software management
454 Topics

How to deploy a Win-32 app with Microsoft Intune!
Dear Microsoft Intune Friends,

Deploying a .msi app is a more or less simple matter in most cases. However, if you need to deploy an .exe app, it gets a bit more complicated. It takes a little art and science to deploy the app. What exactly do I mean by that? Well, an .exe app can't just be uploaded to the Intune portal and then deployed.

Before we even get started with Intune, we need to figure out how to install and uninstall the Win32 app. This means we need a machine (identical to the machines you manage with Intune) to perform a test install and uninstall on. The challenge here is that installation and uninstallation are performed "seamlessly", more precisely without interaction of a person. I use Notepad++ as an example in this article.

The installation and uninstallation of Notepad++ works something like this:

Installation (/S for silent - case sensitive):
npp.8.1.5.Installer.exe /S

We need the complete program path later in Intune.
"C:\Program Files (x86)\Notepad++\notepad++.exe"

The uninstallation works like this (/S for silent - case sensitive):
"C:\Program Files (x86)\Notepad++\uninstall.exe" /S

With this knowledge in hand, we can move forward. No, not in Intune but on our local computer. I have already downloaded the executable file for the test installation. We cannot work with the .exe file in Intune; we have to make it Intune compatible. For this we use the Microsoft Win32 Content Prep Tool from Microsoft (thanks to the Microsoft team).
https://github.com/microsoft/Microsoft-Win32-Content-Prep-Tool

Now start a command prompt with elevated privileges and navigate to the IntuneWinAppUtil.exe file. Now you need the complete path to your Notepad++ .exe file and a path for the "packaged" Intune version. It may look something like this:

IntuneWinAppUtil.exe -c C:\Temp\NotepadPP -s C:\Temp\NotepadPP\npp.8.1.5.Installer.exe -o C:\Temp\NotepadPP_Packed -q

-c <setup_folder>  Setup folder for all setup files. All files in this folder will be compressed into .intunewin file. Only the setup files for this app should be in this folder.
-s <setup_file>  Setup file (e.g. setup.exe or setup.msi).
-o <output_file>  Output folder for the generated .intunewin file.
-q  If -q is specified, it will be in quiet mode.

Now we move on to the Microsoft Endpoint Manager Admin Center.
https://endpoint.microsoft.com

Navigate to the Apps. Select the platform, in my example Windows. Select Add. Select Windows app (Win32). Now locate your "packaged" Notepad++ file. Enter some information about the app (especially the required fields). Now our collected information on installation and uninstallation comes into play. If your app still has special return codes, enter them as well. Select operating system and version, the rest is optional. Now we need to configure the detection rules. We don't want Notepad++ to be installed on a system where Notepad++ is already present. There are no dependencies in my example. This app does not replace any existing app. Now you can specify who should receive this app. I choose "All Devices" and "All Users".

Navigate to a system in Intune and click Sync. This is simply to force the installation of the app. If you have the possibility to force the synchronization on the physical one, you can check faster if the installation works. Now wait a few minutes and voila, the app is there!!!

Sure, that wasn't the huge highlight now. I just wanted to share my experience. I hope this article was useful. Thank you for taking the time to read the article.

Best regards, Tom Wechsler

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

85K Views, 5 likes, 5 Comments

Device Security
There’s little disagreement that mobile technologies are beneficial to business. Mobility means flexibility and productivity gains and a sense of control for employees. Mobile is more than just smartphones. With IoT, more devices like smartwatches, tablets, and manufacturing equipment are enabled to access networks and provide information to individuals through multiple channels. In many ways, this has changed the “boundaries” of the workplace, which make managing enterprise data more complex. An IBM study found that 62% of IT leaders with a well-defined mobile strategy achieve ROI in 12 months or less. Harnessing the power of mobile devices can improve the flexibility and productivity of employees, while sound Mobile Device Management protects an enterprise from security threats.

How are companies approaching mobility?

A recent Gartner study found that 66% of employees currently use their own devices at work. From a productivity, cost and employee satisfaction perspective, allowing employees to bring their own devices is beneficial. Mobile access means that companies can work beyond the walls of their cubicles and can more easily access information on the go. Employees are more likely to be comfortable navigating their own devices and for the IT department, it drives fewer device set-up and maintenance costs. However, the benefits are not without risks.

