Skip to content

Rewrite Build-IntuneAppBuilder as parameterized packager#1

Open
Hal-Scriptville wants to merge 107 commits into
mainfrom
build-intune-app-builder-v2
Open

Rewrite Build-IntuneAppBuilder as parameterized packager#1
Hal-Scriptville wants to merge 107 commits into
mainfrom
build-intune-app-builder-v2

Conversation

@Hal-Scriptville

@Hal-Scriptville Hal-Scriptville commented Apr 14, 2026

Copy link
Copy Markdown
Owner

Summary

  • Rewrite of Intune/Build-IntuneAppBuilder.ps1 from 37-line scaffolder to 176-line parameterized packager
  • Adds -Build flag that actually produces a .intunewin file (v1 only downloaded the tool)
  • Adds -UseCurl fallback for environments where EDR blocks Invoke-WebRequest (FortiEDR pattern encountered on HealthTrackRx LKBridge deployment)
  • Seeds install/uninstall/detect script stubs with Intune-standard logging and exit-code conventions

Test plan

  • Dry-run scaffold: .\Build-IntuneAppBuilder.ps1 -AppName NinjaOne
  • Re-run without -Force confirms stubs/tool preserved
  • -UseCurl path downloads successfully
  • Edit install.ps1 with real NinjaOne install command, then -Build produces valid .intunewin in Output- [ ] Upload resulting .intunewin to Intune test tenant and verify detection script fires

Windows Auto Update check and remediation script for Intune.
DisableDualScan fix for Intune updates.
Windows Deployment Automation based on updates to T-Minus script
Checks a list of domain for the number of GPOs and counts the number of folders in each domain folder (confirmation of GPO backup).
Server 2022 script to setup NDES feature requirements.
Microsoft NDES validation script.
Remediation script pair for Intune Management Extension health check.
Modified log collection.
Add FSMO roles.
NEW AD Health Check script.
Checks and sets computername via proactive remediation.
Intune Group Policy Analytics cleanup
Retrieve BitLocker keys, device names, and device IDs from Entra using Graph SDK
Intune cache cleanup files for remediation
Message output added
Edited for MDM folder size
Manage application updates/upgrades through Intune remediation scripts.
Enroll a device to Intune that previously failed
Working on porting so Graph SDK
Hal-Scriptville and others added 24 commits August 20, 2025 16:01
Creates or Adds to a named device group for stale device records based on a specific number of days offline.
Named device group for stale device records will be deleted. Includes Dry-Run option to check first.
This script performs the following actions to reset Windows Update when a Feature Update install has failed:

- Stops Windows Update services and related services
- Deletes Windows Update cache folders (SoftwareDistribution and catroot2)
- Clears pending update entries in the registry
- Resets Windows Update component permissions
- Re-registers Windows Update DLLs
- Resets Windows Update policies and WinSock
- Clears SCCM/Intune client cache if present
- Restarts Windows Update services
- Forces a new Windows Update detection cycle

After running this script, a system restart is recommended before attempting to manually install the feature update again. This should clear most stuck or failed update scenarios and allow for a clean installation attempt.
This script will help you identify the problematic devices. Here's what it does:
Key Features:

Queries all Windows managed devices in Intune
Checks for BitLocker recovery keys in Azure AD for each device
Identifies devices that report as encrypted but have no escrowed keys
Exports results to CSV for further analysis

Common Causes of Missing Keys:

Windows 10 version too old - Builds before 1809 had issues with automatic key escrow
BitLocker enabled before Intune enrollment - Keys won't escrow retroactively
Insufficient permissions - Device needs proper Azure AD registration
Group Policy conflicts - On-prem GPO overriding Intune policy
TPM ownership issues - TPM not properly initialized

Remediation Options:
For devices missing keys, you can:
powershell# Force key rotation (run on affected device with admin rights)
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId (Get-BitLockerVolume -MountPoint "C:").KeyProtector[0].KeyProtectorId
Or use Intune to trigger a key rotation:

