Issues with logging the past week

Hi all,

I’ve used PSADT for a short while now, and have had no issues with it, everything working as intended - I’ve changed the template I build from to log directly to the intunemanagementextension\logs folder, and all has been well.

Now the last week to 10 days, all my new deployments have broken, I’m not getting any logging, and for the most part the script execution completely fails.

Just for testing purpose I downloaded it anew, version 3.10.2, changed the log location and simply had the script create a new file in C:\temp, and logging that.

The logging didn’t work, and neither did the file creation.
I thought it might be related to Win11 24H2, so I’ve tried on 22H2 and 23H2 as well, to no avail.
Apps that was created just 2 weeks ago work fine, on the same devices even.

I’ve tried multiple devices, multiple users, multiple tenants and multiple manufacturers of the devices
Other applications that I create outside of PSADT does work, and even the detection & requirement scripts I’ve tested on the PSADT apps works, even if the PSADT app it self doesn’t

Anyone experiencing something similar, or got any ideas?

If PSADT suddenly stops working in your network, then something has changed in YOUR environment.

Let me reiterate;

I’ve done testing on 6 different networks, including a hotspot, 4 different tenants, 3 different manufacturers/devices.

The networks have been a mix of different corporate networks, my private network as well as a hotspot.

None of these have had any issues until about 10 days ago.

Apps packaged and deployed outside of PSADT works with no issue.

I’m not sure where to even look, as even re-deploying applications that is deployed and working, doesn’t work either! (So reuploading the intunewin file)

It’s very wierd!

It seems like you are having a PowerShell or permission issue. If you think PSADT is the problem, prove it by writing a small PowerShell script that only creates a file in the PSADT log location. Then add more code to make it create another file in C:\temp

I suspect this small script will fall. either way, this will help you focus your efforts. Divide and conquer.

That works with no issue.

I’ve fallen back to simply packaging my own poweshell scripts directly with transcripting to the same mog location (intuneextensionmanagement\logs\app.log), with no issue.

When I deploy the PSADT package it never even creates any log file.
I can see it in the agentexecutor with an error code of 1, but nothing about what/where it broke

I’ve made sure to test for permissions, and that works with no issue.

I’m able to log, and to modify the system and/or install apps, as long as it’s not through PSADT

I hoped it was due to an issue with 24h2, but that’s not it either

It sounds like simplifying things will help.

1. Set the log path to be C:\Logs
2. Forget Intune - just run the app install locally and see what happens. If that doesn’t work there’s something drastic wrong. If it does, then the finger of blame moves to the Intunewin file or Intune. You’ve inferred you’re using Intune and not MECM.
3. Add powershell lines that output text to the console and/or a log file without using the PSADT function. Just use set-content.
4. To test, use a PowerShell console and dot source the main function: e.g. . .\AppDeployToolkit\AppDeployMain.ps1.
   This will let you use the functions direct - so you can run Write-log from the console. Use it with the log path changed and without. I suspect it is a path issue, but that’s just a wild guess.

Hi Mike,

Thanks for the suggestions, I’ve tried to use on of the example apps (VLC), and running it locally worked fine, I got logging, and the app was installed.

I then tried to deploy the app via Intune once again, as I had it working locally.
It then failed again, no loggin, no installation, only 1 log via the agentexecutor: Poweshell script ran successfully

It seems to be an issue with the combination of PSADT and Intune, though I have no idea where to even start looking for this issue

you are deploying it to run as system right?

