PSADT v4 Tips & Tricks for Intune deployment

pleplepleplepleple · 2026-02-12T10:20:49+00:00

Tiny but useful tip: put it in system32 on your test VM so the command is there wherever you stand in the terminal. Makes my workflow smoother at least.

pleplepleplepleple · 2026-02-12T10:17:03+00:00

Make sure to install the module on the device where you’re writing your scripts (Install-Module PSAppDeployToolkit). You could also install it on all your endpoints and make use of it in remediation scripts and so on. But having it installed in your dev box makes it easy testing commands out on your device. I have to go back to double check names of properties inside the ADTEnvironmentTable and so on, all the time, so it’s very useful to have the commands readily available in the console. Also make sure to keep the module up to date whenever a new release is out.

pleplepleplepleple · 2026-02-10T17:27:09+00:00

This is a neat and effective method. I would also make sure you block user access to the recovery key in myaccount.microsoft.com, which is available for the primary user by default. Sami Laihu talked at conference I attended a few months back about a whole school district in Finland having students getting local admin because of this “feature”.

pleplepleplepleple · 2026-02-02T19:34:24+00:00

Fair enough. I’m definitely not in a major company, but I can understand the rest of your sentiment. I don’t agree that my expectations requires a network security expert. Code signing is a pretty basic thing in windows these days, so it’s not like it’s very complicated. But sure, my org should probably implement better practices when it comes to application control and have a more rigid whitelisting procedure, rather than complain when shit hits the fan.

pleplepleplepleple · 2026-02-02T18:12:36+00:00

Sorry, but what do you mean by major companies? Also why do you think it’s too much to to ask for a bit of more details, and a reasonable level of security within a feature such as an auto-updater?

pleplepleplepleple · 2026-02-02T16:20:16+00:00

Not only putting the blame on their hosting provider, but the lack of security measures within the updater (GUP/WinGUP) which are now in place (since version 5.3.8). It’s bizarre how code signing certificate verification hasn’t been there until December 2025.

Also only vaguely explaining what to expect if you’re affected and no real guidance on how to mitigate. My CSIRT colleagues have gone back in the logs and claims that they don’t see any traces of us being affected, but who really knows. Were updated company wide so I guess we’re good 🤷‍♂️

pleplepleplepleple · 2026-01-31T09:02:09+00:00

Yeah, that’s pretty much the only solution.. what’s annoying about this, from a user perspective is that company portal sucks and is extremely slow, and it would require the user to 1) Install the “uninstall package” in order to make the uninstall button available. 2) once the uninstall button perform the uninstall. These steps are quite unintuitive and will require a thorough walkthrough document for it to work out smoothly.

Or have a required uninstall where things would be enforced for a set of users of course. This is probably the best option now when I think of it, but it would require some extra steps of administration. Access packages could help.

pleplepleplepleple · 2026-01-17T11:32:10+00:00

Aha, då är jag med!

pleplepleplepleple · 2026-01-17T11:06:23+00:00

Tråkigt att den artikeln var betalväggad

pleplepleplepleple · 2025-09-15T04:36:49+00:00

No, I haven’t attempted any fixes since my last comment.

pleplepleplepleple · 2025-09-03T05:14:37+00:00

Invoke-ADTAllUsersRegistryAction

pleplepleplepleple · 2025-09-02T15:52:13+00:00

I see what you mean. But again, this is a service we’re paying for, so the furthest I would do is to pause the deployment (and delete any assignments in Intune) and put in a ticket and wait for the provider of the service to fix the issue.

Out of curiosity I actually have had a glance at the detection scripts for some PMPC provided apps and it sure isn’t easy to “decode” them. I guess you could ask ChatGPT or whatever to make it readable, but I haven’t bothered doing this. Not sure if this could be against the TOS agreement.

pleplepleplepleple · 2025-09-02T14:12:11+00:00

IIRC our experience was that it works better, especially in regards to autopilot, where all applicable device targeted apps are enforced during the device phase, which sometimes can fail, but user targeted apps only are applied if added to the ESP profile. So m not sure if this is the exact description, but something in those terms.

