Deploy .MSI Package via PowerShell
Synopsis
This step-by-step document will describe how to deploy the provided EvoCredentialProviderSetup.msi via a PowerShell script. The script can be used to deploy the installation at user logon or remotely using any RMM tool such as PDQDeploy, SCCM, etc.
Requirements
- Download the latest Evo Credential Provider agent from HERE, and save it to a network share.
- Network Share accessible by all users and workstations with read-only permissions set.
Steps
- Log on as domain administrator to the file server where the network share resides.
- Locate the shared network folder or create one.
- Verify your network share folder has the proper network share permissions for the Everyone group.
- Note: A hidden share can also be used. Append a $ at end of the Share name to hide it.
- Create a folder named Evo in the network share.
- Right-click the Evo folder and select Properties.
- On the Share Properties page, click on the Security tab and click on Edit.
- On the Permissions for Shares page, click on Add.
- On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Users and click OK.
- Set permissions for Domain Users to Read & execute, List folder contents, and Read.
- Once again, on the Permissions for Shares page, click on Add.
- On the Select Users, Computers, Service Accounts, or Groups dialog box, click on Object Types…
- On the Object Types page, select Computers and then click OK.
- On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Computers and click OK.
- Set permissions for Domain Computers to Read & execute, List folder contents, and Read. Then click OK twice.
- Copy the EvoCredentialProviderSetup.msi file to the Evo folder in the network share.
- Open Windows PowerShell ISE by clicking on Start, type in PowerShell, and select Windows PowerShell ISE program.
- Copy and paste the script below into the Windows PowerShell ISE program and modify the variables to suit your environment.
- Save the script to your network share.
- Test script.
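The Evo folder holds both the MSI and the script, and both run with administrative rights on every workstation, so it is worth confirming that the permissions set in the steps above really are read-only. The following check is an added example, not part of Evo's script; the function names and the `$Trusted` allow-list are hypothetical, and the share and folder names are the article's placeholders.

```powershell
# Added example (not Evo's code). Run on the file server as an administrator.
# $ShareName / $EvoFolder reuse the article's example names; $Trusted is an assumed allow-list.
$ShareName = 'ShareName$'
$EvoFolder = '\\servername.your.ADdomain\ShareName$\Evo'
$Trusted   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

function Get-UnexpectedWriteAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Trusted = @()
    )
    # Rights that allow replacing or altering the MSI or the script.
    $rights    = 'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]$rights
    # Unmapped GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear on inherit-only ACEs.
    $writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Trusted -notcontains $_.IdentityReference.Value -and
        ([int]$_.FileSystemRights -band $writeMask) -ne 0
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

function Get-UnexpectedShareAccess {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string[]] $Trusted = @()
    )
    # Share-level check: anything other than Read for a non-trusted account is unexpected here.
    Get-SmbShareAccess -Name $Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -ne 'Read' -and
        $Trusted -notcontains $_.AccountName
    } | Select-Object AccountName, AccessRight
}

$ntfs  = @(Get-UnexpectedWriteAce    -Path $EvoFolder -Trusted $Trusted)
$share = @(Get-UnexpectedShareAccess -Name $ShareName -Trusted $Trusted)
if ($ntfs.Count -or $share.Count) {
    $ntfs  | Format-Table -AutoSize
    $share | Format-Table -AutoSize
    Write-Warning "Non-trusted principals can modify $EvoFolder; tighten permissions before deploying."
} else {
    Write-Output "Only read access found for non-trusted principals on $EvoFolder."
}
```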
PowerShell Script
The script variables MUST be modified for your environment.
########################################
#
# Description: This script is used to
# silently install EvoCredentialProviderSetup.msi in
#
# Author: Evo Security
#
########################################
#Requires -RunAsAdministrator
# Variables - Change these for your environment. The Values provided are examples only!
#
# Enter the full UNC path to the network share in quotes (as a string)
$MsiPath = "\\servername.your.ADdomain\ShareName$\Evo\EvoCredentialProviderSetup.msi"
# $MsiPath = "..\src\evo\windows-credential-provider\release-x64\evocredentialprovidersetup.msi"
# Enter your Evo Directory name
$EvoDirectory = "your_evo_directory"
# Enter your Environment URL provided by Evo Security...no trailing slash!!!!
$EnvUrl = "https://ENVIRONMENT.evosecurity.com"
# Enter your failsafeuser. Can be a domain user: "your.ADdomain\username" OR a local user "WORKGROUP\username"
# OR just a user "username" which covers AD and local users with that username
$FailSafeUser = "username"
# Enter your credential mode. 10 = Elevated Login, 90 = Secure Login, 100 = Secure + ElevatedLogin
$CredMode = 100
# Enter your SecretKey provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)
$ApiKey = 'abc123'
# Enter your AccessToken provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)
$Accesstoken = 'ACCESSTOKEN'
# Uncomment the following line to make Evo Credential Provider the sole credential provider on the system. It enforces login through Evo 2FA
#$SoleProvider = $True
# Change the following value to set an MFA grace period
$MFATimeOut = 0 # good values are from 0-1440 minutes, 0 means no grace period, 240 = 4 hours
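# While $DebugParams is $True the script only prints InstallerParams (including the access token
# and API key) and does NOT install. Comment out the following line to perform the installation.
$DebugParams = $True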
#######################################################
# Script - Do not modify anything after this line!
#######################################################
function IsRunningAsAdministrator {
    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}
$FullMsiPath = (Resolve-Path $MsiPath -ErrorAction SilentlyContinue).Path
$EnvUrl = $EnvUrl.Trim("/ ") # cleans up environment url
# APIKEY is appended below, only for the credential modes that need it
$InstallerParams = "DOMAIN=$EvoDirectory ENVIRONMENTURL=$EnvUrl FAILSAFEUSER=$FailSafeUser ACCESSTOKEN=$Accesstoken CREDENTIAL_MODE=$CredMode MFATIMEOUT=$MFATimeOut"
if ($CredMode -eq 100 -or $CredMode -eq 10) {
    $InstallerParams += " APIKEY=$ApiKey"
}
if ($SoleProvider) {
    $InstallerParams += " SOLEPROVIDER=1"
}
if ($DebugParams) {
    # Debug mode: print the parameters and paths only, no installation
    echo "InstallerParams`: $InstallerParams"
    echo "MSI Path`: $MsiPath"
    echo "Full MSI Path`: $FullMsiPath"
}
else {
    if (-not $FullMsiPath) {
        throw "Could not find the MSI file`: $MsiPath."
    }
    $msi = New-Object -com "WindowsInstaller.installer"
    $msi.UILevel = 2 # 2 is for silent, 3 will give a prompt
    $msi.InstallProduct($FullMsiPath, $InstallerParams)
    if ($msi) { [System.Runtime.Interopservices.Marshal]::ReleaseComObject($msi) | Out-Null }
}
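Because the script installs whatever file sits at `$MsiPath` with administrative rights, a hash check before `InstallProduct` catches a replaced or corrupted package. This is an added example, not part of Evo's script: `Get-VerifiedMsiCopy` and `$ExpectedSha256` are hypothetical names, the hash is a placeholder, and whether the MSI carries an Authenticode signature is not stated on this page, so that check is optional.

```powershell
# Added example (not Evo's code). $ExpectedSha256 is a placeholder: record the real value
# with Get-FileHash on a trusted machine when you download the agent.
$MsiPath        = '\\servername.your.ADdomain\ShareName$\Evo\EvoCredentialProviderSetup.msi'
$ExpectedSha256 = '<SHA256-OF-THE-DOWNLOADED-MSI>'

function Get-VerifiedMsiCopy {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedHash,
        [switch] $RequireValidSignature   # assumption: use only if the vendor MSI is Authenticode-signed
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Could not find the MSI file: $Path"
    }
    # Work on a local copy so the bytes that are checked are the bytes that get installed.
    $local = Join-Path ([System.IO.Path]::GetTempPath()) ("{0}.msi" -f [guid]::NewGuid())
    Copy-Item -LiteralPath $Path -Destination $local -Force -ErrorAction Stop
    try {
        $actual = (Get-FileHash -LiteralPath $local -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedHash) {
            throw "SHA-256 mismatch for $Path (got $actual)."
        }
        $sig = Get-AuthenticodeSignature -FilePath $local
        if ($RequireValidSignature -and $sig.Status -ne 'Valid') {
            throw "Authenticode status is '$($sig.Status)' for $Path."
        }
        Write-Verbose "Signer: $($sig.SignerCertificate.Subject)"
        return $local
    }
    catch {
        # Do not leave an unverified package behind.
        Remove-Item -LiteralPath $local -Force -ErrorAction SilentlyContinue
        throw
    }
}

# Usage inside the deployment script, in place of the Resolve-Path line:
#   $FullMsiPath = Get-VerifiedMsiCopy -Path $MsiPath -ExpectedHash $ExpectedSha256
#   ... $msi.InstallProduct($FullMsiPath, $InstallerParams) ...
#   Remove-Item -LiteralPath $FullMsiPath -Force
```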
Conclusion
This concludes the setup guide. Please proceed to test the PowerShell script by deploying it to a test group of users and computers via your RMM tool of choice. It can also be used to deploy via GPO user logon script.