Sneak peek: Public preview of Win32 application deployment using Microsoft Intune
Published Oct 02 2018 04:00 AM 50.9K Views
Microsoft

(Update March 15 2019: The public preview is complete and this feature is now generally available. Click here for product documentation) 

 

One of the most eagerly awaited features for Microsoft Intune customers is the ability to deploy most of their existing Windows applications to MDM-managed Windows clients. This article provides a sneak peek at this exciting capability that was announced at Microsoft Ignite. Building upon the existing support for line-of-business (LOB) apps and Microsoft Store for Business apps, administrators will use Intune to add, install, and uninstall applications for Windows 10 users in a variety of formats such as MSI, Setup.exe, or MSP. Intune will evaluate requirement rules before the start of app download/ install and notify end users of the status or reboot requirements using the Windows 10 Action Center. This fully cloud-based capability will provide the management flexibility and simplicity to help organizations shift to the modern desktop. The Intune feature is built by the same team that perfected Windows app deployment via Configuration Manager, serving applications to hundreds of thousands of Windows PCs worldwide. The public preview for Windows app deployment is expected to be available in the next release of Intune, and we will continue to add significant new capabilities over the next few months based on your feedback.

 

Click here to view on-demand video of the related session by Mahyar Ghadiali, Senior Program Manager, at Microsoft Ignite 2018.  This article provides a quick summary of the steps you may follow once the preview is available. It does not replace the official Intune  product documentation that will provide the complete details at the time of release.

Process overview

The overall process is quite straightforward. First you package and upload your existing apps to Intune using a new utility. Then you configure the relevant application properties, and add the app to Intune’s Company Portal catalog. Finally, you assign the apps to specific users or user groups, optionally marking the apps as featured, required, or available. The cloud-based management simplifies monitoring and troubleshooting during the application lifecycle. Let us start with a look at some of the pre-requisites

 

Client and application pre-requisites

  • Windows 10 version 1607 or later (Enterprise). We are currently testing Pro and Education editions of Windows 10 version 1607 and will be happy to hear your feedback.
  • Windows 10 client needs to be:
    • joined to Azure Active Directory (AAD) or Hybrid Azure Active Directory, and
    • enrolled in Intune (MDM-managed)
  • Windows application size is capped at 2 GB per app in the public preview. In this article, we will refer to it as “Win32 app” 

 

Prepare content for upload to Intune

 

In order to deploy to the Windows 10 clients, you must upload your existing Windows application to the Intune cloud. To prepare the application for upload, download the Intune Win32 App Packaging Tool from GitHub. Point the tool at your installer directory, which should include all the files for the proper installation of your application. This generates an app manifest file, and will encrypt and compress the installer bundle to produce a bundle with the .intunewin file extension. This does not change or otherwise repackage your application content. It is simply an optimization for upload to the cloud.

 intro.png

 

 

 

Create, assign, and monitor a Win32 app

Many organizations use custom Win32 apps that are typically written in-house or by a 3rd party. The following steps provide guidance to help you add a standard Win32 app to Intune.

 

Step 1: In the Add app pane, select Windows app (Win32) – preview from the provided drop-down list.

 

01.png

 

Step 2: In the add app pane, select App package file to select a file. In the App package file pane, click the browse button and select the Windows installation bundle you previously created with the extension .intunewin. Click OK when you're done.

 

02.png

 

 

Step 3: You will now configure the application properties within the add app pane.

Select App information to configure a name and other app metadata used by the admin to identify and monitor the application. This is the name displayed in the Windows Company Portal and selected by end-user to launch the application. IT administrators may choose to categorize the apps or highlight them as “Featured App” in the company portal.

 

2018-10-01_19-54-55.png

 

 

Step 4: Configure app installation details in the Program properties, such as any command-line switches and options to perform the installation and uninstallation.  

 

 

2018-10-01_19-54-57.png

 

 

 

Step 5: Configure app ‘Requirements’, still in the add app pane. The requirement rules are executed at the time of install so you have better chance of success when you deploy your app. Requirement rules are useful because they guard against content download to the target client machine by Intune until the requirements are met.

 

2018-10-01_19-54-58.png

 

 

Step 6: Configure app Detection Rules to help guard against redeploying the app repeatedly on a device. The app will not install on a system where it may be already installed. Your detection method expression can be built by creating multiple rules using file, registry and MSI product code. If your environment requires more detailed detection methods, you may deploy PowerShell scripts to detect the application.

 

2018-10-01_19-54-59.png

 

 

Step 7: Configure app return codes, still within the “Properties” pane of the “add app” pane. Return code entries are added by default during app creation. However, you can add additional return codes or change existing return codes. Select Return codes and change these settings only if you must customize either app installation retry behavior or post-installation behavior.  

