I created an Endpoint Manager Packaging Script which downloads the installer, packages it, uploads it to Intune and assigns it. But first things first: credit goes to Nickolaj Andersen and his module, which made it all possible.
This is part 1, where I show you how the script works with 2 examples. Part 2 features the implementation of this script in an Azure DevOps pipeline, linked below: (need to write them still)
2. Part 2: Creating a packaging pipeline.
3. Part 3: Publishing the package as an artifact to a storage account
So, what does the script really do? The script downloads an application installer to a folder (C:\Packaging\(ApplicationName), created in the process). After that, if needed, installation scripts are built and the application is packaged as a Win32App file. Next, the upload starts for the Win32App file. Lastly, the assignment of the Win32App happens. This can be: “All Users, All Devices & Existing or New Azure AD Group”.
This is possible for .MSI files and .EXE files. I will show an example of each with the script.
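The script packages and assigns whatever the download URL returns, so a check of the installer before packaging is a useful gate. The following is an added example, not part of the author's script: `Test-InstallerTrust`, its parameters and the staging folder are hypothetical names, and the expected hash is a placeholder you take from the vendor's release page.

```powershell
# Added example, not part of the original packaging script.
# Test-InstallerTrust and its parameters are hypothetical names.
function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][uri]$DownloadURL,
        [Parameter(Mandatory)][string]$ExpectedSha256,   # published by the vendor
        [string]$ExpectedSigner,                          # optional: text expected in the signer subject
        [string]$StagingFolder = (Join-Path $env:TEMP 'InstallerCheck')   # assumed location
    )

    if ($DownloadURL.Scheme -ne 'https') {
        throw "Refusing non-HTTPS download URL: $DownloadURL"
    }

    New-Item -ItemType Directory -Path $StagingFolder -Force | Out-Null
    $file = Join-Path $StagingFolder ([IO.Path]::GetFileName($DownloadURL.LocalPath))
    Invoke-WebRequest -Uri $DownloadURL -OutFile $file -UseBasicParsing

    # 1. Pinned hash: fails if the file behind the URL was replaced or altered.
    $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {          # string -ne is case-insensitive
        Remove-Item -Path $file -Force
        throw "SHA-256 mismatch for $file. Expected $ExpectedSha256, got $actual"
    }

    # 2. Authenticode: enforced only when a signer is pinned, because not every
    #    vendor signs its installers.
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($ExpectedSigner) {
        if ($sig.Status -ne 'Valid') {
            throw "Signature status is '$($sig.Status)' for $file"
        }
        if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSigner*") {
            throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
        }
    } elseif ($sig.Status -ne 'Valid') {
        Write-Warning "Installer is not validly signed (status: $($sig.Status))"
    }

    [pscustomobject]@{ Path = $file; Sha256 = $actual; SignatureStatus = $sig.Status }
}

# Usage with $DownloadURL as defined in the examples in this post;
# the hash is a placeholder, not a real value:
# Test-InstallerTrust -DownloadURL $DownloadURL -ExpectedSha256 '<SHA256-FROM-VENDOR>'
```

Because the packaging script performs its own download, this gate covers the file served at check time; placing the same two checks inside the script directly after its download step closes that gap.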
Prerequisites:
There are no prerequisites!
- The script creates the folders needed to package the application.
- PowerShell modules needed to create, upload and assign the package are installed automatically.
Endpoint Manager Packaging Script Syntax & Examples
I posted the script on my GitHub. Check out the link below:
Script Github Link
.EXE Example:
Firstly, save the script as a .ps1 file.
After that, we need to define some variables:
$PackageType = "EXE"
$PackageName = "Greenshot"
$DownloadURL = "https://github.com/greenshot/greenshot/releases/download/Greenshot-RELEASE-1.2.10.6/Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
$TenantName = "TENANTNAME.onmicrosoft.com"
$Assignment = "Greenshot"
$InstallArgs = "/VERYSILENT /NORESTART"
$UninstallArgs = "TASKKILL /F /IM Greenshot.exe; '%ProgramFiles%\Greenshot\unins000.exe' /VERYSILENT /NORESTART"
$DetectionArgs = "Get-ChildItem 'C:\Program Files\Greenshot\Greenshot.exe'"
Let’s explain these variables:
PackageType: This is the type of application you want to install. In the case of Greenshot, it is an EXE type of application.
PackageName: This is the name of the application. It is used as the packaging folder name and as the name of the Intune application.
DownloadURL: The url where you can download the installer from.
TenantName: Name of your Microsoft 365 tenant. (Use accordingly)
Assignment: This can be All Users, All Devices or a Custom Name. Furthermore, when a custom name is used, a new or existing Azure AD Group is assigned to the application. In the example, we use a new custom group.
InstallArgs: Arguments to install the application silently.
UninstallArgs: Arguments to remove the application silently.
DetectionArgs: PowerShell code to detect the application. In addition, this script only needs to return a 0 for Intune to detect it as successfully installed.
After that, add the following code to the code above:
PATHTOFILE\IntuneDevOpsPackaging.ps1 -PackageType $PackageType `
    -PackageName $PackageName `
    -DownloadURL $DownloadURL `
    -TenantName $TenantName `
    -Assignment $Assignment `
    -InstallArgs $InstallArgs `
    -UninstallArgs $UninstallArgs `
    -DetectionArgs $DetectionArgs
This should be the result in your PowerShell editor:
After that, run the code!
Firstly, the folders appear:
After that, time to check the modules:
Next, the package process starts:
Input:
Process:
Output:
That package is uploaded to Microsoft Endpoint Manager. You get an authentication prompt for Microsoft Endpoint Manager:
After that, this is the output:
Lastly, the assignment part starts. You get an authentication prompt for Azure AD:
After that, the script detects if the group exists or not. If it does not, a new group gets created. Shown in the example:
This is assigned to the application in Intune.
Lastly:
A cleanup job removes the packaging folder, so your PC/agent stays clean.
Intune Output:
And the assignment:
.MSI Example:
In addition, I will make this example shorter than the one before. The output is exactly the same, only the package name differs. We will package and upload the 7-Zip application.
Furthermore, I will show you the input code:
$PackageType = "MSI"
$PackageName = "7-Zip"
$DownloadURL = "https://www.7-zip.org/a/7z1900.msi"
$TenantName = "TENANTNAME.onmicrosoft.com"
$Assignment = "7-Zip"
D:\GIT\NKO\PSScripts\Intune\_IntuneDevOpsPackaging.ps1 -PackageType $PackageType `
    -PackageName $PackageName `
    -DownloadURL $DownloadURL `
    -TenantName $TenantName `
    -Assignment $Assignment
Far fewer variables and arguments are needed because the metadata which holds the install information is extracted from the MSI/Intunewin file. This is the code which performs these actions:
Output:
I hope you enjoyed reading this post about the Endpoint Manager Packaging Script. Check out the other parts:
2. Part 2: Creating a packaging pipeline.
3. Part 3: Publishing the package as an artifact to a storage account
References
Again the link to the IntuneWin32App module.
I'm having a problem with Graph:
Greenshot.intunewin
VERBOSE: Current authentication token expires in (minutes): 45
VERBOSE: Attempting to gather additional meta data from .intunewin file: C:\Packaging\Greenshot\Output\Greenshot.intunewin
VERBOSE: Successfully gathered additional meta data from .intunewin file
VERBOSE: Start constructing basic layout of Win32 app body
VERBOSE: Constructed the basic layout for ‘EXE’ Win32 app body type
VERBOSE: Detection rule objects passed validation checks, attempting to add to existing Win32 app body
VERBOSE: Retrieving default set of return codes for Win32 app body construction
VERBOSE: Adding array of return codes to Win32 app body construction
VERBOSE: Attempting to create Win32 app using constructed body converted to JSON content
VERBOSE: POST https://graph.microsoft.com/Beta/deviceAppManagement/mobileApps
WARNING: Request to https://graph.microsoft.com/Beta/deviceAppManagement/mobileApps failed with HTTP Status Forbidden and description: Forbidden
WARNING: Failed to create Win32 app using constructed body. Passing converted body as JSON to output.
Could you help me?
Regards
Hi Frank,
From what I can see in the logs it appears you have a permission issue. Could you check your permissions?
Thanks,
Niels
What kind of log do you need? Regards
Hi Niels,
Your script is awesome, I have tested it with .EXE files and it worked perfectly.
But when I try it with .MSI files I get this error message:
VERBOSE: Current authentication token expires in (minutes): 13
VERBOSE: Attempting to gather additional meta data from .intunewin file: C:\Packaging\gchrome\Output\gchrome.intunewin
VERBOSE: Successfully gathered additional meta data from .intunewin file
VERBOSE: Start constructing basic layout of Win32 app body
WARNING: An error occurred while creating the Win32 application. Error message: Cannot index into a null array.
And then this:
WARNING: Query for Win32 app returned an empty result, no apps matching the specified search criteria was found
Add-IntuneWin32AppAssignmentGroup : Cannot validate argument on parameter ‘ID’. The argument is null or empty. Provide an argument that is not null or empty, and then
try the command again.
At C:\tmp\IntuneConverter.ps1:226 char:56
+ … Add-IntuneWin32AppAssignmentGroup -Include -ID $Win32App.id -GroupI …
+ ~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Add-IntuneWin32AppAssignmentGroup], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Add-IntuneWin32AppAssignmentGroup
Do you maybe have a solution for this?
Hmm, it looks like the script can’t find the package you want to upload. You could try to run the script step by step. See where it goes wrong and what you need to adapt.
Thanks,
Niels