I have an installer, which runs from a network share and requires admin privileges to install. This doesn't work as SYSTEM, and it's ridiculous to expect our guys to enter admin creds for staff.
I have tried signing Invoke-AppDeployToolkit.exe with our own code signing certificate, but it doesn't seem to run, and the exe icon in Task Manager doesn't show correctly. Is there a better way to create a new file hash for the exe? I can't leave it as-is, otherwise that allows any package to run elevated as the user. Otherwise, is there a way the PowerShell script could run without the module being installed, and not using the exe?
Am I trying too hard, and should maybe just call a basic PowerShell script and scrap trying with PSADT?
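Two checks that belong with the signing and hash-rule question above, as an added PowerShell example (not from this thread and not PSADT's own code): sign the launcher with the organisation's code-signing certificate, confirm the signature is actually valid, and only then take the SHA-256 for the elevation rule, because signing changes the file's hash. The package path, certificate subject and timestamp server URL are assumptions.

```powershell
# Added example, not from the thread or from PSADT. Path and cert subject are assumptions.
$exe = 'C:\Packages\MyApp\Invoke-AppDeployToolkit.exe'   # assumed package path

# Pick the org's code-signing cert from the user store (assumed subject name).
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.Subject -like 'CN=Contoso Code Signing*' } |
    Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My.' }

# Sign with SHA-256 and an RFC 3161 timestamp so the signature outlives the cert.
$sig = Set-AuthenticodeSignature -FilePath $exe -Certificate $cert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'
if ($sig.Status -ne 'Valid') {
    throw "Signing failed: $($sig.Status) - $($sig.StatusMessage)"
}

# Re-read the file from disk: Status must still be Valid. NotSigned, HashMismatch,
# NotTrusted or UnknownError (untrusted chain) mean the binary is not what the
# elevation rule should be trusting.
$check = Get-AuthenticodeSignature -FilePath $exe
if ($check.Status -ne 'Valid') {
    throw "Signature check failed: $($check.Status) - $($check.StatusMessage)"
}

# Only now compute the hash: the signature is appended to the PE, so any hash
# taken before this point no longer matches the file. This is the value for the rule.
$hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
Write-Output "Signed by $($check.SignerCertificate.Subject); SHA256 = $hash"
```

Run this on the packaging machine after the certificate is installed, and re-run it on every rebuild of the package: a file-hash rule is tied to one exact file, so the hash has to be captured again whenever the exe changes.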
I don't think that is going to work. These aren't domain joined computers, they're Autopilot, Entra joined and Intune managed. The installer also does this stupid permission thing where it tries to give %userdomain%\loggedonuser full access to a file, but the logged on user is SYSTEM, it can't find %userdomain%\SYSTEM and screws the install up anyway. Needs to be a user based install, so I think I need to just get the installer files copied and then instruct users to "Run with elevated access".
If you're working with Intune devices, just don't run stuff off a network share. It's 2026, and using file shares with your beautiful, shiny, new cloud management platform is the quickest way to gimp it.
Mixed bag at the moment unfortunately, and this software... easier said than done I'm afraid. I'm not disagreeing, but this wouldn't run on SharePoint.
You can't pack it into a .intunewin file because of size limitations, or something else? I'm just wanting to better understand the lay of the land so I give meaningful responses
I can pack the files into an intunewin file and download them to a persistent location. From there, create a shortcut, which the user can click and select "Run with elevated access".
The issue I think is also how the file gets elevated, so running manually works, you need to have the rule set as "elevate as current user" so they then run, and it asks for the WHfB PIN or your mug shot on the camera. I'm not aware of any PowerShell capability to select the option.
There needs to be access to the share, as there are a bunch of ini files telling the installer what is on the server, and what software needs to be installed and database location etc.
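The copy-and-shortcut step described above, as an added PowerShell example (not the thread's own script and not PSADT code). It is meant to run as SYSTEM from the extracted .intunewin payload: it copies the installer to a persistent machine-wide folder, tightens that folder so standard users can only read it (a file that an elevation rule will elevate must not be replaceable by the user, and the default ProgramData ACL lets users create files there), records the hash of what was actually laid down, and drops a shortcut the user can right-click. The folder, file and shortcut names are assumptions; the ini files pointing at the share are left exactly as shipped.

```powershell
# Added example, not from the thread or from PSADT. All paths and names are assumptions.
$source = Join-Path $PSScriptRoot 'Payload'            # extracted .intunewin contents (assumed layout)
$dest   = 'C:\ProgramData\Contoso\MyAppInstaller'      # persistent, machine-wide location (assumed)
$target = Join-Path $dest 'setup.exe'                  # the installer the user will elevate (assumed name)

# Copy the payload; the ini files that reference the share are not modified.
New-Item -ItemType Directory -Path $dest -Force | Out-Null
Copy-Item -Path (Join-Path $source '*') -Destination $dest -Recurse -Force

# Lock the folder down: SYSTEM and Administrators full control, Users read/execute only.
# Without this, a standard user could swap the file the elevation rule trusts.
icacls $dest /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Users:(OI)(CI)RX' | Out-Null

# Record the hash of what was actually installed, for comparison against the rule.
$hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Set-Content -Path (Join-Path $dest 'installed.sha256') -Value $hash

# Shortcut on the public desktop so the user can right-click it and elevate.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut((Join-Path $env:Public 'Desktop\Install MyApp.lnk'))
$lnk.TargetPath = $target
$lnk.WorkingDirectory = $dest
$lnk.Description = 'Right-click and choose Run with elevated access'
$lnk.Save()
```

The existence of the copied exe (or the installed.sha256 file) doubles as the Win32 app detection rule in Intune. The share still has to be reachable when the user actually runs the installer, since the ini files point at it; the copy only removes the need to launch the exe itself from the share.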
Unsure if this helps,
We have a legacy application that until recently was run from a DFS share and required SQL connections to our on-premises SQL Server. This setup created numerous reliability issues when the end user's network/VPN dropped, so we decided having the executables locally would resolve most of the network brown-out issues.
So we downloaded the application files from the DFS folder structure to a local folder on our packaging machine, then wrapped them in PSADT and finally created an Intunewin file.
We then deploy this as a Win32 app from Intune directly to our Entra joined machines, installed as SYSTEM.
This was done in part to get rid of the last remaining Hybrid joined machines from our estate.
The result is a rock solid application that runs on the client device, and if the network connection to the SQL server is unavailable, it just retries at a later stage.
@Chris0, although you haven't detailed what the app is you are trying to deploy (like I haven't), it should be possible to achieve what you are trying to solve.
I'm not sure that will work in all honesty. It's a really awkward application that has been installed like this for years. There's an application that runs on the local drive, but server elements that must run from the server, it won't work on multiple workstations like that.
The install itself is easy, but getting it to run as a user without admin rights is horrendous.
I even tried dropping this with a transform, but no good, it wouldn't read a transform.