Our machines are Intune managed and our users arent local admin on the machines itself. Now we want users to have the latest version of VMware Horizon on the machine. You can deploy a version of Horizon with company portal but i find the version updating difficult especially in our case because Horizon is being used most of the time and when we push an auto update to our users It can corrupt the local installation of Horizon.
So we needed to make a manual update tool that a user can run to update the version of Horizon without admin rights on the machine.
What i did to make the installer user friendly, automated and with an interface is to make use of the Powershell deployment toolkit. I created an Deploy-Application.ps1 file for the install. You can find the files on my git.
Download the toolkit and extract the files and replace the Deploy-Application.ps1 with my version.
What i did to always have the latest version of the installer to download is to create an own https repo where you upload the installer file to. I think this was easier then to script the download of the vmware website to find the latest file and this gives you more control of the version you want the machines to have installed. I make use of an azure blob file storage but you can use any http URL you want. Check line #142 of the deploy script, you can change the URL here. The file gets downloaded to the Files folder of the toolkit.
#Download latest VMWare-Horizon-latest
# Source URL
Show-InstallationProgress "Downloaden van laatste versie van VMware Horizon"
$url = "https:storage.com/vmware-horizon/VMware-Horizon-Client-latest.exe"
# Destation file
$dest = "\Files\VMware-Horizon-Client-latest.exe"
# Download the file
$wc = New-Object net.webclient
$wc.Downloadfile($url, $dest)Now comes the hard part of creating a scheduled task that runs under system. The problem with the system account is that it doenst have a gui/desktop so we need to make use of a file called ServiceUI.exe. ServiceUI.exe is an executable that comes with the Microsoft deployment toolkit. ServiceUI can detect the user session and allow user interaction. You can download MDT from here and install it. Once MDT is installed, you can find the exe in the below path. The syntax is shown below.
I hade some problems with serviceUI and folder paths so what i did is to create a bat file for the scheduled task to run. You can find the bat file on my git. The bat file changes to the directory so that Serviceui is located works from the same directory as where the files are located, you can find the fold on my git. run-vmware-update.bat.
Now to create a scheduled task, make sure you change the user of the task to system and make sure you mark run with highest privileges and that the task can run on demand. Choose the bat file we just created as action in the scheduled task. Make sure you check the paths for you system. Export the scheduled task as xml and save it in the same directory as the toolkit because we need the scheduled taks later to install the whole package with Intune.
We need to create an install.ps1 script for intune’s win32 packager so that all the files are installed on the target machines. Our main folder is located at C:\Program Files (x86)\GRIJ\EndpointManager\VMwareHorizonClient, if you use an other folder make sure you change al the script paths.
The install.ps1 script copy’s al the files needed, imports the scheduled task from the XML and also more important changes the rights on the scheduled task so that a standard user can run the task. You can find the install.ps1 on my git. I also included an uninstall script for the package.Our deployment folder for Intune contains the following files.
I will explain the files again:
- AppDeployToolkit are the toolkit files we downloaded.
- Files are the installer files of the application you need to install, in our case Horizon. Because we download the latest version of the msi installer the folder is empty on deploying and will get the msi file of Horizon when the scheduled task is launched.
- Output is the folder of our intune win32 wim file output, you can use any other folder
- SupportFiles comes with the deployment toolkit
- Deploy-Application.exe is the file we use in the run-vmware-update.bat the install the app, this files actuly runs the Deploy-Application.ps1 but its easier to run an exe from a bat file then a powershell script.
- install.ps1 is the file we use to install the whole package with intune.
- run-vmware-update.bat is the file we use from the scheduled task.
- ServiceUI.exe is the file we use to have an installer interface when you run processes from the system account.
- uninstall.ps1 is used within intune to uninstall this whole package.
- update-vmware-horizon.xml is the export of the scheduled task, this xml gets imported from the install.ps1 script.
Now we need to create an intune install file from the folder above with the intunewin32 packager, when done create an win32 application within intune and upload your created win file.
| Install command | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\install.ps1 |
| Uninstall command | %SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden -executionpolicy bypass -command .\uninstall.ps1 |
| Install behavior | System |
| Detection rules | I just use the file of folder exist and point to our install folder in c:\program files, but you can create your own detection if you want. |
We dont want the user to search for the updater from the scheduled task library so we need to create a nice shortcut on the desktop so that the user can run this task from. To create shortcuts in intune i make use of the following project.
Creating desktop shortcuts with Intune | Nicola Suter (nicolonsky.ch)
Its very easy to customize a shortcut with this script and you can just change the details of the shortcut from the intune install command. You can customize the shortcut, but just make sure the ShortcutTargetPath and ShortcutArguments are pointed to the scheduled task name. This is after the /run /tn “Scheduledtaskname”. In our case the name is UpdateVmwareHorizon. I set the vmware update tool as a dependancy of the shortcut app so that we dont have a shortcut installed before the update tool is installed.
| -ShortcutTargetPath | “C:\Windows\System32\schtasks.exe” |
| -ShortcutArguments | “/run /tn UpdateVmwareHorizon” |
| Install command | %windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file “CreateDesktopIcon.ps1” -ShortcutTargetPath “C:\Windows\System32\schtasks.exe” -ShortcutDisplayName “Update VMWare Horizon” -ShortcutArguments “/run /tn UpdateVmwareHorizon” -IconFile “%SystemRoot%\System32\SHELL32.dll,24” |
| Uninstall command | %windir%\sysnative\windowspowershell\v1.0\powershell.exe -ExecutionPolicy Bypass -file “RemoveDesktopIcon.ps1” -ShortcutDisplayName “Update VMWare Horizon” |
You can customize the icons and pictures of the installer in the AppDeployToolkit folder, just change the banner, ico, en toolkit logo to your own image.
