MSEndpointMgr

Deploy a Windows Installer for MDM managed Devices with Microsoft Intune

Since Microsoft Intune is a cloud-based service, it’s updated frequently, and this time around Microsoft has some great additions in store. In this blog post I will talk about the new capability to deploy a Windows Installer package (MSI) to devices that are managed through MDM, in other words devices being treated as Mobile Devices. Previously, you were only able to deploy appx, xap and appxbundle packages to Mobile Devices, but now you’re also able to manage MSI installations. This is a great feature if you ask me, and proves that Microsoft is evolving the management capabilities for devices being managed as Mobile Devices through OMA-DM.

Windows Installer for Windows 10 devices through MDM

Importing and modifying software in Microsoft Intune is handled by the Microsoft Intune Software Installer Publisher, which requires .NET Framework 4 Full and a restart before you can begin to use it. In order to publish and deploy a Windows Installer file for Windows 10 devices that are managed as MDM devices, there are a few rules and restrictions that you need to be aware of before you go ahead:

  • You can only upload a single file with the extension .msi
  • The file’s product code and product version are used for app detection
  • The default restart behavior of the app will be used. Intune does not control this
  • Per user MSI packages will be installed for a single user
  • Per machine MSI packages will be installed for all users on the device
  • Dual mode MSI packages currently only install for all users on the device
  • App updates are supported when the MSI product code of each version is the same
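
The rules above depend on values stored in the package's Property table, so it helps to read them before uploading. The following PowerShell function is an added example, not code from the original post or from Microsoft; it uses the Windows Installer COM object, and the function name, the sample path and the labels derived from the ALLUSERS property are assumptions of this example.

```powershell
# Added example: Get-MsiDeploymentInfo is a hypothetical helper, not an Intune cmdlet.
function Get-MsiDeploymentInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Only a single file with the .msi extension can be uploaded.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf) -or
        [System.IO.Path]::GetExtension($Path) -ne '.msi') {
        throw "Not an existing .msi file: $Path"
    }
    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath

    $invoke    = [System.Reflection.BindingFlags]::InvokeMethod
    $get       = [System.Reflection.BindingFlags]::GetProperty
    $installer = New-Object -ComObject WindowsInstaller.Installer
    try {
        # Second argument 0 opens the database read-only.
        $db   = $installer.GetType().InvokeMember('OpenDatabase', $invoke, $null, $installer, @($fullPath, 0))
        $view = $db.GetType().InvokeMember('OpenView', $invoke, $null, $db, @('SELECT `Property`, `Value` FROM `Property`'))
        $null = $view.GetType().InvokeMember('Execute', $invoke, $null, $view, $null)

        # Collect every Property/Value row into a hashtable.
        $props = @{}
        while ($record = $view.GetType().InvokeMember('Fetch', $invoke, $null, $view, $null)) {
            $name = $record.GetType().InvokeMember('StringData', $get, $null, $record, 1)
            $props[$name] = $record.GetType().InvokeMember('StringData', $get, $null, $record, 2)
        }
        $null = $view.GetType().InvokeMember('Close', $invoke, $null, $view, $null)
    }
    finally {
        $null = [System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }

    # ALLUSERS as authored in the package: 1 = per machine, 2 = dual mode,
    # absent or empty = per user. Command-line arguments can override it.
    $allUsers   = [string]$props['ALLUSERS']
    $scopeNames = @{ '1' = 'Per machine'; '2' = 'Dual mode' }
    $scope = if ($scopeNames.ContainsKey($allUsers)) { $scopeNames[$allUsers] } else { 'Per user' }

    [pscustomobject]@{
        ProductName    = $props['ProductName']
        ProductCode    = $props['ProductCode']      # used for app detection
        ProductVersion = $props['ProductVersion']   # used for app detection
        InstallScope   = $scope
    }
}

# Usage (constructed file name under the folder used in this post):
# Get-MsiDeploymentInfo -Path 'C:\Install\package.msi'
```

Run it against each version of a package you plan to publish: an update is only supported when the ProductCode values match.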

You can read more about app deployment with Microsoft Intune on the following link:
https://technet.microsoft.com/en-us/library/dn646955.aspx

Publish a Windows Installer software

Update! With the release of Windows 10 1511 (TH2), you’re now able to deploy Windows Installer packages through the MDM agent. It seems, however, that you’re only able to run the installation ‘As soon as possible’; scheduling is not yet available.

Before we can deploy Windows Installer software to any device, we need to publish it within Microsoft Intune first. In this demonstration I will publish 7-zip, which you can download here.

  1. Go to manage.microsoft.com and log in with your Global Administrator account for Microsoft Intune.
  2. Click on Apps and then click on Add Apps.
  3. The Microsoft Intune Software Publisher will now start. Click on Next at the Before you begin page.
  4. Select Software installer for how this software is being made available to devices and select Windows Installer through MDM (*.msi) as the software installer type. Click Browse and select the MSI file; in this case I’ve downloaded 7-zip 9.20 x64 to C:\Install.
    Click Next.
  5. Enter the following information:
    Publisher: Igor Pavlov
    Name: 7-zip 9.20 x64
    Description: Compression software
    URL for software information: https://www.7-zip.org
    Category: Other Apps
    We will skip the icon and making the app a featured app this time around, since this is just a demonstration. Click Next.
  6. Select the architecture of the Windows Installer package. In this case I’ve chosen the 64-bit version of 7-zip. Do not make any selection as for the operating system and click Next.
  7. On the Command line arguments page, supply any parameters for the Windows Installer. Remember that these parameters are intended for the package, not for msiexec. Click Next.
  8. If you’re satisfied with what you’ve configured as shown in the summary, click Upload.
  9. Microsoft Intune Software Publisher will now start to upload your Windows Installer package with the configurations you’ve made.
  10. Once the upload has completed, click Close.
  11. Go to Apps in the console and make sure your new app is selected. Click on Manage Deployments.
  12. Select a group that contains your Windows 10 devices that are managed as mobile devices. Click Next.
  13. Choose Required Install in the Deployment column, and select As soon as possible in the Deadline column. If you choose Available Install in the Deployment column instead, the app will be made available in the Company Portal app for users to install on demand. Click Finish.

App deployment information

At this point we’ve published the 7-zip app to Microsoft Intune and deployed it to a group of mobile devices. Since we chose the Deadline option As soon as possible, Microsoft Intune will scan the devices in the selected group(s) during the next synchronization and then deploy the app. As a result, the app is not deployed immediately, even though the name of the Deadline option suggests it would be. Below is a list of the options that are available as Deadlines and what they in fact mean:

| Deadline | Schedule |
| --- | --- |
| None | Deploys the app based on the agent policy settings |
| As soon as possible | During the next synchronization, Microsoft Intune scans devices in the selected groups, and then deploys the app. For more information about how to schedule synchronization, see Use policies to manage computers and mobile devices with Microsoft Intune |
| One week | This option deploys the app package one calendar week from the current day |
| Two weeks | This option deploys the app package two calendar weeks from the current day |
| One month | This option deploys the app package one calendar month from the current day |
| Custom | This option lets you set a specific date and time for the app package to deploy |

Summary

I’m really excited about the fact that more and more features that previously have been possible to perform with the Intune agent are coming to mobile devices. In fact, being able to deploy a Windows Installer package through OMA-DM is really cool. In the near future I hope to see more features like this coming to the mobile device management area, making it ever better than it already is.

Nickolaj Andersen

Chief Technical Architect and Enterprise Mobility MVP since 2016. Nickolaj has been in the IT industry for the past 10 years specializing in Enterprise Mobility and Security, Windows devices and deployments including automation. Awarded as PowerShell Hero in 2015 by the community for his script and tools contributions. Creator of ConfigMgr Prerequisites Tool, ConfigMgr OSD FrontEnd, ConfigMgr WebService to name a few. Frequent speaker at conferences such as Microsoft Ignite, NIC Conference and IT/Dev Connections including nordic user groups.

7 comments

  • Hey Nickolaj,
    What advantages does the Intune Client have? It looks like it’s better to manage W10 with the MDM agent.
    Regards,
    Edward

  • Hey mate
    How are you enrolling your Windows 10 device with Intune? I’ve found that if I use auto-enrollment via AAD or enroll via Work Access within Windows 10, the machine registers as a mobile device and MSI deployments never run.
    If I install the Intune Client Software instead, the device enrolls as a Computer and MSI deployments install successfully.
    Cheers
    Sam

    • Hey Sam,
      As it states in the post, this functionality is not working for devices managed as mobile devices as of yet. Microsoft has claimed that there’s an announcement coming in regards to this (and most likely additional things).
      Regards,
      Nickolaj

  • What I find weird as a Windows Installer guru is that the ProductCode and ProductVersion are used for product detection. Common sense would be that the UpgradeCode would be used alongside ProductVersion as that’s what is being used by Windows Installer to determine whether an older/newer ProductVersion is installed of the same (!) product using the Upgrade table.

    • I think that Microsoft has some work to do here, but I wanted to highlight this functionality because I believe it’s the right focus forward.
