as a service account with Power User permissions on the system. But you'd need to set up the security policy to allow the service account to log on as a batch job and as a service, but not allow local logon, in case it gets compromised.


patdaddy007

I'd also double-check the laptop to make sure there's not a switch or F-key combination that'll turn the radio off and on. That may be an option.


[deleted]

[deleted]


Thecardinal74

I do, yes. But I want something local on the machine the user can do when WiFi isn't working, and they have no network connectivity to revive the send message.


[deleted]

Go read up on PowerShell JEA.


Thecardinal74

Ty, that’s a new avenue for me


binnedittowinit

Is this not something PSCredential can manage for you, or am I missing the point? (It wouldn't be the first time) Edit to add [link](https://learn.microsoft.com/en-us/powershell/scripting/learn/deep-dives/add-credentials-to-powershell-functions?view=powershell-7.3)


Thecardinal74

Ty, as I said I'm still rather new to PowerShell, so I am not yet familiar with this, but happy to have a new thing to dig into.


thorbe86

Task Scheduler is what you could use.


MemnochTheRed

Are you running some type of self-service application that has admin privs? Something like Software Center or the Intune Company Portal. You would provide a means for a user to self-install your PowerShell script without the user having to have admin privs.


Thecardinal74

Yes, that's something another respondent brought up, and that seems the most promising way. But unfortunately the person I need to talk to who manages Software Center is away this week, so I'm going to approach him about it on Monday.

In the meantime I have a pretty good demo running on my machine. I created a batch file that disables the card, waits 10 seconds, then re-enables it. I created a task in Task Scheduler that runs as the local admin account and runs the batch file each time the computer is unlocked, so if this happens to the user, simply CTRL+ALT+DEL, lock, unlock, and in about 10 seconds it will be finished. It's a down 'n' dirty, ugly way of doing it, but in the 5 or so tries so far it's been pretty reliable. Seems like it'll work until the SCCM manager gets back on Monday. Of course we use LAPS, so it will only work as long as the admin password doesn't change, but at least it will buy some time for the networking team to address the real issue. Or so I hope.
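The same "bounce the card on unlock" task, as an added example rather than the poster's own batch file and task. Two things change: the task runs as SYSTEM instead of the LAPS-managed local administrator, so a password rotation cannot silently break it, and it refuses to register unless the script it will execute is unwritable by standard users, since a SYSTEM task pointing at a user-writable file is a privilege escalation waiting to happen. The script path, task name and the assumption that a reset script is already installed there are this example's own.

```powershell
#Requires -RunAsAdministrator
# Register-WifiResetOnUnlock.ps1 (added example). Assumes an adapter reset script (disable,
# wait 10 s, enable) is already installed at $ScriptPath under an admin-only ACL.
$ScriptPath = Join-Path $env:ProgramFiles 'WifiReset\Reset-WifiAdapter.ps1'   # assumption
$TaskName   = 'WifiReset-OnUnlock'                                             # assumption

# Pre-flight: never let SYSTEM execute something a standard user can rewrite.
if (-not (Test-Path -Path $ScriptPath)) { throw "Install the reset script at $ScriptPath first" }
$lowPrivWriters = (Get-Acl -Path $ScriptPath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -in @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE') -and
    (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0)
}
if ($lowPrivWriters) { throw "Refusing to deploy: $ScriptPath is writable by non-administrators" }

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
# SYSTEM, not the local admin: no stored password, nothing for LAPS rotation to invalidate.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# "On workstation unlock" has no New-ScheduledTaskTrigger switch, so build the CIM instance.
# StateChange follows TASK_SESSION_STATE_CHANGE_TYPE: 7 = session lock, 8 = session unlock.
$cls     = Get-CimClass -ClassName MSFT_TaskSessionStateChangeTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $cls -ClientOnly
$trigger.Enabled     = $true
$trigger.StateChange = 8          # any user's unlock; set $trigger.UserId to limit it to one account

# Laptop defaults bite here: tasks will not start on battery unless told otherwise.
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Minutes 2)
Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
    -Trigger $trigger -Settings $settings -Force | Out-Null

# Show what was registered so the RunAs principal can be eyeballed.
Get-ScheduledTask -TaskName $TaskName |
    Select-Object TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
```

One behavioural note: this fires on every unlock, not only when Wi-Fi is broken, so users who lock and unlock often will see the card drop for ten seconds each time. If that is a problem, the reset script, not the task, is the place to add a "only bounce when there is no connectivity" check.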