Deploy Win32 Application in Intune

I am working on project to migrate from Config Manager to Modern Management in Intune. Intune’s preview of allowing Windows 32-bit applications appears to bridge a problem we were facing. When I started to research how to deploy a Windows 32-bit application via Company Portal, I started with Google searches. To write this blog I used information I found in the product documentation and some good blogs by Peter van der Woude and Maurice Daly. I hope this post is a different enough that you will find it useful.

There are 6 steps to converting and deploying the application

Gather required information

When creating the application in Intune the following information is required:

  • Application Name – required
  • Description – required
  • Application Publisher – required
  • Icon file – is not required by recommended
  • Install command line
  • Uninstall command line
  • Install behavior: user, machine
  • Software installation requirements: operating system, memory, disk space
  • Detection rule: MSI, file, or registry
  • Any custom return codes

Determine install / uninstall command lines

This part is general to how on software packaging regardless if it is Config Manager or Intune. If you are familiar with how to find command line switches skip ahead to the next section. Before I package any software that is not a simple MSI, I install the software on a test virtual machine. This allows me to determine the silent install command lines, what other prerequisites are needed, and which detection method to use. The application for this blog is going to be “ACL for Windows” by “ACL Services Ltd.”. When I review the installation source files, I see that it is InstallShield setup.exe with an MSI. I could just use the msiexec.exe as the installation program, but since there is a setup.exe file to go with it, I will install the application on the test machine to see what InstallShield scripting is occurring in the setup.exe

Before I go into detail, I want to talk about command line switches. Always review the vendors documentation to find any custom switches and return codes they may have. Otherwise, most command line switches can be found by typing “setup.exe /?” at the command line. If the install name is not “setup.exe” type the name of the executable. For MSI packages, type “msiexec.exe /?”. For InstallShield setup.exe files Flexera has a great help documentation at https://helpnet.flexerasoftware.com/installshield19helplib/helplibrary/IHelpSetup_EXECmdLine.htm.

All work is performed a virtual machine with Windows 10 with Orca installed. Orca is a Microsoft MSI editor tool available in the Windows 10 SDK, “MSI Tools” feature. Once the machine has ready, create a snapshot/checkpoint.

Find Pre-requisite software needed

  1. Open the virtual machine.
  2. Run setup with no arguments to view InstallShield pre-requisites.
  3. This software requires Microsoft Visual C++ 2010 SP1, Microsoft Visual C++ 2012 redistributable packages along with Open XMLSDK.

  4. Since there is pre-requisite software needed, I will need to package this using setup.exe. The InstallShield script logic will automatically detect the installation status of the pre-requisites and installs if necessary. If there were no pre-requisite software needed, I could just use the MSI.
  5. Cancel the installation.

Find the silent install command line

  1. In the virtual machine, open an elevated command prompt window or a PowerShell window.
  2. Set PowerShell location to the folder with the software: set-location c:\temp\ACL_forWindows_13.0.0.579
  3. To view the command line arguments, type .\setup.exe /?

  4. Per the screen that was displayed, the silent install command line setup.exe /S /v/qn
  5. Run the silent install command line to validate it is correct.
    1. Open Task Manager
    2. Select the Details pane.
    3. Wait for the setup.exe process to end
    4. This software restarted the computer. Since Intune should control the restart of the computer, the command line will need to be modified to not automatically restart the computer.
  6. The revised command line with option to suppress restart is setup.exe /S /v”/qn /norestart”

Find the silent uninstall command line

Now that the product is installed on the test machine, we can use PowerShell or Regedit to find the uninstall command line. Information about software installed for the local machine, not the user context, is stored in the HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall key. For 32-bit apps on a 64-bit OS, it is stored in the HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall key. You can use Regedit to browse to these keys and look at each item until you find the item with “ACL” in the display name. Or you can run a PowerShell command:

Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where {$_.DisplayName -match "ACL"}|Select -Property DisplayName, UninstallString, Publisher, URLInfoAbout, URLupdateInfo

This returns the Uninstall string “Msiexec.exe /X{C0735525-C106-4C1B-A70D-81AB2299FB04}”. To make the command line silent, we would add the “/qn /norestart” parameters to it. So, the final silent uninstall command line is: Msiexec.exe /X{C0735525-C106-4C1B-A70D-81AB2299FB04} /qn /norestart.

Make note of the Publisher, and URL information as these will be used when inputting information about the application in Intune.

Extract ICON file

Adding an icon to the application makes it easier for the user to locate the application in the company portal. It also just looks nice. Below is a PowerShell script that will extract an icon from a file.

Add-Type -AssemblyName System.Drawing
$icon = [System.Drawing.Icon]::ExtractAssociatedIcon("C:\Temp\ACL_forWindows_13.0.0.579\setup.exe")
$icon.ToBitmap().save('ACL.jpg', [System.Drawing.Imaging.ImageFormat]::Jpeg) 

Determine Detection Rules

Only one detection method is needed. I am going to list how you can find the information for each of the 3 main methods: MSI rule, file rule, and registry rule. In my final example, I will be using the MSI rule.

MSI Rule

Since this install used an MSI, we can use the MSI product code as the detection method. The product code is the GUID used in the uninstall command line. So, for ACL for Windows it is {C0735525-C106-4C1B-A70D-81AB2299FB04}. Another method of finding the product id GUID is to edit the MSI with Orca. To find the product key via Orca:

  1. Install Orca on the computer.
  2. Right-click on the MSI, and select Edit with Orca
  3. In the left-panel, scroll down to select the Property table
  4. Find the ProductCode property
  5. Note the value

File Rule

For the File rule perform the following steps.

  1. Open properties of the shortcut created for the application launch.

  2. Note the Target File Path
  3. Note the Target File Name

Registry Rule

A good registry rule to use is the uninstall registry key. The Key Path and Value Name are required. I use a similar command line as used to find the uninstall command line.

Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | Get-ItemProperty | Where {$_.DisplayName -match "ACL"}|Select -Property DisplayName,PSPath|format-list

The Key Path is the PSPath value after the “Registry::” So in this case it is “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C0735525-C106-4C1B-A70D-81AB2299FB04}. The Value Name will be DisplayName.

Use IntuneWinAppUtil.exe to create “. intunewin” file

Finally, we are ready to start the Intune specific process. In order to publish a Win32 application in Intune, it must first be converted into a “.intunewin” file. Microsoft has provided a free utility to perform the conversion. You can download the utility from GitHub. If you type IntuneWinAppUtil.exe with no parameters, it will prompt you for the source folder, setup file, and output folder. These options can be passed as parameters on the command line: IntuneWinAppUtil -c -s -o <-q>

Step-by-step instructions:

  1. Copy the source files to a folder.
  2. Copy the “IntuneWinAppUtil.exe” file locally.
  3. Create an output folder for the “.intunewin” file.
  4. Open an elevated PowerShell Window.
  5. My example uses c:\temp as the download location. The software title is ACL_forWindows_13.0.0.579. The output folder will be C:\Temp\Intune_ACLForWindows.
  6. Type: Set-location c:\temp
  7. Type: .\IntuneWinAppUtil.exe -c c:\temp\ACL_forWindows_13.0.0.579 -s setup.exe -o c:\temp\Intune_ACLForWindows

Add Application to Intune

Open the Azure portal and select the Intune Console.

Once in the Intune console, select Client Apps from the Manage column

Select Apps from the Client Apps Manage column.

Click on the option.

Select app type of “Windows app (Win32) – preview” in the App type drop down in the Add app column

Click on App Package File Select file

Browse to the output file created above

Click on the OK button.

Click on App information Configure

Complete the App information fields

Click on the OK button.

Click on Program Configure

Enter the Install command line from above: setup.exe /S /v”/qn /norestart”

Enter the uninstall command line from above: Msiexec.exe /X{C0735525-C106-4C1B-A70D-81AB2299FB04} /qn /norestart

Select System for Install behavior

Click on the OK button.

Click on Requirements Configure

Since this is a 32-bit application, select 32-bit and 64-bit

Select the lowest version of Windows 10 listed.

Click on the OK button.

Click on Detection rules Configure

For Rules format, select “Manually configure detection rules”.

Click on the Add button.

For Rule type, select MSI.

Enter the MSI product code found above.

Select No for MSI product version check.

Click the OK button.

Click the OK button.

Click on Return codes Configure.

We have no custom return codes

Click on the OK button.

Click on the Add button.

The application is saved.

Wait for the application to be uploaded into the Cloud and available for assignment.

Assign the application to a group

Once the application has been created, it will need to be assigned to a group for distribution. I will be using the “All Users” group to simplify these instructions.

Start with the Intune portal opened to Client apps – Apps – ACL for Windows – v13.0.0.579

Click on the Assignments option in the Manage column.

Click on Add group

For assignment type select “Available for enrolled devices”

Click on No groups selected Included groups

Select Yes for “Make this app available to all users with enrolled devices”

Click on the OK button.

Click on the OK button to create assignment.

Click on the Save button.

Install the application

Now we can test that application that it installs correctly. To review the Intune log file, you will want to install the CMTrace.exe utility on the target computer. This utility is a part of the SCCM 2012 R2 Toolkit that can be downloaded from here. If you have Configuration Manager 1806 or greater, the CMTrace utility is in the CD.Latest folder on the site server. Other information that is helpful to have when reviewing the log file is the applications object id. This can be found in the Audit logs in Intune.

Sign onto a computer with the Intune client and Company Portal installed. The Company Portal can be downloaded from the Windows Store.

Start Company Portal application.

Select ACL for Windows – v13.0.0.579

Click Install

Browse to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs to monitor the deployment.

In the IntuneManagementExtension.log file, look for [Win32App] entries

Logged entry ===Step=== Start to Available app 

First to process the detection rules to see if the application is already installed.  I used an MSI detection rule, so a WMI query will be made to the Win32_Product class

122318_1711_DeployWin3224.png

The next step is to validate the requirements are met.  Since I selected 32-bit or 64-bit, it skips the OS Architecture check.  It did run the Windows 10 version check and the computer passed.

122318_1711_DeployWin3225.png

All checks passed to proceed.  Next, a web request is sent to authenticate to Intune data store.

122318_1711_DeployWin3226.png

Authentication passed, so the download can proceed.  Content is downloaded to C:\Program Files (x86)\Microsoft Intune Management Extension\Content\Incoming\<object ID>

122318_1711_DeployWin3227.png

The download completes, and the content is expanded for installation.  It is interesting to note that the log files show that Windows Delivery Optimization is used to download the content.

122318_1711_DeployWin3228.png

The application installation then proceeds.  The log file shows the installation command that was entered when configuration the application.  It also shows the process ID associated with the installation.  If you were to start Task Manager at this point, you would see the setup.exe running.

122318_1711_DeployWin3229.png

The application installs successfully, so the detection rules again, to validate the application installed.

122318_1711_DeployWin3230.png

The results of the install are also written into the registry at HKLM:\Software\Microsoft\IntuneManagementExtension\Win32Apps\User Guid\Object ID

122318_1847_DeployWin3231.png

And back in the Company Portal, the application shows as installed.

122318_1711_DeployWin3232.png

Monitor the Deployment

When connected to the Intune console Client Apps – Apps node, highlight the application.  This will display summary information about how many devices have the application installed.

122318_1847_DeployWin3233.png

If you select the Monitor – Device install status, information about the devices that have the product installed will be displayed.

122318_1847_DeployWin3234.png

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s