Device Actions → Rotate BitLocker Keys (requires Windows 10 1909+)

Prerequisites:

Microsoft.Graph.Authentication module
Microsoft.Graph.DeviceManagement module
Microsoft.Graph.Identity.DirectoryManagement module
Intune Administrator or Global Administrator role
Multiple improvements.
- AD/: Active Directory, GPO, ADFS, NDES scripts
- BitLocker/: BitLocker management scripts
- Intune/: Intune enrollment, AutoPilot, AppX, runbooks
- ProactiveRemediation/Detection/: Intune detection scripts
- ProactiveRemediation/Remediation/: Intune remediation scripts
- WindowsUpdate/: WSUS, AU, update management scripts
- Utilities/: Miscellaneous one-off scripts
- Resolved case-collision duplicates (WinGet/Winget)
Rewrote both scripts from minimal single-check versions to comprehensive
artifact removal: services, registry keys (x64 + WOW6432), directories,
WMI namespaces, and SMSCFG.ini. Adds logging to IME log directory and
post-removal verification. Useful for SCCM decommission or Intune-only
migration scenarios.

Co-Authored-By: Additional tools <tools@noreply>
v1 only scaffolded folders and downloaded IntuneWinAppUtil.exe.
v2 produces a ready-to-edit package and can build the .intunewin.

Changes:
- param() block: -AppName, -BasePath, -SetupFile, -Build, -Force, -UseCurl
- TLS 1.2 + ErrorActionPreference='Stop'
- Idempotent download; prints SHA256 of the tool
- -UseCurl switch for EDR-blocked environments (FortiEDR Invoke-WebRequest block)
- Stub scripts seeded: install.ps1, uninstall.ps1, detect.ps1
  with Intune-standard log paths and exit-code conventions
- Existing stubs preserved on re-run unless -Force
- -Build flag invokes IntuneWinAppUtil to produce the .intunewin

Co-Authored-By: Claude
- Swap .EXAMPLE blocks in Build-IntuneAppBuilder.ps1 from NinjaOne to Chrome
- Add Examples/Chrome/ with a complete reference package:
  install.ps1, uninstall.ps1, detect.ps1, README.md
- Chrome chosen because it's ubiquitous and has well-known MSI + detection
  patterns. NinjaOne and other client-specific packages live in private
  client-script repositories.

Co-Authored-By: Claude
@Hal-Scriptville Hal-Scriptville force-pushed the build-intune-app-builder-v2 branch from 50af330 to 4a35913 Compare April 14, 2026 13:33
Previously every app scaffold downloaded its own copy of the Content
Prep Tool. -ToolPath lets one shared tool (e.g., C:\Build\Intune\IntuneWinAppUtil.exe)
be referenced by every app, avoiding redundant downloads and simplifying
versioning of the tool across a build host.

Behavior:
- When -ToolPath is set, the tool is validated and reused from the given path.
- When -ToolPath is omitted, existing behavior is preserved (per-app download).

Co-Authored-By: Claude
Companion to Build-IntuneAppBuilder.ps1. Creates a per-app folder under
a shared build root (default C:\Build\Intune) with Source/Detection/Output,
and downloads IntuneWinAppUtil.exe once at the root so every app reuses it.

Prints the exact command to build the .intunewin so the next step is
copy-pasteable after dropping in scripts and binaries.

Co-Authored-By: Claude
Documents the v1 → v2 → v3 evolution inline so future readers can
see what changed without digging through git history.

Co-Authored-By: Claude
Generic multi-location Win32 app builder for RMM agents with tokenized
per-location MSI URLs (NinjaOne, Atera, Datto, etc.).

For each row in an input CSV:
- scaffolds Source/Detection/Output under an output root
- downloads the per-location tokenized MSI
- copies shared install/uninstall/detect templates
- invokes IntuneWinAppUtil and renames the artifact for the location

Filter column lets the same CSV hold all locations but only build
Intune-target rows (e.g., skip AWS server-only locations that deploy
via SSM).

Co-Authored-By: Claude
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant