I am beating me head against the wall on this (hence it's friday night at 8:40pm and I am still trying to get this figured out).
Basically I want to use PSADT to install a msi as the logged on user context and push it out with Intune. I have tried v3 and v4.1.2.
Originally with v3 I tried leaving it as execute-msi and then change the xml to require admin to false. This worked fine locally but when uploaded to Intune and deploy as the user context, it failed.
Then I tried v4.1.2 and using Start-ADTMsiProcessAsUser and different configurations with that and no luck. I've search here, google, reddit and haven't found a sure fire way to accomplish this.
I've also tried launching the msi from within a bat file and didn't have any luck with that. If anyone has a way that has worked for them recently please let me know. I'm tapping out for the night lol.
Regardless, you need to make the MSI create a log file to see what is really going on. And you must make it create the log file in a folder where the user has permissions to create the log file.
This msi is meant to be installed as the user. It's a tax app that during the tax season has updates often and they offer a user install or a admin install. In the past we have used the admin install but when it needs to be updated, you have to enter admin creds for every time it needs updating. The thought is to install it with the user install msi that doesn't require elevation, so that way the user can run their own updates without needing IT.
And I have installed it by just double clicking the user install msi and going through the prompts without any elevation prompts so I know it works. That's what I was trying to accomplish with PSADT, to install this as the user context but haven't had any luck.
Then just scope the Intune app as user when uploading. If the system/user toggle is greyed out, then the MSI has ALLUSERS=1 set, in which case you'll need to amend the MSI if it truly can be installed as a non-privileged user, or contact the vendor and tell them to be better.
Then PSADT isn't likely going to be some magic pill that solves your issue. If the MSI can't be installed user-scoped, you'll need to modify it or contact the vendor as mentioned above.
Can the app be installed in user context without elevation? If not, then running Start-ADTMsiProcessAsUser from System won't help, since it ultimately still runs in user context.
If it can install in user context without elevation, make sure you have RequireAdmin = $false in your PSADT v4.1.x deployment script, and make sure the app is deployed in user context and not system.
If the user-context install does need admin rights, you can open your package in an MSI editor (like Master Packager) and inspect the Summary Information to see if UAC is required or not. If it does need UAC, but all the files go to the user profile, all the registries go to HKCU, and no custom actions need elevation, then this might have been set incorrectly by the vendor.
Still no luck. I don’t have a license of Master Packager, but I do have Orca installed. Inside of Orca, if I click View, Summary, UAC Compliant is checked off. But I will say, with this MSI, if I double click it on my machine locally, I can click through all the prompts and install without ever needed to elevate creds (my account does not have admin rights). If I uncheck that UAC Compliant box and save the MSI, when I go to run it, I get the UAC prompt immediately. Is there anything else inside of Orca I should look into? It just throws me off because again, if I install it locally going through the prompts, it installs it to “Users$CurrentUserName\AppData\Roaming\1099Express\1042Express Enterprise 2025 (Single User)\Bin\T42.exe”, so you would assume that everything I am trying would work as the user context. If I install the MSI with Intune without using PSADT, just the MSI, I have no problem to install it. The reason I’m trying to use PSADT, is because once you open the application you need to put in the license code and let it activate. I want to use PSADT to display the license code in a pop up for the user to continue the install once it’s installed. So the process would be install, Prompt the user that it was installed and give them the code, open up the application so the user can activate it.
This is my install line I’m using to install the package:
My package in Intune, install behavior is set to User. Install command is Invoke-AppDeployToolkit.exe -DeploymentType Install -DeployMode Silent
If you want to check out the MSI yourself, it’s from a small tax software company. Downloads - 1099 Express
The download doesn’t require you to purchase, and you can install without a license. When you open it up, it requires you to activate with a license. I’m trying to install the 1042-S Express for 2025 (the Just Me Column install). In the past we have done the “Everyone using the machine” install, which does work with PSADT. The problem is this software comes out with updates frequently (think of turbotax or any of that software), as new tax changes happen throughout tax season. If we install the “Everyone using the machine” version, it requires Admin creds every time it needs to be updated. If we install the “Just me” version, the user can update as updates come out without bothering IT.
If the MSI installs as a user without requiring elevation, then the solution here is simple. Use Start-ADTMsiProcess instead of Start-ADTMsiProcessAsUser.
The latter is only for use when you are running under the System account and need to force msiexec to run in user context.
Also, leave out the -ArgumentList /qn. We do all that for you including adding the logging switch, so all that achieves there is turning off the logging for the MSI. If you ever need to add properties, use -AdditionalArgumentList and it will append to the default MSI switches the toolkit uses.
BTW Master Packager has a free edition, and it wipes the floor with Orca. You are doing yourself a disservice by not using it!
I used what you said for the install and it still fails.
Start-ADTMsiProcess -Action 'Install' -FilePath 'T42Express2025SingleUser.msi'
Is there somewhere that would populate a error code or log that I could see? Because at this point I'm pretty stumped.
Also on master packager website (Master Packager) masterpackager_25.8.9487.msi that download link only installs a paid version. Master Wrapper opens up and works free but master packager wants a license code. So not sure if I'm just missing something or there is somewhere else to go and download it from.
Just to chip in here...
If you are wanting PSADT to Prompt the user, then the command line with -Deploymode Silent would be incompatible with this would it not?
I would NOT define the -Deploymode switch on the command line so it runs interactive (Default), see: How to Deploy · PSAppDeployToolkit
If you're testing via Intune/ConfigMgr, stop and test locally until you have it working.
Logs are written to C:\ProgramData\Logs\Software if running without admin rights, or C:\Windows\Logs\Software if running with admin rights. Or, just run Invoke-AppDeployToolkit.exe with the /debug switch to get the live log output on screen. If it got as far as executing the MSI, there will be an MSI log. If it started up but failed to find the MSI, you'd see that in the toolkit log. If it failed to execute the script because of a syntax error, you should see the error on screen if using the /debug switch (otherwise look in the event viewer).
You cannot remove it by machine and install it by user. This would only be possible if you create a replacement in SCCM/Intune.
in Intune or SCCM per user
RequireAdmin = $flase #$false Installation per User / $true Installation per Mashine