Deployment script is running under machine account and not under test agent account

Recently a customer asked an interesting question: his test agent runs under a local account (machineName\myaccount), yet the deployment script does not run under that account and instead runs under a machine account. This happens because the deployment script is executed by the lab agent, a separate service named “visual studio lab agent” on the lab machine, and not by the test agent. The lab agent on that machine was running under the default “system” account.

The lab agent, rather than the test agent, executes the script because the lab agent runs under a high-privilege machine account, while the test agent runs under a very low-privilege account. Raising the privilege of the test agent account was not an option, because that account is used to execute code (read: tests).