Deploying Win32 apps and Powershell Scripts via Intune to AAD Registered + Intune Enrolled devices.
My name is Saurabh Sarkar and I am an Intune engineer in Microsoft. I have a YouTube channel ‘EverythingAboutIntune’ and you can subscribe to the same to learn more about Microsoft Intune.
Background:
- We have had the ability of deploying Powershell Scripts and Win32 apps via Intune since 2019 (when the functionally was initially introduced)
- However this was initially developed and designed keeping corporate devices in mind.
- Hence one of the pre-reqs of deploying Win32 apps and Powershell Scripts via Intune was- Device was needed to be AADJ or Hybrid AADJ.(which usually accounts for Corporate devices and not Personal (BYOD) devices.
Please refer to the below blog for understanding the detailed flow behind the deployment of a Win32 application(and the logs) via Intune-
What has changed! (the value add!)
Starting October 2020, (with 2010 Intune service release), we now-
- Have the ability of deploying Win32 apps to WPJ devices as well!(i.e. devices which are AADRegistered + Intune Enrolled)
- We now have the ability of deploying Powershell scripts as well! !(i.e. devices which are AADRegistered + Intune Enrolled)
The same has been documented here.(In the ‘Whats New’ for Intune page)
Advantages:
- As mentioned above, traditionally given that Win32 apps and PS scripts via Intune could be deployed to AADJ and HAADJ machines.
- This was thus mostly used for Autopilot devices, Hybrid Autopilot devices, Comanaged devices and devices enrolled via Group policy(Hybrid AADJ)
- All the above devices were Corporate and we could not leverage this for personal devices.
- Now for Personal devices, once they are AAD registered(and Intune enrolled), we can leverage the PS script and Win32 app deployment feature.
Test Results for Win32 app deployment on AAD Registered devices:
- Device Name- VM1
- IntuneDeviceId- 70616108-71a6-4c1a-a66f-dfc3f1ccf40b
- Join Type- AAD Registered
- App Name- EAI-7-Zip 19.00
- App type- Win32 app
- App Id- 59f9a567-b92d-4dc2-9c7a-fdb94e29275c
- Test device name- VM1
- Test Deviceid- 70616108-71a6-4c1a-a66f-dfc3f1ccf40b
- Upn- [email protected]
- App Target Intent – Required
Device Side Behavior:
- IME was installed automatically>Win32 app installed automatically(was deployed as Required)
- Initially neither the IME nor the targeted app(7-zip) were present in the device.
- We can see the Toast notifications as the logs showing that the policy came down to the device.
Reporting at the portal-
- At the Intune portal we can see that the app was successfully installed in the device.
Documentation-
- The relevant change has been made to the official cx facing docs which can be found here.
Conclusion:
- As seen above we can now deploy Win32 apps to AAD Registered + Intune enrolled devices
- The IME installation happens automatically (if the app was provisioned as Required)
Test Results for Powershell script deployment on AAD Registered devices:
- Policyid- 0dfa0b2c-800c-49ea-ae9f-58397095f5c1
- Device Name- VM2
- Deviceid- 0d072de5-e49b-4f5e-aaa6-581a89fa6475
- UPN- [email protected]
- Device Join type- AAD Registered + Intune enrolled.
Device Side Behavior:
- The script was deployed as required to an AAD Registered and Intune enrolled device.
- IME got installed automatically.
- The script ran successfully and reported the same to the service.
- We can see the output of the script has been generated in the device.
Logs
- IME logs from the device indicate that the script(i.e the policy) came down to the device and was processed.
- One of the MS official document suggests that for an AAD Registered+ Intune enrolled device only the device context PowerShell scripts work but user context PowerShell scripts are ignored by design.
- User context scripts will be ignored on WPJ devices and will not be reported to the Microsoft Endpoint Manager console.
However as per my testing that is not the case.
I have been able to successfully deploy PS scripts (in user context) to AAD Registered + Intune enrolled devices
Relevant Documentation:
- The MS document for PS script deployment is not currently updated(to reflect the ability to deploy PS scripts to WPJ machines)
- MS document here suggests that on an AAD Registered/Intune enrolled machine the scripts deployed via Intune will not go through however this is not exactly the case as seen in this article.
- We can indeed push PS scripts to AAD Registered/Intune enrolled machines via Intune
SideNote-
- If we select the option of “Enroll Only in device Management” then we still cannot push Win32 apps/PS scripts to these devices via Intune.
- Even of we try to achieve the above, IME doesnot get pushed to these devices and hence the app/script installation does not occur.
Conclusion
- I am sure that the ability to deploy Win32 apps and PS scripts to AAD Registered devices(post Intune enrollment) is an welcome and much awaited addition to the Intune functionality.
- I hope this blog has been helpful in highlighting this new feature!
