Skip to content

Using Powershell App Deploy Tool Kit (PSADT)

What iS PSADT?

PSAppDeployToolkit is a wrapper that we utilize to standardize the applciation packaging process at CERN. The idea being package once and deploy multiple times to the various management software (Intune, MCM) that are utilized at CERN.

Instructions regarding PSADT

  • If you are a NICE Admin
    • Kindly follow the convention established with respect to unified packaging across Intune, MECM and CMF, as described in the Deployments Tab.
  • If you are a Local Admin
    • We heavily recommend that you utilize PSADT, but it is down to your discretion to your specific use case.
    • For more information related to the case study of utilizing PSADT, kindly have a look at this page.

How to install and package - SPADT v4

Varies slightly between versions (v3 and v4), but in essence, it's the same. At its core, there is a template that is reused for all packages.

  • Copy the premade template that is present in \\mecmrepo\APPS\_PSADT Templates

This should leave you with a template that contains the following files.

  • On creating the template, you can proceed to edit the invoke-AppDeployToolkit.ps1 file to suit the package to be deployed.

  • These include 3 sections primarily:

  • The App Variables

    Note: Make sure to keep the value of MarkerAppName consistent across CMF and MCM in order for the marker to function as expected.

  • The installation section (Also includes pre and post install scripts)

  • The un-installation section (Also includes pre and post un-install scripts)

  • You can add further configurations as needed, along with any other scripts as specified in this file. On saving you can close this file.

Note: There are variations to the commands that work for executing processes between v3 and v4. Feel free to have a look at the following commands and docs for the same.

For .exe - Start-Process -Path "$dirFiles\7z2409-x64.exe" -Parameters '/S' For .msi - Start-ADTMsiProcess -Action 'Install' -FilePath 'cernbox-5.3.2.15486.x64.msi' -ArgumentList '/QN /NORESTART'

You can refer the PSADT docs here: PSADT Functions

Also, Make sure to add the Marker in the Post-Installation Part of the Script: 

$markerPath = "HKLM:\SOFTWARE\cern\WindowsMDM\$($adtSession.MarkerAppName)"
if (! (Test-Path $markerPath)) {
    New-item -Path $markerPath -Force | Out-Null
}
New-ItemProperty -Path $markerPath -Name "ManagedBy" -Value $adtSession.ManagedBy -PropertyType String -Force | Out-Null

Note: As of 26.06.2025, this Marker code has been available in the PSADT template provided in \\mecmrepo\APPS\_PSADT Templates. It has been modified to make it flexibile for all deployment mediums, Intune, MCM and CMF

This is to help with co-management with CMF, and will be removed once CMF has been taken down.

  • To launch app installation, you need to invoke the Invoke-AppDeployToolkit.exe command.
    • On Intune, CMF and MCM, its as simple as: 
      For Install: Invoke-AppDeployToolkit.exe -ManagedBy "MCM"
For Uninstall: Invoke-AppDeployToolkit.exe -DeploymentType "Uninstall" -ManagedBy "MCM"

Note: As of 26.06.2025, there is an additional parameter that can be used, the ManagedBy parameter, which specifies if an application is to be managed by Intune, MCM or CMF. It is not compulsory for Intune deployments as the default value specified is Intune. It remains to be a good practice to include it nonetheless.

This is how it looks on manually invoking this command. You can use this for testing the package as well before deployment

Final Result: 

<#

.SYNOPSIS
PSAppDeployToolkit - This script performs the installation or uninstallation of an application(s).

.DESCRIPTION
- The script is provided as a template to perform an install, uninstall, or repair of an application(s).
- The script either performs an "Install", "Uninstall", or "Repair" deployment type.
- The install deployment type is broken down into 3 main sections/phases: Pre-Install, Install, and Post-Install.

The script imports the PSAppDeployToolkit module which contains the logic and functions required to install or uninstall an application.

PSAppDeployToolkit is licensed under the GNU LGPLv3 License - (C) 2024 PSAppDeployToolkit Team (Sean Lillis, Dan Cunningham, Muhammad Mashwani, Mitch Richters, Dan Gough).

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the
Free Software Foundation, either version 3 of the License, or any later version. This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details. You should have received a copy of the GNU Lesser General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.

