Intune natively supports pushing PowerShell scripts to enrolled devices through the Intune management extension. The drawback of that feature is that scripts can only be assigned as required, and each script runs once per device and is not re-run unless the script itself changes. With support for Win32 apps we can instead wrap a PowerShell script as an app, make it appear in the Company Portal, and let users install and reinstall it at will.
The example in this post updates a registry setting when a user installs the app from the Company Portal.
The script sets scforceoption to 1 (enforced) or 0 (not enforced). scforceoption is the registry value behind the "Interactive logon: Require smart card" policy: when it is 1, users must authenticate with a smart card or Windows Hello for Business and can no longer sign in with a username and password.
WARNING: if you enforce this setting on a device where you do not use smart cards or Windows Hello for Business, you will lock yourself out of that device. Test it on a device you can afford to rebuild, and make sure the uninstall path (value 0) works before you assign it.
param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)   # passed positionally by install.cmd (1) and uninstall.cmd (0)
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$Name = "scforceoption"
# -Force overwrites an existing value. REG_DWORD 1 = require smart card / Windows Hello for Business, 0 = allow password sign-in
New-ItemProperty -Path $registryPath -Name $Name -Value $Value -PropertyType DWORD -Force | Out-Null
Save the script as SmartCard.ps1 in an empty folder. (The original script referenced $value without ever defining it; the param block above takes it from the first argument the .cmd files pass.)
In the folder containing the ps1 file create an install.cmd file. Paste the following code:
powershell.exe -executionpolicy bypass -command "& '.\SmartCard.ps1' 1"
Along with the install.cmd file create an uninstall.cmd file. Paste the following code:
powershell.exe -executionpolicy bypass -command "& '.\SmartCard.ps1' 0"
You should now have a folder containing SmartCard.ps1, install.cmd and uninstall.cmd. Intune runs the install and uninstall commands from the folder where it extracts the package contents, which is why the relative .\SmartCard.ps1 path resolves; if you would rather not rely on the working directory, reference the script as %~dp0SmartCard.ps1 in both .cmd files. -executionpolicy bypass is needed because the script is unsigned.
You now need the Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe) from the official Microsoft GitHub repository, https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool.
Once downloaded, extract the contents, launch a command prompt and change directory to the extracted location. Run IntuneWinAppUtil.exe and answer its three prompts:
1. Please specify the source folder: paste the full path to the folder containing SmartCard.ps1, install.cmd and uninstall.cmd
2. Please specify the setup file: SmartCard.ps1 (the setup file name determines the package name, so you get SmartCard.intunewin)
3. Please specify the output folder: paste any path you want the .intunewin file saved to
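The same packaging step can be run without the interactive prompts, which is handy when you rebuild the package often. The script below is an added example and not part of the original post or the tool's own samples; the tool path C:\Tools\IntuneWinAppUtil and the package folders under C:\Packages are assumptions you should change to your own locations.

```powershell
# Added example (not from the original post): package the folder non-interactively.
# Assumptions: IntuneWinAppUtil.exe extracted to C:\Tools\IntuneWinAppUtil and the three
# files living in C:\Packages\SmartCard. Both paths are placeholders; change them.
$Tool   = 'C:\Tools\IntuneWinAppUtil\IntuneWinAppUtil.exe'
$Source = 'C:\Packages\SmartCard'
$Setup  = 'SmartCard.ps1'          # the setup file name becomes the package name: SmartCard.intunewin
$Output = 'C:\Packages\Out'

# Refuse to package a folder that is missing any of the three files. A package without
# uninstall.cmd still imports into Intune; you only find out when the uninstall fails.
foreach ($f in 'SmartCard.ps1', 'install.cmd', 'uninstall.cmd') {
    if (-not (Test-Path (Join-Path $Source $f))) { throw "Missing $f in $Source" }
}
New-Item -Path $Output -ItemType Directory -Force | Out-Null

# -c source folder, -s setup file, -o output folder, -q quiet mode (no prompts).
& $Tool -c $Source -s $Setup -o $Output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# Confirm the package was actually produced before you go and upload it.
$package = Join-Path $Output 'SmartCard.intunewin'
if (-not (Test-Path $package)) { throw "Expected $package was not created" }
Get-Item $package | Select-Object FullName, Length, LastWriteTime
```

The file checks are deliberate: the tool will happily package whatever is in the source folder, so a missing uninstall.cmd or a misnamed SmartCard.ps1 surfaces as a failed install or uninstall on a device rather than at packaging time.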
Next from the Intune portal > Client Apps select Add App
App Type: Windows app (Win32)
App Package File: Choose your SmartCard.intunewin file
App Information: Fill as you like
a. Install Command: install.cmd
b. Uninstall Command: uninstall.cmd
c. Install Behaviour: System. The script writes to HKLM, which a standard user cannot do, so the user context only works for local administrators.
Requirements: Choose OS and architecture
Detection rules: because the app changes a registry value, the value itself is the detection, so choose the manually configure detection rules option.
a. Rule Type: Registry
b. Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (the full hive name, not the PowerShell HKLM: drive path used in the script)
c. Value Name: scforceoption
d. Detection Method: Integer comparison
e. Operator: Equals
f. Value: 1
Leave "Associated with a 32-bit app on 64-bit clients" set to No. Intune reports the app as installed only while the value is 1, so after uninstall.cmd sets it to 0 the app correctly shows as not installed and can be installed again from the Company Portal.
You can now assign the app as Available for enrolled devices so it shows up in the Company Portal. Bear in mind what that exposes: everyone in the assigned group can turn smart card enforcement on and, through uninstall, off again from the Company Portal, with the script running as SYSTEM. Scope the assignment to the people who should control that setting, and use a Required assignment instead if users should not be able to remove it.
A neat trick if you are struggling with a detection method: have the PowerShell script create an empty marker file in a fixed location (New-Item $path -ItemType File -Force | Out-Null, with -Force so the parent folder is created if it is missing) and choose the file or folder exists detection option. This is not a good detection rule, only a way to get the app to report success: the marker proves the script ran, not that the setting is still in place, and if the file lives somewhere a standard user can write (their profile, for example) they can create or delete it to fake the install state. Put it under a SYSTEM-only path such as a subfolder of %ProgramData% with restricted ACLs, have the uninstall path delete it, and prefer checking the real registry value whenever you can.
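Where a registry rule is not flexible enough, Intune's Win32 app detection also accepts a custom detection script, which avoids the marker-file hack altogether. The script below is an added example, not code from the original post or from Microsoft; it assumes the install state you want to detect is scforceoption = 1 (change $Expected if you repurpose it) and relies on the documented rule that Intune treats the app as detected only when the script exits 0 and writes something to STDOUT.

```powershell
# Added example (not from the original post): custom detection script for the SmartCard Win32 app.
# Intune rule: detected = exit code 0 AND non-empty STDOUT. Any other combination = not installed.
# Assumption: the installed state is scforceoption = 1; uninstall sets it to 0.
$RegistryPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName    = 'scforceoption'
$Expected     = 1

try {
    # Get-ItemPropertyValue throws if the key or value is missing; -ErrorAction Stop makes that catchable.
    $actual = Get-ItemPropertyValue -Path $RegistryPath -Name $ValueName -ErrorAction Stop
} catch {
    # Value absent: report not installed. No output, non-zero exit.
    exit 1
}

if ([int]$actual -eq $Expected) {
    # Matches the installed state: write to STDOUT and exit 0 so Intune marks the app detected.
    Write-Output "$ValueName=$actual"
    exit 0
}

# Present but wrong value (e.g. 0 after uninstall): not installed, so the user can install again.
exit 1
```

Leave "Run script as 32-bit process on 64-bit clients" at No when you upload it. The detection logic mirrors the registry rule from the steps above, but lives in a script you control, so it can be extended to check several values or the marker file and the registry together, and it cannot be satisfied by a user dropping a file into their own profile.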