Thursday, October 16, 2025

AutoPackager V3: Winget to Intune Automation

Purpose:

To assist others in reducing toil in packaging and deploying applications in Intune that are available within Winget. To allow them to take advantage of the code provided and inspire new functionality and features. This is made available without warranty or support. Use at own risk.

Problem:

Packaging applications within Intune and keeping them regularly updated can take a significant amount of time, especially if you host a large software catalog. I wanted to create a workflow that would assist, standardize, and automate this process as much as possible while keeping to native Intune application deployment mechanisms. There are others that have tried to do Winget integrations, but I feel this one allows for the greatest customization and works within the Intune deployment processes best.

Solution:

I created several PowerShell scripts that, when run together, simplify and automate many of the tasks needed to keep an application catalog up to date with minimal effort. Currently these scripts can only help automate what is in the Winget repository database. It works by creating recipe files for each of the applications you wish to import into your application catalog.

Prerequisites:

1. Create a Microsoft Entra App Registration
   a. Give the API permissions DeviceManagementApps.ReadWrite.All and DeviceManagementConfiguration.ReadWrite.All for Application type.
      i. Grant Admin Consent for these new permissions.
   b. Create a new Client secret
      i. Ensure you keep track of the Secret ID and the Value as these will be needed later.

2. Create a GitHub PAT Token (will be needed or you will hit API limits with GitHub when running AutoPackager)

3. Download all AutoPackager V3 files from my GitHub
   a. Read the Readme and SystemConfigReadMe.txt
   b. Update AutoPackager.config.json
      i. Required areas to update are the AzureAuth section and GitHubToken
         1. AzureAuth should work with CertificateThumbprint but I have only used and tested Client Secret.
      ii. Remember: This is a JSON file. If you are adding network paths, you have to double the \ in your path. Example: \\\\server.server.com\\share name\\folder name
   c. Launch AutoPackager.GUI.ps1 and run the Prerequisite checker (Install any modules or fix any issues it finds)

4. Set up Automation
   a. Scheduled task on a workstation or server that will run AutoPackager and read the recipes nightly.

5. Automation Account
   a. Create a local Windows account or domain service account that can be used as the account for the scheduled task. System may work too, but if you do not choose a domain account you will not be able to archive to a network folder (set up in the autopackager.config.json file).

How it works:

Searching Winget and testing installer

After completing all prerequisites, it is best to start with AutoPackager.GUI.ps1. On the Winget tab, the GUI allows you to search the Winget repository for the application you want to automate. Once found, you can show the Winget application YAML file for the latest installer URLs and the types of installers available (x64, x86, arm, exe, msi, etc.). Once you determine which installer you want to use, update the Winget tab with the installer type wanted and click download installer. This will allow you to test the installer manually and figure out what switches and options are needed to make it a silent install. Be sure to keep track of these switches as they will be needed later in the recipe section. For silent uninstall, it is recommended to look in the registry for the Uninstall string of the newly installed application under the following locations:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\

Once the uninstall string is found, test different switches to determine how to make it uninstall silently and record them for the recipe step later. Remember that only the switches will be needed for the Recipe section later.
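One way to pull the uninstall strings from both registry locations above in a single pass, as an added example that is not part of AutoPackager. The function name Get-UninstallEntry and the sample pattern '*7-Zip*' are hypothetical; QuietUninstallString is an optional value that some installers write alongside UninstallString.

```powershell
# Added example (not AutoPackager code): search both machine-wide Uninstall
# keys for an application and show the values needed to work out the
# silent-uninstall switches.
function Get-UninstallEntry {
    [CmdletBinding()]
    param(
        # Wildcard matched against DisplayName, e.g. '*7-Zip*' (sample value)
        [Parameter(Mandatory)]
        [string]$NamePattern
    )

    # The two locations named in the text: native and 32-bit-on-64-bit views.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    foreach ($root in $roots) {
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            # Many subkeys have no DisplayName at all; skip those.
            Where-Object {
                $_.PSObject.Properties['DisplayName'] -and
                $_.DisplayName -like $NamePattern
            } |
            ForEach-Object {
                [pscustomobject]@{
                    DisplayName          = $_.DisplayName
                    DisplayVersion       = $_.DisplayVersion
                    UninstallString      = $_.UninstallString
                    # Present only if the installer registered a silent form.
                    QuietUninstallString = $_.QuietUninstallString
                    RegistryKey          = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
    }
}

# Sample call; replace the pattern with the application you just installed.
Get-UninstallEntry -NamePattern '*7-Zip*' | Format-List
```

Only the switches that follow the executable in the reported string belong in the recipe's UninstallArgs.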

Create stub Intune applications

On the Intune App(s) tab you will need to create two Intune applications. Ensure you pick your icon prior to creating the applications. The icon is what will be used in Company Portal. The Primary application will be for what is made available or as a required application to your user population. The other Required Update application will have a suffix of – Required Update and will be used in the future to keep any devices with a previous version updated. These two buttons will only create a stub record and will not deploy to anything.

Create your Recipe

On the Recipe tab, fill in all the information you can from your testing and the application stubs. There are a lot of options on this page; please refer to the help tab if you have questions about them. If you followed the process up to this point you should have the Winget ID, PrimaryAppId, Required Update AppId, Architecture, Installer Type, Installer Scope (Should always be machine), InstallArgs, and UninstallArgs filled in. InstallArgs and UninstallArgs are just the switches you found earlier in your testing. DO NOT give full paths to the exe/msi or the full uninstall string found in the registry. ONLY the switches. If you know other areas, you can update them as well. Once complete, click Create New Recipe, and it will create it in the Recipe location stored in the autopackager.config.json file. You will update the recipe further as the process continues.

Run AutoPackager in Package Only and Full Run modes

On the Run tab you should see two modes. Ensure Package Only mode is selected and your recipe file is in the target box, then click Run AutoPackager. This performs all of the automated packaging steps except for uploading to Intune. Once Package Only mode has run, you will find all of the output files and scripts in the Working folder. From there you will be able to test the install.ps1 and uninstall.ps1 scripts. You will also need to test and ensure that the Requirement and Detection scripts respond with TRUE when the application is installed. The scripts also log to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs so you can validate. If all scripts work and report back properly, it is time to run in Full Run mode. This will upload all the files and scripts to the application stubs created earlier.

Test deployment with Intune

Find your new application in Intune and assign some test groups. Validate that the install and uninstall work properly. If something doesn’t work and the recipe needs to be updated and tested again, you will need to reset the stub applications before updating the recipe and testing again. To reset the applications back to their original stub states, go to the Reset tab, ensure the correct Primary AppId and Required Update AppId are populated, and then click the Reset buttons.

Finalize Recipe

Once you have your recipe file set the way you want, and your deployment ring groups set for the required updates then it is time to move the recipe to your automation server.

Automation

Once AutoPackager is configured on your local machine and verified that things are working with a single recipe, it is best to copy your local directory to an automation machine (Windows Server or another Windows workstation). You will want to create a scheduled task to run everything. 

Task Scheduler Setup

1. General tab
   a. Select your account
   b. Run whether user is logged on or not
   c. Run with highest privileges

2. Triggers tab
   a. Begin on a schedule
   b. Daily (Pick your time)
   c. Enabled (checked)

3. Actions tab
   a. Start a program
   b. Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   c. Add arguments: -NoProfile -executionpolicy bypass -file ".\autopackagerv2.ps1" -fullrun -allrecipes
   d. Start in: (Directory you copied the AutoPackager files)
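The same Task Scheduler settings can be registered from an elevated PowerShell session with the built-in ScheduledTasks cmdlets. This is an added example, not part of AutoPackager; the install directory, task name and run time are assumptions, and the program and argument strings are copied from the steps above.

```powershell
# Added example (not AutoPackager code): register the nightly task described
# in the Task Scheduler Setup steps. Run from an elevated PowerShell session.

$installDir = 'C:\AutoPackager'        # assumption: directory you copied the files to
$taskName   = 'AutoPackager Nightly'   # assumption: any task name works
$runTime    = '02:00'                  # assumption: pick your time

# Prompt for the automation account so the password never sits in the script.
$credential = Get-Credential -Message 'Account that will run AutoPackager'

# Actions tab: program, arguments and "Start in" exactly as listed above.
$action = New-ScheduledTaskAction `
    -Execute 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -Argument '-NoProfile -executionpolicy bypass -file ".\autopackagerv2.ps1" -fullrun -allrecipes' `
    -WorkingDirectory $installDir

# Triggers tab: daily at the chosen time (triggers are enabled by default).
$trigger = New-ScheduledTaskTrigger -Daily -At $runTime

# General tab: supplying a user name and password registers the task to run
# whether the user is logged on or not; RunLevel Highest matches
# "Run with highest privileges".
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -User $credential.UserName `
    -Password $credential.GetNetworkCredential().Password `
    -RunLevel Highest | Out-Null

# Confirm what was registered: account, logon type and privilege level.
$task = Get-ScheduledTask -TaskName $taskName
$task.Principal | Select-Object UserId, LogonType, RunLevel
$task.Actions   | Select-Object Execute, Arguments, WorkingDirectory
```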

Closing:

I hope this helps others. I will most likely keep developing this to be more feature rich and will update my GitHub page as new updates are made.  I will not be active in my responses but feel free to leave comments if you wish.  I do check them occasionally and will respond as time allows. If you take this code and develop it further, please leave a comment on where you make it available and what updates you made.  I would be interested to see where this can go.