Hey everyone! I'm a systems technician, not exactly a developer, but I've been trying out different methods for silently deploying software to domain-joined Windows computers without using agents or WinRM. Here's my current setup:
1. I copy the installer to the target machine using SMB.
2. A temporary service is created through the Service Control Manager (SCM).
3. The installer runs as LOCAL SYSTEM.
4. I ensure the SHA-256 hash is verified before execution.
5. After installation, the service and any related files are automatically cleaned up.
This solution leaves no trace afterwards, which is a plus. I developed this tool to streamline AD and M365 management tasks, and it's been performing well so far in my environment. However, I'm curious about how others approach remote software deployment. Are you using Intune, GPO, or something else? Do you have security or operational concerns with using SMB and temporary services? Also, I'm looking for a test tenant for Microsoft 365 integration. I applied to the Microsoft 365 Developer Program, but unfortunately got rejected. Any tips?
5 Answers
You might want to explore Group Policy for software deployment! The Microsoft documentation is thorough: it shows how to use the assign method to install software silently. It’s quite effective!
I’ve been experimenting with a winget script via Intune, but I’m not quite there yet. What’s tricky is figuring out how to execute the winget command from Intune. Any suggestions?
Are you using a PowerShell script to call winget? What specific issues are you running into?
PDQ Deploy is really great! I've been using it for a while, and it pairs nicely with PDQ Inventory for deployment and inventory management. If you're looking for a solid solution, this pairing is definitely worth considering!
Totally agree! We're actually thinking about moving to PDQ at work, especially since the free tier is already pretty robust!
Your method is actually quite similar to how many traditional remote admin tools function, like PsExec. Copy binary ➔ create a temporary service ➔ execute as SYSTEM ➔ clean up. Just keep an eye on AV and EDR systems that might flag those temporary services!
Great feedback! Fortunately, we use PDQ Deploy, so the EDR isn't a problem for us. I appreciate the heads up!
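The copy, temporary service, run as SYSTEM, clean up pattern described in the answer above is what monitoring tends to key on. As an added example (not code from anyone in this thread), the Python below parses the rendered text of System-log Event ID 7045 ("A service was installed in the system") records and flags installs that match that pattern. The sample events, the staging-path list and the three-signal threshold are assumptions made for illustration.

```python
import re

# Constructed sample data: rendered text of three System-log Event ID 7045 records.
SAMPLE_EVENTS = [
    "A service was installed in the system.\n\nService Name:  DeployTmp_4f2a\n"
    "Service File Name:  C:\\Windows\\Temp\\setup_4f2a.exe /quiet\n"
    "Service Type:  user mode service\nService Start Type:  demand start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  VendorAgent\n"
    "Service File Name:  \"C:\\Program Files\\Vendor\\agent.exe\"\n"
    "Service Type:  user mode service\nService Start Type:  auto start\n"
    "Service Account:  LocalSystem",
    "A service was installed in the system.\n\nService Name:  SampleDrv\n"
    "Service File Name:  C:\\Windows\\System32\\drivers\\sampledrv.sys\n"
    "Service Type:  kernel mode driver\nService Start Type:  demand start\n"
    "Service Account:  ",
]

# One "Service <field>: <value>" pair per line of the 7045 message body.
FIELD_RE = re.compile(
    r"^Service (Name|File Name|Type|Start Type|Account):[ \t]*(.*)$", re.M)

# Assumed list of writable/staging locations; tune it to your environment.
STAGING_DIRS = ("\\windows\\temp\\", "\\users\\", "\\programdata\\", "\\admin$\\")


def parse_7045(message):
    """Return the 7045 fields as a dict keyed name/file_name/type/start_type/account."""
    return {key.lower().replace(" ", "_"): value.strip()
            for key, value in FIELD_RE.findall(message)}


def reasons(svc):
    """List the signals that make a service install look like a temporary runner."""
    path = svc.get("file_name", "").strip('"').lower()
    found = []
    if any(d in path for d in STAGING_DIRS):
        found.append("binary in staging path")
    if svc.get("start_type") == "demand start":
        found.append("demand start")
    if svc.get("account", "").lower() == "localsystem":
        found.append("runs as LocalSystem")
    return found


def flag_temporary_services(messages, threshold=3):
    """Return (service name, reasons) for user-mode installs at or above threshold."""
    parsed = (parse_7045(m) for m in messages)
    return [(svc["name"], reasons(svc)) for svc in parsed
            if svc.get("type") == "user mode service"
            and len(reasons(svc)) >= threshold]
```

A legitimate deployment tool will trip the same signals, so pair the output with an allowlist of the service names or binary hashes your own tooling uses.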
Your approach is solid for environments where WinRM is restricted. I suggest considering using Task Scheduler via RPC; it allows you to create and trigger a scheduled task remotely which can be a cleaner way to execute things without leaving as much behind.
Thanks for the suggestion! I’m definitely interested in looking into that and also exploring named pipes for better logging.

Thanks for the tip! I’m looking for a solution that lets me trigger deployments on-demand, though.