PSAppDeployToolkit is a PowerShell-based, open-source framework for Windows software deployment that integrates seamlessly with existing deployment solutions (e.g. Microsoft Intune, SCCM, Tanium, BigFix etc.) to enhance the software deployment process. It achieves this by combining a battle-tested prescriptive workflow, an extensive library of functions for common deployment tasks, a customizable branded User Experience, and full-fidelity logging - to produce consistently high deployment success rates of over 98%.
- Seamless Integration: Works with all major deployment solutions
- User Experience: Beautiful, customizable UI with both Fluent and Classic interfaces
- Flexible Deployment: Handle complex deployment scenarios with ease
- Reliable: Battle-tested in enterprise environments
- Extensible: Rich library of functions for common deployment tasks
| Light Mode | Dark Mode |
|---|---|
 |
 |
| Custom Accent Light | Custom Accent Dark |
|---|---|
 |
 |
-
Up until now, it was not possible to display any user interface when deploying an application as SYSTEM using Intune (or any endpoint management tool) without using ServiceUI. Well, now it IS possible:
- I REPEAT! You no longer need to use ServiceUI, EVER AGAIN! π₯³πππͺ πͺ©π―ββοΈ
- In fact, we strongly advise you stop using it as soon as possible. ServiceUI works by manipulating system security tokens in a way that could allow malicious actors to escalate privileges or bypass security controls.
- We've taken a fresh approach which leverages the Windows security model and separates out user interactions onto a process running in the users' session - we never perform any user interaction or messaging of any kind within the SYSTEM context. This means a more secure and reliable deployment experience.
- We have also removed the requirement for the 'Allow users to view and interact with the program installation' checkbox in Configuration Manager deployments.
-
There is now full feature parity between the Fluent and Classic User Interfaces:
- Deferral Deadline and Countdown Timer on Close Apps Dialog
- Ability to prevent the Restart Dialog from being dismissed once a certain point in the countdown is reached
- Ability to allow users to move dialogs
- Ability to set the initial dialog placement to multiple locations
- PowerShell ISE compatibility
-
Furthermore, the Fluent UI has gained new features:
- Due to the rearchitecture of how we handle user interaction with Dialogs, it is now possible to prompt the user for input using Show-ADTInstallationPrompt's -InputBox parameter
- Support for formattable text (Bold, Italic & Accent) as well as URL hyperlinks in dialog messages
- You can now set the % complete of the progress bar in the Progress Dialog (for example, if you are running a custom script that you want to show incremental progress changes for)
- Ability to set different icons for Light / Dark mode
-
The security rearchitecture required all of our process execution code to be rewritten. This has enabled us to provide a wealth of new capabilities to both Start-ADTProcess and Start-ADTProcessAsUser using the following new parameters:
- -UseUnelevatedToken parameter to force a process run without elevation, for deploying user-context apps with Windows 11 Administrator Protection enabled
- -WaitForChildProcesses parameter to wait for all child processes to end - useful for installers/uninstallers that hand off to another process and exit early
- -KillChildProcessesWithParent parameter to close all started child processes once main process has ended - useful when installers start the application post-install, which is typically undesired when running as system
- -Timeout parameter along with supporting -TimeoutAction and -NoTerminateOnTimeout parameters to control the outcome
- -ExpandEnvironmentVariables parameter to allow variable expansion such as %AppData% when running a process as a user
- -StreamEncoding parameter, useful for apps like Winget that write to the console using UTF8
- -PassThru output now has a new 'interleaved' property that combines stdout/stderr in order
-
It's now possible to set PSADT configuration settings via Group Policy using the included ADMX templates, which will override any settings in the config.psd1 file. This allows you to change, update or enforce settings across an organization.
- Added functions for managing user / machine environment variables:
- Added functions for managing INI file sections / values:
- Added Start-ADTMsiProcessAsUser for installing / uninstalling user-context MSIs via the System account
- Added Test-ADTEspActive to test for an active Enrollment Status Page (ESP)
- Added -DeferRunInterval switch to Show-ADTInstallationWelcome to limit retry times from Intune
- Added -Path / -LiteralPath support to registry functions
- Added volatile key creation support to Set-ADTRegistryKey
- Added MultiString add / remove support to Set-ADTRegistryKey
- Added -MaximumElapsedTime parameter to Invoke-ADTCommandWithRetries
- Added -SuccessExitCodes and -RebootExitCodes parameters to Uninstall-ADTApplication
- Show-ADTHelpConsole has been given some love and a facelift with High-DPI awareness, resizability, PowerShell 7 compatibility, and extension module display
- Reworked Invoke-AppDeployToolkit.exe to be more compliant within WDAC environments
- Added -NoWait support to Show-ADTDialogBox
- Added process detection code to enable automatic silent deployments when processes aren't running
- Added /Debug switch to Invoke-AppDeployToolkit.exe to show terminal output for debugging purposes
- Added /Core switch to Invoke-AppDeployToolkit.exe to allow PowerShell 7 usage
- Added support for running processes from network drives
- Added -NoOobeDetection option to Open-ADTSession to bypass OOBE detection logic when DeployMode is set to Auto. Use this to show the UI during OOBE / Autopilot ESP phases.
- Added -NoSessionDetection option to Open-ADTSession to bypass session detection logic when DeployMode is set to Auto. Use this to show the UI when no user is logged on and the SYSTEM process is interactive.
- Added -NoProcessDetection option to Open-ADTSession to bypass process detection logic when DeployMode is set to Auto. Use this to show the UI even if there are no processes to close.
- Changed -DeployMode Interactive to always show interactively. This means the toolkit will always show the dialogs, bypassing the OOBE/Session/Process detections that occur in Auto mode.
- Changed default DeferExitCode from 60012 to 1602, since ConfigMgr and Intune recognize this natively as 'User cancelled the installation'
- Changed toolkit to exit with 3010 if a suppressed reboot was encountered without having to use -AllowRebootPassThru. To mask 3010 return codes and exit with 0, you can now add -SuppressRebootPassThru
- Changed default msiexec.exe parameters in interactive mode from /qb-! to /qn
- Changed UI functions to no longer minimize windows by default, -MinimizeWindows can be added to enable this
- Changed the 'Processes to close' in the Invoke-AppDeployToolkit template to the AppProcessesToClose ADTSession parameter, where they can be re-used over Install / Uninstall / Repair
- Changed installation failure to be silent as it was in v3.x; however, you can still uncomment a line to get the full detailed stack trace as used in v4.0.x, or a new minimal example using the Fluent UI
- Fixed Start-ADTProcessAsUser function to work as expected
- Fixed Block-ADTAppExecution to avoid triggering AV solutions
- Fixed dialogs to show correct deployment type Install / Uninstall / Repair
- Fixed SCCM pending reboot tests within Get-ADTPendingReboot
- Fixed MSI repair to default to 'Reinstall' to avoid forced unavoidable reboots when running msiexec /f against an app that is in-use
- Fixed OOBE detection code to factor in User ESP phase
- Fixed launching processes in the users' session when using certain MDMs, e.g. VMware Workspace ONE.
- Windows 10/11
- PowerShell 5.1 or later
- .NET Framework 4.7.2 or later
For detailed documentation, examples, and advanced usage, visit our official documentation
We welcome contributions! Please see our Contributing Guide for details
This project is licensed under the GNU Lesser General Public License