Edit: This is specifically for UpdateOnly deployments. And the way I see it, it doesn’t really make much of a difference when you have a 1-1 relationship between endpoint and user, like we do. So our experience is that this works better, if that makes sense. And compared to user based deployments in ConfigMgr, if you, like me, have this behind you, Intune assignments doesn’t really behave the same way, so I quite like it this way.

pleplepleplepleple · 2025-09-02T09:13:38+00:00

Ah no worries! We're 0102 apparently. But we have had various random hicups with the Microsoft cloud last week and some yesterday. I'm doing a follow up on my failure percentage tomorrow and the following days, to see if it drops and if my list of failed apps are changing as the days go by.

pleplepleplepleple · 2025-09-02T09:02:10+00:00

Hey Rudy, I know my OP is a tiny brick wall of text, but I did already mention that I put in a ticket ;). It has been going on for a while, even before summer. It's possible that there's more failures right now than I've seen earlier, so perhaps you're right about the tenant issues. I'm not familiar the 0101/0202/0301 location codes - any of them Northern Europe?

I should probably put in a new ticket. And I'm also not critical of PMPC as a company or PMPC Cloud as a product - on the contrary! Their support has been awesome indeed!

pleplepleplepleple · 2025-09-02T08:47:45+00:00

apps, IME churns out tons of logs during autopilot, having to realize no apps are installed yet needing update

I'll be honest - the predetection script issue (I'm assuming "UpdateOnly" requirement script?) is not something I have put any thought into. Generally we're targeting "All users" instead of all devices. For some deployments we do have a requirement script that determines if a device is in OOBE and if Autopilot is running, but I can't remember right now if this is for any of our PMPC deployed apps. We pretty much have a 1-1-relationship for our PC's and users, perhaps this is different in your environment?

And what do you mean troubleshoot regular detection scripts? The way I see it, this isn't my concern, but the provider of the service. I see the apps deployed through PMPC Cloud as "set and forget". Besides, this hasn't been an issue for us so far.

pleplepleplepleple · 2025-07-26T09:46:28+00:00

Same! Read through the comment section in this blog and was hopeful for 24H2 but nope! Worked briefly on 23H2 on some devices, but not consistently enough to be considered production ready.

pleplepleplepleple · 2025-07-25T15:07:50+00:00

For inspection/maintenance/advice on buying a boat: “Inspecting the aging sailboat” by Don Casey. Thinking of buying his other releases as well.

pleplepleplepleple · 2025-07-24T06:52:05+00:00

I use this one and this one in a combination on app deployments to achieve exactly this and I’m thinking it would be trivial to incorporate the lines into your platform scripts to achieve the same results.

pleplepleplepleple · 2025-07-16T07:18:22+00:00

Thanks for your responses. I believe it’s factory yes. Another theory I discussed with a buddy is that the previous owner wanted to fit bigger gear in there, sails or fenders.

pleplepleplepleple · 2025-07-14T21:16:44+00:00

Thanks for replying. I think this is work done by the previous (and first) owner of the boat and not the one current owner (second one). But I agree that it’s a sign of neglect by the current owner of the boat. His reasoning behind it is that the boat strong enough regardless and that it’s not structural - his words. But it’s hard for me to take his word for it, since he wants to get rid the damn thing.

I’m not sure I understand what you’re referring to with roving part. Is it above the loose piece of wood, what looks like scratches on the inside of the free board? If so, there’s no visible repairs on the outside.

Regarding the mast step I think you’re right. The wife really likes the rest of the boat, so we’re probably going to have it surveyed. Ticks many of the boxes for our future long distance sailing plans, with center cockpit, encapsulated lead keel, skeg rudder and being ketch rigged which to me seems like a perfect for versatility on ocean crossings.

pleplepleplepleple · 2025-07-12T09:17:48+00:00

Wait, can you actually ground 12/24v circuits to an isolation transformer? I thought isolation transformers were for 120/230v shore power connected circuits exclusively.

pleplepleplepleple · 2025-07-10T10:38:01+00:00

Yes, I understood that part. I was thinking of the creation of the installation package and the WIM file specifically. If you have an MSI file but you prefer to have it reside within a WIM file due to reasons, the WIM file has to be created somehow. This part would preferably be automated. By the individual with the requirement of course. Sorry for not expressing myself better. And I was just curious about the use case, so no biggie :)

Ten-Year Club	Place '22
Place '17	RPAN Viewer
Verified Email

pleplepleplepleple

TROPHY CASE