Risks

Increasing the number of devices with access to a network makes managing and securing those devices more complicated. Identifying the number of devices on the network, configuring these devices to comply with company policies, granting access to internal information, as well as protecting these devices from outside threats pose many challenges. Another risk, less tangible but certainly impactful, is employee compliance and overall satisfaction. Even if corporations provide devices, many employees are still prone to carry their own devices with them, or find workarounds.
Transparency around device policies and security risks can help convey the risks to non-compliant or resistant employees. If deployed properly, BYOD policies can meet employee needs and still protect the network from external threats.

This month on Tech Community, we’ll be discussing mobile device management, productivity gains from a mobile-first world, and the security challenges (among other challenges) that go along with managing an ever-growing network of devices. How does your company approach mobility and what are the challenges and successes you’ve had?

3.7K Views, 4 likes, 1 Comment

[New Blog Post] iOS Enrollment with Microsoft Intune Decision Tree
In the ever-evolving landscape of mobile device management, Microsoft Intune stands as a beacon of simplicity and efficiency. For organizations embracing the Apple ecosystem, enrolling iOS devices into Intune offers a world of possibilities. Let's embark on a journey through the high-level overview of various iOS enrollment methods, each designed to cater to diverse organizational needs.

iOS Decision Tree

1. Supervised Devices: For Maximum Control and Customization
Supervised devices are the powerhouses of iOS management. Perfect for corporate-owned devices, they provide enhanced control, allowing organizations to tailor settings and restrictions as needed.

2. User Enrollment: Balancing Work and Life on a Single Device
Ideal for personal device use, User Enrollment ensures a harmonious coexistence of work and personal data. Users maintain privacy while benefiting from the organizational security umbrella.

3. Device Enrollment: Comprehensive Control for Personal Devices
For a more encompassing approach, Device Enrollment brings personal iOS devices into the organizational fold. Organizations maintain control while users enjoy the familiarity of their own devices.

4. Automated Device Enrollment (formerly DEP): Seamless Out-of-the-Box Experience
Formerly known as Device Enrollment Program (DEP), Automated Device Enrollment streamlines the onboarding process for new devices, ensuring they are automatically enrolled into Intune upon activation.

5. Apple Configurator: Tailoring Settings for a Cohesive Experience
Apple Configurator offers a manual yet robust approach for customizing settings on iOS devices. Ideal for specific use cases where hands-on configuration is preferred.

Elevate your iOS device management experience with Microsoft Intune – where simplicity meets efficiency! 📱✨

https://www.linkedin.com/in/shady-khorshed-19277723/ is a Microsoft enthusiast. He loves writing on iOS/Android, Windows 11, Windows 365 and related Microsoft Intune. He is here to share quick tips and tricks for all young professionals.

#MicrosoftIntune #iOSDeviceManagement #TechSolutions #MobileSecurity #MicrosoftIntune #MobileDeviceManagement #AndroidEnrollment #TechInnovation #Apple #ios #android #decisiontree #microsoft #intune #COPE #COSU #COBO #BYOD #Appprotectionpolicy #Workprofile #devices #design #environment

2.5K Views, 4 likes, 0 Comments

Windows Autopilot and Configuration Management Client Installation Methods
I'm using Windows Autopilot to build my machines with AzureAD hybrid join. Currently as part of the ESP we deploy the configuration manager client and our VPN software (both Win32 apps) to them so we can get them co-managed ASAP. We also do this in ESP as blocking apps to control the device availability to users until they are completed. Our implementation partner advised us to install the Configuration Manager client in this manner to speed up co-management. Autopilot works (albeit slow at _ 60 mins).

I am confused though on whether or not adding the configuration manager client into the autopilot build in this manner is supported. Reading this (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) it states:

You can't deploy the Configuration Manager client while provisioning a new computer in Windows Autopilot user-driven mode for hybrid Azure AD join. This limitation is due to the identity change of the device during the hybrid Azure AD-join process. Deploy the Configuration Manager client after the Autopilot process. For alternative options to install the client, see https://learn.microsoft.com/en-us/mem/configmgr/core/clients/deploy/plan/client-installation-methods.

So reading this it seems what we are doing is invalid.

So question 1: Is it incorrect/unsupported to install the configuration manager client as a Win32 app during autopilot (ESP or otherwise)?

Furthermore I read here (https://learn.microsoft.com/en-us/mem/configmgr/comanage/how-to-prepare-win10) that it appears there is no longer a need to deploy configuration manager client as an app at all but it can simply be configured in it via Home -> Device -> Enroll Devices -> Windows Enrollment > Co-management Authority

You no longer need to create and assign an Intune app to install the Configuration Manager client. The Intune enrollment policy automatically installs the Configuration Manager client as a first-party app. The device gets the client content from the Configuration Manager cloud management gateway (CMG), so you don't need to provide and manage the client content in Intune.

