I see that v4.1.0 is likely going to make this question deprecated soon, but I was hoping to get one app packaged to use the Installation Prompts in Intune where the app installs in the SYSTEM context. I believe I am on the right track in needing ServiceUI, so I loaded those in:
This app is for GlobalProtect, and we currently have it set up so that GlobalProtect doesn’t connect while the user is in office. I was hoping to set this up to skip the prompts when this is the case by running an IF statement near the top of the Invoke-ServiceUI.ps1:
```powershell
param (
    [string[]]$ProcessName = @('explorer'),
    [ValidateSet('Install', 'Uninstall', 'Repair')]
    [string]$DeploymentType = 'Install',
    [switch]$AllowRebootPassThru,
    [switch]$TerminalServerMode,
    [switch]$DisableLogging
)

# Check the status of the PANGP Virtual Ethernet Adapter
$AdapterStatus = (Get-NetAdapter | Where-Object { $_.InterfaceDescription -like "PANGP Virtual Ethernet Adapter*" }).Status

if ($AdapterStatus -eq 'Up') {
    # Adapter is connected, proceed with the existing logic
    Push-Location $PSScriptRoot

    if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64' -or $env:PROCESSOR_ARCHITEW6432 -eq 'AMD64') {
        $Architecture = 'x64'
    } else {
        $Architecture = 'x86'
    }

    if (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        if ([Environment]::UserInteractive) {
            # Start-Process is used here otherwise script does not wait for completion
            $Process = Start-Process -FilePath '.\Invoke-AppDeployToolkit.exe' -ArgumentList "-DeploymentType $DeploymentType -DeployMode Interactive -AllowRebootPassThru:`$$AllowRebootPassThru -TerminalServerMode:`$$TerminalServerMode -DisableLogging:`$$DisableLogging" -NoNewWindow -Wait -PassThru
            $ExitCode = $Process.ExitCode
        } else {
            # Using Start-Process with ServiceUI results in Error Code 5 (Access Denied)
            &".\ServiceUI_$Architecture.exe" -process:explorer.exe Invoke-AppDeployToolkit.exe -DeploymentType $DeploymentType -DeployMode Interactive -AllowRebootPassThru:"`$$AllowRebootPassThru" -TerminalServerMode:"`$$TerminalServerMode" -DisableLogging:"`$$DisableLogging"
            $ExitCode = $LastExitCode
        }
    } else {
        $Process = Start-Process -FilePath '.\Invoke-AppDeployToolkit.exe' -ArgumentList "-DeploymentType $DeploymentType -DeployMode Silent -AllowRebootPassThru:`$$AllowRebootPassThru -TerminalServerMode:`$$TerminalServerMode -DisableLogging:`$$DisableLogging" -NoNewWindow -Wait -PassThru
        $ExitCode = $Process.ExitCode
    }

    Pop-Location
} else {
    # Adapter is disconnected, run silent installation and exit
    $Process = Start-Process -FilePath '.\Invoke-AppDeployToolkit.exe' -ArgumentList "-DeploymentType $DeploymentType -DeployMode Silent -AllowRebootPassThru:`$$AllowRebootPassThru -TerminalServerMode:`$$TerminalServerMode -DisableLogging:`$$DisableLogging" -NoNewWindow -Wait -PassThru
    $ExitCode = $Process.ExitCode
}

exit $ExitCode
```
I might have this thinking wrong by putting it in the ServiceUI.ps1, but I figured that it would just install without the prompts. Basically, if the NetworkAdapter status shows as “Up”, push the prompts so that it warns the user and lets them hit the Update button in the Show-ADTInstallationPrompt.
I have my Pre-Install section set up like this:
```powershell
function Install-ADTDeployment
{
    ##================================================
    ## MARK: Pre-Install
    ##================================================
    $adtSession.InstallPhase = "Pre-$($adtSession.DeploymentType)"

    Show-ADTInstallationPrompt -Message "We require your GlobalProtect VPN software to be updated. When ready, please hit the Update button to start. It should take 1-2mins to complete and come back up for you to re-connect." -ButtonMiddleText 'Ok'
    Show-ADTInstallationProgress

    # Uninstall previous version of Globalprotect
    Uninstall-ADTApplication -Name 'GlobalProtect' -FilterScript {$_.Publisher -eq 'Palo Alto Networks'}
```
And for my install command in Intune, I pulled it from the example, since I didn’t change the names of the files:

```
%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -NoProfile -File Invoke-ServiceUI.ps1 -DeploymentType Install -AllowRebootPassThru
```
I feel like it is close, but unfortunately, PSADT installs fine through testing in PowerShell and shows the prompts in testing, but once I bump over to Intune and use the SYSTEM context, it installs but drops the prompts. Now, it is just failing to install, so I believe it to be an issue with either the install command or the Invoke-ServiceUI.ps1 changes that I made. It is just a pain to package and upload to Intune and find that it is failing to install. I am likely going to put another IF statement in that skips ServiceUI, if the environment is ARM64, since I have that working in my main PSADT file, but I don’t want to just add onto this mess until I have a better idea of what is breaking my install.
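
An added example, not part of the original post and not PSADT's own code: one way to test the adapter/branch decision from the script above without repackaging for Intune. The function name `Get-DeployModeDecision` and the sample adapter objects are hypothetical; it records the working directory because the `.\` paths in the posted script depend on it and `Push-Location $PSScriptRoot` only runs in the adapter-up branch.

```powershell
# Added example: hypothetical helper, not part of PSADT or the original post.
function Get-DeployModeDecision {
    [CmdletBinding()]
    param (
        # Adapter objects; anything exposing InterfaceDescription and Status works,
        # so constructed objects can stand in for Get-NetAdapter output.
        [object[]]$Adapter = @(Get-NetAdapter -ErrorAction SilentlyContinue),
        [string]$DescriptionPattern = 'PANGP Virtual Ethernet Adapter*',
        [string[]]$ProcessName = @('explorer')
    )

    # Wrap in @() so zero, one or several matching adapters are all handled as an array.
    $vpn = @($Adapter | Where-Object { $_.InterfaceDescription -like $DescriptionPattern })
    $vpnUp = @($vpn | Where-Object { "$($_.Status)" -eq 'Up' }).Count -gt 0

    # Same "is a user shell running" test the posted script uses before calling ServiceUI.
    $userLoggedOn = [bool](Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)

    # Prompts only make sense when the VPN adapter is up and a user session exists.
    $mode = if ($vpnUp -and $userLoggedOn) { 'Interactive' } else { 'Silent' }

    [pscustomobject]@{
        VpnAdaptersFound   = $vpn.Count
        VpnUp              = $vpnUp
        UserLoggedOn       = $userLoggedOn
        RunningInteractive = [Environment]::UserInteractive
        ScriptRoot         = $PSScriptRoot
        WorkingDirectory   = (Get-Location).Path
        DeployMode         = $mode
    }
}

# Constructed sample input: VPN adapter present but disconnected (in-office case).
$inOffice = @(
    [pscustomobject]@{ InterfaceDescription = 'PANGP Virtual Ethernet Adapter Secure'; Status = 'Disconnected' }
    [pscustomobject]@{ InterfaceDescription = 'Constructed Ethernet Adapter'; Status = 'Up' }
)
# Constructed sample input: VPN adapter connected (remote case).
$remote = @(
    [pscustomobject]@{ InterfaceDescription = 'PANGP Virtual Ethernet Adapter Secure'; Status = 'Up' }
)

Get-DeployModeDecision -Adapter $inOffice | Format-List
Get-DeployModeDecision -Adapter $remote   | Format-List
Get-DeployModeDecision -Adapter @()       | Format-List   # no GlobalProtect adapter at all
Get-DeployModeDecision                    | Format-List   # live adapters on this machine
```

Running the same function as SYSTEM and as the logged-on user shows how `RunningInteractive` and `WorkingDirectory` differ between the two contexts.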

