Has anyone actually gotten these to work? I’ve tried all kinds of settings and I can’t get this to install. Anyone had any success with a user install over intune with PSADTK?
It works fine locally if I use psexec to install as system with ProcessAsUser but as soon as it triggers over intune it just fails with no error at all.
So I’ve found this in the logs:
Failed deployment over intune
[Initialization] :: The following users are logged on to the system: [DOMAIN\correctUser]. | PSAppDeployToolkit | 6/8/2021 9:30:14 AM | 28748 (0x704C) |
---|---|---|---|
[Initialization] :: Current process is running under a system account [NT AUTHORITY\SYSTEM]. | PSAppDeployToolkit | 6/8/2021 9:30:14 AM | 28748 (0x704C) |
Successful deployment as system triggered manually
[Initialization] :: The following users are logged on to the system: [DOMAIN\correctUser]. | PSAppDeployToolkit | 6/8/2021 9:16:46 AM | 10244 (0x2804) |
---|---|---|---|
[Initialization] :: Current process is running with user account [NT AUTHORITY\SYSTEM] under logged in user session for [DOMAIN\correctUser]. | PSAppDeployToolkit | 6/8/2021 9:16:46 AM | 10244 (0x2804) |
So it looks like when it deploys over Intune it recognizes the User as logged in correctly, but does not execute the process as it does when I trigger it manually.
Any ideas?
If I trigger this with ServiceUI.exe I get even further. It seems like everything SHOULD work, but it doesn’t successfully install. The log differences are below. The only difference I see are the exit codes. Anyone have any idea how I’d troubleshoot this further?
Successful Install (psexec.exe install as system)
[Installation] :: Trigger execution of scheduled task with command [C:\Users\correctUser\OneDrive - Company Name\Desktop\inTune Package Staging\Postman\Files\Postman-win64-8.5.1-Setup.exe -s] as the logged-on user [DOMAIN\correctUser]… | Execute-ProcessAsUser | 6/8/2021 9:17:06 AM | 10244 (0x2804) |
---|---|---|---|
[Installation] :: [C:\WINDOWS\System32\schtasks.exe] is a valid fully qualified path, continue. | Execute-Process | 6/8/2021 9:17:06 AM | 10244 (0x2804) |
[Installation] :: Working Directory is [C:\WINDOWS\System32]. | Execute-Process | 6/8/2021 9:17:06 AM | 10244 (0x2804) |
[Installation] :: Executing [C:\WINDOWS\System32\schtasks.exe /run /i /tn PSAppDeployToolkit-ExecuteAsUser]… | Execute-Process | 6/8/2021 9:17:06 AM | 10244 (0x2804) |
[Installation] :: PassThru parameter specified, returning execution results object. | Execute-Process | 6/8/2021 9:17:07 AM | 10244 (0x2804) |
[Installation] :: Execution completed successfully with exit code [0]. | Execute-Process | 6/8/2021 9:17:07 AM | 10244 (0x2804) |
[Installation] :: Waiting for the process launched by the scheduled task [PSAppDeployToolkit-ExecuteAsUser] to complete execution (this may take some time)… | Execute-ProcessAsUser | 6/8/2021 9:17:07 AM | 10244 (0x2804) |
[Installation] :: Exit code from process launched by scheduled task [0]. | Execute-ProcessAsUser | 6/8/2021 9:17:38 AM | 10244 (0x2804) |
[Installation] :: Delete scheduled task [PSAppDeployToolkit-ExecuteAsUser]. | Execute-ProcessAsUser | 6/8/2021 9:17:38 AM | 10244 (0x2804) |
Failure VIA intune using ServiceUI.exe
[Installation] :: Trigger execution of scheduled task with command [C:\WINDOWS\IMECache\d6243144-636e-4b64-bc00-c96ff480868f_1\Files\Postman-win64-8.5.1-Setup.exe -s] as the logged-on user [DOMAIN\correctUser]… | Execute-ProcessAsUser | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
---|---|---|---|
[Installation] :: [C:\WINDOWS\System32\schtasks.exe] is a valid fully qualified path, continue. | Execute-Process | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: Working Directory is [C:\WINDOWS\System32]. | Execute-Process | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: Executing [C:\WINDOWS\System32\schtasks.exe /run /i /tn PSAppDeployToolkit-ExecuteAsUser]… | Execute-Process | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: PassThru parameter specified, returning execution results object. | Execute-Process | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: Execution completed successfully with exit code [0]. | Execute-Process | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: Waiting for the process launched by the scheduled task [PSAppDeployToolkit-ExecuteAsUser] to complete execution (this may take some time)… | Execute-ProcessAsUser | 6/8/2021 10:55:43 AM | 28432 (0x6F10) |
[Installation] :: Exit code from process launched by scheduled task [-2147024891]. | Execute-ProcessAsUser | 6/8/2021 10:55:44 AM | 28432 (0x6F10) |
[Installation] :: Delete scheduled task [PSAppDeployToolkit-ExecuteAsUser]. | Execute-ProcessAsUser | 6/8/2021 10:55:44 AM | 28432 (0x6F10) |
So I think this is an Access is Denied error?
