Showing posts with label EMS. Show all posts

Monday, 2 January 2023

Silently install ten top Win32 apps with Intune

We've heard a lot about Winget (the Windows Package Manager) recently. However, we'll still need to deploy Win32 apps via Intune for the foreseeable future, especially during an Autopilot process. This blog post isn't about using the Win32 Content Prep tool to convert apps into the .intunewin format. It's about the research I carried out to work out how to install ten top apps (with a focus on the financial sector) silently and how to detect them afterwards. That research can take a while, so I thought it might save others some time.

Replace the executable name in each install command with the name of the installer you actually downloaded. Note that I've used the presence of a file as my detection method for many of the apps. You can tighten that rule by also requiring a minimum file version if you need to tell versions apart (for example to make sure an upgrade is re-applied rather than skipped).
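Where the "file or folder exists" rules below are not specific enough, a custom detection script can check the version as well. The script below is an added example, not part of the original post; the path and minimum version are assumptions chosen for illustration (they happen to match the VS Code entry later on). Intune's contract for custom detection scripts is: exit code 0 with something written to STDOUT means detected; exit 0 with no output, or any non-zero exit, means not detected.

```powershell
# Added example: Intune Win32 app custom detection script checking that a file
# exists AND meets a minimum version. Path and version below are assumptions.
param(
    [string]$Path        = 'C:\Program Files\Microsoft VS Code\Code.exe',
    [version]$MinVersion = '1.74.0'
)

function Get-InstalledFileVersion {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return $null                       # file missing: not installed
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # FileVersion can carry suffixes (e.g. "1.74.2.0 (build abc)") and
    # ProductVersion is sometimes blank, so fall back between them and keep
    # only the leading numeric part.
    $raw = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') {
        return [version]$Matches[1]
    }
    return $null                           # unparseable version: treat as not detected
}

$installed = Get-InstalledFileVersion -Path $Path
if ($installed -and $installed -ge $MinVersion) {
    # Output on STDOUT plus exit 0 is what tells Intune "detected".
    Write-Output "Detected $Path version $installed (minimum $MinVersion)"
    exit 0
}
# Deliberately no output here: exit 0 with empty STDOUT, or a non-zero exit,
# both read as "not detected". Exiting 1 makes the intent explicit in logs.
exit 1
```

Upload this as the detection rule of type "Use a custom detection script". Because the script reads the version from the binary on disk, an older copy left behind by a failed upgrade is reported as not detected and Intune re-runs the install, which a plain "file exists" rule would miss.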

Bloomberg Terminal:

Provides coverage of markets, industries, companies and securities across all asset classes.

Download the latest “Bloomberg Terminal” installer 


  • Silent install: sotr102_5_80.exe /s maindir="C:\blp\" conn_type=Private
  • Detection (file or folder exists): C:\blp\Wintrv\wintrv.exe

Refinitiv FXall:

Formerly Reuters, a complete end-to-end solution for your FX trades


There is one additional consideration with this application. A response file must be generated in order to install it silently. Generate the response file by running this command (as administrator):

Refinitiv-FXall-Setup.exe -r installer.properties

The installation wizard launches. Follow the wizard to the end. This installs the application and creates the response file. Open the file and review it before you package it: it records the answers you gave in the wizard, so make sure it contains nothing you would not want copied to every device. The file must be saved in the same folder as the EXE when the app is being converted to a .intunewin file, because the silent install reads installer.properties from the installer's own directory.
  • Silent install: Refinitiv-FXall-Setup.exe -i silent
  • Detection (file or folder exists): C:\Program Files\Refinitiv\Refinitiv FXall_\7.9.0.53\Refinitiv FXall_.exe
Note that the version number in that folder name means the detection rule will stop matching at the next upgrade; update it deliberately when you repackage.

Anaconda:

Anaconda Distribution is the world’s most popular open-source Python distribution platform. Download 

  • Silent install: Anaconda2-4.2.0-Windows-x86_64.exe /InstallationType=AllUsers /S /D=C:\Program Files\Anaconda2
  • Detection (file or folder exists): C:\Program Files\Anaconda2\pythonw.exe
Note that /D= must be the last argument on the line and the path must not be quoted, even though it contains a space; that is how NSIS-based installers such as Anaconda's parse it. Substitute the file name of the installer version you actually download.

Morning Star Direct:

Morning Star Direct is an investment & portfolio analysis software, which gives you the tools to build strategies and products.


Morning Star Direct is a pretty straightforward installation as it is MSI based. However, there are two additional considerations here.
  • Firstly, the Morning Star Direct installer forces a reboot, which happens automatically and without warning. Use the parameter REBOOT=ReallySuppress to prevent that. A reboot is still required to complete the installation: msiexec then returns exit code 3010, which Intune treats as "success, soft reboot required", so the user is notified to restart instead of being rebooted mid-session.
  • Secondly, there are two installations.
    • The Morning Star Direct prerequisites can be downloaded from here
    • The Morning Star Direct application can be downloaded here
    • The Prerequisites app has to be added as a dependency of the Morning Star Direct application so that it is installed first.
  • Silent install (prerequisites): msiexec /i "prerequisite.msi" /qn
  • Detection: MSI {7FA41A52-1D83-4C2D-A432-475AA3F7881B}
  • Silent install (application): msiexec /i "direct.msi" /qn REBOOT=ReallySuppress
  • Detection: MSI {D9C2A982-D2E0-4E83-B8FD-8E7B8160EBA2}
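If you would rather not hand Intune a bare msiexec command line, a small wrapper lets you log the install, map the msiexec exit code onto the return codes Intune understands, and confirm the product code really was registered before reporting success. The script below is an added example and is not from the original post or from Morningstar; direct.msi and the product code are taken from the entry above, and the log path is an assumption.

```powershell
# Added example: Intune Win32 install wrapper for an MSI that needs
# REBOOT=ReallySuppress. File name and product code are from the post above;
# the log location is an assumption.
param(
    [string]$Msi         = "$PSScriptRoot\direct.msi",
    [string]$ProductCode = '{D9C2A982-D2E0-4E83-B8FD-8E7B8160EBA2}',
    [string]$LogPath     = "$env:ProgramData\IntuneLogs\direct-install.log"
)

function Test-MsiProductInstalled {
    param([string]$ProductCode)
    # Per-machine MSI products register under one of these Uninstall hives on x64.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"
    )
    foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { return $true } }
    return $false
}

function Install-MsiSilently {
    param([string]$Msi, [string]$LogPath)
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
    # REBOOT=ReallySuppress stops the package rebooting on its own; msiexec then
    # returns 3010 when a reboot is still pending so we can pass that on to Intune.
    $msiArgs = @('/i', "`"$Msi`"", '/qn', '/norestart', 'REBOOT=ReallySuppress', '/l*v', "`"$LogPath`"")
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    return $p.ExitCode
}

$code = Install-MsiSilently -Msi $Msi -LogPath $LogPath

# Intune's default return-code map: 0/1707 success, 3010 soft reboot,
# 1641 hard reboot, 1618 retry. Anything else is a failure.
switch ($code) {
    0       { Write-Output 'Installed, no reboot needed.' }
    1707    { Write-Output 'Installed.' }
    3010    { Write-Output 'Installed, soft reboot required (user will be notified).' }
    1641    { Write-Output 'Installed, installer initiated a reboot.' }
    1618    { Write-Output 'Another install is in progress; Intune will retry.'; exit 1618 }
    default { Write-Output "msiexec failed with $code, see $LogPath"; exit $code }
}

# Belt and braces: only report success if the product code is actually registered.
if (-not (Test-MsiProductInstalled -ProductCode $ProductCode)) {
    Write-Output "Product $ProductCode not found after install; failing so Intune retries."
    exit 1
}
exit $code
```

Package the script next to direct.msi, set the install command to powershell.exe -ExecutionPolicy Bypass -File install.ps1, and keep the MSI product-code detection rule from the entry above; the wrapper's own registry check is there so that a silent msiexec "success" that left nothing behind does not get reported as installed.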

SQL Server Management Studio:

This app was developed by Microsoft and is used for configuring, managing, and administering all components within Microsoft SQL Server. It can be downloaded here


  • Silent install: SSMS-Setup-ENU.exe /quiet
  • Detection (file or folder exists): C:\Program Files (x86)\Microsoft SQL Server Management Studio 18\Common7\IDE\Ssms.exe

Visual Studio Code:

Visual Studio Code is a lightweight but powerful source code editor. Download

  • Silent install: VSCodeSetup-x64-1.74.2.exe /silent
    (/silent still shows a progress window. For a fully hidden install that does not launch VS Code at the end, which matters during Autopilot, use /verysilent /mergetasks=!runcode instead; both are standard Inno Setup switches. Make sure you package the system installer, VSCodeSetup-x64, not the user installer, which installs under %LocalAppData% and will not match the detection path.)
  • Detection (file or folder exists): C:\Program Files\Microsoft VS Code\Code.exe

Power BI Desktop:

Get a 360° view of your business data and quickly connect, shape, visualize, and share data insights through Power BI. Download


  • Silent install: PBIDesktopSetup_x64.exe -s ACCEPT_EULA=1
  • Detection (file or folder exists): C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe


Adobe Reader:

This app can be downloaded here


  • Silent install: AcroRdrDC2200320258_en_US.exe /sALL /rs /msi EULA_ACCEPT=YES
  • Detection (file or folder exists): C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

Sophos Antivirus:

This app can be downloaded here



  • Silent install: SophosSetup.exe --quiet
  • Detection (file or folder exists): C:\Program Files\Sophos\Sophos UI\Sophos UI.exe

Remote Help:

Remote help is a premium add-on application that works with Intune and enables your users to get assistance when needed over a remote connection. 



Remote help must be installed on each device before that device can be used to participate in a remote help session. You can download the latest version of remote help directly from Microsoft 
  • Silent install: remotehelpinstaller.exe /quiet acceptTerms=1
  • Detection (file or folder exists): C:\Program Files\Remote help\RemoteHelp.exe
-----------------------------------------------------------------------------------------------------------------------

That's it, that was the ten apps that I recently had to deploy via Intune for a financial services customer. I hope you find it handy if you need to work with one of them. It was difficult to get this information for some of the apps as the enterprise installation documentation was only available with a support contract.

Until next time.....

Wednesday, 14 December 2022

Windows 10 devices not enrolling in Intune

This is just a quick post to describe a customer issue I encountered this week. Customer had previously configured Azure AD Connect and all devices were hybrid joined. They had just implemented a GPO to enrol the devices into Intune

Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials

However no devices were enrolled.

I looked at the event viewer on one of the devices and this told me where the problem was. In the DeviceManagement-Enterprise-Diagnostics-Provider log I saw this error:

Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)

I figured that this was nothing to do with credentials but was caused by the user not being assigned a license. I was half right. The user had been assigned a license but it was a standalone Intune license. This is not enough for automatic Intune enrollment, that also requires an Azure AD Premium P1 license. I explained that it was still possible to enrol each device manually, but advised that wasn't a sustainable approach. 
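When you have more than a handful of devices to look at, it is quicker to pull those Auto MDM Enroll events out of the log with PowerShell than to open Event Viewer on each one. The script below is an added example, not from the original post; it matches on the message text rather than assuming event IDs, and the 24-hour lookback is an arbitrary choice.

```powershell
# Added example: summarise automatic MDM enrolment attempts on a device from the
# DeviceManagement-Enterprise-Diagnostics-Provider Admin log.
function Get-AutoMdmEnrollEvents {
    param([int]$Hours = 24)   # lookback window, an arbitrary default

    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $log
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Where-Object { $_.Message -like 'Auto MDM Enroll*' })) {
        # Messages look like:
        # "Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)"
        # The 8-digit HRESULT is the part worth keeping; "(0x0)" is only one digit and is skipped.
        $hr = if ($e.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { $null }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Result  = if ($e.Message -match 'Failed') { 'Failed' } else { 'Succeeded' }
            HResult = $hr
            Message = $e.Message
        }
    }
}

$attempts = Get-AutoMdmEnrollEvents | Sort-Object Time -Descending
if (-not $attempts) {
    Write-Output 'No Auto MDM Enroll events found: the enrolment GPO has probably not applied yet (check gpresult /h first).'
} else {
    $attempts | Select-Object Time, Id, Result, HResult | Format-Table -AutoSize
    $last = @($attempts)[0]
    if ($last.Result -eq 'Failed') {
        Write-Output "Most recent attempt failed with $($last.HResult)."
        Write-Output 'Check the user''s licensing (Azure AD Premium P1 is needed for automatic enrolment) before chasing credential problems.'
    }
}
```

Run it elevated on an affected device; the Result and HResult columns make it obvious whether every attempt is failing with the same code, which is the pattern you would expect from a tenant-side cause such as licensing rather than a per-device one.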

Customer cancelled the Intune licenses and EM+S E3 licenses were provisioned. Problem solved and devices are now being automatically enrolled.

Moral of the story: Standalone Intune licenses are not recommended. You "may" get away with them if you are just managing mobile devices (Android & iOS), but not when you are managing Windows. EM+S or M365 is recommended.

Until next time....




Tuesday, 27 September 2022

Suppressing key mapping on Zebra tablet using Intune

I've been doing a lot of work with Zebra devices recently. In this blog post, I showed how to use Zebra StageNow to create an XML file which could be deployed by Intune. I used the same technique to solve this latest problem.

I've developed an Android Enterprise dedicated device solution to turn Zebra ET40 rugged tablets into kiosk devices running Chrome only. Everything was working correctly except for one minor detail. I could press the top left button on the device which displayed the settings menu for the device. That's not what you want on a kiosk.


The button is labelled number 3 in the graphic above. The Zebra documentation tells me that this is a programmable button (or a key that supports key mapping) called P1. I carried out a lot of testing and I discovered that pressing P1 on the ET40 defaults to the settings app. I needed to suppress this key mapping on P1.

I was able to do that by creating a StageNow XpertMode profile and adding the KeyMappingMgr CSP.


I selected the following settings and saved the profile:

  • Click the "Remap Key" button
  • "The key to modify": select "P1 button" from the drop-down
  • "Key behaviour": Suppress Key

Then I exported the settings to XML.

<wap-provisioningdoc>
  <characteristic version="9.2" type="KeyMappingMgr">
    <parm name="Action" value="1" />
    <characteristic type="KeyMapping">
      <parm name="KeyIdentifier" value="P1" />
      <characteristic type="BaseTable">
        <parm name="BaseBehavior" value="5" />
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>


This XML file was then used to create an Intune configuration profile based on the Zebra OEMConfig app.


Select Configure > select the three dots next to Transaction Steps > and then select Add setting.
 

From the list of settings select,
Device Administration Configuration.


Under Device Administration Configuration only two settings are required.
  • Action = Submit XML
  • Submit XML = the .xml data we copied above. Paste it into this field.
Complete the wizard to create the device configuration profile and assign it to a group of your devices. Pressing the P1 button now has no effect and the kiosk can no longer be dropped into the device settings.

Until next time......

Monday, 21 December 2020

Migrate from Device Administrator to Android Enterprise

Starting with Android 5.0 and later, Google introduced Android Enterprise. That introduced the managed device (device owner) and work profile (profile owner) modes to provide enhanced privacy, security, and management capabilities. These modes support the different Android Enterprise deployment scenarios and can be managed by using the Android Management API. The Device Administrator method of managing Android devices is now considered legacy and has been deprecated by Google. They are encouraging migration to the Android Enterprise method.

I've recently deployed Android Enterprise (personally owned with work profile) for a number of customers and also developed a process to encourage users to migrate from Device Administrator. This is the only Android Enterprise migration that does not require a full reset of the device. Note that we cannot force the user to migrate but can encourage with the help of detailed communication. We can also block access to corporate resources via conditional access if they don't comply.

When Android Enterprise is adopted in production, enrollment restrictions should be imposed to block any new enrollments using Device Administrator.
 
We can now encourage users to move their Android devices from device administrator to personally owned work profile management by using the compliance setting to Block devices managed with device administrator. This setting lets you make devices non-compliant if they are managed with device administrator. When users see that they are out of compliance, they can tap Resolve. They will be taken to a checklist that will guide them through:

  • Unenrolling from device administrator management
  • Enrolling into personally owned work profile management
  • Resolving any compliance issues
In the Microsoft Endpoint Manager admin center, navigate to Devices > Android > Compliance policies to open the Android Compliance policies blade. Click Create Policy. The setting we're interested in is on the Device Health blade.


Select Block for Devices managed with device administrator



On the Actions blade, I've added two actions:
  • Mark device non-compliant immediately
  • Send push notification to the user
Be a little careful with your configuration here. Intune, the Company Portal app, and the Microsoft Intune app, can't guarantee delivery of a push notification. Notifications might show up after several hours of delay, if at all. This includes when users have turned off push notifications. Do not rely on this notification method for urgent messages. Add an action to first notify the user via email and make sure to adjust the default action to not mark a device as noncompliant immediately. That will provide the end-user with time to perform the migration before completely being blocked, if you have a conditional access policy configured.

Save and assign the policy. Start with a test or pilot group to ensure that your migration process is problem-free. It is recommended to create a procedure document to be sent to end users. It should contain the steps below so that users can follow what is expected from them.
 

The user receives a push notification telling them that “Your organization requires you to update settings”. The user should click on the notification.
 

The user can see the details. The user can see that they have to move to a new device management setup, which involves adding a work profile to the device. The user should click Resolve.
 

The user should click Begin to start the migration. The first step is to remove the existing management.
 

The user receives a warning that they may temporarily lose access to corporate services like WiFi.
 

The current device administrator management is being removed.
 

The current device administrator management has been removed. The user should click Continue.
 

The user should click Continue at the privacy screen.
 

The username is already pre-populated. The user should enter their password to sign into Intune (you may not see this step).
 

The user should click Confirm to accept that the organization will manage the work profile.
 

The work profile is being created.
 

The company portal is being configured.
 
 

The work profile has been created. The user should click Continue to activate.
 

The device is being registered with Intune.
 

The work profile is almost finished.
 

The user should select device ownership. This has no effect on the device itself. It is merely a label that allows the IT admin to target devices in the console.
 

The device has been enrolled in Android Enterprise with work profile and is compliant. The user should click Done.
 

The user can read information about the new work setup and should click Got it.
 

The user can see the separation between Personal and Work resources at the bottom of the screen.


The user can see notifications that corporate resources are installing – see notifications for Teams and Outlook. 


The user can see the corporate apps in the Work container. See the briefcase icon which denotes a corporate app. 
 

In the Microsoft Endpoint Manager admin center, the test device can no longer be seen in the results for the Migrate from Android Device Administrator compliance policy. That is expected. This policy is assigned to Device Administrator devices and the test device is now Android Enterprise. Therefore, the policy is no longer applicable.

Finally, as noted earlier, block any new Device Administrator enrollments once Android Enterprise is in production.


Navigate to Devices > Enroll devices > Enrollment restrictions to block further Android Device Administrator enrollments.

I hope this helps. Until next time.....


 

Tuesday, 17 November 2020

Autopilot White Glove issue

Windows Autopilot white glove feature has been renamed to Windows Autopilot for pre-provisioned deployment. The pre-provisioning service allows partners or IT staff to pre-provision a fully configured and business-ready Windows 10 PC. From the end user’s perspective, the Windows Autopilot user-driven experience is unchanged, but getting their device to a fully provisioned state is faster.

I recently encountered a problem with the process while deploying Windows 10 v1909. 


This UAC prompt for User OOBE Create Elevated Object Server appeared just after the Device setup phase. 


Clicking No caused a real problem and the process started again, this time getting stuck for hours trying to join the organization. This was never going to work. I could see in the MEM console that the device had joined Azure AD and enrolled in Intune and the apps had successfully installed.


Clicking Yes allowed the process to successfully finish.


The prompt is caused by a setting in the security baseline: Local Policies Security Options > Administrator elevation prompt behaviour. It was configured by default to Prompt for consent on the secure desktop. Changing that to Prompt for consent for non-Windows binaries did the trick and removed the prompt. Bear in mind that this relaxes the baseline for every administrator elevation on the device, not just during pre-provisioning (Windows-signed binaries will then elevate without a prompt), so decide whether that trade-off is acceptable before applying it tenant-wide.

Thanks to my former colleague Dan Padgett for figuring that out.

Until next time.....


Sunday, 30 August 2020

Block apps from running on fully managed Android devices

My customer is using Microsoft Intune to manage Android devices (Samsung A51) which have been enrolled as "fully managed" devices. We have a device configuration profile in place to manage the device restriction settings. The customer also wants to block consumer and system apps that are pre-installed by the OEM and gave us a list of apps.

First I looked at a restricted apps policy. This is used to allow or prevent specific apps on devices. It is supported on Android and Samsung Knox Standard devices but is only available for "device administrator" management.


Next I decided to look at uninstall packages for the apps. I created packages for some of the apps based on their URL in the Google Play Store. Then I assigned the packages as Uninstall to the Android device group. This worked well but unfortunately, not all the apps were available in the Play Store, so this was an incomplete solution.

I found the answer with Android Enterprise system apps.


This allowed me to create the app packages using the Package Name, with no reference to the Play Store. Every Android app has a registered package name. You just have to be able to find it.

This search link will give you details on package names for all system apps pre-installed on many Samsung models. I found everything I needed and was able to create the uninstall packages.
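If a vendor page does not list the package you are after, the most reliable source is the device itself. The script below is an added example, not from the original post: it asks a USB-debugging-enabled test device (never a production kiosk) for its pre-installed system packages over adb and filters them by substring, so you can copy exact package names into the Android Enterprise system app wizard. It assumes adb is on the PATH; the filter strings are illustrative.

```powershell
# Added example: find Android system package names on a connected test device
# via adb, for use as Intune "Android Enterprise system app" package names.
# Assumes adb.exe is on the PATH and the device has authorised USB debugging.
function Get-SystemPackages {
    param([string[]]$Filter = @('bixby', 'netflix', 'vzw'))   # illustrative filters

    # "pm list packages -s" returns only system (OEM/pre-installed) packages,
    # one per line in the form "package:<name>".
    $raw = & adb shell pm list packages -s 2>$null
    if (-not $raw) { throw 'adb returned nothing: is a device connected and authorised?' }

    $all = $raw | ForEach-Object { ($_ -replace '^package:', '').Trim() }
    $all |
        Where-Object {
            $name = $_
            ($Filter | Where-Object { $name -like "*$_*" }).Count -gt 0
        } |
        Sort-Object -Unique
}

function Get-PackageDetail {
    param([string]$Package)
    # dumpsys exposes versionName; the human-readable label needs aapt on the
    # APK, so the APK path plus version is the practical identification here.
    $dump = & adb shell dumpsys package $Package 2>$null
    $ver  = ($dump | Select-String 'versionName=' | Select-Object -First 1) -replace '.*versionName=', ''
    $path = (& adb shell pm path $Package 2>$null) -replace '^package:', ''
    [pscustomobject]@{ Package = $Package; VersionName = $ver; ApkPath = ($path -join '; ') }
}

Get-SystemPackages | ForEach-Object { Get-PackageDetail -Package $_ } | Format-Table -AutoSize
```

Copy the Package column verbatim into the wizard's Package name field; a single typo there produces an app object that silently never matches anything on the device, which is why the post stresses entering it correctly.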
  • Navigate to the Endpoint Manager admin center to create the apps.
  • Click Apps > All Apps > Add
  • For the App Type, look at the bottom option and choose Android Enterprise system app.

  • Click Select to commence the Add App wizard.

  • This is where you enter the app details. Pay particular attention to the Package name. It must be entered correctly. The tooltip tells us to contact the device manufacturer to get the system apps package name of the format com.example.app. Click Next to continue.
  • You only have two options on the Assignments page. To enable an app, assign the system app as Required. To disable an app, assign the system app as Uninstall. System apps cannot be assigned as available. Select the assignment groups and click Next.
  • Review and create the app.
I was able to prevent the apps in the table below from running and satisfy the customer requirement.

App                              Package Name
Netflix                          com.netflix.mediaclient
Galaxy Store                     com.sec.android.app.samsungapps
Verizon Call Filter              com.vzw.ecid
Verizon Cloud                    com.vcast.mediamanager
Verizon Digital Secure (Safe)    com.securityandprivacy.android.verizon.vms
My Verizon                       com.vzw.hss.myverizon
AR Zone                          com.ARZone.arzone
Bixby Voice                      com.samsung.android.bixby.agent
Bixby Voice Stub                 com.samsung.android.bixby.agent.dummy
Bixby Home                       com.samsung.android.app.spage
Bixby Service                    com.samsung.android.bixby.service
Bixby Vision Framework           com.samsung.android.bixbyvision.framework
Game Launcher                    com.yujimny.android.gamelauncher
Samsung Internet                 com.sec.android.app.sbrowser


I hope this helps. Until next time....

Thursday, 23 April 2020

Configuration Manager co-management considerations

Co-management allows you to cloud-attach your Configuration Manager infrastructure. Essentially it enables you to manage Windows 10 devices with the ConfigMgr agent and Intune MDM at the same time. Implementing co-management gives you instant access to invaluable features like conditional access.

I just want to share some information on co-management that I find useful.

Co-management scenarios

My previous understanding was that, without co-management, it was not possible to manage a Windows 10 device with ConfigMgr and Intune at the same time. However, as I recently discovered on a customer site, that is only partially true. It depends on the order.

On a recent customer engagement, I had configured co-management with a pilot collection.


I was very surprised to see co-managed devices in the Azure portal that were not members of the pilot collection. I now understand that it depends on the scenario.

If the ConfigMgr agent is running on a device and the device becomes Azure AD joined, no attempt is made to enrol in Intune, even if automatic Intune enrolment is configured. When co-management is configured, then automatic Intune enrolment kicks in and enrols the device in Intune.

However, what happens if the device is MDM enrolled first? In this case you can install the ConfigMgr agent. The device will be co-managed but will not receive any workloads if it hasn’t been added to a co-managed collection.


In this case you will see a co-management capability of 1, which is what I saw on my customer site. This means that the device is co-managed but hasn’t received any policy. The “real” co-managed devices had a capability of 45. 

Intune automatic enrolment

What happens if my devices are already Azure AD joined but I haven’t configured automatic Intune enrolment? 

I was concerned that automatic enrolment was a one-time thing i.e. when the device is joined to Azure AD it is automatically enrolled in Intune (if that is configured). I was concerned that if automatic enrolment is not configured first then the Intune enrolment doesn’t try again as the device will already be joined to Azure AD.

MDM URLs must be populated on the client before it can be successfully enrolled. These URLs are populated by the automatic Intune enrolment user scopes. When co-management is configured, the ConfigMgr agent periodically checks for these URLs and keeps retrying until they are populated. At that point, the device is enrolled in Intune. It is not a one-time thing.
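You can see on a client whether those MDM URLs have arrived, and whether an Intune enrolment already exists, without waiting for the ConfigMgr agent's next retry. The script below is an added example, not from the original post: it parses dsregcmd /status (the AzureAdJoined, DomainJoined, MdmUrl, MdmTouUrl and MdmComplianceUrl fields are standard dsregcmd output) and reads the enrolment records Windows keeps under HKLM\SOFTWARE\Microsoft\Enrollments, where an MDM enrolment carries ProviderID "MS DM Server".

```powershell
# Added example: check MDM enrolment URLs and existing MDM enrolments on a
# hybrid Azure AD joined, ConfigMgr-managed client.
function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines in several sections;
    # turn the single-word keys into a hashtable.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Get-MdmEnrollments {
    # Each enrolment is a GUID subkey; MDM enrolments have ProviderID = "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, EnrollmentState, UPN
}

$s = Get-DsregStatus
[pscustomobject]@{
    AzureAdJoined    = $s['AzureAdJoined']
    DomainJoined     = $s['DomainJoined']      # both YES = hybrid Azure AD joined
    MdmUrl           = $s['MdmUrl']
    MdmTouUrl        = $s['MdmTouUrl']
    MdmComplianceUrl = $s['MdmComplianceUrl']
} | Format-List

if (-not $s['MdmUrl']) {
    Write-Output 'MdmUrl is empty: the MDM user scope for automatic enrolment has not reached this device yet, so enrolment cannot succeed until it does.'
}

$enrollments = Get-MdmEnrollments
if ($enrollments) {
    $enrollments | Format-Table -AutoSize
} else {
    Write-Output 'No MDM enrolment recorded yet.'
}
```

An empty MdmUrl with AzureAdJoined and DomainJoined both YES is exactly the state the paragraph above describes: the device is hybrid joined but has nothing to enrol against, and the agent will keep retrying until the URLs appear.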

ConfigMgr client settings

Hybrid Azure AD join, and automatic Intune enrolment are among the prerequisites for co-management. What happens if you configure hybrid AADJ using Azure AD Connect? Do you still need to configure this in ConfigMgr client settings (Automatically register new Windows 10 domain joined devices with Azure Active Directory to = Yes)?

The answer is no. You do not need it. This is a throwback to when you needed a GPO to tell devices to perform a hybrid AADJ. Current supported versions of Windows 10 will automatically join Azure AD if they find a Service Connection Point in Active Directory.


However, this is the default setting and you should leave it alone. If you turn it off, you may block devices from completing the Azure AD join.

GPO

As stated above you no longer need to configure a GPO to force a hybrid AAD join. For current supported Windows 10 devices, this should happen automatically.

Co-management display changes (April 2020)

There are some changes in the 2004 service release. On the All devices page, the entries for the Managed by column have changed:
  • Intune is now displayed instead of MDM
  • Co-managed is now displayed instead of MDM/ConfigMgr Agent

Learn more about co-management in the official Microsoft docs

I hope this helps you to understand and configure co-management. Until next time…..