Is this method only valid post autopilot?

Solved, 5.7K Views, 4 likes, 10 Comments

GIA - Get Intune Assignments Application
Hello Everyone,

Some time ago I was struggling to get all Intune Assignments for a specific Azure AD Group. This option does not exist in the console, and we need to run a lot of queries at MS Graph and/or use PowerShell to retrieve them. So, to help the community I started to create PowerShell scripts to help to query some of the Assignments but, still, I had a lot of scripts, each one to retrieve a specific type of item (like profiles, conditional access, apps, etc). After a while I decided to develop a C# .NET Application to facilitate the process.

Today I want to share with all of you my GIA App (Get Intune Assignments). It's available on my GitHub page: https://github.com/sibranda/GetIntuneAssignments

I hope this app can help you guys the same way it is helping me and my customers.

Regards

4.5K Views, 3 likes, 1 Comment

Analyze the local Group Policy Objects (GPOs) using Group Policy Analytics in Microsoft Intune!
Dear Microsoft Intune Friends,

Many companies are looking to cloud solutions to support the growing number of field workers. But how can field workers' systems be managed with a cloud solution? Until now, these systems have been managed with the group policies from the local infrastructure. Can these group policies also be used in the cloud solution?

My customer scenario involved the following. The customer was considering re-managing the systems with Microsoft Intune. The majority of systems (both in-house and off-site) were managed with group policies. For this reason, I wanted to get an overall view first. This is exactly where the Group Policy Analytics tool from Microsoft Intune comes into play. The tool is still in preview (maybe not by the time you read this article), but it can still be used very well for a first assessment.

We start in the local infrastructure and launch Group Policy Management. We navigate to the Group Policy Objects and select a GPO. To examine the GPO in Intune, we need a GPO report file. Either we can create a report file directly or (and this is how I will do it) we create a backup of a Group Policy object. This will contain the report .xml file.

Now, let's go to the Microsoft Intune Portal.
https://endpoint.microsoft.com

Click on Devices. Now in the menu we navigate to Group Policy Analytics. Click the Import button. Locate the gpreport.xml file. We have generated this file with the GPO backup. The import is quickly completed, close the blade and click on the percent number. In this example, there is no support in Intune for the local GPO settings. Here's another example, where we see the support from Intune is there.

We can look at some more details. In the menu select Reports on and click Group Policy Analytics. Click Refresh below Summary. Click Reports to the right of Summary. Click on the blue "Generate again" button. Now you get the detailed information about the individual settings in the group policies and see right away whether they are also supported by Intune or not.

Maybe I could help you a bit when it comes to the decision to manage devices with Microsoft Intune in the future. Sure this wasn't super exciting, but I still wanted to share this information with you. I hope this article was helpful for you? Thank you for taking the time to read this article.

Best regards, Tom Wechsler

12K Views, 3 likes, 0 Comments

We’re running into an Intune issue where a Win32 app with a dependency sits at "Download Pending"
Setup:
Main App: Installs in User Context
Dependency: Installs in System Context
Dependency Detection: Hosts file modification detection script
Direct file detection does NOT work either
When the hosts file modification is present (detection is met), detection works, and everything installs fine manually

The Problem:
If detection passes (exit 0) → Everything installs fine.
If detection fails (exit 1) → Intune never moves forward, just stays at "Download Pending" indefinitely.
Happens with both file-based detection and script-based detection.
Dependency app as well as parent app install fine via Intune on their own as well as manual testing.

What We Need to Know:
Does Intune get stuck in "Download Pending" instead of moving forward when dependency detection fails?
Could the install context mismatch (dependency in SYSTEM, main app in USER) be causing this?
Myth or fact? Does Intune break the install process if a dependency app is in system context and the parent app is in user context?

Again, both apps work fine independent of each other. Thanks for any help!

497 Views, 2 likes, 3 Comments

Disable automatic app updates for specific apps in Intune
Hi,

In our organization, I have enabled all three options below to install and manage traditional Android applications through Intune. However, we have encountered a situation where certain specific Android applications, such as the Google Play Private App, only work with lower versions of the OS. The higher version is not compatible, and Google Play Store is reporting it as an unsafe app and blocking it. Is there any option available in Intune that allows us to block automatic app updates for specific applications?

4.6K Views, 2 likes, 2 Comments