 

2018-10-01_19-55-00.png

 

 

Step 8: You are now ready to add the app. In the Add app pane, verify that you configured the app information correctly. Select Add to upload the app to Intune.

  

Step 9: App assignment and monitoring is one of the key benefits of managing Windows software with Intune. Once your app is uploaded to Intune, it will be visible in the Intune console. You can assign it to groups based on the requirements of your organization and easily monitor app information.2018-10-01_19-55-01.png

 

 

 

 

Step 10: The end-user will see Windows Action Center Notifications for required and available app installations. The following image shows an example of one such notification where the app installation is not complete until the device is restarted.

 2018-10-01_19-55-02.png

 

 

 

 

Next steps

If you are already a Microsoft Intune customer, look for the public preview to be available in your tenant shortly. We will make the release announcement on the What’s New page of Intune product documentation. If you are a future Microsoft customer, sign up for the 90-day free trial of Enterprise Mobility + Security (EMS), which gives you access to the complete solution for modern management and security including Microsoft Intune.

 

If you already have eligible subscriptions to Microsoft 365 or EMS, remember to use the FastTrack benefits available at no additional cost for the life of your subscription. Move confidently to cloud-managed Windows with end-to-end guidance throughout your Microsoft Intune deployment, delivered by Microsoft engineers or partners. We’re also pleased to announce Desktop App Assure—a new service from Microsoft FastTrack designed to address issues with Windows 10 and Office 365 ProPlus app compatibility. Windows 10 is the most compatible Windows operating system ever, so you should generally expect that apps that work on Windows 7 will continue to work on Windows 10 and subsequent feature updates. But if you find any app compatibility issues after a Windows 10 or Office 365 ProPlus update, Desktop App Assure is designed to help you get a fix. Learn more in this blog.

 

(Update March 15 2019: The public preview is complete and this feature is now generally available. Click here for product documentation) 

 

23 Comments
Copper Contributor

This is great news, as this is one of the big hurdles we have been trying to get over to truly start moving our users over to a modern workplace environment 

Brass Contributor

I need this like today!  

Microsoft

Update: BRK3285 session recording is now available from MS Ignite. Watch the demos, listen to the Q&A, and get more details in this free on-demand video https://www.youtube.com/watch?v=nXDCbFHvJ4Y 

 

 

Brass Contributor

Trying to get Adobe Creative Cloud installed as its not in the Microsoft Store, this seems the only way, I tried scripting it, works fine as Admin but cant get it to go as a Standard User !  Help!   

Copper Contributor

Great feature looking forward to see how this expands as time goes on.

 

Was just wondering though I have deployed ApplicationX version 1.1 now I need to upgrade that application to 1.2 do I simply upload the new .intune bundle and tweak the detection logic or do I create a new "Win app"?

Brass Contributor

Currently testing this out. I'm very new to Intune and have a few questions.

 

How is this feature different than the previous "Line of Business app" deployment feature?  It seemed pretty similar - you upload your .msi and it will push it out via Intune.  

 

I've added the app (a Labtech computer management agent) to Intune and assigned it to an Intune group where my test Win 10 PC resides and set it to "required" but it has not installed on the PC yet.  How long should that typically take? Within minutes? Hours?   How do I start to troubleshoot this?   If i look at the app status page in Intune, it just shows 0 for Installed, Not Installed, Failed, Install Pending, etc.   Are their logs on Intune I should be looking at?  Are their logs on the PC?

 

Very excited to get this working. Thanks for any advice you can provide!

 

Jason Hartman

 

 

Copper Contributor
I'm getting the same experience as Jason - no errors to be found, but zero deployment activity, apps have been in our tenant for about 24 hours now.
Copper Contributor

@Jason Hartman@Rob BroughallI think the problem is that you have to assign the app to a group of users and not devices. That worked for me after a restart of the client. Unsatisfying restriction..

Edit: works if app is assigned as required.

Copper Contributor

That's not the case from what I can tell, I put three apps up there last week, all assigned to device only groups, one of the apps has finally deployed & is picking up new machines quickly, however the other two have still done nothing.  Almost like there's a backlog somewhere...

Copper Contributor

I did the following:

Assigned the app to a group containing my device -> nothing happened.

Added the user to the group -> app appeared in Company Portal.

Removed the user from the group (device is still in the group) -> app disappeared in Company Portal.

 

It seems to be the same restriction as for the deployment of powershell scripts: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/35699161-powershell-assignment...

Edit: works if app is assigned as required.

Brass Contributor

Hi all,

I created a case with the support team to figure out why my Win32 app wasn't deploying.  We found that my test machine was missing the Intune Management Extension.  This is the component that is required to be on the local machine in order to deploy PowerShell scripts and Win32 apps.

