imabdk / Toast-Notification-Script

My Windows Toast Notification Script, explained in detail here: https://imab.dk/windows-10-toast-notification-script/

Home Page: https://imab.dk


Notifications deployed through InTune Win32 packaged installers in a SYSTEM context don't have sufficient folder rights for the unelevated user to run the notification script

kwelaye-gl opened this issue

I've been working to integrate toast notifications into some of my Win32 InTune Installer packages, all of which deploy in the SYSTEM context, and noticed that the notifications wouldn't show when deployed via InTune despite working in PSEXEC. I could briefly see a PowerShell window flash, but that was it. After investigating, I found that when InTune stages a system-context package for installation, only the SYSTEM account and Administrators group have access to the install folder, period.

I added this to the beginning of my install script to overcome this, which essentially just grants Read & Execute rights to the Users group for the installation folder. Not sure if this is something that could be integrated and locked behind an XML parameter. Obviously, depending on the package, this might not be smart to enable by default, but for me personally the packages I'm working on incorporating Toast notifications into don't contain any sensitive information.

```powershell
# Initialize Variables
$ScriptPath = (Get-Item .).FullName

# Grant user read access to install folder so that the notification script can be run by the user later
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule ("users", "ReadAndExecute", "ContainerInherit,ObjectInherit", "None", "Allow")
$ACL = Get-Acl $ScriptPath
$ACL.SetAccessRule($AccessRule)
Set-Acl $ScriptPath $ACL
```

I'm not sure if this super cool script is still being actively developed, but hopefully this information helps someone. Thanks for making this!
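
A narrower variant of the approach described in the issue above, as an added example that is not part of the original post or of the Toast-Notification-Script project: it grants Read & Execute to BUILTIN\Users by well-known SID (S-1-5-32-545, so the rule also resolves on non-English Windows) on one subfolder only, then re-reads the ACL and fails if that group holds any write-type right there. The `Toast` subfolder name and the `$PackageRoot` / `$ToastFolder` parameters are assumptions.

```powershell
# Added example: not from the original issue or the project.
param(
    [string]$PackageRoot = (Get-Item .).FullName,
    # Hypothetical subfolder that holds only the toast script, its config and images
    [string]$ToastFolder = 'Toast'
)

$Target = Join-Path $PackageRoot $ToastFolder
if (-not (Test-Path -LiteralPath $Target -PathType Container)) {
    throw "Toast folder not found: $Target"
}

# BUILTIN\Users by well-known SID instead of the localized name "users"
$UsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

# Same rule as in the issue: Read & Execute, inherited by subfolders and files
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UsersSid, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')

$Acl = Get-Acl -LiteralPath $Target
$Acl.SetAccessRule($Rule)
Set-Acl -LiteralPath $Target -AclObject $Acl

# Verification: files that a SYSTEM-context installer stages should not be
# writable by standard users, so check explicit and inherited Allow rules
# for BUILTIN\Users against the write-type rights bits.
$WriteBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

$Rules = (Get-Acl -LiteralPath $Target).GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$Writable = @($Rules | Where-Object {
    $_.IdentityReference.Value -eq $UsersSid.Value -and
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band [int]$WriteBits) -ne 0
})

if ($Writable.Count -gt 0) {
    throw "BUILTIN\Users has write-type rights on ${Target}: $($Writable.FileSystemRights -join '; ')"
}
Write-Output "BUILTIN\Users: Read & Execute only on $Target"
```

The check covers only rules for BUILTIN\Users; rights granted to other principals, such as Authenticated Users, need their own review.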