Maybe make sure that even users have write perms to the logging location for now, JIC

Yea as system, did try in user context as well, but same issue

Tried creating a new folder (C:\Temp\Log) that i provided write for all users… same issue

you need to assume everything is FUBAR:

-Make sure the PS1 files are UTF8 encoded
-Recreate the Win32app in Intune.
-Make sure it doesn’t check if the PS1 files are signed.
-Make sure the files actually make it to the Intune Cache on the targeted PC

-Maybe try an IME Log file decoder

I can’t add anything more than what has already been suggested, other than: Are you using the latest Win32 Content Prep Tool v1.8.6 (to create the IntuneWin files)
FYI: The latest version can be downloaded from here: Release Fixing an issue where the Win32 content prep tool crashes · microsoft/Microsoft-Win32-Content-Prep-Tool · GitHub

@That-Annoying-Guy

This has been on hold as i’ve waited for v4, which i’ve switched to, i’m still having issues though.
What I’ve experienced:

Creating a new template (using Master Wrapper or manually) and deploying an Win32 Application with an MSI or EXE file in the dirFiles folder fails with the following errors in the AppWorkload.log:

EnforcementState: 5000
ErrorCode: -2147007662

From what I can see the .bin gets downloaded to incoming, moved to staging, decrypted but then doesn’t get run, and simply stops with the above.

If I zip to a .wim file and mount/dismount the application works.
I’ve tried with WinSCP (.msi) as well as with Global Secure Access (.exe)

Just to make sure it wasn’t something to do with the deployed configurations I’ve created a clean device with no configurations being enforced, and it still fails.

Do you have any ideas here?

I think we would need a little more useful info to help you troubleshoot this any further.
As we haven’t seen your code or Install command line, there are plenty more questions, so could you furnish us with a bit more info please?

• What is your Intune Install command line? This will help us understand if you are using ServiceUi.exe with your command, and whether youy are using the PSADT Deploy-Application.exe or Powershell with the Deploy-Application.ps1 script (Or the new v4 equivalents)
• Do you have any additional return codes configured in the Intune Portal for this deployment?
• Do you have any Intune Requirement rules configured? (I’m guessing not from what you have posted so far, but I have to ask).
• I know you have stated this issue is occuring on multiple tenants, multiple networks and multiple hardware devices… Is there anything that might be common between them all? (Same security settings / Same Anti-Virus or Anti-Malware, is App Locker in use? etc…)
• Can you supply a snippet of your Deploy-Application.ps1 script as it could highlight anything obvious, i’d suggest you only (at this stage) paste from between:

         ##*===============================================
        ##* PRE-INSTALLATION
        ##*===============================================

to just above:

} ElseIf ($deploymentType -ieq 'Uninstall') {

(Unless you have added many changes above this section)

On this forum, Remember to paste you code between two lines of 3 escape characters (i.e. ```) or use the pre-formatted text button above “</>” so the code formats correctly.

Hello Adrian

Let me provide some more info:

• What is your Intune Install command line? Invoke-AppDeployToolkit.exe -DeploymentType “Install” -DeployMode “Silent”
• Do you have any additional return codes configured in the Intune Portal for this deployment? No, I’ve not configured any outside the default created in Intune
• Do you have any Intune Requirement rules configured? Nope, and applicability only checks for x64, x86 and Win10 22H2
• I know you have stated this issue is occuring on multiple tenants, multiple networks and multiple hardware devices… Is there anything that might be common between them all? The only common parameter is that the creation of the PSADT scripts have been created via one of my 2 devices.

I’ve tried to create the apps via Master Wrapper and via the New-ADTTemplate.
Via Master Wrapper, it didn’t create all of the required files, eg. the PSADT.DLL was missing etc.

I’m able to install via the .exe and via the .ps1 locally, both in user and system context.

This is the snippet:

##================================================
    ## MARK: Pre-Install
    ##================================================
    $adtSession.InstallPhase = "Pre-$($adtSession.DeploymentType)"

    ## Show Welcome Message, close Internet Explorer if required, allow up to 3 deferrals, verify there is enough disk space to complete the install, and persist the prompt.
    ## Show Progress Message (with the default message).
    ## <Perform Pre-Installation tasks here>

    ##================================================
    ## MARK: Install
    ##================================================
    $adtSession.InstallPhase = $adtSession.DeploymentType

