PSAppDeployToolkit, SCCM 2012 & Avecto DefendPoint: Deploying applications as a Standard User

SCCM 2012 gives the option of installation an application as the currently logged in user, or as the LocalSystem account. There are differences in why you would choose one over the other – namely, easy access to current user paths and registry keys. Some Windows Installers have a lot of Per User components and if installed using LocalSystem, tend to be a pain in the ass to get installed when an actual user logs in. So running deployments as the currently logged in user can be very handy.

However, there is a limitation in the Application Model whereby if you chose to install an application as a User, it inherits their user privileges for the installation. This is a problem if your users are Standard Users as opposed to Local Administrators – more often than not, you won’t have the permissions to perform a full install.

If you’re lucky enough to have deployed Avecto DefendPoint (formerly Privilege Guard), you can very easily overcome this by granting Administrator Privileges to PSAppDeployToolkit installation scripts. Here’s how I have this working:

I created two Application Groups, and one Work-Style. The first App Group is for the SCCM Agent:


The second App Group is for the Deploy-Application.ps1 scripts themselves. It is set to match child processes of the first App Group. You can make this more secure by using a wildcarded path such as “%WinDirCCMCache*Deploy-Application.ps1”. Better still, ensure you code sign your Deploy-Application.ps1 scripts and add a match criteria against the Publisher:


Finally, the Work-Style is set to automatically add Admin Rights to any Deploy-Application.ps1 that gets run – provided it is a child process of the SCCM Agent. This ensures the PSAppDeployToolkit installation script only gets Admin Rights when called by the SCCM Agent:


And there you have it. Simples! 🙂


By | 2016-10-14T17:30:52+00:00 March 27th, 2015|PowerShell App Deployment Toolkit|2 Comments

Avecto Privilege Guard & McAfee ePO: Ensuring multiple policy editors don’t overwrite each other’s changes

In a large scale deployment of Avecto Privilege Guard in conjunction with a new OS rollout, it’s not uncommon to have multiple engineers working on adding new rules to auto-elevate applications and installers. The problem is, McAfee ePO doesn’t have any decent method of locking a policy that is being edited by someone. Consider the following:

  • Engineer #1 starts to edit the current policy and adds new rules
  • Engineer #2 starts to edit the current policy and few minutes later and adds new rules
  • Engineer #1 saves the policy
  • Engineer #2 saves the policy a few minutes later, wiping out the changes by Engineer #1

At my current client, I’m seeing this happen on a near daily basis due to the fact that it’s a massive deployment, with 5 dedicated engineers working on adding new Avecto rules and troubleshooting issues. Since we’re decentralised, it’s not as easy as shouting out ‘everyone stop editing, I’m making some changes’ and people don’t read emails in a timely enough manner for that to be effective either. So I looked into how we could solve this technically. Here’s what I’ve come up with…

The following PowerShell script will monitor Internet Explorer every 5 seconds for an open Avecto policy. If one is in use, it writes the current engineer’s username to a file which should be stored on a location that all of the engineers have read / write access to. If another engineer opens a policy, they are warned via a dialog on screen that a policy is already being edited by another engineer. When the original engineer closes the policy, the file is deleted and the warning message no longer appears.


To configure, modify the line $lockFile = “xxxxxxxxxxxxx” to point to a UNC path that all engineers have access to.

To run, set up a scheduled task on all the Privilege Guard engineer’s machines. It should run at every user login, and the command line is: PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File “Monitor-AvectoPolicy.ps1”

It’s a crude solution but it works well. The only downside is that will create the lockfile / display warning on the editing of *any* Avecto policy. This is because there’s no way to match the URL to a specific policy name. Still, if all your engineers are working on the one policy this shouldn’t be a problem.

And here’s the script itself: Monitor-AvectoPolicy

Hope this helps 🙂


By | 2016-10-14T17:30:52+00:00 September 16th, 2014|Avecto DefendPoint|0 Comments

PSAppDeployToolkit: Get the benefits without writing a single line of PowerShell

Edit: Hey! We just made this obsolete with v3.6.1 of the toolkit. It’s all in-built now! 🙂

One of the primary goals of the PowerShell App Deployment Toolkit is to simplify complex scripting operations to deploy applications. It does however, require that you know PowerShell to some degree, even though a lot of the in-built functionality is going to shield you from a lot of the complexity. This applies to even the most basic of installations. You’re going to need to populate the template provided with a few basic details.