Just a thought, but try these things.
1.) After it is executing the Execute-ProcessAsUser line runs, add a long “Start-Sleep -Seconds 90” or longer. While it is in its sleep section, open the task scheduler and find the scheduled task it created, and review the history tab. This may help diagnosis the true issue.
2.) Review the scheduled task command line to see if it translated properly. Sometimes it doesn’t play nice with syntax.
3.) If you don’t already, add the “-Wait” switch to the end of the Execute-ProcessAsUser command.
4.) Try modifying the following line in AppDeployToolkitConfig.xml. “<Toolkit_RequireAdmin>True</Toolkit_RequireAdmin>” Change it to False, and see if that works.
Hopefully, one of those does the trick. Sorry, I don’t have the exact answer, but might point you in the right direction.
Thanks for the tips. I’ll definitely give the wait period a pause to check the scheduled tasks - great idea!
I’ve just been systemically testing a combination of settings and hoping to get lucky:
As SYSTEM in INTUNE
ProcessAsUser without service UI with admin set to true
-returns access is denied error
ProcessAsUser without service UI with admin set to false
-returns access is denied error
ProcessAsUser with service UI with admin set to true
-returns access is denied error
ProcessAsUser with service UI with admin set to false
-returns access is denied error
Process without serviceui with admin set to true
-Fails with no error.
Process without serviceui with admin set to false
-Fails with no error
Process with serviceui with admin set to true
-Fails with no error
Process with serviceui with admin set to false
-Fails with no error
As USER in INTUNE
ProcessAsUser without service UI with admin set to true
-
ProcessAsUser without service UI with admin set to false
-
ProcessAsUser with service UI with admin set to true
-
ProcessAsUser with service UI with admin set to false
-
Process without serviceui with admin set to true
-
Process without serviceui with admin set to false
-
Process with serviceui with admin set to true
-
Process with serviceui with admin set to false
-
So this was helpful. It seems like it is extracting it to this directory:
C:\Windows\IMECache
Which the user doesn’t have permission to access, so the setup never starts. My day is over so I’ll have to pick this up again tomorrow, but at least I know what is happening now.
I honestly don’t know if there is a better way of handling this, but I was able to fix this with the below code thrown into Deploy-Application.ps1 right before the relevant Execute-ProcessAsUser
## Permissions $permissionPath = Split-Path (Split-Path $($ExePath64.FullName) -Parent) -Parent $Acl = Get-Acl $permissionPath $Ar = New-Object System.Security.AccessControl.FileSystemAccessRule("everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow") $Acl.SetAccessRule($Ar) Set-Acl $permissionPath $Acl
If you don’t want to grant users permissions to that folder, copy the contents to a folder under programdata or similar. I do that for Autodesk products with sccm to aid in repairs for users who travel and may have spotty internet and so the ccmcache isn’t so ginormous. Perhaps similar would work for your use-case.