.PARAMETER DeploymentType
The type of deployment to perform. Default is: Install.

.PARAMETER DeployMode
Specifies whether the installation should be run in Interactive, Silent, or NonInteractive mode. Default is: Interactive. Options: Interactive = Shows dialogs, Silent = No dialogs, NonInteractive = Very silent, i.e. no blocking apps. NonInteractive mode is automatically set if it is detected that the process is not user interactive.

.PARAMETER AllowRebootPassThru
Allows the 3010 return code (requires restart) to be passed back to the parent process (e.g. SCCM) if detected from an installation. If 3010 is passed back to SCCM, a reboot prompt will be triggered.

.PARAMETER TerminalServerMode
Changes to "user install mode" and back to "user execute mode" for installing/uninstalling applications for Remote Desktop Session Hosts/Citrix servers.

.PARAMETER DisableLogging
Disables logging to file for the script. Default is: $false.

.EXAMPLE
powershell.exe -File Invoke-AppDeployToolkit.ps1 -DeployMode Silent

.EXAMPLE
powershell.exe -File Invoke-AppDeployToolkit.ps1 -AllowRebootPassThru

.EXAMPLE
powershell.exe -File Invoke-AppDeployToolkit.ps1 -DeploymentType Uninstall

.EXAMPLE
Invoke-AppDeployToolkit.exe -DeploymentType "Install" -DeployMode "Silent"

.INPUTS
None. You cannot pipe objects to this script.

.OUTPUTS
None. This script does not generate any output.

.NOTES
Toolkit Exit Code Ranges:
- 60000 - 68999: Reserved for built-in exit codes in Invoke-AppDeployToolkit.ps1, and Invoke-AppDeployToolkit.exe
- 69000 - 69999: Recommended for user customized exit codes in Invoke-AppDeployToolkit.ps1
- 70000 - 79999: Recommended for user customized exit codes in PSAppDeployToolkit.Extensions module.

.LINK
https://psappdeploytoolkit.com

#>

Error Handling during tests:

ServiceUI.exe and Larger Installations

  • In the case of a larger installation (For example Visual Studio Community Editions), it would be better to have the PSADT wrapper show pogress and errors of the installation to the user. For this, we can slighlty modify the package creation, by incorporating the ServiceUI.exe file: 
    Install command
ServiceUI.exe -process:explorer.exe Deploy-Application.exe
Uninstall command
ServiceUI.exe -process:explorer.exe Deploy-Application.exe -DeploymentType 'Uninstall'

This helps with exposing the underlying GUI:

  • When deploying applications through Microsoft Intune, the installation script runs in the SYSTEM context by default. This means it operates under the LocalSystem account, which has no direct access to the user's interactive session.
  • ServiceUI.exe is a tool from the Microsoft Deployment Toolkit (MDT) that allows processes running as SYSTEM to interact with the user session.

It effectively:

  • Attaches SYSTEM processes to the interactive user session
  • Allows UI elements (error messages, progress prompts) to appear on the user's screen

Reference Articles:

  • https://discourse.psappdeploytoolkit.com/t/installation-messages-using-serviceui-exe-in-intune/4664/3
  • https://www.anoopcnair.com/intune-to-user-interaction-using-serviceui/

Note The -process:explorer.exe is crucial because it ensures that the installation UI is displayed in the currently logged-in user's session rather than the hidden SYSTEM session. - Intune deployments run in SYSTEM context (NT AUTHORITY\SYSTEM), which operates in Session 0—an isolated Windows session with no graphical user interface (GUI). If you run a UI-based script or application directly from SYSTEM, it will not be visible to the logged-in user.

Storing in \\mecmrepo and Proceeding with Packaging

On completion of packaging an application using PSADT, place it within it's respective app folder inside \mecmrepo\APPS, and proceed to the respective steps for deployment in either Intune or MECM.

The Structure of packaged apps are to follow this convention: 

Vendor folder
    |- App folder
        |- Version folder
            |- Output - Compressed outputs (Eg: .intunewin)
            |- Assets - Logos and other assets
            |- Staging - Contains the PSADT template
                 |- Files - Contains the Package Files (Previously placed in DFS)

Note: Do not leave spaces in App Folder and Vendor Folder, due to issues with how $($adtSession.DirFiles) is set up.