• Alex

How-To: Deploy PSADT with Workspace ONE as System breaking through Session 0

Updated: Dec 27, 2020

As I found some spare time during holidays I wanted to finally publish this post.

Hope you find it useful.


As usual we start with the "Why"

In one of my recent projects we needed to deploy/install Win32 applications that run in System context but require the ability to interact with the user.


For two main reasons:

  1. Prompt User to close a running application

  2. Allow the User to postpone the installation


Some of you might already be familiar with the PowerShell App Deployment Toolkit (PSADT for short). Just to highlight some of its incredible capabilities, which made it the #1 choice to address our challenge:

  • Provides a set of functions to perform common deployment tasks, such as installing or uninstalling applications, prompting users to close apps, setting registry keys, copying files, etc.

  • Provides user interaction through customizable user interface dialog boxes, progress dialogs, deferral options or balloon tip notifications.

  • UI is localized in several languages

  • Works with VMware Workspace ONE UEM (more about the integration below)

  • Community-driven and Open Source

All good, so why write a blog post, you may ask? Because there is one challenge PSADT does not address: the ability to launch an application installation/uninstallation in System context while still being able to interact with the user context. Microsoft's security control prevents user processes from interfering with system processes.

  • Session 0 hosts system processes, which includes the system app install process

  • Session 1 hosts User logon and user-initiated processes

  • Session 2-99 hosts user-initiated processes on multiuser environments


ServiceUI.exe to the rescue

To get around this issue, Microsoft created a little tool called ServiceUI.exe a decade ago. It is packed into the Microsoft Deployment Toolkit (aka MDT), which can be downloaded here.


Its sole purpose:

Execute program interactively in target session. Must run from SYSTEM context. If no session is specified, program will run in session connected to keyboard/mouse (console).

After installing MDT you will find the x86 and x64 binary under

C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x64, and

C:\Program Files\Microsoft Deployment Toolkit\Templates\Distribution\Tools\x86


Bring it all together

Unfortunately, during my tests a simple execution of

ServiceUI.exe <executableofyourchoice> 

using WS1 UEM did not run reliably enough. In addition, our packaging team wanted a template structure to repeatably create and test future applications; therefore I've added another long-time friend to the kit: PSExec from Sysinternals. I will explain later why.


The Template Folder Structure

1. PSADT Core Files - Used the Standard PSADT Files and Folders plus

  • Added custom AppDeployToolkitBanner.png and AppDeployToolkitLogo.ico

  • Modified AppDeployToolkit.xml to serve our needs (eg. dialog positioning, default log-paths, balloon-tip behavior, etc)

2. WS1 Kick-Off Files - these two are executed by Workspace ONE UEM (or Intune, or ...)

3. Detection Details - used to document how to detect that the application is installed

4. Helper Tools - provide both versions (x64 and x86) in case needed

  • Copy/Rename PSExec.exe downloaded from Microsoft Sysinternals

  • Copy/Rename ServiceUI.exe from MDT Templates\Distribution\Tools folders
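
Because the renamed helper binaries end up running as SYSTEM on every device, it is worth checking them before a package is zipped. The following is an added example, not part of the original template: the helper file names are taken from the kick-off files below, while the `$TemplateRoot` parameter and the expectation that both helpers carry a valid "Microsoft Corporation" Authenticode signature are assumptions.

```powershell
# Added example (not from the original post): check the helper binaries of a
# PSADT template folder before it is zipped and uploaded.
param(
    [string]$TemplateRoot = '.',                          # assumption: folder that holds _install.bat
    [string[]]$Helpers = @('PSExecx64.exe', 'ServiceUIx64.exe'),
    [string]$ExpectedSigner = 'Microsoft Corporation'     # assumption: expected publisher name
)

function Test-HelperBinary {
    param([string]$Path, [string]$Signer)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ File = $Path; Ok = $false; Reason = 'file missing' }
    }

    # Authenticode status and the common name of the signing certificate
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $actual = ''
    if ($sig.SignerCertificate) {
        $actual = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }

    # A renamed file keeps its embedded version resource, which shows what it really is
    $version = (Get-Item -LiteralPath $Path).VersionInfo

    $reason = ''
    if ($sig.Status -ne 'Valid') {
        $reason = "signature status $($sig.Status)"
    } elseif ($actual -ne $Signer) {
        $reason = "unexpected signer '$actual'"
    }

    [pscustomobject]@{
        File             = Split-Path -Leaf $Path
        OriginalFilename = $version.OriginalFilename
        FileVersion      = $version.FileVersion
        Signer           = $actual
        Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Ok               = ($reason -eq '')
        Reason           = $reason
    }
}

$results = foreach ($name in $Helpers) {
    Test-HelperBinary -Path (Join-Path $TemplateRoot $name) -Signer $ExpectedSigner
}
$results | Format-Table File, OriginalFilename, Signer, Ok, Reason -AutoSize

# Non-zero exit code lets a packaging pipeline stop on a bad helper
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Recording the SHA-256 values from a known-good run in the "Detection Details" document gives the packaging team something to compare against when the template is reused.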


The content of the two Kick-Off Files is simple and only needs to be changed in case x86 is required for execution. The command instructs PSExec to launch a ServiceUI process in System context (-s), interactively (-i), and to accept the EULA.

ServiceUI will then call Deploy-Application.exe, which executes/displays whatever is specified in Deploy-Application.ps1.


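_install.bat

@Echo off
REM Call the helpers by full, quoted path so a package folder containing spaces still resolves
"%~dp0PSExecx64.exe" -si -accepteula "%~dp0ServiceUIx64.exe" "%~dp0Deploy-Application.exe"

_uninstall.bat

@Echo off
REM Same chain; the Uninstall argument is passed through to Deploy-Application.exe
"%~dp0PSExecx64.exe" -si -accepteula "%~dp0ServiceUIx64.exe" "%~dp0Deploy-Application.exe" Uninstall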
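
To confirm on a test device that this chain really lands the deployment as SYSTEM in the user's session rather than in Session 0, the context can be logged from inside the script. This is an added example, not part of the original post or of PSADT; the function name `Get-LaunchContext` and calling it near the top of Deploy-Application.ps1 are assumptions.

```powershell
# Added example: report the security context a deployment script is running in.
function Get-LaunchContext {
    [CmdletBinding()]
    param()

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # S-1-5-18 is the well-known SID of the LocalSystem account
    $isSystem = $identity.User.Value -eq 'S-1-5-18'

    # Session of the current process: 0 = services, 1 and up = user logons
    $sessionId = (Get-Process -Id $PID).SessionId

    # Sessions that currently host a user shell, i.e. where a dialog would be visible
    $shellSessions = @(Get-Process -Name explorer -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SessionId -Unique)

    [pscustomobject]@{
        User          = $identity.Name
        IsSystem      = $isSystem
        SessionId     = $sessionId
        ShellSessions = $shellSessions
        UiReachable   = ($shellSessions -contains $sessionId)
    }
}

$ctx = Get-LaunchContext
$ctx | Format-List

if ($ctx.IsSystem -and -not $ctx.UiReachable) {
    # Typical result when the script is started directly by the management agent
    Write-Warning "Running as SYSTEM in session $($ctx.SessionId): dialogs will not reach a user desktop."
} elseif (-not $ctx.IsSystem) {
    Write-Warning "Not running as SYSTEM ($($ctx.User)): machine-wide install steps may fail."
}
```

When the chain works, the output shows IsSystem and UiReachable both True, which also means every dialog the toolkit displays on the user's desktop belongs to a SYSTEM process.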

If combined with the deferral feature of Workspace ONE UEM, which was introduced in version 2006, you get a very decent user experience.

Brooks Peppin wrote an excellent article on "App Install Deferrals (PSADT) with Workspace ONE" which I can highly recommend reading.


Closing Words

Our packaging team has meanwhile switched over to PSADT for every application, even if no user interaction is required.

They love all the advantages the Toolkit brings to their daily operations (e.g. out-of-the-box logging, registry and file handling, checking prerequisites, ...), the ability to streamline application deployment (create, test, zip, upload and simply execute _install.bat) as well as the consistency (every new app starts by extracting the PSADT Template).


Mission accomplished.


Bonus Round

Just in case you like to use the Banner I have created - here you are:

  • AppDeployToolkitBanner_Intune.png (PNG, 17KB)

  • AppDeployToolkitBanner.png (PNG, 17KB)

  • AppDeployToolkitLogo.ico (ICO, 15KB)


© 2020 by Alexander Askin