Invoke-AppDeployToolkit.exe User Context

Something strange happened and I need your help.

In March, I created an app X that installs in user context (in Intune) with the parameter $RequireAdmin = $false (in the script). In Intune, I see 20 successful installations with no errors.

This week I prepared another application Z with exactly the same logic, but I was never able to install it after publishing it (if I run it manually on the local machine, it works fine).

I noticed two events in the Event Viewer, which I am sharing attached. What’s interesting is that if I now run that first app X through the Company Portal, it also fails.

Since it worked before, I started thinking about what might have changed recently (updates). I also tried with older Windows builds, with no success. I also tested without our antivirus/EDR, still no success.

The only thing I can think of is the Company Portal version, but I don’t see how that would be related.

Can someone help me?

Can you please post the portion of the PSADT log file with the error?
Because you used $RequireAdmin = $false, it should be in C:\ProgramData\Logs\Software
It's set in \Config\Config.psd1

Yeah, so… there is no log. We are one step behind. The only thing I have are these Event Viewer entries.

As you've mentioned, there won't be any such logs on the disk as this issue has occurred too early in the process.

Do you use any kind of application control in your environment? AppLocker? WDAC? Typically this is what would cause it.

It's not an unrecognised issue, there's lots of Google hits for such a problem: Google Search

AppLocker, yeah… how did I miss that? I will try that with AppLocker out of the picture. Thanks

I'm aware you have realised AppLocker may be the cause, but I thought it might be worth sharing with others the other thing to consider (that may have slightly similar behaviour) is if you have any Attack Surface Reduction (ASR) rules.
These are Microsoft Defender endpoint security settings designed to prevent malware and suspicious behaviors (such as unauthorized script execution, ransomware payloads, or malicious Office macros) from compromising your devices. So they could be kicking in and preventing the app from running. You can configure exclusions in this that may help.
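
One way to check whether AppLocker, WDAC or an ASR rule actually blocked the launcher, instead of switching each control off in turn. This is an added example, not part of the thread or of PSADT; the 24-hour window is an assumption, and the channels and event IDs are the standard Windows ones for block and audit events.

```powershell
# Added example: search the application-control and Defender logs for
# block/audit events that mention the toolkit launcher.
$since   = (Get-Date).AddDays(-1)      # assumption: the failed install ran in the last 24 hours
$pattern = 'Invoke-AppDeployToolkit'   # launcher file name from the thread (.exe and .ps1)

# Channel and event IDs per control (audit ID first, block ID second).
$sources = @(
    @{ Name = 'AppLocker EXE/DLL';    Log = 'Microsoft-Windows-AppLocker/EXE and DLL';        Ids = 8003, 8004 }
    @{ Name = 'AppLocker MSI/Script'; Log = 'Microsoft-Windows-AppLocker/MSI and Script';     Ids = 8006, 8007 }
    @{ Name = 'WDAC';                 Log = 'Microsoft-Windows-CodeIntegrity/Operational';    Ids = 3076, 3077 }
    @{ Name = 'Defender ASR';         Log = 'Microsoft-Windows-Windows Defender/Operational'; Ids = 1122, 1121 }
)

$hits = foreach ($s in $sources) {
    $filter = @{ LogName = $s.Log; Id = $s.Ids; StartTime = $since }
    # SilentlyContinue: a channel with no matching events raises a non-terminating error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object @{ n = 'Source'; e = { $s.Name } },
                      TimeCreated,
                      Id,
                      @{ n = 'UserSid'; e = { $_.UserId } },
                      Message
}

if ($hits) {
    $hits | Sort-Object TimeCreated | Format-List
} else {
    "No block or audit events mentioning $pattern since $since"
}
```

Run it from an elevated PowerShell session on the affected device shortly after a failed install. The UserSid column shows which account the blocked process ran as, which matters for a user-context deployment.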

It still doesn’t work even with AppLocker out of the picture. I’m completely out of ideas.

I tried changing the command to this and it worked:

%SystemRoot%\Sysnative\WindowsPowerShell\v1.0\powershell.exe -ex bypass -file Invoke-AppDeployToolkit.ps1 -DeploymentType Install -DeployMode Interactive

Any idea what is going on here?

I’m going to run some tests with a clean enrollment profile, without anything corporate, just to see what happens…

Are users allowed to see what's in the Intune cache?

So, I thought the same, but why does it work when I call Invoke-AppDeployToolkit.ps1, and fail when I call Invoke-AppDeployToolkit.exe from the Intune side?

Maybe it says in the Intune IME log file:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs