Rewrite Build-IntuneAppBuilder as parameterized packager#1
Open
Hal-Scriptville wants to merge 107 commits into
Open
Rewrite Build-IntuneAppBuilder as parameterized packager#1Hal-Scriptville wants to merge 107 commits into
Hal-Scriptville wants to merge 107 commits into
Conversation
Windows Auto Update check and remediation script for Intune.
DisableDualScan fix for Intune updates.
Windows Deployment Automation based on updates to T-Minus script
Checks a list of domain for the number of GPOs and counts the number of folders in each domain folder (confirmation of GPO backup).
Server 2022 script to setup NDES feature requirements.
Microsoft NDES validation script.
Remediation script pair for Intune Management Extension health check.
Modified log collection.
Add FSMO roles.
NEW AD Health Check script.
Checks and sets computername via proactive remediation.
Intune Group Policy Analytics cleanup
Retrieve BitLocker keys, device names, and device IDs from Entra using Graph SDK
Intune cache cleanup files for remediation
Message output added
Edited for MDM folder size
Manage application updates/upgrades through Intune remediation scripts.
Enroll a device to Intune that previously failed
Working on porting so Graph SDK
Creates or Adds to a named device group for stale device records based on a specific number of days offline.
Named device group for stale device records will be deleted. Includes Dry-Run option to check first.
This script performs the following actions to reset Windows Update when a Feature Update install has failed: - Stops Windows Update services and related services - Deletes Windows Update cache folders (SoftwareDistribution and catroot2) - Clears pending update entries in the registry - Resets Windows Update component permissions - Re-registers Windows Update DLLs - Resets Windows Update policies and WinSock - Clears SCCM/Intune client cache if present - Restarts Windows Update services - Forces a new Windows Update detection cycle After running this script, a system restart is recommended before attempting to manually install the feature update again. This should clear most stuck or failed update scenarios and allow for a clean installation attempt.
This script will help you identify the problematic devices. Here's what it does: Key Features: Queries all Windows managed devices in Intune Checks for BitLocker recovery keys in Azure AD for each device Identifies devices that report as encrypted but have no escrowed keys Exports results to CSV for further analysis Common Causes of Missing Keys: Windows 10 version too old - Builds before 1809 had issues with automatic key escrow BitLocker enabled before Intune enrollment - Keys won't escrow retroactively Insufficient permissions - Device needs proper Azure AD registration Group Policy conflicts - On-prem GPO overriding Intune policy TPM ownership issues - TPM not properly initialized Remediation Options: For devices missing keys, you can: powershell# Force key rotation (run on affected device with admin rights) BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId Or use Intune to trigger a key rotation: Device Actions → Rotate BitLocker Keys (requires Windows 10 1909+) Prerequisites: Microsoft.Graph.Authentication module Microsoft.Graph.DeviceManagement module Microsoft.Graph.Identity.DirectoryManagement module Intune Administrator or Global Administrator role
Multiple improvements.
- AD/: Active Directory, GPO, ADFS, NDES scripts - BitLocker/: BitLocker management scripts - Intune/: Intune enrollment, AutoPilot, AppX, runbooks - ProactiveRemediation/Detection/: Intune detection scripts - ProactiveRemediation/Remediation/: Intune remediation scripts - WindowsUpdate/: WSUS, AU, update management scripts - Utilities/: Miscellaneous one-off scripts - Resolved case-collision duplicates (WinGet/Winget)
Rewrote both scripts from minimal single-check versions to comprehensive artifact removal: services, registry keys (x64 + WOW6432), directories, WMI namespaces, and SMSCFG.ini. Adds logging to IME log directory and post-removal verification. Useful for SCCM decommission or Intune-only migration scenarios. Co-Authored-By: Additional tools <tools@noreply>
v1 only scaffolded folders and downloaded IntuneWinAppUtil.exe. v2 produces a ready-to-edit package and can build the .intunewin. Changes: - param() block: -AppName, -BasePath, -SetupFile, -Build, -Force, -UseCurl - TLS 1.2 + ErrorActionPreference='Stop' - Idempotent download; prints SHA256 of the tool - -UseCurl switch for EDR-blocked environments (FortiEDR Invoke-WebRequest block) - Stub scripts seeded: install.ps1, uninstall.ps1, detect.ps1 with Intune-standard log paths and exit-code conventions - Existing stubs preserved on re-run unless -Force - -Build flag invokes IntuneWinAppUtil to produce the .intunewin Co-Authored-By: Claude
- Swap .EXAMPLE blocks in Build-IntuneAppBuilder.ps1 from NinjaOne to Chrome - Add Examples/Chrome/ with a complete reference package: install.ps1, uninstall.ps1, detect.ps1, README.md - Chrome chosen because it's ubiquitous and has well-known MSI + detection patterns. NinjaOne and other client-specific packages live in private client-script repositories. Co-Authored-By: Claude
50af330 to
4a35913
Compare
Previously every app scaffold downloaded its own copy of the Content Prep Tool. -ToolPath lets one shared tool (e.g., C:\Build\Intune\IntuneWinAppUtil.exe) be referenced by every app, avoiding redundant downloads and simplifying versioning of the tool across a build host. Behavior: - When -ToolPath is set, the tool is validated and reused from the given path. - When -ToolPath is omitted, existing behavior is preserved (per-app download). Co-Authored-By: Claude
Companion to Build-IntuneAppBuilder.ps1. Creates a per-app folder under a shared build root (default C:\Build\Intune) with Source/Detection/Output, and downloads IntuneWinAppUtil.exe once at the root so every app reuses it. Prints the exact command to build the .intunewin so the next step is copy-pasteable after dropping in scripts and binaries. Co-Authored-By: Claude
Documents the v1 → v2 → v3 evolution inline so future readers can see what changed without digging through git history. Co-Authored-By: Claude
Generic multi-location Win32 app builder for RMM agents with tokenized per-location MSI URLs (NinjaOne, Atera, Datto, etc.). For each row in an input CSV: - scaffolds Source/Detection/Output under an output root - downloads the per-location tokenized MSI - copies shared install/uninstall/detect templates - invokes IntuneWinAppUtil and renames the artifact for the location Filter column lets the same CSV hold all locations but only build Intune-target rows (e.g., skip AWS server-only locations that deploy via SSM). Co-Authored-By: Claude
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Intune/Build-IntuneAppBuilder.ps1from 37-line scaffolder to 176-line parameterized packager-Buildflag that actually produces a.intunewinfile (v1 only downloaded the tool)-UseCurlfallback for environments where EDR blocksInvoke-WebRequest(FortiEDR pattern encountered on HealthTrackRx LKBridge deployment)Test plan
.\Build-IntuneAppBuilder.ps1 -AppName NinjaOne-Forceconfirms stubs/tool preserved-UseCurlpath downloads successfully-Buildproduces valid.intunewinin Output- [ ] Upload resulting.intunewinto Intune test tenant and verify detection script fires