SureDeploy Blog

Deploying Apps with Intune

Written by Robert McQuhae | 26/02/2024

This is a detailed walkthrough of how to package applications and get them into Intune. I will be using 7-Zip (7z) as the example, as it's small and quick to package. However, please note that the process for packaging other applications will follow similar steps.

 

What do I need?

 

There are a couple of prerequisites for packaging applications:

  • A Windows 10/11 machine
  • The Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe), available from the Microsoft documentation
  • Installation files
    • Make sure that you get these from a trusted location. It is recommended that you only get these from vendor sites or vendor-supplied links.
    • Avoid third-party file-sharing sites
    • Make sure you get the latest "Stable"/GA release of the application
  • A VM running Windows 10/11
    • This lets you test the installation process without impacting your regular machine.

 

What's first?

 

The first step in creating an application package is to manually install the application. This is where a VM comes in handy, as you'll be installing and reverting to a snapshot quite a bit.

Once your manual installation has completed, and you've had enough of Next, Next, Next, Agree to Terms and Conditions, Finish, you'll need to work out how to silently install the application. This will depend on the application.

If your application installer is a .EXE file, you can often run it from a command prompt with '-?' or '/?', and some will display a help prompt listing the supported switches.

 

The following are some common installation switches. Please note this is not an exhaustive list and it won't work for all installers. Many will require additional switches or configurations.

  • /s
  • -s
  • /S
  • /Silent
  • /q
  • -q
  • /quiet

Please note: some installers can be a little finicky and will need a '-' rather than a '/'. The same goes for capitalisation.

Once you've got the installation file and command, it is time to move on to the next step.

 

Create IntuneWin

 

Before you create your IntuneWin file make sure that only the installation files for the current application are in the folder you are working with.

  • All files and folders in the setup folder will be added to the IntuneWin file.
    • e.g. using your Downloads folder will add everything in your Downloads folder to the IntuneWin.
  • Create a new folder for each application package:



  • Run the IntuneWin command
    • IntuneWinAppUtil.exe -c <source folder> -s <installation file name> -o <output folder>
    • e.g. for 7z with the folder structure shown above:
    • .\IntuneWinAppUtil.exe -c C:\intunewin\7z2301\ -s 7z2301-x64.exe -o C:\IntuneWin\Output\



  • It will return output like this if it is successful:
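The staging and packaging steps above as one script, an added example that is not part of the original post: it checks the downloaded installer's SHA-256 against the value you recorded from the vendor's download page (the trusted-source point from the prerequisites) before copying only that file into a fresh per-app folder and running IntuneWinAppUtil.exe. The installer, tool and output paths and the expected hash are assumptions or placeholders to replace with your own.

```powershell
# Added example (not from the SureDeploy post): verify an installer, stage it
# in a clean folder and build the .intunewin package from it.
# Paths and the expected hash are assumptions/placeholders; replace them.
param(
    [string]$Installer      = 'C:\Users\me\Downloads\7z2301-x64.exe',            # assumed download location
    [string]$ExpectedSha256 = '<sha256 published on the vendor download page>',  # placeholder
    [string]$SetupFolder    = 'C:\IntuneWin\7z2301',                             # one folder per package
    [string]$OutputFolder   = 'C:\IntuneWin\Output',
    [string]$PrepTool       = 'C:\IntuneWin\IntuneWinAppUtil.exe'                # assumed tool location
)
$ErrorActionPreference = 'Stop'

# 1. Prove the installer is the file the vendor published before packaging it.
$actual = (Get-FileHash -Path $Installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA-256 mismatch for $Installer : got $actual, expected $ExpectedSha256"
}
# Report the Authenticode status as well. Some vendors ship unsigned installers,
# so this is recorded rather than treated as a hard failure.
$sig = Get-AuthenticodeSignature -FilePath $Installer
Write-Host "Authenticode status: $($sig.Status) ($($sig.SignerCertificate.Subject))"

# 2. Stage ONLY this installer: everything under -c ends up inside the package,
#    so refuse to use a folder that already contains other files.
if ((Test-Path -Path $SetupFolder) -and (Get-ChildItem -Path $SetupFolder -Force)) {
    throw "Setup folder $SetupFolder is not empty; use a fresh folder per package"
}
New-Item -ItemType Directory -Path $SetupFolder, $OutputFolder -Force | Out-Null
Copy-Item -Path $Installer -Destination $SetupFolder

# 3. Build the .intunewin (-q is the tool's quiet mode; it overwrites an existing output).
$setupFile = Split-Path -Path $Installer -Leaf
& $PrepTool -c $SetupFolder -s $setupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# 4. Confirm the package exists and record what went into it for your change record.
$package = Join-Path -Path $OutputFolder -ChildPath ([IO.Path]::ChangeExtension($setupFile, '.intunewin'))
if (-not (Test-Path -Path $package)) { throw "Expected package not found: $package" }
[pscustomobject]@{
    Package      = $package
    SourceSha256 = $actual
    Signed       = $sig.Status
    Contents     = (Get-ChildItem -Path $SetupFolder -Recurse).Name -join ';'
} | Format-List
```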

 

Create app in Intune

 

Once you have the IntuneWin file, we can create the Win32 app:

  • From the Intune Admin Center go to Apps --> All Apps --> +Add --> Select Windows app (Win32)
  • Select the app package file (IntuneWin)

  • Browse to the file you created



 

  • Enter all the relevant data here:


 

  • Enter the installation and uninstallation commands. These come from the prep work you did with the test installations:

 

  • Select an operating system architecture and minimum version. We recommend using the latest supported versions:



  • Create your detection rules. In this example we will be using the MSI product code. However, you can do something as simple as checking that a file or folder exists. This will depend on the application.

  • Click Next all the way to the end. I'm skipping over assigning the application to users at this stage, as this is a separate discussion point below.
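A custom detection script as an added example (not from the original post), using the file-based approach the text mentions as the alternative to the MSI product code. It also compares the file version, so a newer build left behind by an upgrade still counts as detected and the older package does not try to re-install over it (issue 2 under Application upgrades below). The install path and version are assumptions based on 7-Zip's default location and the 7z2301 installer used above.

```powershell
# Added example (not from the SureDeploy post): Intune custom detection script.
# Intune reads exit code 0 WITH text on stdout as "detected"; exit code 0 with
# no output, or a non-zero exit code, as "not detected" (so the app gets installed).
# Assumptions: 7-Zip's default install path, and file version 23.01 for the
# 7z2301 installer, which Windows exposes as major 23 / minor 1.
$ExePath        = 'C:\Program Files\7-Zip\7z.exe'
$MinimumVersion = [version]'23.1'

function Get-InstalledFileVersion {
    param([string]$Path)
    if (-not (Test-Path -Path $Path -PathType Leaf)) { return $null }
    $info = (Get-Item -Path $Path).VersionInfo
    # Use the numeric parts rather than the FileVersion string, which vendors
    # format freely ("23.01", "23.01.0.0", "23.01 (x64)", ...).
    return [version]::new($info.FileMajorPart, $info.FileMinorPart,
                          $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-AppInstalled {
    param([string]$Path, [version]$Minimum)
    $installed = Get-InstalledFileVersion -Path $Path
    if ($null -eq $installed) { return $false }
    # ">=" rather than "==": a newer version from an upgrade is still "installed",
    # so this package will not re-deploy the older build over it.
    return $installed -ge $Minimum
}

if (Test-AppInstalled -Path $ExePath -Minimum $MinimumVersion) {
    Write-Output "Detected: $ExePath is version $MinimumVersion or later"  # stdout + exit 0 = detected
    exit 0
}
exit 1  # not detected: no output, non-zero exit
```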

 

Assign to users/devices

 

Assigning applications to users can seem simple: just add the 'All users' or 'All devices' group, and that's it? This is where things can get a little messy.

Here, we haven't factored in which users actually need the application, or an easy way to remove the application from users if there is an upgrade.

Here are some suggestions to improve flexibility:

  • Don't assign All users/All Devices to required apps
  • Use groups for specific applications
  • Look at implementing an RBAC strategy for your apps and policies

 

It doesn't just stop there...

 

Awesome work getting your application out to your users, but there is still more.

We can't just use one version of one app forever. Depending on how long it has taken to get an application packaged and pushed to users, especially if there is internal change control, the application might already be out of date.

Out of date applications can open your devices up to security vulnerabilities.

 

Application upgrades

 

Just relying on the application's inbuilt automatic upgrade process comes with some issues of its own:

  1. If the user is not an administrator, the application can change from a system-installed to a user-installed application
  2. Depending on the Intune deployment method and detection logic you use, the old version of the application may try to re-install itself
  3. Users can (and will) pause or cancel upgrades
  4. Reporting can become more difficult

 

Application lifecycle

 

What happens when you no longer require an application?

  • The application is no longer being developed
  • The business has chosen to use a different application
  • There are issues with a particular version. For example, a CVE has been found and you need to ensure that version is removed from the device

These are all things to think about when an application is at end of life or is being retired. Making sure that there is a seamless way of removing the application from all your devices must be a consideration.

 

Application uninstallation

Make sure that you have the correct uninstallation commands set for each application, and make them silent. This will ensure that when the time comes to remove an application it is removed cleanly.

Just remember, some antivirus applications have some form of tamper protection that will block the uninstallation. Ensure that the policies to disable this are in place before assigning the uninstallation groups to your users.

 

To conclude

 

This is an ongoing process. It takes time and needs to happen on a regular basis to keep applications up to date. Inbuilt update processes are not easily reportable and can cause other issues.

If this all seems too hard, reach out to the friendly team at SureDeploy.

 

SureDeploy can automate this all for you!

 

Take the complexity out of Microsoft Intune deployments with SureDeploy. Elevate your device management capabilities and enhance your security score.