I wanted to see if I could remove the need for any editing of the provided template. What I’ve come up with will be really handy for PowerShell beginners looking to evaluate the toolkit’s functionality, and allow you to rapidly create an application deployment. To that end, I’ve created a customized version of the template which does the following:

  • Searches the Files subfolder for a Windows Installer installation (MSI) and any custom transform
  • Pulls Windows Installer properties from the MSI file and uses them for the deployment
  • Prompts to close any applications specified with the -CloseApplications parameter if they are open
  • Installs / Uninstalls the application

How to use the dynamic Deploy-Application.ps1:

  • Download a copy of the toolkit from here
  • Overwrite Deploy-Application.ps1 with this version from here
  • Drop your MSI (and MST if you have one) into the Files subfolder
  • Create a new SCCM Application / Package with these source files
  • Include the -CloseApplications parameter if needed, e.g.
    • Deploy-Application.exe Install -CloseApplications “iexplore,firefox,chrome”
    • Deploy-Application.exe Uninstall -CloseApplications “iexplore,firefox,chrome”

The benefits of using the toolkit without any customization are still quite apparent:

  • Consistent user experience for closing applications and displaying installation progress, all localized in numerous languages
  • Logging of all Windows Installer install / uninstall operations, as well as logging from the toolkit itself
  • Integration with SCCM 2007 / 2012 in terms of exit codes, reboot suppression and fast retry


By | 2016-10-14T17:30:53+00:00 May 14th, 2014|PowerShell App Deployment Toolkit, Tutorials|0 Comments

Enabling Intel Virtualization Technology (VT) on Lenovo hardware using an SCCM Configuration Baseline

I’ve been meaning to start posting some tutorials for a while and I’ve finally gotten around to my first. So here goes…

Intel VT is a requirement of any VM solution (Hyper-V, VMware, Virtualbox etc) as well as a number of emerging security products such as McAfee Deep Defender. By default, Lenovo hardware ships with Intel VT disabled in the BIOS. If you’re a large enough enterprise, you can probably agree to have this enabled in the BIOS from the outset but for smaller companies this can be costly. Luckily, you can access Lenovo BIOS settings using WMI. It’s fairly simple to put together a VBScript to enable this as part of your  OSD process. But what if you already have your machines deployed and need to make the change post-deployment?

Well, a nice way of handling this is to use an SCCM Configuration Baseline to enforce the setting. And I’m going to walk you through how to do it…

First, we’re going to open SCCM > Assets & Compliance > Compliance Settings > Configuration Items and create a new Configuration Item:


You’ll only want this running on client OSes so deselect anything server:


Create a new Setting and populate as follows:

  • Name: Intel Virtualization Technology Configuration
  • Setting Type: Script
  • Data Type: String
  • Discovery Script – Type: PowerShell:

gwmi -class Lenovo_BiosSetting -namespace rootwmi | Where-Object {$_.CurrentSetting.split(“,”,

[StringSplitOptions]::RemoveEmptyEntries) -eq “VirtualizationTechnology”} | Format-List CurrentSetting

  • Remediation Script – Type: PowerShell:

(gwmi -class Lenovo_SetBiosSetting -namespace rootwmi).SetBiosSetting(“VirtualizationTechnology,Enable”)
(gwmi -class Lenovo_SaveBiosSettings -namespace rootwmi).SaveBiosSettings()


Create a new Compliance rule for this Setting as follows:

  • Name: Intel Virtualization Technology Compliance Rule
  • Value: VirtualizationTechnology,Enable
  • Check “Run the specified remediation script when this setting is non-compliant”


Now create a second Setting and populate as follows:

  • Name: Intel VTdFeature Configuration
  • Setting Type: Script
  • Data Type: String
  • Discovery Script – Type: PowerShell:

gwmi -class Lenovo_BiosSetting -namespace rootwmi | Where-Object {$_.CurrentSetting.split(“,”,[StringSplitOptions]::RemoveEmptyEntries) -eq “VTdFeature”} | Format-List CurrentSetting

  • Remediation Script – Type: PowerShell:

(gwmi -class Lenovo_SetBiosSetting -namespace rootwmi).SetBiosSetting(“VTdFeature,Enable”)
(gwmi -class Lenovo_SaveBiosSettings -namespace rootwmi).SaveBiosSettings()

Create a new Compliance rule for this Setting as follows:

  • Name: Intel VTdFeature Compliance Rule
  • Value: VTdFeature,Enable
  • Check “Run the specified remediation script when this setting is non-compliant”

When finished, we should be left back in the original Wizard with two Settings and two Compliance items as follows:


Now that our Configuration Item is created, we need to Create a new Configuration Baseline for deployment. Navigate to Assets & Compliance > Compliance Settings > Configuration Baselines and create a new one as follows:


Once this is created, you can Deploy to any collection in either Monitor or Remediation mode. I would suggest Monitor first to get a handle of how many machines will be affected, and maybe start off in Remediation on a handful of machines to ensure it works as expected. Changes to the BIOS take effect when the machine is next restarted.

By | 2016-10-14T17:30:53+00:00 April 22nd, 2014|Tutorials|0 Comments

Workstation Migration Assistant 1.10 released

So I won’t make any fanfare about this, I’ve made just a few small changes and fixes to WMA as I’ve neglected it for quite a bit.

