How can we help?

Articles in this section

Deploy .MSI Package via PowerShell Follow

Synopsis

This step-by-step document will describe how to deploy the provided EvoCredentialProviderSetup.msi via a PowerShell script. The script can be used to deploy the installation at user logon or remotely using any RMM tool such as PDQDeploy, SCCM, etc.

Requirements

Steps

  1. Log on as domain administrator to the file server where the network share resides.
  2. Locate the shared network folder or create one.
    PowerShell_1.png
  3. Verify your network share folder has the proper network share permissions for the Everyone group.
    1. Note: A hidden share can also be used.  Append a $ at end of the Share name to hide it.
      PowerShell_2.png
  4. Create a folder named Evo in the network share.
    PowerShell_3.png
  5. Right-click the Evo folder and select Properties.
    PowerShell_4.png
  6. On the Share Properties page, click on the Security tab and click on Edit
    PowerShell_5.png
  7. On the Permissions for Shares page, click on Add.
    PowerShell_6.png
  8. On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Users and click OK.
    PowerShell_7.png
  9. Set permissions for Domain Users to Read & execute, List folder contents, and Read.
    PowerShell_8.png
  10. Once again, on the Permissions for Shares page, click on Add.
    PowerShell_9.png
  11. On the Select Users, Computers, Service Accounts, or Groups dialog box, click on Object Types…
    PowerShell_10.png
  12. On the Object Types page, select Computers and then click OK.
    PowerShell_11.png
  13. On the Select Users, Computers, Service Accounts, or Groups dialog box, type in Domain Computers and click OK.
    PowerShell_12.png
  14. Set permissions for Domain Computers to Read & execute, List folder contents, and Read. Then click OK twice.
    PowerShell_13.png
  15. Copy the EvoCredentialProviderSetup.msi file to the Evo folder in the network share.
    PowerShell_14.png
  16. Open Windows PowerShell ISE by clicking on Start, type in PowerShell, and select Windows PowerShell ISE program.
    PowerShell_15.png
  17. Copy and paste the script below into the Windows PowerShell ISE program and modify the variables to suit your environment.
    PowerShell_16.png
  18. Save the script to your network share.
    PowerShell_17.png
  19. Test script.

PowerShell Script

The script variables MUST be modified for your environment.

 

########################################
# 
# Description: This script is used to 
# silently install EvoCredentialProviderSetup.msi in 
# 
# Author: Evo Security
#
########################################

# Variables - Change these for your environment. The Values provided are examples only!
# 

# Enter the full UNC path to the network share in quotes (as a string)
$MsiPath = "\\servername.your.ADdomain\ShareName$\Evo\EvoCredentialProviderSetup.msi"
# $MsiPath = "..\src\evo\windows-credential-provider\release-x64\evocredentialprovidersetup.msi"

# Enter your Evo Directory name
$EvoDirectory = "your_evo_directory"

# Enter your Environment URL provided by Evo Security...no trailing slash!!!!
$EnvUrl = "https://ENVIRONMENT.evosecurity.com"

# Enter your failsafeuser. Can be a domain user: "your.ADdomain\username" OR a local user "WORKGROUP\username" 
# OR just a user "username" which covers AD and local users with that username
$FailSafeUser = "username"

# Enter your credential mode. 10 = Elevated Login, 90 = Secure Login, 100 = Secure + ElevatedLogin
$CredMode = 100

# Enter your SecretKey provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)
$ApiKey = "abc123@@@"​

# Enter your AccessToken provided by Evo Security. Is unnecessary if $CredMode is 90 (Secure Login)
$Accesstoken = "ACCESSTOKEN"

# Uncomment the following line to make Evo Credential Provider the sole credential provider on the system. It enforces login through Evo 2FA
#$SoleProvider = $True

# Change the following value to set an MFA grace period
$MFATimeOut = 0 # good values are from 0-1440 minutes, 0 means no grace period, 240 = 4 hours

# Uncomment following line to only display message box showing InstallerParams for debugging
$DebugParams = $True

#######################################################
# Script - Do not modify anything after this line!
#######################################################

$FullMsiPath = (Resolve-Path $MsiPath -ErrorAction SilentlyContinue).Path 

$EnvUrl = $EnvUrl.Trim("/ ") # cleans up environment url

$InstallerParams = "DOMAIN=$EvoDirectory ENVIRONMENTURL=$EnvUrl FAILSAFEUSER=$FailSafeUser ACCESSTOKEN=$Accesstoken APIKEY=$SecretKey CREDENTIAL_MODE=$CredMode MFATIMEOUT=$MFATimeOut"

if ($CredMode -eq 100 -or $CredMode -eq 10) {
$InstallerParams += " APIKEY=$ApiKey"
}

if ($SoleProvider) {
$InstallerParams += " SOLEPROVIDER=1"
}

if ($DebugParams) {
echo "InstallerParams`: $InstallerParams"
echo "MSI Path: $MsiPath"
echo "Full MSI Path: $FullMsiPath"
}
else {
if (-not $FullMsiPath) {
Write-Error "Could not find file $MsiPath."
return
}

$msi = New-Object -com "WindowsInstaller.installer"
$msi.UILevel = 2 # 2 is for silent, 3 will give a prompt
$msi.InstallProduct($FullMsiPath, $InstallerParams)
if ($msi) { [System.Runtime.Interopservices.Marshal]::ReleaseComObject($msi) | Out-Null }
}

Conclusion

This concludes the setup guide. Please proceed to test the PowerShell script by deploying it to a test group of users and computers via your RMM tool of choice. It can also be used to deploy via GPO user logon script.

Related articles

Comments

0 comments

Please sign in to leave a comment.