Purpose:
You wish to understand the different run mode options within PDQ Deploy and how to use them.
Resolution:
There are four run modes available to use in your packages. Each one can be set at the package level, where it becomes the default for every step in that package, or at the step level, where an individual step needs a different run mode than the rest of the package. You can also set a global default run mode to apply to all of your packages if you find the standard option does not suit most of the packages you create; the global setting is in the Deployments tab of the Preferences window.
Keep the security consequences of your choice in mind. Windows keeps credentials in places an attacker with local access can read: logon credentials are cached in memory (LSASS) on any machine they are used on, and service "Run As" credentials are stored on the host. Credential-dumping tools such as Mimikatz read these, so an attacker who has compromised a single managed computer may be able to recover the credentials used there, including the Deploy User credentials, and move laterally through your network. For this reason, PDQ recommends respecting the principle of least privilege and using technologies such as LAPS, which gives each computer its own unique local administrator password, to limit the lateral compromise of your network if one managed computer is compromised. For more information, see PDQ Deploy & Inventory on Security.
Run Mode | Uses
--- | ---
Deploy User | The run mode most deployments will use. The step runs in the background under the configured Deploy User credentials, so software with silent install parameters installs with no user interaction. Because this works for the large majority of deployments, keep it as the global default in Preferences.
Deploy User (Interactive) | For installers that have no silent install parameters. The step still runs in the context of the Deploy User credentials, but any prompts appear on screen for whichever user is currently active on the target machine. This suits installations that require administrative permissions but cannot complete without some manual input. These deployments run more slowly, because they have to interact with more processes than a silent installation, so use this mode only for the packages or steps that genuinely need the interaction. Keep in mind that any dialog the installer shows to a standard user is being drawn by a process running with administrative rights. This option is only available in Enterprise mode.
Local System | Runs the step as the Local System account on the target computer. The Deploy User credentials are still used to make the initial connection, create the runner service and copy files, but the runner service is then set to log on as Local System before it executes the step. Tasks that actually require Local System permissions are very rare. The account has full, unrestricted access to the target machine, but it authenticates to the network as the computer account rather than with the Deploy User credentials, so it normally cannot reach network shares: any files the step needs should be copied to the target in a separate step that uses a different run mode.
Logged on User | Like "Deploy User (Interactive)", this runs an interactive session and accepts user input, but the runner service is started with the credentials of the currently logged-on user. Even though the service starts as that user, the commands still run elevated whether or not the user has administrator permissions. This gives the step access to user-specific environments such as the user's HKEY_CURRENT_USER registry hive and %APPDATA% folder, and lets scripts reference the user's environment variables. If no user is logged on to the target when the step runs, the step falls back to running as Local System; to avoid that, use the Logged On State condition in the Conditions tab of the package or the individual step so the step runs only when a user is logged on. This option is only available in Enterprise mode.