Please enjoy this blog post authored by Mary Vacherweill, Sr. Applications Administrator, Faber Daeufer & Itrato PC.
Managing application deployment as part of an imaging process is a challenging task in a cloud-first or cloud-only environment. Though Microsoft Configuration Manager (SCCM) offers some cloud services, non-domain-joined cloud environments currently have to combine several alternative solutions for imaging, initial configuration, and general application delivery. Remote monitoring and management (RMM) software can cover some of this on company endpoints, but it has limitations as an efficient primary vehicle for initial imaging as a whole.
Microsoft Intune offers a platform for handling application deployment and management, especially when integrated with Entra ID (formerly Azure Active Directory) and supplemented with RMM and a group policy cloud provider such as Cloud Policy service for Microsoft 365 or Netwrix's PolicyPak. To begin your journey towards using Intune for application deployment, see ILTA member Daniel Creaney's article Tune Up Your App Deployment with Microsoft Intune (iltanet.org).
Over the past few years, the IT team at my firm worked to cobble together a mixture of these services plus a fair amount of manual installation, which works but is time-consuming. Most initial or re-images take a few days start to finish.
I set out this year to see if Intune could be relied on more fully for initial “imaging” of enterprise laptops, functioning akin to the concept of a master / base / golden image process in a faster, more efficient manner.
LEARNING
If you are not yet comfortable using Intune, start by finding an Intune learning system which works for you. I used Udemy’s The Complete Course of Microsoft Intune, which at $12.99 was a remarkably affordable method. I found the videos to be helpful (if a bit buggy in terms of audio/video compilation and performance) but I had to disregard (or transcribe) the on-prem reference material. Still, it was a good place to start.
There are some excellent YouTube channels which provide detailed, follow-along instruction on all things Intune. Here are some of the ones I use:
- Intune & Vita Doctrina, especially the full playlist Learn to master Win32 app creation in Microsoft Intune. You will definitely need the Microsoft Win32 Content Prep Tool (described below) to produce application installation files in the .intunewin format for use in the Intune admin center.
- Ciraltos (Travis Roberts offers several helpful videos on Intune).
- Bearded365Guy (Jonathan Edwards has Intune videos designed for planning and beginning).
OPERATING SYSTEM
Key to simplifying this process is how the laptops are procured. Ours arrive with an operating system already installed and registered to our tenant by serial number, so Windows Autopilot and the Out-of-the-Box Experience (OOBE) are ready to go. We coordinate with our hardware provider (an OEM partner) to have this in place.
When devices are enrolled using Windows Autopilot, the required Intune Management Extension is typically installed as part of the device setup process. This ensures that the device can receive and execute PowerShell scripts, Win32 apps, and other configurations deployed via Intune. If your devices are enrolled through Autopilot, the Intune Management Extension should already be present. You can verify its installation by checking for the IntuneManagementExtension service or looking at the logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.
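The check described above, as an added example that is not part of the original post: it confirms the Intune Management Extension service is present and running and lists the most recent IME logs. It assumes the default service name and log folder; run it in an elevated PowerShell on the device.

```powershell
# Added example (not from the original post): quick health check for the
# Intune Management Extension (IME) on an Autopilot-enrolled device.
# Assumes the default service name and log location; run elevated.

$service = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
if (-not $service) {
    Write-Warning 'IntuneManagementExtension service not found; Win32 apps and PowerShell scripts will not be delivered to this device.'
} else {
    "IME service state: $($service.Status) (start type: $($service.StartType))"
}

$logDir = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs'
if (Test-Path -Path $logDir) {
    # Newest first. IntuneManagementExtension.log covers app delivery,
    # AgentExecutor.log covers script and remediation runs.
    Get-ChildItem -Path $logDir -Filter '*.log' |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize

    # Tail the main log; useful right after triggering an install from Company Portal.
    $mainLog = Join-Path -Path $logDir -ChildPath 'IntuneManagementExtension.log'
    if (Test-Path -Path $mainLog) { Get-Content -Path $mainLog -Tail 20 }
} else {
    Write-Warning "Log folder $logDir is not present; the IME may never have checked in on this device."
}
```

If the service exists but the log folder is empty, the device has enrolled but the extension has not yet synced; a sync from Company Portal or a reboot usually resolves it.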
Intune offers an excellent way of upgrading an OS using its Devices > Manage Updates > Windows updates > Feature updates. I upgraded our enterprise computers from Windows 10 to Windows 11 using Microsoft Entra device groups, and then again from version 22H2 to 23H2 this year using our existing update rings. The deployment was faster, easier, and more successful than I dared hope. I used Intune’s Devices > Scripts and remediations to create a configuration policy to move the Windows 11 Taskbar from center to left so the upgrade from Windows 10 to 11 would feel more familiar to end users.
PLANNING
Organize Your Application Stack
Start by categorizing all applications used within your organization into three tiers. Tier 1 applications are mission-critical applications essential for the day-to-day operations of your organization. They include core productivity tools and systems integral to business functions for all enterprise computers, such as Office, Edge, a document management system (DMS), Teams, etc. and prerequisites such as Microsoft Visual C++ Redistributables and Microsoft Visual Studio 2010 Tools for Office Runtime. Tier 2 applications are those which are important but might not need to go on every single enterprise computer. They support secondary business functions and are sometimes used less often than Tier 1 applications. Included might be Litera products such as DocXtools and numbering, printer drivers for specific offices, ScanSnap, WordRake, etc. Tier 3 applications include those which are used occasionally or may support niche functions and departments within the organization. This could include applications like Notepad++, various admin consoles, SnagIt, etc.
Identify Potential Bundles - next, group applications into bundles based on their functionality and deployment needs. Bundling can help streamline deployment and management. For example, using PowerShell Application Deployment Tool (PSADT) I bundle items such as: Litera Tier 1 comprised of Compare, Metadact and Contract Companion (Metadact and Compare both use the same Litera Admin Panel (LAP) configuration and templates so it makes sense to always deploy these together); Litera Tier 2 (these might be used only by document production, admin help, legal secretaries, etc.) comprised of DocXtools, DocXtools Companion and NTD. You could do the same with multiple components of a DMS bundle with xml or config files, or a PDF solution with updates/FixPacks included.
Incorporate registry edits, and the copying of configuration files for settings, into your PowerShell installation scripts rather than delivering them as separate Intune settings. I have found separate Intune registry settings slow and unreliable, and to my eye it is not yet mature enough to follow specific ordered steps.
Capture Dependencies List - identify all dependencies required for your applications to install and function correctly. This might include an RMM Agent, Microsoft VSTO, Visual C++ Redistributables (x86 and x64), Winget Pre-Install (Windows Package Manager; should be installed and configured before deploying applications which depend on it).
Note: defining dependencies does not mean I use Intune ‘Dependencies’ – there are a few drawbacks including the inability to choose anything other than a like app type or to easily define the order of install. Likewise, I have shied away from Intune’s Supersedence because I find the iterations become confusing and make it trickier to remove apps which are no longer needed.
PACKAGING
PSADT
This toolkit is a wonderful, light, and easy-to-use open-source PowerShell solution. Intended for enterprise organizations, it handles a variety of simple to complex scenarios and takes little training to use. It is available from its GitHub project.
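An added example, not from the original post and not PSADT's own code, of the bundling and in-script registry edits described under Planning: an excerpt of the Installation and Post-Installation sections of a PSADT v3 Deploy-Application.ps1 for a "Litera Tier 1"-style bundle. The MSI file names, the Litera Admin Panel (LAP) folder and the registry keys and values are hypothetical placeholders; the PSADT functions and the $dirFiles, $dirSupportFiles and $envProgramData variables are real.

```powershell
# Added example (not from the post, not PSADT's own template). Excerpt from the
# Pre-Installation / Installation / Post-Installation sections of Deploy-Application.ps1.
# MSI names, LAP paths and registry values below are placeholders.

##*===============================================
##* PRE-INSTALLATION
##*===============================================
# Close Office so the add-ins register cleanly; no deferral during an imaging run.
Show-InstallationWelcome -CloseApps 'winword,excel,outlook' -CloseAppsCountdown 60 -BlockExecution

##*===============================================
##* INSTALLATION
##*===============================================
# Fixed order. Execute-MSI exits the script on a non-success return code, so a
# half-installed bundle is never reported to Intune as success.
$packages = @(
    @{ Name = 'Compare';            File = 'LiteraCompare.msi';     Extra = 'ALLUSERS=1' }   # placeholder
    @{ Name = 'Metadact';           File = 'Metadact.msi';          Extra = 'ALLUSERS=1' }   # placeholder
    @{ Name = 'Contract Companion'; File = 'ContractCompanion.msi'; Extra = 'ALLUSERS=1' }   # placeholder
)
foreach ($pkg in $packages) {
    Write-Log -Message "Installing $($pkg.Name)" -Source $deployAppScriptFriendlyName
    # -AddParameters appends to PSADT's silent defaults (REBOOT=ReallySuppress /QB!) and MSI logging.
    Execute-MSI -Action 'Install' -Path (Join-Path -Path $dirFiles -ChildPath $pkg.File) -AddParameters $pkg.Extra
}

##*===============================================
##* POST-INSTALLATION
##*===============================================
# Shared LAP configuration and templates: Compare and Metadact read the same files,
# which is why they are always deployed together.
Copy-File -Path "$dirSupportFiles\LAP\*" -Destination "$envProgramData\Litera\LAP" -Recurse

# Registry settings land here, after the MSIs and in a known order, instead of as a
# separate Intune settings policy. Key and value names are placeholders.
Set-RegistryKey -Key 'HKLM:\SOFTWARE\Litera\Compare'  -Name 'ConfigPath'   -Value "$envProgramData\Litera\LAP" -Type String
Set-RegistryKey -Key 'HKLM:\SOFTWARE\Litera\Metadact' -Name 'PromptOnSend' -Value 1 -Type DWord
```

Keep the MSIs in the toolkit's Files\ folder and the config files in SupportFiles\, so IntuneWinAppUtil.exe wraps everything the script references into the one .intunewin package.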
Microsoft Win32 Content Prep Tool
IntuneWinAppUtil.exe is a tool that converts Windows classic (Win32) apps into the .intunewin format for Microsoft Intune. It is obtainable on GitHub. I recommend following a YouTube tutorial as outlined previously to learn the skills needed. I found the learning curve not too steep.
Compilation Methods
Source Types - when preparing applications for deployment, IntuneWinAppUtil.exe can wrap various source file types, including .bat, .exe, .msi and .ps1, as well as "evergreen" PowerShell scripts that use Winget to find and install the latest version of an application at run time.
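An "evergreen" Winget script of the kind mentioned above, as an added example that is not from the original post. It is written to run as SYSTEM under the Intune Management Extension, where winget.exe is not on the PATH. The package id 'Notepad++.Notepad++' and the WindowsApps folder naming pattern are assumptions; the winget switches are real.

```powershell
# Added example (not from the original post). Evergreen install script for wrapping
# with IntuneWinAppUtil.exe and running as SYSTEM via the Intune Management Extension.
param([string]$PackageId = 'Notepad++.Notepad++')   # placeholder id; pass any winget id

# Under SYSTEM, winget.exe is not on PATH. Resolve the newest packaged App Installer build.
# Folder names are assumed to look like Microsoft.DesktopAppInstaller_1.22.10582.0_x64__8wekyb3d8bbwe.
$winget = Get-ChildItem -Path "$env:ProgramFiles\WindowsApps\Microsoft.DesktopAppInstaller_*_x64__8wekyb3d8bbwe\winget.exe" -ErrorAction SilentlyContinue |
    Sort-Object { [version](($_.Directory.Name -split '_')[1]) } -Descending |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $winget) {
    Write-Error 'winget.exe not found; deploy the Winget pre-install before apps that depend on it.'
    exit 1
}

# --exact and --source winget: match the id exactly (no fuzzy hit on a look-alike package name)
# and stay on the community repository rather than msstore. --scope machine installs for all users.
$wingetArgs = @(
    'install', '--id', $PackageId, '--exact', '--source', 'winget', '--scope', 'machine',
    '--silent', '--accept-package-agreements', '--accept-source-agreements'
)
$proc = Start-Process -FilePath $winget -ArgumentList $wingetArgs -Wait -PassThru -NoNewWindow

# 0x8A15002B (-1978335189) is returned when the package is already at the latest version;
# treat it as success so a rerun of an evergreen package does not show as failed in Intune.
if ($proc.ExitCode -in 0, -1978335189) { exit 0 }
exit $proc.ExitCode
```

Pinning the id with --exact is the important control: a fuzzy match on a display name could resolve to a different publisher's package. If you need reproducible builds for a given image, add --version and accept that the package is no longer evergreen.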
Define Your Local Intune Repository
When using IntuneWinAppUtil.exe, make yourself a template set of folders; I put mine at the root of C:\ to keep file paths short. For example:
- Source - the directory where the source files are located
- Output - the destination directory for the compiled .intunewin file
- Icon - preserve the icon and URL for the vendor's application site here
- Scripts - maintain scripts for automation and consistency in deployment processes; ensure scripts are well-documented and tested [Note: some scripts will be included in the Source folder as part of the wrapping; some (like detection scripts) should be kept separately in a folder such as this one]
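A wrapper around IntuneWinAppUtil.exe that uses the folder template above, as an added example that is not from the original post. The tool's -c, -s, -o and -q switches are real; the C:\Source, C:\Output and C:\Scripts layout and the Detect-*.ps1 naming are assumptions following the template.

```powershell
# Added example (not from the original post). Builds C:\Output\<App>\<setup>.intunewin
# from C:\Source\<App>, using the single current copy of IntuneWinAppUtil.exe kept in C:\Scripts.
param(
    [Parameter(Mandatory)][string]$AppName,          # e.g. 'LiteraTier1' (placeholder)
    [string]$SetupFile = 'Deploy-Application.exe'    # PSADT launcher, or setup.exe / package.msi
)
$tool   = 'C:\Scripts\IntuneWinAppUtil.exe'   # one up-to-date instance, per the best practices below
$source = "C:\Source\$AppName"
$output = "C:\Output\$AppName"

foreach ($path in $tool, $source, (Join-Path -Path $source -ChildPath $SetupFile)) {
    if (-not (Test-Path -Path $path)) { throw "Missing: $path" }
}
New-Item -ItemType Directory -Path $output -Force | Out-Null

# Detection scripts belong in C:\Scripts, not in Source: anything under Source is wrapped
# into the package, while the detection script is pasted into the app's detection rule.
if (Get-ChildItem -Path $source -Filter 'Detect-*.ps1' -Recurse) {
    Write-Warning 'Detection script found inside Source; move it to C:\Scripts so it is not packaged.'
}

# -c source folder, -s setup file, -o output folder, -q quiet (overwrite an existing .intunewin)
& $tool -c $source -s $SetupFile -o $output -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

# Record a SHA-256 next to the package so the file uploaded to the admin center can be
# matched back to the runbook entry later.
$pkg = Get-ChildItem -Path $output -Filter '*.intunewin' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
Get-FileHash -Path $pkg.FullName -Algorithm SHA256 |
    Tee-Object -FilePath (Join-Path -Path $output -ChildPath 'sha256.txt')
```

Run it as `.\Build-IntuneWin.ps1 -AppName LiteraTier1`; the resulting .intunewin is named after the setup file, so keep the setup file name stable between versions.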
Uninstall Provisions
Intune includes uninstallation provisions. For applications installed via MSI packages, you can use the msiexec.exe command with the product code to perform uninstalls; Intune will automatically populate the uninstall command based on what is in the MSI. For everything else, use custom scripts: PowerShell for custom uninstallation processes, complex removal tasks and reporting the uninstallation status, and cmd for simpler uninstallations where PowerShell is not needed. I use msiexec and custom scripts about equally, as they both work well.
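An added example, not from the original post, that serves both the detection scripts kept in the Scripts folder and the custom uninstall scripts described above. One helper reads the Uninstall registry keys (64-bit and 32-bit views) the way Programs and Features does; the detection function uses it to report a version-gated result, and the uninstall function uses it to choose between an MSI product-code uninstall and the vendor's uninstall string. The display name 'Litera Compare*', the minimum version and the /S silent switch are placeholders.

```powershell
# Added example (not from the original post). Shared helper for detection and uninstall.
function Get-InstalledApp {
    param([Parameter(Mandatory)][string]$DisplayName)   # wildcard allowed, e.g. 'Litera Compare*'
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName
}

# --- Detection (lives in C:\Scripts; pasted into the Win32 app's detection rule) ---
# Returns the matching entry only if it meets the minimum version, else $null.
function Get-DetectedApp {
    param([string]$DisplayName, [version]$MinimumVersion)
    foreach ($app in Get-InstalledApp -DisplayName $DisplayName) {
        $v = $app.DisplayVersion -as [version]          # tolerate odd version strings
        if ($v -and $v -ge $MinimumVersion) { return $app }
    }
    return $null
}

# --- Uninstall (the app's Uninstall command: powershell.exe -ExecutionPolicy Bypass -File Uninstall.ps1) ---
function Uninstall-App {
    param([string]$DisplayName)
    $rc = 0
    foreach ($app in Get-InstalledApp -DisplayName $DisplayName) {
        if ($app.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$') {
            # MSI: uninstall by product code, never by a cached .msi path that may have been cleaned up.
            $p = Start-Process -FilePath msiexec.exe -ArgumentList "/x $($app.PSChildName) /qn /norestart" -Wait -PassThru
        } elseif ($app.UninstallString) {
            # EXE uninstaller: vendor's own string plus its silent switch (/S is a placeholder).
            $p = Start-Process -FilePath cmd.exe -ArgumentList "/c `"$($app.UninstallString) /S`"" -Wait -PassThru
        } else { continue }
        # 3010 = success, reboot required; pass it through so Intune can schedule the restart.
        if ($p.ExitCode -notin 0, 3010) { $rc = $p.ExitCode }
    }
    return $rc
}

# Detection script body (Intune treats exit 0 plus non-empty STDOUT as "detected"):
#   $app = Get-DetectedApp -DisplayName 'Litera Compare*' -MinimumVersion '10.0'
#   if ($app) { Write-Output "Detected $($app.DisplayName) $($app.DisplayVersion)"; exit 0 } else { exit 1 }
# Uninstall script body:
#   exit (Uninstall-App -DisplayName 'Litera Compare*')
```

Detection and uninstall must agree: if the uninstall removes the registry entry the detection reads, Intune sees the app as gone and stops retrying; if they look at different things, the app can loop between "installed" and "failed" in the admin center.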
Company Portal
Deployed enterprise-wide via Intune, Company Portal is the secondary tool I use to image a laptop, because not only is the sync immediate, but I can also control the exact order in which I want to install things. While I leave Intune automation for things like Office, Edge, Teams, Remote Desktop, Zoom, etc., our legal application stack (and its prerequisites) needs to be set down in a specific order, and I can achieve this via Company Portal. I can also control when to reboot and uninstall applications when desired.
DOCUMENT YOUR PROCESSES
Memorialize and regularly update your processes and procedures in a list or runbook to have a reference for your application management. This can be as simple as a Word document or an Excel spreadsheet. Mine is a straightforward list using the guidelines outlined in this article. The applications listed here are just examples of the applications that Intune is good for installing and where some hands-on work is still required.
1. Intune will automatically install/configure during OOBE (only takes a little over an hour on a wired internet connection):
a. RMM Agent (latest available using Evergreen script)
b. Edge
c. Microsoft 365 Apps for Enterprise
d. Password Manager
e. Windows App
f. Group policy cloud client
g. Company Portal
h. HP Smart
i. Software installs media folder [this is a Device configuration profile in Intune]
i. Will synchronize software install media folder
ii. Will silently sign in users to OneDrive and sync app with their Windows credentials
j. Winget Pre-Install 1.6.3482
k. Zoom (64-bit)
2. Open Company Portal and install (one-click-buttons take only minutes to finish):
a. Microsoft Visual Studio 2010 Tools for Office Runtime
b. Visual C++ Redistributables 2022 (multiple packaged together)
c. DMS
d. Litera Tier 1
e. Litera Tier 2 if applicable
f. WordRake if applicable
3. Manually install (approx. 10 minutes):
a. Microsoft Monitoring Agent
b. PDF solution (ours requires user context for customizations preservation)
Result
Using these methods I can now image a laptop in about half a day, including a quality control (QC) review step. This may seem like a long time compared to an hour or so for a standard on-prem deployment, but note that (a) considering this process can be used to deploy a custom set of software packages to a device anywhere in the world, it is still pretty efficient, and (b) it is not a half-day of hands-on time by the technician, but rather 30-60 minutes at the screen/keyboard spread over a few hours. Installations are done as the user (administrator) for whom the laptop is being imaged, after which admin rights are removed and the account is changed to standard. Last, I should mention I use only one Autopilot group, but employing differing Entra ID groups would offer more granular control. I may move to this for Tier 2 applications if Intune's Dependencies become more flexible.
Best Practices
- Organize Intune Packages: place Intune packages at C:\ to keep path lengths short and avoid path issues
- Employ Shift + Right-Click > Copy as Path when capturing folder names to avoid typing mistakes
- Identify Scripts: begin each script with comments detailing its purpose, version, author, and date
- Be Diligent in Consistent Naming: use consistent naming conventions for scripts, configurations, and other resources
- Separate Files: keep requirement scripts, detection scripts, and other resources in distinct locations
- Test: use ‘Pause’ commands for testing purposes and remove them before final deployment
- Preserve a Single Source: use a single, up-to-date instance of IntuneWinAppUtil.exe for consistency
- Use Editing Tools: use Notepad++ for editing PowerShell scripts, ensuring the encoding is set to UTF-8 (not UTF-8-BOM) before wrapping with IntuneWin
- Use Caution When Upgrading: test upgrades of PSADT with each package to ensure compatibility and performance
By following these guidelines and best practices you will have a solid plan for preparing to manage initial imaging of a legal application stack using Microsoft Intune, working towards a time-saving process to meet your organization’s needs.
#Microsoft365
#Cloud
#ITOperations
#200Level