    ## Handle Zero-Config MSI installations.
    if ($adtSession.UseDefaultMsi)
    {
        $ExecuteDefaultMSISplat = @{ Action = $adtSession.DeploymentType; FilePath = $adtSession.DefaultMsiFile }
        if ($adtSession.DefaultMstFile)
        {
            $ExecuteDefaultMSISplat.Add('Transform', $adtSession.DefaultMstFile)
        }
        Start-ADTMsiProcess @ExecuteDefaultMSISplat
        if ($adtSession.DefaultMspFiles)
        {
            $adtSession.DefaultMspFiles | Start-ADTMsiProcess -Action Patch
        }
    }

    ## <Perform Installation tasks here>

    Start-ADTProcess -FilePath 'GlobalSecureAccessClient.exe' -ArgumentList "/quiet"

    ##================================================
    ## MARK: Post-Install
    ##================================================
    $adtSession.InstallPhase = "Post-$($adtSession.DeploymentType)"

    ## <Perform Post-Installation tasks here>


    ## Display a message at the end of the install.
    if (!$adtSession.UseDefaultMsi)
    {
    }

    ## Master Wrapper detection
    Set-ADTRegistryKey -Key "HKLM\SOFTWARE\InstalledApps\PS-Microsoft Corporation_Global Secure Access Client_2.8.45"
}

I’ve not changed any code in the config.psd1 or any other dependency

OK so basically a vanilla deployment

As you have confirmed in an earlier post you are running this as System in a deployment (where it doesn’t work) and have had success running this locally (using a local account (with or without Admin rights?))
I’m wondering if (for some unknown reason) the executable is not being found or the command line is incorrect.
Based on the PSADT Reference (Start-ADTProcess · PSAppDeployToolkit) You could try changing the Install command line in the script to the actual path, from this:

Start-ADTProcess -FilePath 'GlobalSecureAccessClient.exe' -ArgumentList "/quiet"

to this:

Start-ADTProcess -FilePath "$($adtSession.DirFiles)\GlobalSecureAccessClient.exe" -ArgumentList "/quiet"

I am also wondering if when you launch the GlobalSecureAccessClient.exe from the PSADT script locally, whether you see the installer launch (and it asks any questions, e.g. Install, Uninstall, Repair etc?). The reason for asking is that the guidance I have found for that installer, is you may be missing the /install switch.

So I think your install command should probably be:

Start-ADTProcess -FilePath "$($adtSession.DirFiles)\GlobalSecureAccessClient.exe" -ArgumentList "/quiet /Install"

My Guidance:

and

In his script he has the following install command on line 149 (N.B. I have replaced the extra double quotes with a pair of escaped quotes):

Execute-Process -Path "$ExePath" -Parameters "/install /quiet /norestart /log "`$configToolkitLogDir\GlobalSecureAccess-Install.log`"" -WindowStyle Hidden

P.S. If you haven’t used The Silent Install HQ before, it is an invaluable source for many applications as it provides the silent install switches required for deploying many, many applications silently (and always includes an example (working) PSADT script - albeit for v3.8.4) - I understand Jason Bergner (the author) hangs out on this forum and works for Patch My PC.

Sorry, it looks like /install is not a required switch (it uses this by default if not specified):

image470×291 11.3 KB

I have just tried GlobalSecureAccessInstaller_2.8.45.exe /quiet in my sandbox and as a sandbox admin user it installs fine, GlobalSecureAccessInstaller_2.8.45.exe /uninstall /quiet also works nicely. I can’t work out how the script works for you locally and then not via a System deployment
The only thing that’s different is the executable name is different to your command.

It’s very weird, and the thing is it’s not specific to just one application. I haven’t tried with a script in PSADT v4, but it’s the same issue for WinSCP with a completely vanilla setup akin to the above

I’ll give it a try with a directly calling it instead

As mentioned it works fine if i call it after mounting the file via a .wim file and then running it from there

I’ve tried both as system, standard user and administrator with same result

Running locally gives me an UAC prompt which is expected.

I’d love to dig deep into the intune logs, but it doesn’t provide anything useful