
Access Denied on Powershell Start-Process within AzureDevOps task

I have an Azure DevOps task which needs to execute a Powershell script on a VM. The inline script generates a credential which is used as a parameter for the Powershell process being started.

- task: AzureCLI@2
  inputs:
    azureSubscription: 'MySubscription'
    scriptType: 'ps'
    scriptLocation: 'inlineScript'
    inlineScript: |
      az vm run-command invoke --command-id RunPowerShellScript --name $(MyVmName) -g My-RG --scripts `
        "`$pw = ConvertTo-SecureString `"$(PasswordSecret)`" -AsPlainText -Force" `
        "`$cred = New-Object System.Management.Automation.PSCredential 'Vm1\localadmin',`$pw" `
        "Start-Process PowerShell -Cred `$cred -ArgumentList '-noexit','-File','C:\Users\localadmin\Documents\deploy.ps1'"

However, it appears that the Start-Process itself is getting Access Denied:

2021-04-21T22:15:29.6078202Z       "message": "Start-Process : This command cannot be run due to the error: Access is denied.\nAt C:\\Packages\\Plugins\\Microsoft.CPlat.Core.RunCommandWindows\\1.1.8\\Downloads\\script11.ps1:3 char:1\n+ Start-Process PowerShell -Cred $cred -ArgumentList '-noexit','-File', ...\n+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n    + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException\n    + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand"

The inline script below can be found on the VM and executed successfully using the same credentials that are used to generate the $cred. But I'm guessing that since the DevOps task is running under a different, less privileged account, it doesn't have access to the Start-Process cmdlet.

Is there a way around this?

(Note: for several reasons beyond the scope of this post, I can't use the Powershell on Target Machines task, but I have in fact tried that.)

Are you running as a hosted agent? Are you using a deployment pool?

What I've tried is setting the local deployment agent service credentials on the machine: the service has a name like Azure Pipelines Agent. You can configure a Log On As account in the services pane and restart the service to enable the agent to run as that account.

This isn't a full answer but I can revisit and update based on your response and maybe we can figure out our problems together.

Edit: After a couple hours of labor I've unblocked myself by using .cmd instead of PowerShell. I discovered though that because the agents are running as services the .exe is not being launched unless in interactive mode. The deployment will continually 'run' while the .exe is running, otherwise. Instead of doing this, I decided to just reboot the computer using cmd and having the startup task run what I need.

Maybe your answer could be similar: place the script with the agent into the startup task, then reboot the computer and allow it to run it on its own.
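The context check and the startup-task fallback suggested in the answer above, as an added example that is not part of the original question or answer. It reuses the account and script path from the question; the task name, the -NoProfile argument and the idea of passing the pipeline secret in as a parameter are assumptions.

```powershell
# Added example: find out why Start-Process -Credential fails under
# 'az vm run-command' and fall back to a scheduled task, as the answer suggests.
# Assumed: $Password is the pipeline secret ($(PasswordSecret) in the question).
param(
    [Parameter(Mandatory)][string]$Password,
    [string]$User       = 'Vm1\localadmin',
    [string]$ScriptPath = 'C:\Users\localadmin\Documents\deploy.ps1',
    [string]$TaskName   = 'Deploy-OnStartup'   # assumed name
)

function Get-RunContext {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    [pscustomobject]@{
        User          = $id.Name
        IsLocalSystem = ($id.User.Value -eq 'S-1-5-18')   # SYSTEM: what run-command uses
        SessionId     = (Get-Process -Id $PID).SessionId  # 0 = non-interactive service session
        Interactive   = [Environment]::UserInteractive
    }
}

$ctx = Get-RunContext
$ctx | Format-List | Out-String | Write-Host

if ($ctx.IsLocalSystem -or $ctx.SessionId -eq 0) {
    # Start-Process -Credential goes through CreateProcessWithLogonW, which the
    # Windows docs say cannot be called from a LocalSystem process; that is the
    # "Access is denied" seen in the question. The Task Scheduler logs the user
    # on itself, so hand the script to it instead of spawning a process here.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -File `"$ScriptPath`""
    $trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -User $User -Password $Password -RunLevel Highest -Force | Out-Null
    # Kick it off now rather than waiting for the reboot; it runs as $User, not SYSTEM.
    Start-ScheduledTask -TaskName $TaskName
} else {
    # Interactive, non-SYSTEM context: the original approach works as written.
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential ($User, $secure)
    Start-Process powershell.exe -Credential $cred -ArgumentList '-File', $ScriptPath -Wait
}
```

The task stores the password via the Task Scheduler's own credential store rather than on disk in the script, and Unregister-ScheduledTask can remove it once the deployment no longer needs to run at boot.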
