PSAppDeployToolkit, SCCM 2012 & Avecto DefendPoint: Deploying applications as a Standard User

SCCM 2012 gives the option of installation an application as the currently logged in user, or as the LocalSystem account. There are differences in why you would choose one over the other – namely, easy access to current user paths and registry keys. Some Windows Installers have a lot of Per User components and if installed using LocalSystem, tend to be a pain in the ass to get installed when an actual user logs in. So running deployments as the currently logged in user can be very handy.

However, there is a limitation in the Application Model whereby if you chose to install an application as a User, it inherits their user privileges for the installation. This is a problem if your users are Standard Users as opposed to Local Administrators – more often than not, you won’t have the permissions to perform a full install.

If you’re lucky enough to have deployed Avecto DefendPoint (formerly Privilege Guard), you can very easily overcome this by granting Administrator Privileges to PSAppDeployToolkit installation scripts. Here’s how I have this working:

I created two Application Groups, and one Work-Style. The first App Group is for the SCCM Agent:


The second App Group is for the Deploy-Application.ps1 scripts themselves. It is set to match child processes of the first App Group. You can make this more secure by using a wildcarded path such as “%WinDirCCMCache*Deploy-Application.ps1”. Better still, ensure you code sign your Deploy-Application.ps1 scripts and add a match criteria against the Publisher:


Finally, the Work-Style is set to automatically add Admin Rights to any Deploy-Application.ps1 that gets run – provided it is a child process of the SCCM Agent. This ensures the PSAppDeployToolkit installation script only gets Admin Rights when called by the SCCM Agent:


And there you have it. Simples! 🙂


By | 2016-10-14T17:30:52+00:00 March 27th, 2015|PowerShell App Deployment Toolkit|2 Comments

PSAppDeployToolkit: Get the benefits without writing a single line of PowerShell

Edit: Hey! We just made this obsolete with v3.6.1 of the toolkit. It’s all in-built now! 🙂

One of the primary goals of the PowerShell App Deployment Toolkit is to simplify complex scripting operations to deploy applications. It does however, require that you know PowerShell to some degree, even though a lot of the in-built functionality is going to shield you from a lot of the complexity. This applies to even the most basic of installations. You’re going to need to populate the template provided with a few basic details.

I wanted to see if I could remove the need for any editing of the provided template. What I’ve come up with will be really handy for PowerShell beginners looking to evaluate the toolkit’s functionality, and allow you to rapidly create an application deployment. To that end, I’ve created a customized version of the template which does the following:

  • Searches the Files subfolder for a Windows Installer installation (MSI) and any custom transform
  • Pulls Windows Installer properties from the MSI file and uses them for the deployment
  • Prompts to close any applications specified with the -CloseApplications parameter if they are open
  • Installs / Uninstalls the application

How to use the dynamic Deploy-Application.ps1:

  • Download a copy of the toolkit from here
  • Overwrite Deploy-Application.ps1 with this version from here
  • Drop your MSI (and MST if you have one) into the Files subfolder
  • Create a new SCCM Application / Package with these source files
  • Include the -CloseApplications parameter if needed, e.g.
    • Deploy-Application.exe Install -CloseApplications “iexplore,firefox,chrome”
    • Deploy-Application.exe Uninstall -CloseApplications “iexplore,firefox,chrome”

The benefits of using the toolkit without any customization are still quite apparent:

  • Consistent user experience for closing applications and displaying installation progress, all localized in numerous languages
  • Logging of all Windows Installer install / uninstall operations, as well as logging from the toolkit itself
  • Integration with SCCM 2007 / 2012 in terms of exit codes, reboot suppression and fast retry


By | 2016-10-14T17:30:53+00:00 May 14th, 2014|PowerShell App Deployment Toolkit, Tutorials|0 Comments

PowerShell App Deployment Toolkit

Myself and my good friend Sean Lillis have been working on a neat project for the last few months. Here’s a bit of the blurb:

The PowerShell App Deployment Toolkit provides a set of functions to perform common application deployment tasks and to interact with the user during a deployment. It simplifies the complex scripting challenges of deploying applications in the enterprise, provides a consistent deployment experience and improves installation success rates.

We’ve set up a CodePlex site for the project and have published the initial public release, along with some very extensive documentation. Head on over to the link below to take a look!

By | 2016-10-14T17:30:53+00:00 August 7th, 2013|PowerShell App Deployment Toolkit|0 Comments