Deploy with Intune
Intune is a cloud-based service provided by Microsoft that focuses on mobile device management (MDM) and mobile application management (MAM). It is also known as Microsoft Intune or Microsoft Endpoint Manager. It is part of the Microsoft Endpoint Manager tool suite and is intended to assist organizations in managing and securing their devices, applications, and data across multiple platforms such as Windows, macOS, iOS, and Android.
Intune includes a number of features and capabilities that help IT administrators manage and protect devices, deploy and manage applications, enforce security policies, and ensure compliance within their organization. Intune's key features include:
- Device Management
- Application Management
- Data Protection
- Compliance and Security
Intune provides organizations with greater flexibility, scalability, and ease of use by providing a unified and cloud-native approach to managing and securing devices and applications. It works well with other Microsoft solutions and services, such as Azure Active Directory and Microsoft 365, to provide an all-encompassing endpoint management and security solution.
With Intune, organizations can use a centralized and cloud-based management console to implement modern management practices, empower their workforce to be productive on any device, and ensure the security and compliance of their digital assets.
Intune supports a variety of application deployment methods, but for the purposes of this book, we will focus on LOB (line of business) and Win32. Let's look at how these two deployment methods compare in Intune.
Looking at LOB (Line of Business) Applications, we can see the following conditions:
- LOB applications are typically custom-built or specialized applications that an organization develops in-house to meet their specific business needs.
- Deploying LOB applications entails directly uploading the application package (e.g., .appx, .msi) to Intune. After that, the package is distributed and installed on managed devices.
- LOB applications are primarily designed for modern platforms such as Windows 10 and later, but they may also support other platforms such as iOS and Android.
- LOB applications are ideal for deploying custom or business-specific applications within a company. They are frequently organization-specific and may not be available in public app stores.
- Intune offers LOB application management capabilities such as app installation, updates, and removal, as well as the ability to enforce policies and configurations specific to these applications.
- For LOB applications to be deployed, the application package must be available for upload, as well as proper signing certificates and relevant metadata.
Win32 Applications, on the other hand, are intended for a variety of purposes:
- Win32 applications are traditional desktop applications that were not created with modern management platforms in mind.
- The Intune Win32 App Packaging Tool is used to create an application package for Win32 application deployment. The application installer (e.g., .exe), installation script, and other dependencies are typically included in the package. The package is distributed and installed on managed devices via Intune.
- Win32 applications work with a variety of Windows versions, including legacy Windows 7 and Windows 8.1, Windows 10, as well as modern Windows 11.
- Win32 applications are appropriate for deploying traditional desktop applications, such as legacy or complex applications that may necessitate customization or special installation procedures.
- Intune provides Win32 application management capabilities such as app installation, updates, removal, and policy enforcement. Furthermore, Win32 applications can use detection rules to determine whether or not the application is already installed on the device.
- Converting the application installer into a format compatible with Intune, as well as relevant configuration files and detection rules, is required when creating a Win32 application package.
In summary, LOB applications are organization-specific applications, whereas Win32 applications are traditional desktop applications. LOB applications are typically designed for modern platforms, whereas Win32 applications are more universal. Both deployment methods offer management capabilities, but the packaging and deployment processes vary depending on the application. Depending on the application requirements and compatibility with the target devices and platforms, organizations can select the best deployment method.
To make the difference between the two easier to understand, we can think of LOB applications as similar to MSI deployments with SCCM, and of Win32 deployments as similar to Script installations in SCCM. Of course, you need to take multiple factors into consideration when creating such applications, and for now the business standard usually leans toward Win32 deployments. Let's take a look at how to deploy your application with both methods.
Deploy MSI via LOBA
Deploying an MSI with LOB (Line of Business) applications in Intune involves a few steps. Here is a step-by-step guide to help you deploy an MSI using the LOB method in Intune:
Step 1: Prepare the MSI Package
Of course the first step is to create and prepare the MSI package with all the necessary configurations and adjustments before deploying it. In our case we will use the repackaged VLC Media Player MSI.
Step 2: Upload the MSI to Intune
- Sign in to the Microsoft Endpoint Manager admin center with your Intune administrator credentials.
- Navigate to "Apps" > "All apps." Click on "Add" to add a new app.
- Select "Line-of-business app" as the app type.
- Select the App Package File
Step 3: Configure the App Details
- Provide the necessary details, such as the app name, description, and publisher information.
As you can see, just as is the case when deploying MSI packages with SCCM, no detection method is requested, because Intune automatically picks up the Product Code of the MSI package and uses it as the detection method to check whether the application has been successfully installed on the target devices/users.
Step 4: Assign the App to Groups
- Click on "Assignments" to assign the app to specific user groups or device groups and choose the appropriate groups based on your deployment requirements.
Step 5: Review and Deploy the App
- Review the app settings and ensure everything is configured correctly. If everything is correct, click on Create.
Deploy EXE/VBScript/PowerShell via Win32
Deploying EXE installers, VBScript or PowerShell wrappers via the Win32 method requires more steps with Intune, just as it requires more steps with SCCM, so let's take a look at what is necessary to create and deploy a Win32 Application.
Let us assume that we have created a PowerShell wrapper for our VLC Media Player repackaged application with PSADT.
Step 1: Prepare the PowerShell Script
Create or obtain the PowerShell script that you want to deploy. Ensure that the script performs the desired actions and is compatible with the target devices and platforms. We won’t go through all the steps on creating and modifying the PSADT template in this example. For more information check out our first MSI Packaging Ebook.
Step 2: Package the PowerShell Script
When it comes to Win32 applications in Intune, you can't just upload the source media as it is; it must first be converted to the .intunewin format using the Microsoft Win32 Content Prep Tool. The Microsoft Win32 Content Prep Tool is a command-line utility provided by Microsoft that assists in the preparation of Win32 app packages for deployment via Microsoft Endpoint Manager (formerly known as Microsoft Intune). It is intended to streamline the packaging process and ensure that Win32 app packages meet the requirements for enterprise deployment.
First, download the tool from the official GitHub repository. Once the tool is downloaded, extract it from the zip file. Next, open a command prompt and use the following command:
IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder> <-q>
The .intunewin file will be generated from the specified source folder and setup file. This tool will retrieve the necessary information for Intune from an MSI setup file. If the -a option is used, all catalog files in that folder are bundled into the .intunewin file. It will be in quiet mode if -q is specified. The output file will be overwritten if it already exists. In addition, if the output folder does not already exist, it will be created.
The Microsoft Win32 Content Prep Tool does not have a GUI, but if you want one you can download the IntuneWinAppUtil GUI utility for free.
Once the conversion is successful, the output folder should contain the .intunewin file necessary to upload to Intune.
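The packaging step above can be wrapped in a pre-upload integrity check. The following PowerShell script is an added example, not part of the original text or of Microsoft's tool: it records a SHA-256 hash and Authenticode status for every file in the source folder before calling IntuneWinAppUtil with the same options as the command above. All paths and the wrapper file name are assumptions.

```powershell
# Added example: integrity check around the IntuneWinAppUtil packaging step.
# Every path and file name below is an assumption; adjust to your environment.
$ToolPath     = 'C:\Tools\IntuneWinAppUtil.exe'
$SetupFolder  = 'C:\Packages\VLC\Source'
$SetupFile    = 'Deploy-Application.ps1'   # assumed name of the wrapper script
$OutputFolder = 'C:\Packages\VLC\Output'
$Manifest     = 'C:\Packages\VLC\source-manifest.csv'

$ErrorActionPreference = 'Stop'

# Hash every file that goes into the package and record the Authenticode
# status of executable content, so the upload can be traced to known inputs.
$signable  = '.exe', '.msi', '.dll', '.ps1', '.psm1'
$inventory = Get-ChildItem -Path $SetupFolder -Recurse -File | ForEach-Object {
    $sig = if ($signable -contains $_.Extension.ToLower()) {
        [string](Get-AuthenticodeSignature -FilePath $_.FullName).Status
    } else { 'NotApplicable' }
    [pscustomobject]@{
        Path      = $_.FullName.Substring($SetupFolder.Length).TrimStart('\')
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        Signature = $sig
    }
}
$inventory | Export-Csv -Path $Manifest -NoTypeInformation

# Stop on files whose signature no longer matches or is not trusted.
# Unsigned files are reported as warnings and left for the packager to judge.
$bad = @($inventory | Where-Object { $_.Signature -in 'HashMismatch', 'NotTrusted' })
if ($bad.Count -gt 0) { throw "Signature check failed: $($bad.Path -join ', ')" }
$inventory | Where-Object Signature -eq 'NotSigned' |
    ForEach-Object { Write-Warning "Unsigned: $($_.Path)" }

# Same invocation as the command shown above, in quiet mode.
$started = Get-Date
& $ToolPath -c $SetupFolder -s $SetupFile -o $OutputFolder -q

# Confirm a fresh .intunewin exists and print its hash for the change record.
$package = Get-ChildItem -Path $OutputFolder -Filter '*.intunewin' |
    Where-Object LastWriteTime -ge $started | Select-Object -First 1
if (-not $package) { throw 'No .intunewin file was produced.' }
Get-FileHash -Path $package.FullName -Algorithm SHA256 | Format-List Path, Hash
```

Keeping the manifest next to the change ticket lets you later compare what was uploaded to Intune against what was reviewed.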
Step 3: Create the Intune Win32 App Package
- Sign in to the Microsoft Endpoint Manager admin center with your Intune administrator credentials.
- Navigate to "Apps" > "All apps." Click on "Add" to add a new app.
- Select "Windows app (Win32)" as the app type.
- Select the App Package File, in our case the .intunewin file created earlier
Step 4: Configure the App Details
- Provide the necessary details, such as the app name, description, and publisher information
Step 5: Define the Installation parameters and behaviors
- Fill in other relevant information, such as the installation command and uninstall command. Most of the behavior is similar to the SCCM methods.
Step 6: Define Application Requirements
- Specify any requirements or dependencies for the app, such as minimum operating system versions or device architectures.
Step 7: Define the Detection Method
- Specify the detection method for the app, which determines whether the app is already installed on the target device. Because we have an MSI, we can still use the Product Code of our MSI as a detection method.
Step 8: Configure Dependencies
- If required, add any dependencies to ensure the app is deployed correctly
Step 9: Configure Supersedence
Supersedence in Intune apps refers to the ability to replace or upgrade an existing deployed application with a newer version. It allows you to manage the lifecycle of applications by automatically detecting and handling updates or upgrades to applications in your environment.
When an application is superseded, it means that a new version of the application is available, and Intune will handle the process of replacing the older version with the new one on targeted devices. Supersedence helps ensure that devices stay up to date with the latest versions of applications, providing improved functionality, security updates, and bug fixes.
Step 10: Assign the App to Groups
- Click on "Assignments" to assign the app to specific user groups or device groups and select the appropriate groups based on your deployment requirements.
Step 11: Review and Deploy the App
Review the app settings and ensure everything is configured correctly. If everything is correct, click on Create.
As you can see, Win32 deployments are lengthier and require more steps, but if you look closely, they give you a more granular view and control of your application deployment, which is why this method has been widely adopted by IT professionals.
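For the detection method in Step 7, the Product Code check can also be expressed as a custom detection script. The script below is an added example, not code from the original text: the ProductCode GUID and minimum version are placeholders to replace with your package's values. It relies on Intune treating an app as detected only when the script exits with code 0 and writes to STDOUT.

```powershell
# Added example: custom detection script for a Win32 app that wraps an MSI.
# Detected     = exit code 0 AND a string written to STDOUT.
# Not detected = anything else (here: exit code 1, no output).
$ProductCode    = '{00000000-0000-0000-0000-000000000000}'  # placeholder: your MSI's ProductCode
$MinimumVersion = [version]'0.0.0'                          # placeholder: lowest acceptable version

$subKey = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
$views  = @([Microsoft.Win32.RegistryView]::Registry64,
            [Microsoft.Win32.RegistryView]::Registry32)
$found  = $null

# Query both registry views explicitly so the result does not depend on
# whether Intune runs the script as a 32-bit or a 64-bit process.
foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
    try {
        $key = $base.OpenSubKey($subKey)
        if ($key) {
            $found = [pscustomobject]@{
                View    = $view
                Name    = $key.GetValue('DisplayName')
                Version = $key.GetValue('DisplayVersion')
            }
            $key.Dispose()
            break
        }
    } finally {
        $base.Dispose()
    }
}

if (-not $found) { exit 1 }

# Require a parseable version at or above the minimum, so a stale older
# install that shares the same ProductCode is not reported as compliant.
$installed = $null
if (-not [version]::TryParse([string]$found.Version, [ref]$installed)) { exit 1 }
if ($installed -lt $MinimumVersion) { exit 1 }

Write-Output "Detected $($found.Name) $installed ($($found.View))"
exit 0
```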