Intro

The whole world has gone mad, but keeping your endpoints patched should not wait. The case for this post is fixing vulnerability COVID-19 🦠 on devices 😷… wait, what?? I meant INTEL-SA-00189! Using Intune for this task is now the best choice under circumstances where 100% of employees work remotely from home. So let's do it!

Prepare your script

To use Intune Win32 application deployment you need to wrap the installer with a special tool (more info below), provide an install and an uninstall command, and you are more or less done. For basic stuff or in-house apps that should be enough, but when you want more control over what happens during deployment I will let you in on a little secret… you can wrap a PowerShell script 🥂. Well, that's neat! Thanks to that I was able to check whether the workstation has my favourite folder for storing stuff and to determine the exit code based on the installation result.

#Check for the path where logs will be stored
if (!(Test-Path C:\Temp)) {
    New-Item -Path C:\ -ItemType Directory -Name Temp
    New-Item -Path C:\Temp -ItemType Directory -Name SU
}
elseif (!(Test-Path C:\Temp\SU)) {
    New-Item -Path C:\Temp -ItemType Directory -Name SU
}

#Tag written into every log line
$SoftwareName = 'IntelGraphics'

function Get-Info
{
    #Log line prefix: computer name, tag, timestamp, user and the script line that called Get-Info
    "[$Env:ComputerName] [$SoftwareName] [$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] [$($env:UserName)] [$($MyInvocation.ScriptLineNumber)]"
}

function Exit-WithCode
{
    param
    (
        [int]$exitcode
    )

    #SetShouldExit makes the code visible to the Intune Management Extension when the script is run with -File
    $host.SetShouldExit($exitcode)
    exit
}

#Check the currently installed version of the driver
$InstallationVersion = Get-CimInstance -ClassName Win32_PnPSignedDriver | Select-Object DeviceName, Manufacturer, DriverVersion | Where-Object {$PSItem.DeviceName -like 'Intel(R)*HD Graphics*'}
#Write the driver version to the log file
"$(Get-Info) Installed version $($InstallationVersion.DriverVersion)" | Out-File -Append -FilePath C:\Temp\SU\IntelGraph.log
#Install the drivers silently; the path is relative to the unpacked .intunewin content
$Process = Start-Process ".\Intel\igxpin.exe" -ArgumentList @('-report c:\temp\su\IntelGraph.log', '-s') -NoNewWindow -Wait -PassThru
#Determine the result of the installation from the exit code of the Intel installer
If ($Process.ExitCode -eq 0) {
    #Success: tell Intune a hard reboot is required
    Exit-WithCode -exitcode 1641
} else {
    #Anything else: tell Intune to retry
    Exit-WithCode -exitcode 1618
}

There is not much going on, but it shows how simple it is to fit an installation to your needs. Notice that the Intel installer path is .\Intel\igxpin.exe: it means the Microsoft Intune Management Extension runs the installation with the current directory set to the inside of the deployed package.

[screenshot: path]

Another thing: after the installation is complete I exit the script with specific codes. These are the default Intune return codes, each with an assigned action. I will explain them later. 😉
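The following is an added example, not code from the original post, that generalizes the exit-code handling above into a reusable wrapper. It maps the installer's own exit code onto Intune's default Win32 return codes (0 and 1707 = success, 3010 = soft reboot, 1641 = hard reboot, 1618 = retry), logs the decision, and handles the failure modes the short script above does not: a missing installer (wrong working directory or incomplete package) and an installer that fails to start. The names $InstallerPath, $InstallerArgs, $LogPath, Resolve-IntuneReturnCode and Invoke-InstallerWithIntuneCode are invented for this example.

```powershell
# Added example (not from the original post): wrap a silent installer and translate
# its exit code into an Intune Win32 default return code.
# Assumed names: $InstallerPath, $InstallerArgs, $LogPath and the two functions below.

$LogPath       = 'C:\Temp\SU\IntelGraph.log'
$InstallerPath = '.\Intel\igxpin.exe'          # relative to the unpacked .intunewin content
$InstallerArgs = @("-report $LogPath", '-s')

function Write-Log {
    param([string]$Message)
    "[$Env:ComputerName] [$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')] $Message" |
        Out-File -Append -FilePath $LogPath
}

function Exit-WithCode {
    param([int]$ExitCode)
    # SetShouldExit is what makes the code reach the Intune Management Extension
    $host.SetShouldExit($ExitCode)
    exit
}

function Resolve-IntuneReturnCode {
    # Translate what the installer reported into what Intune should do next.
    param(
        [int]$InstallerExitCode,
        [switch]$RebootRequired    # drivers: request a hard reboot even on plain success
    )
    switch ($InstallerExitCode) {
        0       { if ($RebootRequired) { return 1641 } else { return 0 } }
        3010    { return 3010 }    # installer asked for a reboot itself: soft reboot
        1641    { return 1641 }    # installer forced a reboot itself: hard reboot
        default { return 1618 }    # unknown failure: let Intune retry later
    }
}

function Invoke-InstallerWithIntuneCode {
    $LogDir = Split-Path -Path $LogPath -Parent
    if (-not (Test-Path -Path $LogDir)) {
        New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
    }

    if (-not (Test-Path -Path $InstallerPath)) {
        # Package content missing or wrong working directory: retry, never report success
        Write-Log "Installer not found at $InstallerPath, returning 1618 (retry)"
        return 1618
    }

    try {
        $Process = Start-Process -FilePath $InstallerPath -ArgumentList $InstallerArgs `
                                 -NoNewWindow -Wait -PassThru
        $ReturnCode = Resolve-IntuneReturnCode -InstallerExitCode $Process.ExitCode -RebootRequired
        Write-Log "Installer exit code $($Process.ExitCode) -> Intune return code $ReturnCode"
        return $ReturnCode
    }
    catch {
        Write-Log "Installer failed to start: $($_.Exception.Message), returning 1618 (retry)"
        return 1618
    }
}

Exit-WithCode -ExitCode (Invoke-InstallerWithIntuneCode)
```

The important design choice is that every path that is not a confirmed success ends in 1618 rather than 0: a script that silently returns 0 when the installer was never run would mark the vulnerable driver as "installed" in the Intune console and hide the gap from you.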

Microsoft Intune Content Prep Tool

Before you are able to create an app deployment in Intune you need to wrap your files into the .intunewin format. Go here to get the wrapping tool 🎁. Using it is child's play:

[screenshot: wrap]

Upload the prepared package to the app profile:

[screenshot: wrap2]

Installation command and return codes

Going further, you need to specify the command for installing your package. Because it is a PowerShell script, remember to run it with the execution policy bypass parameter.

[screenshot: install]

To find out a software uninstall command, run the code below on a device which already has it installed:

#Read every per-machine and per-user uninstall entry (32- and 64-bit hives); missing hives are ignored
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                    'HKCU:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction Ignore |
Where-Object DisplayName |
Select-Object -Property DisplayName, DisplayVersion, UninstallString, InstallDate |
Sort-Object -Property DisplayName

It scans through the registry and lists all applications on the device.
Installing Intel Graphics drivers requires a device reboot. It can be done with an installation parameter, but that would reboot immediately, which in business is not a good option. The better way is to act according to the return codes.

Soft reboot

[screenshot: soft]

But only if you allow it:

[screenshot: softnotif]

Hard reboot

[screenshot: grace]

[screenshot: notify]

And in the summary you will see:

[screenshot: status]

Detection rule

The last step of app deployment is verifying that the software is present on the device. You can specify this setting in many different ways:

[screenshot: detection]

You will find more detailed info here. In this deployment I decided to use a custom detection script:

#Read the currently installed Intel HD Graphics driver
$Driver = Get-CimInstance -ClassName Win32_PnPSignedDriver | Select-Object DeviceName, Manufacturer, DriverVersion | Where-Object {$PSItem.DeviceName -like 'Intel(R)*HD Graphics*'}

if ($Driver.DriverVersion -eq '26.20.100.6888') {
    Write-Output 'Newest version installed'
    #Exit code will be 0 and STDOUT not empty, so Intune reports "Detected"
}
else {
    #Non-zero exit code: "Not detected"
    exit 1
}

And this table explains how it works:

Exit code   Data read from Write-Output   Detection state
0           Empty                         Not detected
0           Not empty                     Detected
Not zero    Empty                         Not detected
Not zero    Not empty                     Not detected
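The string comparison in the detection script above only matches one exact version, so a device that later receives a newer driver (from Windows Update or a future package) would flip back to "Not detected" and be re-targeted. The following added example, which is not code from the original post, goes a step further than the script above: it compares versions as [version] objects, treats the target version or anything newer as detected, and handles devices with several matching display adapters by requiring all of them to be at or above the target. $TargetVersion is the version from the post; Get-IntelGraphicsDetectionState is a name invented for this example.

```powershell
# Added example (not from the original post): version-aware detection script for the
# Intune custom detection rule. Exit 0 with output = Detected; anything else = Not detected.
# Assumed name: Get-IntelGraphicsDetectionState. $TargetVersion is the version from the post.

$TargetVersion = [version]'26.20.100.6888'

function Get-IntelGraphicsDetectionState {
    param([version]$Target)

    # Every signed driver bound to an Intel HD Graphics device on this machine
    $Drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like 'Intel(R)*HD Graphics*' -and $_.DriverVersion }

    if (-not $Drivers) {
        # No matching adapter at all: report "Not detected" rather than crash on $null
        return [pscustomobject]@{ Detected = $false; Installed = $null }
    }

    # Parse each version; a value that does not parse as a version counts as unknown (not detected)
    $Versions = @($Drivers | ForEach-Object { $_.DriverVersion -as [version] })
    if ($Versions -contains $null) {
        return [pscustomobject]@{ Detected = $false; Installed = ($Drivers.DriverVersion -join ', ') }
    }

    # Detected only if the lowest installed version already meets the target
    $Lowest = $Versions | Sort-Object | Select-Object -First 1
    return [pscustomobject]@{
        Detected  = ($Lowest -ge $Target)
        Installed = $Lowest.ToString()
    }
}

$State = Get-IntelGraphicsDetectionState -Target $TargetVersion

if ($State.Detected) {
    # Non-empty STDOUT plus exit code 0 is the only combination Intune reads as "Detected"
    Write-Output "Intel HD Graphics driver $($State.Installed) meets target $TargetVersion"
    exit 0
}
else {
    exit 1
}
```

Keep the Write-Output call on the success path only: as the table above shows, any output combined with a non-zero exit code is still "Not detected", but output on a failure path makes the log harder to read when you are troubleshooting from the Intune Management Extension logs.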

Summary

Deployment of apps using Win32 allows you to do a lot of magic with great precision! For sure I will play with it a lot. 🧙‍♂️
Sneak peek at the deployment status:

[screenshot: detection]

See you in the next one! 😉 🧠