How-To: Deploy PSADT with Workspace ONE as System breaking through Session 0
Updated: Jul 6, 2022
As I found some spare time during the holidays, I wanted to finally publish this post.
I hope you find it useful.
As usual we start with the "Why"
In one of my recent projects we needed to deploy/install Win32 applications running in System context while still being able to interact with the user, for two main reasons:
Prompt User to close a running application
Allow the User to postpone the installation
Some of you may already be familiar with the PowerShell App Deployment Toolkit (PSADT for short); just to highlight some of its incredible capabilities, which made it the #1 choice to address our challenge:
Provides a set of functions to perform common deployment tasks, such as installing or uninstalling applications, prompting users to close apps, setting registry keys, copying files, etc.
Provides user interaction through customizable user interface dialog boxes, progress dialogs, deferral options and balloon tip notifications.
UI is localized in several languages
Works with VMware Workspace ONE UEM (more about the integration below)
Community-driven and Open Source
All good, so why write a blog post, you may ask? Because there is one challenge PSADT does not address: launching an application installation/uninstallation in System context while still being able to interact with the User context. Microsoft's security control (Session 0 isolation) prevents user processes from interfering with system processes, and as a consequence a process in Session 0 cannot show dialogs on the user's desktop.
Session 0 hosts system processes, including the system app install process
Session 1 hosts User logon and user-initiated processes
Session 2-99 hosts user-initiated processes on multiuser environments
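To make the session split above tangible, here is a pre-flight check you can run at the top of a deployment script. It is an added example, not code from the original post or from PSADT; the function name Test-Session0Context is my own. It reports which session the current process lives in, whether it runs as SYSTEM, and whether a console session (the one attached to keyboard/mouse, which ServiceUI targets by default) exists at all.

```powershell
# Added example, not code from the original post or from PSADT.
# Reports the session the current process runs in, whether it runs as SYSTEM, and
# whether a console session exists for ServiceUI to relay dialogs into.
function Test-Session0Context {
    # P/Invoke the session attached to keyboard/mouse; guard so re-running the script
    # in the same PowerShell session does not fail on a duplicate type definition.
    if (-not ('Win32Demo.Wts' -as [type])) {
        Add-Type -Namespace 'Win32Demo' -Name 'Wts' -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
'@
    }
    $processSession = (Get-Process -Id $PID).SessionId
    $consoleSession = [Win32Demo.Wts]::WTSGetActiveConsoleSessionId()
    $isSystem       = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem

    # 0xFFFFFFFF means nobody is attached to the console (e.g. pre-logon, or only RDP sessions).
    $hasConsole = ($consoleSession -ne [uint32]::MaxValue)
    $consoleId  = if ($hasConsole) { $consoleSession } else { $null }

    [pscustomobject]@{
        RunningAsSystem   = $isSystem
        ProcessSessionId  = $processSession
        ConsoleSessionId  = $consoleId
        # Dialogs drawn from Session 0 are invisible; they must be relayed into the console session.
        NeedsServiceUI    = ($processSession -eq 0) -and $hasConsole
        # No interactive desktop reachable at all: a close-apps or deferral prompt would hang forever.
        NoInteractiveUser = ($processSession -eq 0) -and (-not $hasConsole)
    }
}

$ctx = Test-Session0Context
$ctx | Format-List
if ($ctx.NeedsServiceUI) {
    Write-Warning "Running in Session 0: launch through ServiceUI to show UI in session $($ctx.ConsoleSessionId)."
}
if ($ctx.NoInteractiveUser) {
    Write-Warning "No console session: run silently or defer instead of prompting."
}
```

When the kick-off chain described later in the post works, Deploy-Application.exe runs as SYSTEM but in the console session, so RunningAsSystem is true and NeedsServiceUI is false; a true NeedsServiceUI means the package was started directly in Session 0 and any PSADT dialog would never be seen.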
ServiceUI.exe to the rescue
To get around this issue, Microsoft created a little tool called ServiceUI.exe about a decade ago. It is packaged with the Microsoft Deployment Toolkit (aka MDT), which can be downloaded here.
Its sole purpose:
Execute program interactively in target session. Must run from SYSTEM context. If no session is specified, program will run in session connected to keyboard/mouse (console).
After installing MDT you will find the x86 and x64 binaries under
C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64, and
C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86
Bring it all together
Unfortunately, during my tests a simple execution of
using WS1 UEM did not run reliably enough; plus, our packaging team wanted a template structure to repeatably create and test future applications. Therefore I've added another long-time friend to the kit: PSExec from Sysinternals. I will explain why later.
The Template Folder Structure
1. PSADT Core Files - the standard PSADT files and folders, plus:
   - a custom AppDeployToolkitBanner.png and AppDeployToolkitLogo.ico
   - AppDeployToolkit.xml modified to serve our needs (e.g. dialog positioning, default log paths, balloon-tip behavior, etc.)
2. WS1 Kick-Off Files - these two are executed by Workspace ONE UEM (or Intune, or ...)
3. Detection Details - documents how to detect that the application is installed
4. Helper Tools - both versions (x64 and x86) are provided in case they are needed:
   - PSExec.exe, downloaded from Microsoft Sysinternals, copied and renamed
   - ServiceUI.exe, taken from the MDT Templates\Distribution\Tools folders, copied and renamed
The contents of the two Kick-Off files are simple and only need to be changed if x86 execution is required. The command instructs PSExec to launch a ServiceUI process in System context (-s), interactively (-i), and to accept the EULA.
ServiceUI will then call Deploy-Application.exe, which executes/displays whatever is specified in Deploy-Application.ps1.
@Echo off
PSExecx64.exe -si -accepteula %~dp0ServiceUIx64.exe %~dp0Deploy-Application.exe

@Echo off
PSExecx64.exe -si -accepteula %~dp0ServiceUIx64.exe %~dp0Deploy-Application.exe Uninstall
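Because the two helper binaries end up running as SYSTEM on every device that receives the package, a packaging team will want an automated check of the extracted template before it is zipped and uploaded. The following is an added example, not code from the original post or from PSADT; the function name Test-PsadtKit and the root path are my own, and the file names follow the post (_install.bat, PSExecx64.exe, ServiceUIx64.exe, Deploy-Application.exe). It verifies that the kit files are present, that PSExec and ServiceUI carry a valid Microsoft Authenticode signature, and that the install kick-off file still launches Deploy-Application.exe through PSExec -si and ServiceUI.

```powershell
# Added example, not code from the original post or from PSADT.
# Validates an extracted copy of the template before it is packaged for Workspace ONE UEM.
function Test-PsadtKit {
    param([Parameter(Mandatory)][string]$KitRoot)

    $problems = [System.Collections.Generic.List[string]]::new()

    # Files every kit built from the template must contain (names as used in the post / PSADT v3 layout).
    $required = @(
        'Deploy-Application.exe', 'Deploy-Application.ps1', '_install.bat',
        'AppDeployToolkit\AppDeployToolkitMain.ps1', 'AppDeployToolkit\AppDeployToolkit.xml',
        'AppDeployToolkit\AppDeployToolkitBanner.png', 'AppDeployToolkit\AppDeployToolkitLogo.ico',
        'PSExecx64.exe', 'ServiceUIx64.exe'
    )
    foreach ($rel in $required) {
        if (-not (Test-Path -LiteralPath (Join-Path $KitRoot $rel))) { $problems.Add("missing: $rel") }
    }

    # Both helpers are executed as SYSTEM on the endpoint: refuse to ship copies that are
    # unsigned, modified after signing, or signed by anyone other than Microsoft.
    foreach ($tool in 'PSExecx64.exe', 'ServiceUIx64.exe') {
        $path = Join-Path $KitRoot $tool
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $problems.Add("$tool signature status is $($sig.Status)")
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $problems.Add("$tool is not signed by Microsoft: $($sig.SignerCertificate.Subject)")
        }
    }

    # The kick-off line must keep PSExec -si in front of ServiceUI; without it the PSADT dialogs
    # are drawn in Session 0 and the user never sees the close-apps or deferral prompt.
    $bat = Join-Path $KitRoot '_install.bat'
    if (Test-Path -LiteralPath $bat) {
        $content = Get-Content -LiteralPath $bat -Raw
        $pattern = '(?im)^\s*PSExecx64\.exe\s+-si\s+-accepteula\s+%~dp0ServiceUIx64\.exe\s+%~dp0Deploy-Application\.exe'
        if ($content -notmatch $pattern) {
            $problems.Add('_install.bat does not launch Deploy-Application.exe via PSExecx64 -si -accepteula ServiceUIx64')
        }
    }

    [pscustomobject]@{
        KitRoot  = $KitRoot
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Usage: the path is a placeholder for wherever the template was extracted.
$result = Test-PsadtKit -KitRoot 'C:\Packaging\MyApp'
$result.Problems | ForEach-Object { Write-Warning $_ }
if (-not $result.IsValid) { exit 1 }
```

The signature check only establishes that the binaries are genuine Microsoft releases; if your change control requires pinning the exact approved build, extend it with a `Get-FileHash` comparison against the hashes you recorded when the template was created.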
If combined with the deferral feature of Workspace ONE UEM, which was introduced in version 2006, you get a very decent user experience:
Brooks Peppin wrote an excellent article on "App Install Deferrals (PSADT) with Workspace ONE" which I can highly recommend reading.
Our packaging team has meanwhile switched to PSADT for every application, even if no user interaction is required.
They love all the advantages the Toolkit brings to their daily operations (e.g. out-of-the-box logging, registry and file handling, checking prerequisites, ...), the ability to streamline application deployment (create, test, zip, upload and simply execute _install.bat), as well as the consistency (every new app starts by extracting the PSADT template).
In case you would like to use the banner I created, here it is: