vpodans
Posts: 35
Joined: Tue Dec 27, 2011 3:03 pm

Do not require administrator permissions for hosted DevOps tasks

We are using Advanced Installer to build installers using Azure DevOps and generally it works like a charm!

However, we found a problem when we moved from cloud-hosted to self-hosted agents, where we run build agents on our VMs. We use the least privilege principle and didn't grant the agent account administrator permissions, though the agent service account has full permissions on the working directory. This resulted in a failed "https://marketplace.visualstudio.com/it ... -BuildTask" which fails with this error:

==============================================================================
Task         : Advanced Installer Build
Description  : Build setup packages using Advanced Installer.
Version      : 3.0.0
Author       : Caphyon
Help         : 
==============================================================================
Downloading: https://www.advancedinstaller.com/downloads/updates.ini
Checking if a cached copy exists for this version...
Cache does not contains this Advanced Installer version. Will be downloaded and installed.
Downloading Advanced Installer. URL: https://www.advancedinstaller.com/downloads/22.5/advinst.msi
Downloading: https://www.advancedinstaller.com/downloads/22.5/advinst.msi
Extracting Advanced Installer
"C:\Windows\system32\msiexec.exe" /a "D:\a\_work\_temp\326a6673-5d4f-45da-b01d-b66d6bf1a2af" TARGETDIR="D:\a\_work\_temp\AdvancedInstaller\resources" /qn /l*v "D:\a\_work\_temp\AdvancedInstaller\advinst_install.log"
The Windows Installer Service could not be accessed. This can occur if the Windows Installer is not correctly installed. Contact your support personnel for assistance.

##[error]Failed to extract Advanced Installer.

We spent a fair amount of time figuring out where the problem is. As a test, we added the service account to the local administrators group and the installer tool task succeeded. We removed the service account from the group and it failed again. Right now, Advanced Installer is the only DevOps task that requires local administrator permissions, which is quite challenging.

Of course, we can cache the tool, but then we will have to repeat this process every time we upgrade to a new version. It would be nice if you could provide an installer version which could be installed as part of a DevOps pipeline without requiring administrator permissions.
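Added example, not part of the original post and not Caphyon's code: a preflight step that records which account the agent runs as, whether it holds administrator rights, whether it can write to the temp folder the task extracts into, and the state of the Windows Installer service named in the error. It assumes it runs as a PowerShell step before the Advanced Installer Build task and that the `AGENT_TEMPDIRECTORY` environment variable is set by the agent.

```powershell
# Added example (not Caphyon's code): preflight report for a self-hosted agent.
# Assumption: run as a PowerShell step before the Advanced Installer Build task.
param(
    # Agent.TempDirectory as exposed to scripts; falls back to the current folder.
    [string]$TempDir = $(if ($env:AGENT_TEMPDIRECTORY) { $env:AGENT_TEMPDIRECTORY } else { (Get-Location).Path })
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# Write probe: proves the account can create and delete files where the task extracts.
$probe = Join-Path $TempDir ("preflight-{0}.tmp" -f [guid]::NewGuid())
try {
    [IO.File]::WriteAllText($probe, 'probe')
    Remove-Item -LiteralPath $probe -ErrorAction Stop
    $canWrite = $true
} catch {
    $canWrite = $false
}

# State of the Windows Installer service named in the task's error message.
$msi = Get-Service -Name msiserver -ErrorAction SilentlyContinue

$report = [pscustomobject]@{
    Account          = $identity.Name
    IsAdministrator  = $isAdmin
    TempDir          = $TempDir
    TempDirWritable  = $canWrite
    MsiServiceStatus = if ($msi) { "$($msi.Status)" } else { 'not readable' }
}
$report | Format-List

# Surface the findings in the pipeline log using Azure DevOps logging commands.
if ($isAdmin) {
    Write-Host "##vso[task.logissue type=warning]Agent account $($identity.Name) holds administrator rights."
}
if (-not $canWrite) {
    Write-Host "##vso[task.logissue type=error]Agent account cannot write to $TempDir."
    exit 1
}
```

Keeping this report in the build log makes a later change to the agent account's group membership visible in the pipeline history.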
Catalin
Posts: 7664
Joined: Wed Jun 13, 2018 7:49 am

Re: Do not require administrator permissions for hosted DevOps tasks

Hello,

Please note that this is more of a chained behavior.

Advanced Installer is installed on the agent silently.

In turn, silent installations can only be done by an admin account - this is a security measure from Microsoft so the user is aware of what is going on on his machine.

For that reason, installing an MSI silently can only be done from an elevated command prompt - this you can test yourself by taking any msi and trying to install it silently from a command prompt that wasn't launched using "Run as administrator". It will not error out, since it was silent, but you will notice that nothing is installed. At most, you can find more details in the "Event Viewer".

Advanced Installer is also a product that is installed per-machine, which makes it available for all users accessing that machine. A per-machine installation also requires admin rights since it is installed by default in the %programfiles% folder, which by default requires admin rights (e.g. creating a folder there will require admin rights).

That being said, I'm afraid that this request cannot really be completed, despite the scenario being really valid. :(

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
vpodans
Posts: 35
Joined: Tue Dec 27, 2011 3:03 pm

Re: Do not require administrator permissions for hosted DevOps tasks

Catalin, thanks for your response; it explains some of my observations during testing. But I have a couple of other questions related to this.

OK, the Advanced Installer tool is per-machine and requires administrator permissions to install. Then I would expect the following workaround to work, which could solve my concern in a different way, but which doesn't work: install Advanced Installer on a machine manually, then let the Advanced Installer Build task skip the tool installation part (it is already installed on the host), find the already installed AI and go straight to building the AIP project. However, the existing task definition is not able to find the already (manually) installed AI and still tries to silently install it.

Is it possible to update the task definition to discover a manually installed AI (in Program Files) and use it, and if not, fall back to downloading and installing the tool silently?
Catalin
Posts: 7664
Joined: Wed Jun 13, 2018 7:49 am

Re: Do not require administrator permissions for hosted DevOps tasks

Hello,

I apologize for such a delayed reply on this!

Did you manage to get this to work?

Do you run the task on exactly the same machine you manually installed Advanced Installer on? If so, then the installation should indeed be skipped.

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team