  • Added support for Windows 8 / 8.1
    • Copy the amd64 and x86 folders from USMT 5 as subdirectories of the WMA folder, ie.
      • MigAssist.exe
        • amd64
        • x86
  • Fixed issue where maximum migration size couldn’t be disabled
  • Fixed issue where progress wasn’t updating correctly
  • Fixed issue where Health Check wouldn’t always run
  • Removed support for Windows XP (USMT 3)
  • Removed branding – looks better with Windows 8 / 8.1 theme

This should help out a few people who have been trying to use it lately. Download is in the Applications section. Enjoy.

By | 2016-10-14T17:30:53+00:00 December 13th, 2013|Workstation Migration Assistant|0 Comments

PowerShell App Deployment Toolkit

Myself and my good friend Sean Lillis have been working on a neat project for the last few months. Here’s a bit of the blurb:

The PowerShell App Deployment Toolkit provides a set of functions to perform common application deployment tasks and to interact with the user during a deployment. It simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

We’ve set up a CodePlex site for the project and have published the initial public release, along with some very extensive documentation. Head on over to the link below to take a look!

By | 2016-10-14T17:30:53+00:00 August 7th, 2013|PowerShell App Deployment Toolkit|0 Comments


As usual, I’ve been sidetracked with work and personal life so I haven’t been nearly as busy on here as I’d like to be. I have however, taken some time to bring EncodeHD up to date and bring it out of beta.

A fairly sparse change log since the beta:

  • FFmpeg updated to git-00b1401 (2013-07-06)
  • MediaInfo updated to 0.7.64
  • Fixed up some FFmpeg command-line parameters

The newest releases of FFmpeg are pretty darn fast at re-encoding video though

Download is in the EncodeHD section.

By | 2016-10-14T17:30:53+00:00 July 10th, 2013|EncodeHD|7 Comments

Software Compliance Tool Released

It’s been a while since I’ve updated SCT, mainly because it does what it says on the tin so bloody well!

That being said, I recently ran into a few issues which strongly indicated to me that it should run in Report Mode by default. If you have it dropped locally onto your systems and use just for reporting, an inquisitive user could be in for a shock when they run this without the Report Only command-line parameter – so I discovered for myself 🙂

For that reason, I’ve implemented the following changes – along with some other minor changes:

  • CHANGE: Default to Report Only Mode (use /REMOVALMODE to actually remove unwanted apps)
  • CHANGE: Default to Silent Mode when in Report Only Mode (use /DEBUGMODE to show status in the UI when in default Report Only Mode)
  • CHANGE: Exclude matched apps containing Microsoft KB numbers, “Cumulative Update”, “Security Update” or “Hotfix” – we’ll never want these removed as we might compromise security and stability
  • CHANGE: Updated ReadMe file with new instructions, including how to deploy using Group Policy Preferences and use Scheduled Tasks

As always, the download is in the SCT section.

Cheers, Dan

By | 2016-10-14T17:30:57+00:00 March 22nd, 2013|Software Compliance Tool|0 Comments

EncodeHD (let’s call it a beta shall we?)

I’ve been beating this around a bit and it’s been pretty solid. That being said, I’m working best guess on a number of the profiles, and I haven’t been keeping up to date with FFmpeg in quite some time so there’s every possibility there’s broken stuff in here. For that reason I’m not updating the main page until I get some positive feedback from people on what’s there right now.

So, feel free to give the new version a whirl and let me know how it goes.

What’s New…

  • Added profiles for
    • AppleTV 3
    • iPad 3 / 4
    • iPhone 5
    • Nexus 4
    • Nexus 7
    • Lumia 920
    • Galaxy S2
    • Galaxy S3
  • Fixes to iPad 1 / 2 profile for AC3 audio in TV mode
  • Added support for progress in task bar for Win 7 / 8
  • Updated H.264 encoding parameters to improve quality
  • Updated to work with latest FFmpeg builds
  • Changed all the profile names to be more descriptive
  • Try to handle files with no frame rate details
  • Removed Snarl support
  • Updated Ffmpeg to git-26c531c (25th Nov 2012)
  • Updated MediaInfo to 0.7.61 (22nd Oct 2012)
[bra_button text=’Download EncodeHD Beta’ url=’’ target=’_self’ size=’medium’ style=’rounded’ color=’grey’]

By | 2016-10-14T17:30:57+00:00 December 17th, 2012|EncodeHD|9 Comments

EncodeHD & libav

So I’ve fixed up EncodeHD to work with libav (avconv) in place of FFmpeg. To be honest though, I don’t know if anyone is still using EncodeHD.

Drop a comment if you think I should publish a new version. I should probably add some profiles for newer hardware too (if there’s demand).

By | 2012-12-03T16:02:32+00:00 December 3rd, 2012|EncodeHD|21 Comments