Once you have a PowerShell script or deployment template ready to go, you will need to understand the command line required to deploy it in Intune.
This is the moment you have been building up to, pacing up and down like an expectant father. Like Doctor Frankenstein’s monster, it is time to give this thing life: it is time to deploy it using the Intune Management Portal, Win32 App creation.
In this chapter, you will learn how to construct the correct install commands that are input into the Intune Portal when creating a new Win32 application deployment.
Sys What Now?
The Intune Management Extension is a 32-bit application that executes PowerShell scripts or processes Win32 applications.
In most cases, whenever a 32-bit application attempts to access %windir%System32 or %windir% egedit.exe, the access is redirected to an architecture-specific path, for example, %windir%SysWOW64, where 32-bit versions of the file being accessed are used instead.
The management extension executes in the 32-bit context resulting in the deployed PowerShell script also executing in the 32-bit version of PowerShell running from SysWOW64.
This may not have the outcome you desire and could cause deployment failure, as some cmdlets require running in a 64-bit context. Other unexpected results may occur too: the cmdlet Get-Process, for example, will only get 64-bit processes in 64-bit PowerShell and 32-bit processes in 32-bit PowerShell which may or may not be what you are expecting. In general, you will always want your PowerShell script to run in the 64-bit version of PowerShell.exe
To avoid this situation, there is another folder, called Sysnative, and it can be used as a replacement for System32 in the path name.
Sysnative as a special alias is used to indicate that the file system should not redirect the access. When you specify C:WindowsSysnative in your code or application, it is diverted to C:WindowsSystem32 instead.
Solution
To ensure the PowerShell script executes using the 64-bit version of PowerShell, a small modification must be made to the “Install Command” and/or “Uninstall Command” fields in the Intune portal. You must reference the full path of the 64-bit version of PowerShell.exe using Sysnative in place of System32.
32-Bit PowerShell
In the Intune portal “Install command” field, you can reference powershell.exe directly, omitting the full path. This is because the Intune Management Extension will be running in a 32-bit process and will therefore call PowerShell.exe from a 32-bit process by default.
A screenshot of a window titled windows powershell. It has a code to run a 32-bit version of powershell.
Running 32-bit PowerShell from SysWOW64 directory
64-Bit PowerShell
Calling Your Script
Is it just a script that executes sequentially from top to bottom?
Does it have an entry point?
Does it have an entry point with parameters?
Is it a function?
Does the function accept parameters?
The script type determines which command line is used within the Windows Win32 App creation in the Intune Portal.
Standard Script (Top to Bottom)
A script that executes from top to bottom
Install Command
The install command for a standard script. (Top to Bottom)
Script with Entry Point
Like the Standard Script (Top to Bottom), the same command line is used.
This type of script allows for more flexibility as the entire code is encapsulated as a function. The very last line of code that is then outside of that function will call the function itself which may or may not accept parameters too.
Script with Entry Point (No Parameters)
A script containing an entry point and not using any parameters
Install Command
The command line for a script with an entry point. (No Parameters used)
Script with Entry Point (With Parameters)
A script with an entry point containing parameters
Install Command
The command line for a script with an entry point using parameters
Function
To directly reference a function in a script, a slightly different method must be used. To create the installation command line for scripts that include a specific function you wish to execute, you will use something called dot sourcing.
Normally, a script runs in the script scope meaning you do not have direct access to the functions, variables, etc., that it contains.
Dot sourcing allows you to run the script in the current scope, and all the commands in the script are available as if you had typed them at the command prompt.
To use dot sourcing, place a . (period) and a space before the script path.
You can read all about dot sourcing by typing in help about_scripts in a PowerShell console.
You will notice that the command line for functions includes an & sign (ampersand). This is known as a call operator, and you can use it to execute scripts using their filenames. You can find out more about operators by reading the built-in help: help about_operators.
Function (No Parameters)
A function containing no parameters. The script is saved as “Function.ps1”
Install Command
In this example, the script has been saved as “Function.ps1” and the name of the function to run is named “Do-Something.”
A sample function that does not contain parameters. The function has been saved as “Function.ps1”
Function Accepting Parameters
Like deploying a function without parameters, the command line used is the same, except you add the required parameters and respective values.
For this example, let us pretend you have a script named, myScript.ps1 and within this script, there is a function named, Show-Text. The function accepts a single parameter named, $textToDisplay. Based on the supplied parameter, the function then goes on to do something spectacularly amazing when executed.
A function that accepts parameters
Install Command
- Call the script named, myScript.ps1
Specifically execute within the script the function named Show-Text.
Supply the function parameter -textToDisplay with the value of “Important Text!”
The command line used to call a function using parameters
Example: Deploying a Script Containing Two Functions
There may come a time when you have a single script containing multiple related functions. For example, your script may include one function for installation and another function for uninstallation.
As Intune allows you to specify two command lines, one for installation and one for uninstallation, then this is a good reason to use two public functions in a single script.
This example does not walk you through the complete creation of the application, as you will learn this later in the book. Rather, it demonstrates the deployment of a complex script, that is only a script (no additional files are deployed to the endpoint), with the script containing two functions; each of which can be used independently within the same Intune application creation.
Remote Server Administration Tools
This example script deploys the RSAT1 (Remote Server Administration Tools) capabilities for Windows 10 and contains the code to uninstall it too if required. It is achieved using two functions in a single script saved as “ManageRSAT.ps1”.
Install-RSATCapabilities
Uninstall-RSATCapabilities
ManageRsat.ps1
When creating the Win32 application in the Intune portal, at stage two of the application creation wizard “Program,” you should enter the install command line for a function accepting parameters (as shown previously in this chapter in Listing 7-10).
Calling the Install-RSATCapabilities function from the ManageRSAT.ps1 script
Calling the Uninstall-RSATCapabilities function from the ManageRSAT.ps1 script
A screenshot of the windows app. It depicts 6 steps. Under the program step, it has options such as install and uninstall command, install behavior, and device restart behavior.
The install command and uninstall command have been completed
A screenshot of the win 32 application. It has an install and uninstall command under the program. The create button at the bottom is highlighted.
The full commands used can be seen in the application summary
The PowerShell script used for the RSAT deployment custom detection rule
Summary
In this chapter, you learned about the virtual folder Sysnative, and understood why it was important to use it when creating the script install or uninstall commands.
You then learned that not all scripts are the same; some have entry points, some have functions, and some are either of those types with parameters. You also learned how to build the correct install command line depending on which of those script types it was.
Finally, you saw an example of deploying the RSAT (Remote Server Administration Tools) that contained both an install and uninstall function, and what the install command lines would look like.
The next chapter looks at a fully functional deployment template that can be used as-is or modified for your own needs.