Windows' ActiveSetup vs. Start-ADTProcessAsUser vs. Invoke-ADTAllUsersRegistryAction
NOTE: All the following methods are initiated from PSADT running as SYSTEM at installation time.
Some applications need changes to be done in the user profile or HKCU registry hive to make them work.
Sadly, most users of PSADT do not know how to use the different methods or when to use which.
Some methods can only make the user changes during installation AND need to have the user logged-on at installation time.
Below is a table showing what each solution have to offer and their limitations.
| Capabilities/features: | ActiveSetup | Start-ADTProcessAsUser | Invoke-ADTAllUsersRegistryAction |
|---|---|---|---|
| Works in Unattended installs (no user present) | Yes | No | Yes |
| Does file changes as the user | Yes | Yes | No |
| Does HKCU registry changes as the user | Yes | Yes | Yes |
| Can do HKLM registry changes | No | No | No |
| Can launch an exe, PS1 or CMD as the user | Yes | Yes | No |
| Updates current logged-on user (If logged in at install time) | Yes (See note 1) | Yes | Yes |
| Updates existing user profiles (logged-in at install time or not) | Yes | No | Yes |
| Updates new users created after application installation | Yes | No | No (See note 2) |
| Changes are triggered by | Registry value in HKLM | (Unknown at this time) | Invoke-AppDeployToolkit.ps1 at install time |
| Intended purpose of method | User changes for ALL Users | Interact with CURRENT user | Cleanup of user registry hives (one or many) |
| Shared Computer compatible ? | Yes | No | No |
| Limitations: | |||
| Target User MUST be logged-on at install time | No | Yes | No |
| Needs to create Scheduled Task behind the scenes to run as the user | No | (TBD) | No |
| Depends on PSADT functions to work | No | Yes | Yes |
| Can use call PSADT functions | No | No | Yes (See note 3) |
| Needs an external script/EXE to perform changes | Yes | Yes | No |
| External script or EXE must be user accessible | Yes | Yes | N/A |
| Cleanup needed at Uninstallation | Yes | No | No |
NOTES:
1 - Windows' ActiveSetup does not update the current user until next login but PSADT triggers the payload on the current user if logged-in.
2 - Invoke-ADTAllUsersRegistryAction can update user hives that do not yet exists but you must pollute the Default User hive to do this.
3 - Invoke-ADTAllUsersRegistryAction actually REQUIRES you to build a ScriptBlock that calls PSADT functions with a -SID parameter. This include: Set-ADTRegistryKey, Get-ADTRegistryKey, Remove-ADTRegistryKey, Test-ADTRegistryValue. The Invoke-ADTAllUsersRegistryAction function was created as a way to cleanup user profiles after an uninstall.
Some documentation will claim MSI can update user profiles/HKCU hives but it is tricky and unreliable. Especially to copy files into a user's profile. Many times it just doesn't work and when it does, the entire MSI file must be read to accomplish the task.
What about just modifying the Default user hive? Polluting the Default User hive is not a good idea since it is used as the User hive for Local System.
While ActiveSetup is my preferred choice, there are no examples of scripts used as the "payload" for ActiveSetup in these forums. I hope to publish my PowerShell version in an other post with instructions on how to use it.
New functions in PSADT V4
These are new functions introduced with V4.x. Since I have not used them, I will not cover them much.
| New in PSADT V4 | Notes |
|---|---|
| Copy-ADTFileToUserProfiles | Copy one or more files to each user profile on the system. The user profile(s) must exist at installation time. |
| Remove-ADTFileFromUserProfiles | Removes one or more files from each user profile on the system. |
| Start-ADTMsiProcessAsUser | Installs/uninstalls MSIs in the current user' profile. A user MUST be logged-on (Not sure). (DEPRECATED?) |
| Start-ADTMspProcessAsUser | Installs MSPs in the current user' profile. A user MUST be logged-on (Not sure) (DEPRECATED?) |