Running provisioning package (ppkg) to enroll to Microsoft Azure AD (Entra ID) #637

Open
nssijt opened this issue Sep 3, 2024 · 12 comments

@nssijt

nssijt commented Sep 3, 2024

Hi all, is there any updated method or ways it can be less painful to run a provisioning package (ppkg) in a more automated way with fogproject?

I had written a simple batch file:
powershell.exe Install-ProvisioningPackage -ForceInstall -PackagePath \demo.ppkg -QuietInstall

I have tried putting the batch file together with the ppkg -> zip it -> deploy via fog's snap-in pack. It doesn't seem to be running.

Does anyone have a more brilliant idea to share so that I can learn from all of you?

@mastacontrola
Member

I might suggest maybe output to a logfile on the root of your C: drive. This will at least potentially give you more information.
I don't know how ppkg works, but if the thing is not able to be installed via the System user, this may also be a problem.

Basically, in your logging I'd suggest having "starting", "about to run", "ran", "complete" kind of messages:

Something like:

echo Starting Snapin operation > "c:\snapin_run_troubleshooting.log"

echo About to run command: powershell.exe Install-ProvisioningPackage -ForceInstall -PackagePath \demo.ppkg -QuietInstall >> "c:\snapin_run_troubleshooting.log"

rem This allows the command to send its output (including errors, via 2^>^&1) to the log as well
powershell.exe Install-ProvisioningPackage -ForceInstall -PackagePath \demo.ppkg -QuietInstall >> "c:\snapin_run_troubleshooting.log" 2>&1

echo Command should have run, please validate >> "c:\snapin_run_troubleshooting.log"

echo Snapin operation complete >> "c:\snapin_run_troubleshooting.log"

@darksidemilk
Member

I would suggest using powershell directly.
i.e. I just tested this with success.

image

  • So make the snapin with the 'powershell' template
  • Adjust 'Snapin run with argument' to -ExecutionPolicy Bypass -NoProfile -command "('
  • Upload the ppkg file as the snapin file.
  • Set the snapin arguments to this
    • ').trim() | sv -name ppkg; Install-ProvisioningPackage -PackagePath `"C:\program files (x86)\FOG\tmp\$ppkg`" -ForceInstall -QuietInstall;"

What this does:

  • Fog service will download the ppkg file to C:\program files (x86)\FOG\tmp\file.ppkg
  • Fog service will run powershell.exe with a command derived from the arguments
    • Takes the name of the ppkg file, encased in (' file.ppkg ') trims it, and sends it to set-variable through the pipeline, uses the sv alias for a shorter string
    • Then runs Install-ProvisioningPackage with the full path to the downloaded package in force and silent mode.

I just tested this, ran it and then ran Get-ProvisioningPackage and the package was listed as installed. If it doesn't work we can look at adding more logging to it.

Other options for this specific use case would be to use group policy for enforcing enrollment into Azure/Entra AD.

@nssijt
Author

nssijt commented Sep 3, 2024

Wonderful and thank you both Tom and JJ Fuller for your detailed guidance. I am really appreciative of that. Let me get to my test environment to do a test and I shall get back if what JJ Fuller has suggested works.

Thanks again for both of your recommendations, which I had been trying for several weeks without a single success with fog snap-in. I shall get back soon.

@nssijt
Author

nssijt commented Sep 6, 2024

Sorry, I wasn't able to test it out as yet, as I found that the issue is because of the initial provisioning package that I wasn't able to remove
image

Not sure why, once I run the ppkg once, it cannot be removed for me to run another ppkg or the similar ppkg

I shall test and get back if JJ Fuller's script works on another machine probably after 12 Sep as it is crunch time for me this period

@darksidemilk
Member

@nssijt were you able to test this out further?

@nyp-jeremyt

Hi @darksidemilk JJ Fuller, sorry I didn't get back yet as I am trying to find time to test this. I briefly managed to test it out, I think a month back, but it doesn't seem to work.

I didn't fully test on it so I shall get back on this.

Sorry for the lapse and slow reply as I am currently engaged in workplace's Polytechnic open house works.

I shall get back by next week or the week after when my schedule is less tense.

Thanks again for following up @darksidemilk JJ Fuller.

@nssijt
Author

nssijt commented Jan 13, 2025

hi @darksidemilk,

The snap-in seems stuck somehow and unable to deploy as shown in the task.
image
image

Let me try on another host instead

@nssijt
Author

nssijt commented Jan 15, 2025

@darksidemilk, I have finally been able to push the task after resetting the encryption data.

Unfortunately, I think the powershell script/cmd you wrote for me doesn't work to push the ppkg.

I will also try on my own, any other further advice?

@darksidemilk
Member

Can you try manually installing the package on a machine, i.e. something like Install-ProvisioningPackage -PackagePath 'C:\temp\package.ppkg' -ForceInstall changing the package path to wherever you put it?
Install-ProvisioningPackage is a built in function from windows. If that's not working to install the package then it's a problem with the package. If that command works manually, then something else might be going on with the snapin method. Need a little more info to be able to troubleshoot it.

@nssijt
Author

nssijt commented Jan 22, 2025

Image works @darksidemilk when I run the code manually.

I think I will need to investigate the snap-in.

Thanks for your step-by-step guidance @darksidemilk.

I shall explore further

@rluzuriaga
Member

I have run into some packages/applications that I cannot run through a FOG snapin. In my case it was because the FOG snapin runs using the SYSTEM account. I had to trick the application to use it with an admin account by running it like this.

$username = "AdminUserName"
$password = ConvertTo-SecureString "AdminPassword" -AsPlainText -Force
$myCred = New-Object System.Management.Automation.PSCredential $username, $password
Invoke-Command -ScriptBlock {
    # Command I actually want to run in here
} -Credential $myCred

That didn't work for everything though. I still had one script that would not run even with the above commands.
It may be worth trying, though.
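
Added example (not part of any comment in this thread, and not code from the FOG project): a diagnostic wrapper that combines the logging and manual-install checks suggested above and records which account and process bitness the snap-in runs under, so the SYSTEM-account question can be answered from the log without placing an administrator password in the snap-in. The default `$PackagePath` and `$LogPath` values and the `Write-Log` helper are assumptions.

```powershell
# Added example: diagnostic wrapper for a snap-in that installs a provisioning package.
# Defaults below are assumed values; change them to match your deployment.
param(
    [string]$PackagePath = 'C:\temp\package.ppkg',
    [string]$LogPath     = 'C:\snapin_run_troubleshooting.log'
)

$ErrorActionPreference = 'Stop'   # turn cmdlet errors into exceptions we can log

# Hypothetical helper: append a timestamped line to the log file.
function Write-Log([string]$Message) {
    Add-Content -LiteralPath $LogPath -Value ("{0:u} {1}" -f (Get-Date), $Message)
}

$exitCode = 0
try {
    Write-Log 'Starting snap-in operation'

    # Record the security context the command really runs in.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    Write-Log "Running as: $($id.Name) (IsSystem=$($id.IsSystem))"
    Write-Log "PowerShell $($PSVersionTable.PSVersion), 64-bit process: $([Environment]::Is64BitProcess)"

    if (-not (Test-Path -LiteralPath $PackagePath -PathType Leaf)) {
        throw "Package not found: $PackagePath"
    }

    Write-Log "Packages before install:`r`n$(Get-ProvisioningPackage | Out-String)"

    Write-Log "About to run Install-ProvisioningPackage on $PackagePath"
    $result = Install-ProvisioningPackage -PackagePath $PackagePath -ForceInstall -QuietInstall
    Write-Log "Install output:`r`n$($result | Out-String)"

    # Same verification used manually in the thread.
    Write-Log "Packages after install:`r`n$(Get-ProvisioningPackage | Out-String)"
    Write-Log 'Snap-in operation complete'
}
catch {
    # Log the whole error record; a plain stdout redirect would lose it.
    Write-Log "FAILED: $($_.Exception.Message)"
    Write-Log ($_ | Format-List * -Force | Out-String)
    $exitCode = 1
}
exit $exitCode   # non-zero return code marks the snap-in run as failed
```

Comparing the log from a manual run with the log from a snap-in run shows whether the two differ in account, bitness, or package path.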

@nssijt
Author

nssijt commented Jan 23, 2025

thanks @rluzuriaga, greatly appreciated your guidance and sharing, tried your runas local admin, seems not working too.

@darksidemilk, I further explored your code which I ran manually on a cmd, no issue. So I kind of in a way agree with @rluzuriaga. Shall explore along that area to see if I can have any breakthrough.
Image
