Intune - sidecar for Win32 apps revealed

Traditionally it has not been easy to deploy applications to Windows 10 devices managed by Intune. There is a great solution for deploying Office 365 ProPlus. Also, it's always been easy to deploy single file MSIs and that's great. However how many apps do we admins get to deploy that are packaged very nicely by the vendor into single MSI files? Not many I'd say. Usually we get a .exe file or in fact the installation files contain multiple folder and files.

So what have our choices been to deal with this? 

• Repackage EXEs & MSIs with multiple files to a single file MSI using 3rd party tools (e.g. Flexera Admin Studio) - can be complex.
• Convert apps to .appx using the desktop bridge - the desktop app converter is Microsoft’s utility to do this and it's is not a straightforward tool to use.
• Deploy apps using PowerShell scripts - this is very powerful and uses the Intune management extension in conjunction with Azure blob storage.

The Intune management extension (codename sidecar) supplements the native Windows 10 MDM capabilities. So, how does it work? How do we get the management extension on to the devices?

Well, it’s just an MSI itself and we’ve been able deploy MSIs for quite some time. If a PowerShell script is assigned to a user and the Intune management extension is not already installed on a device, it will be pushed down to the device automatically by Intune. You’ll be able to see it as a service and in Programs and Features. You'll also get a new folder structure and access to log files (IntuneManagementExtension.log for example)

The agent then checks for policy every 60 minutes. Remember the device itself only syncs every 8 hours? You can force the device to sync immediately by restarting the “Microsoft Intune Management Extension” service.

That sounds really cool, doesn't it and it is really cool. Wouldn't it be great if sidecar could be used natively to deploy .exe files without the need for scripts and independent Azure storage. Well Microsoft have been listening.

This has now been announced at Ignite so we can finally talk about it. The Intune management extension now supports native Win32 app deployment. This is made possible by the introduction of a new file extension that can be uploaded to Intune - the .intunewin file.

I've been able to get an advance preview of this so let's walk through the process

Prerequistes:

• Windows 10 version 1607 and later
• Windows 10 edition (Enterprise, Pro, Edu, IOT Core, IOT Enterprise Core)
• Device must be Azure AD joined and Intune enrolled

Prepare the app

Microsoft have developed a new tool, the Microsoft Intune Win32 App Packaging Tool, to pre-process Win32 apps. The packaging tool converts application installation files into the .intunewin format. The packaging tool also detects some of the attributes required by Intune to determine the application installation state. After you use this tool on the app installer folder, you will be able to create a Win32 app in the Intune console. I've used it and it works really well.

You can download the tool from GitHub

You will also find the command-line parameters available for the tool.

Copy the app to a source folder. I've 7Zip for this test and it's small and quick, and it's an exe file. We've not been able to deal with this easily up to now.

Intune Win32 App Packaging Tool is a command line tool. Browse to the location and launch the tool. Specify the source location of the app (7Zip for me).

Specify the location for the output file. The tool executes and finally produces the .intunewin file....

...which you'll find in the output folder.

Upload the app

Now we can add the app in Intune, select the new file type available (at the bottom). This is not yet generally available.

Browse to the .intunewin app in the App package file pane.

Configure the app information.

Configure the program details. Note that you must know the silent installation (and uninstall) parameters.

Configure the requirements. You must enter OS architecture and minimum OS.

Configure the detection rule. We know all about this from ConfigMgr. We can choose MSI product code, presence of file or folder or registry value. I'm using the file-based option.

This is our detection rule.

I've accept the default return codes.

The app is uploaded to Intune and created.

Assign the app to an Azure AD group as normal.

Behavior on device.

My test device has already been used for testing of app deployment using PowerShell script. Therefore the Intune management extension is already installed. I've restarted the service to get immediate action.

I'm notified that software changes are required. The IntuneManagementExtension log file also tells me that a Win32App is about to be installed.

Installation is finished.

App is installed.

This is a huge step forward for software deployment to Windows 10 devices with Microsoft Intune. It is now much easier to deploy business Windows apps to MDM-enrolled devices. This can simplify your shift to the modern desktop. You don't have to change of course. If you're currently using ConfigMgr to deploy apps then keep doing that, as it works really well. If you want to go to modern desktop this new feature will remove a major roadblock.

I hope it helps you. 

Until next time........