 

I had manually enrolled my device into Azure AD and Intune/MDM.  Turns out auto-enrollment is the only way to get the Intune Management Extensions to installed.  Auto-enrollment basically means that when you join a device to Azure AD it will automatically enroll that device in Intune/MDM as well.  So in order to turn that on, you go into your Azure portal -> Azure Active Directory -> Mobility (MDM and MAM) and then select Intune. The "MDM User Scope" at the top needs to be set to "Some" or "All" in order to have auto-enrollment enabled.  "Some" just means that you want to specify a group of users to apply it to. So I created a security group and added my test user to.   Mine was originally on "None".  

 

Then I went into devices and "Retired" the device.  Then on the PC, went to Settings -> Accounts -> Work Accounts and disconnected the Azure AD join and Intune enrollment that previously existed.  I rebooted the device, went back to Settings -> Accounts -> Work accounts and did an Azure AD Join again.  Immediately I saw it pushing down my Win 32 app and it was installed successfully.

 

TLDR - make sure you are using auto-enrollment in order to get Intune Management Extensions installed on the device. This is required to deploy Win32 apps.

 

Jason Hartman

 

Brass Contributor

I've been testing this for a couple of days now and so far the results work great.  I have found one bug, which once the application is installed successfully, if the user clicks the option to "Reinstall" the application, the state of the application from Company Portal will remain "Download Pending" indefinitely.  PC and service restarts have no effect.  The logs seem to indicate the action was taken, but the state of the application simply never changes from "Download Pending".

The only solution I've found so far is to manually uninstall the application, and the Intune client will then install the application and change the state as it should.

Jason and folks - there is an intermittent bug where apps aren't always able to reliably install apps from the Company Portal or IW Portal. The bug is being fixed this week. It's not consistent, though. Hopefully you've had a better experience since posting this; if not, definitely open a support case.

Brass Contributor

Another quick note after further testing, if you try to use this to deploy things like the Visual C++ Redistributable for Visual Studio 2015, the version detection does not appear to work properly.  We are attempting to use the registry key validation per the MSDN article best practices for installer deployment, but the version recorded in the registry isn't evaluated properly by the Intune client because the vc++ registry key stores the vesion value with the "v" character at the beginning. I think the Intune client should be able to handle this version notation properly as it is a common way of recording versions.
See logs below:

<![LOG[[Win32App] Got reg value path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\x64, name: Version, value: v14.15.26706.00]LOG]!><time="15:17:17.9269191" date="10-19-2018" component="IntuneManagementExtension" context="" type="1" thread="5" file="">
<![LOG[[Win32App] Failed to parse Version with actualValue: v14.15.26706.00, DetectionValue: 14.15.26706.00]LOG]!><time="15:17:17.9274783" date="10-19-2018" component="IntuneManagementExtension" context="" type="3" thread="5" file="">
 
Copper Contributor

I am seeing that my intune wrapped exe is still running (ccmsetup.exe), but I immediately get a "failed" status in Intune and on the workstations.  

10-19-2018 4-28-32 PM.png(sidenote, if anyone is wondering why i'm using the exe instead of msi, the msi would not work for this tenant)

Brass Contributor

When creating and uploading win32 apps will be supported via graph api??

 

Thanks

Silver Contributor
Copper Contributor

There is a small typo error in the tool. After adding source folder, it starts with copy soure folder. Instead of source:grinning_face:

Iron Contributor

Need the option to include MST as part of the install. Several applications uses MST for custom settings.  Thanks. 

Brass Contributor

Hi Jeff. I havent tried but i believe you can do that already because the wrapper gets the entire folder so you just need to stick the mst on the same folder and refer to it on the install line. 

Copper Contributor

The documentation above says the Win32 app converter supports MSI, EXE, and MSP, but that is not true!  Trying to load just a single MSP fails.  I understand the work around is to package the MSI with the MSP, and just write the command to invoke the MSP.  However as an example, the MSI for Bluebeam is over 1GB in size, whereas the MSP is under 100MB.  Having to load a 1GB MSI to deploy a 100MB MSP is a terrible oversite for the Win32 app dev team.  Being able to distribute MSI Patch files is HUGE!  Please vote up here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/35691400-support-for-deploymen...

Brass Contributor

Hi Mark,

 

I've just tested and the same happened here. So the tool is really not working as it should.

 

What i do for small packages is i create a powershell script to with the run command line and convert it in Exe  (look for PowerShell2Exe).

 

i know its now the best solution but it can help on the mean time 

@MarkReid we could use some help from you to troubleshoot what's going on (including logs/etc.) I will send an email to you directly through this platform. 

Version history
Last update:
‎Mar 15 2019 04:26 PM
Updated by: