Happy May, everyone!
I’ve seen this question popping up quite a bit recently and thought it would make a worthwhile blog post.
There are certainly a number of different ways to approach this, but I have what I think is the most convenient long term solution. Instead of putting the agent installer, in the form of EXE or MSI within Intune, we can package up a PowerShell script that always downloads the most up to date agent. This has the huge benefit of meaning the package in Intune never has to be updated as a newer version of the Agent are released.
First you need to generate an installer token. This token will be utilised in the PowerShell script to allow it to download and install the agent on the machine. Note this token is not allowing blanket access to your Automate, it’s just allowing the requester to see things like your agent installer. Fortunately the legend that is Darren White has put together an Automate script to easily generate the token. You’ll find it here: https://forums.mspgeek.org/files/file/50-generate-agent-installertoken/
Putting together the PowerShell Script
The next step is to create the PowerShell script. Create a file called install.ps1 with the following content. Replace the server with the URL to your Automate server, and put your generated token in to the InstallerToken parameter. Also note you can set the LocationID to whatever you need depending on the company you are deploying to. This is the ID that appears in Automate next to a location (if you can’t see that see your settings in the top right of the Automate thick client and choose to turn on Show IDs).
iex (new-object Net.WebClient).DownloadString('https://bit.ly/LTPoSh'); Install-LTService -Server 'https://your.automate.url' -LocationID 2 -InstallerToken 'YOURTOKENHERE' -Force
It’s important you understand what this is doing. The DownloadString component is essentially pulling the LabTech PowerShell Module at https://raw.githubusercontent.com/LabtechConsulting/LabTech-Powershell-Module/master/LabTech.psm1 in to memory and executing it on whatever machine you deploy to. If you’re utilising this article to install the Automate Agent, you absolutely should consider forking this repository yourself and replacing the DownloadString URL with one you control. The above WILL work, though you’re essentially letting a third party control PowerShell content that is running on your agents which is a VERY BAD IDEA. Simply link your own psm1 that you fork in the same format as https://raw.githubusercontent.com/LabtechConsulting/LabTech-Powershell-Module/master/LabTech.psm1 but just in your own Github repository.
Create a filed called uninstall.ps1 and put the following inside:
iex (new-object Net.WebClient).DownloadString('https://bit.ly/LTPoSh'); Uninstall-LTService -Server 'https://your.server.url' -Force
The same advice applies as above.
We now need to package this script in a format that can be imported in to Intune. This involves generating a .intunewin file. The URL here explains the process in details Prepare a Win32 app to be uploaded to Microsoft Intune | Microsoft Docs but the long and short of it is place the PS1s created above in their own folder, download the IntuneWinAppUtil.exe at GitHub – microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune then run it, point it at the source folder, choose an output folder and that’s it – you have an intunewin file that can be imported in to Intune.
Navigate to https://endpoint.microsoft.com, and go to Apps, then All Apps. Click Add.
Select Windows app (Win32) as the App type.
In Step 1, upload your .intunewin file.
Add a Name, Description and Publisher at a minimum. I would recommend putting effort in to doing this properly, including putting a Logo in place though all that’s strictly necessary is Name, Description and Publisher. Choose Next.
In Install command add:
powershell.exe -executionpolicy bypass .\install.ps1
In Uninstall command add:
powershell.exe -executionpolicy bypass .\uninstall.ps1
For install behaviour, choose System.
If you’re dealing with something that can give specific return codes then you can enter them here, or leave them as default. Choose Next
In Requirements set the limitations you want to apply. For the Automate Agent you can select 64-bit and 32-bit for Operating system architecture. You will need to select a minimum operating system also.
In Detection Rules, choose Manually Configure Detection Rules and click Add. In rule type select File, and in Path place c:\windows\ltsvc. In File or Folder type ltsvc.exe and a detection method of File or Folder exists. Choose No to associate with a 32 bit app on 64 bit clients.
Step 5 gives you the ability to add dependencies. For the Automate Agent nothing is required here.
Step 6 allows you to apply supersedence, again for the Automate Agent nothing is required here.
Step 7 assignments is self explanatory and lets you target the install, making it optional or required. Scope it how you wish. I scope it to All users.
Review and Save, and that’s it!
If you have problems with deployment see https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-app-install
You can force a sync in the Company Portal App or just restart the Microsoft Intune Management Extension service.