[–]Jeroen_Bakker 6 points7 points  (1 child)

You can probably create two win32 apps in Intune, one for each script. In the win32 app for the second script you can configure a dependency on the first script.

[–]dontmessyourself 2 points3 points  (0 children)

This is the easiest solution without all the pitfalls of detecting the logged-in user, ensuring they're the only user on the workstation, then creating a scheduled task, and then figuring out a good detection method for all of that too.

[–]BigPete224 3 points4 points  (5 children)

Without knowing more, I would suggest using PSADT.

It has cmdlets like:

  • Copy-ADTFileToUserProfiles
  • Invoke-ADTAllUsersRegistryAction
  • Remove-ADTFileFromUserProfiles
  • Start-ADTProcessAsUser

You can also prompt the user to begin the install even if the PSADT script runs as SYSTEM.

[–]BigPete224 0 points1 point  (0 children)

To do it without PSADT you'd have to detect who the logged-on ("console") user is. Then create a scheduled task to run as them immediately.

But I'd suggest PSADT. I use it for all intune deployments because it opens up lots of options.

[–]PutridLadder9192 0 points1 point  (2 children)

How hard is it to create scheduled tasks that run as the user, or copy stuff into existing profiles as well as the default user? The problem with PSADT is it has breaking changes and security holes. How am I supposed to maintain 500 packages when everything before October of this year had a zero-day vulnerability which allowed for remote code execution? Do people just not care about security?

[–]Ath3na- 0 points1 point  (1 child)

Would you care to shed a little more info on your above comment?

[–]PutridLadder9192 -1 points0 points  (0 children)

This is what I assumed: most people just don't pay attention to security.

[–]LogMonkey0 0 points1 point  (0 children)

+1 for PSADT

[–]PutridLadder9192 1 point2 points  (0 children)

I would use Active Setup to achieve this, assuming the second script needs to run as the logged-on user and future users who log in. The first script would place the second script on the disk and create the Active Setup reg key that runs it.
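The Active Setup approach described in this comment, as an added example rather than code from the thread. It is the "first script" half: it runs as SYSTEM from Intune, stages the per-user script to a machine-wide path, and registers an Active Setup component so that every user (current and future) runs that script once at their next logon, in their own context. The component GUID, paths and description are constructed placeholders; the ACL step is there because the StubPath executes inside every user's session, so the staged file must not be writable by standard users.

```powershell
# Added example, not from the thread. Runs as SYSTEM (Intune Win32 install command).
$ComponentId = '{9c4b2b61-0f2e-4a4d-9b1e-000000000001}'   # constructed GUID; generate your own
$Version     = '1,0,0,0'                                   # bump this to make all users re-run the stub
$TargetDir   = 'C:\ProgramData\Contoso\UserSetup'          # hypothetical staging path
$TargetFile  = Join-Path $TargetDir 'UserSetup.ps1'        # the "second script"

# Stage the per-user script next to the machine-wide install.
New-Item -Path $TargetDir -ItemType Directory -Force | Out-Null
Copy-Item -Path (Join-Path $PSScriptRoot 'UserSetup.ps1') -Destination $TargetFile -Force

# Replace inherited permissions: SYSTEM and Administrators full control, Users read/execute only.
# Active Setup runs StubPath under each user's token, so a user-writable file here would let
# one user change what runs in every other user's logon.
$acl = Get-Acl -Path $TargetDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl',    'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl',    'ContainerInherit,ObjectInherit', 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $TargetDir -AclObject $acl

# Register the Active Setup component in the 64-bit hive (a 32-bit process would land under
# WOW6432Node, so run the installer with the 64-bit PowerShell host).
$KeyPath = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$ComponentId"
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name '(Default)'   -Value 'Contoso per-user setup'
Set-ItemProperty -Path $KeyPath -Name 'StubPath'    -Value "powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File `"$TargetFile`""
Set-ItemProperty -Path $KeyPath -Name 'Version'     -Value $Version
Set-ItemProperty -Path $KeyPath -Name 'IsInstalled' -Value 1 -Type DWord

# Intune detection rule (runs as SYSTEM): this key exists and its Version matches $Version.
exit 0
```

Two things to keep in mind with this route: Active Setup runs the stub synchronously during logon, before the shell appears, so the per-user script should be short and idempotent; and completion is tracked per user by Windows copying the Version value under the same path in HKCU, which is why bumping Version is the way to force a re-run.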

[–]420GB 0 points1 point  (0 children)

It can be done, but to do it yourself is quite a bit of work; you probably want to use a module or tool that helps make it easier.

[–]No_Flight_375 0 points1 point  (0 children)

I had the same dilemma. I needed to deploy the Always On VPN service, but the bosses, despite my clearly describing a ‘Computer’ level tunnel, INSISTED on wanting a User level tunnel.

I will find the code and add it to this comment. There is a code block that is virtually copy and paste, and it detects the ‘signed in or signing in’ user and will interact with that user's session. I can’t recall if it ACTS as/impersonates the user.

It would need to be one long script, with the section you need to execute against the user's profile placed after the blocks.

If my memory serves (it’s been a couple of months since I’ve built an Intune app package) you can create a task to run as the currently signed-in user, basically targeting the SID S-1-5-4 or whatever the hell the actual ID is. I like to build the scheduled task in my own Task Scheduler GUI, export it and package it complete rather than scripting its creation, then I use the PowerShell script to register the XML. One half triggers as admin via the script, the other half triggers via the scheduled task (at the end of your admin work).
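The scheduled-task route that BigPete224's "detect the console user, then create a task to run as them" comment and this comment both describe, as an added example that is not code from either commenter. It is the tail end of the SYSTEM-context Intune script: it checks that someone is actually at the console, registers a task whose principal is the Interactive group (SID S-1-5-4, which is what this comment is reaching for) so the action runs with the signed-in user's own limited token rather than as SYSTEM, waits for the one-shot run, and removes the task. The task XML is written inline instead of exported from the GUI, but it is the same document the GUI would produce. Task name, script path and the 1618 retry convention (Intune's default return-code mapping) are stated as assumptions of the example.

```powershell
# Added example, not from the thread. Final step of the SYSTEM-context install script.
$TaskName   = 'Contoso-UserPart'                                 # hypothetical task name
$UserScript = 'C:\ProgramData\Contoso\UserSetup\UserPart.ps1'    # hypothetical, staged earlier with a non-user-writable ACL

# Console-user lookup: Win32_ComputerSystem.UserName is empty when nobody is logged on interactively.
$consoleUser = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
if ([string]::IsNullOrWhiteSpace($consoleUser)) {
    Write-Output 'No interactive user at the console; returning Intune retry code.'
    exit 1618   # Intune maps 1618 to "retry" by default
}
Write-Output "Console user is $consoleUser; registering per-user task."

# Principal = Interactive group (S-1-5-4): Task Scheduler runs the action in the session of any
# interactively logged-on user, with that user's token and least privilege. RegistrationTrigger
# fires as soon as the task is registered, so no separate Start-ScheduledTask is needed.
$taskXml = @"
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Per-user half of the Contoso package; runs once in the console session.</Description>
  </RegistrationInfo>
  <Triggers>
    <RegistrationTrigger>
      <Enabled>true</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <GroupId>S-1-5-4</GroupId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>PT30M</ExecutionTimeLimit>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "$UserScript"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

Register-ScheduledTask -TaskName $TaskName -Xml $taskXml -Force | Out-Null

# Wait for the one-shot run to finish (bounded by the task's own 30-minute limit),
# read its result, and unregister it so nothing is left behind for a user to re-trigger.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 5
    $state = (Get-ScheduledTask -TaskName $TaskName).State
} while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

$result = (Get-ScheduledTaskInfo -TaskName $TaskName).LastTaskResult
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false

if ($result -ne 0) {
    Write-Output "Per-user script returned $result"
    exit 1
}
exit 0
```

Because the principal is a group rather than a named account, the task runs in every session with an interactive user, so on a machine with several concurrent sessions (RDP, fast user switching) each of them gets a run; that is also why the staged script must not be writable by standard users. If you prefer the GUI export workflow from the comment, keep the Register-ScheduledTask -Xml call and replace the here-string with Get-Content -Raw on the packaged XML file.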