Support Tip: Best Practices for Intune Software Distribution to PCs


~ Joel Stevens | Support Escalation Engineer

This article describes tips and recommended best practices for distributing a software or update package to PC clients using Microsoft Intune. Note that in this particular example we are talking about full PC clients rather than MDM-enrolled Windows desktops. For more information on the various options for managing devices, please see the following:

Choose how to manage devices

Prepare ahead for Software Distribution

To distribute the software or update package, you will first need to obtain the necessary installation or update files to support a deployment installation. These files need to include either an installation executable file such as Setup.exe or a Windows Installer file such as application.msi.

If your installation file requires other files or folders to complete a client installation, you will need to ensure that you have organized all of those files into a single folder that you can access so that they can be added to the software package by the Intune Software Publishing Wizard.

NOTE: Whichever file type you select, remember that Intune can only deploy software that requires no user interaction during installation.

For .EXE installations, a /Install switch is added automatically.

Most EXE files require additional command-line arguments to turn off the default user interaction and set the package to install silently. Microsoft Intune only supports deploying EXE installer packages. If you need to deploy runtime EXEs, you will need a 3rd party tool to create an installer package.

For .MSI packages, a switch of /quiet is added automatically. The installer packages should detect that the installation is occurring in the SYSTEM context and automatically install in silent mode; however, this does depend on how the software publisher created the package.

If an application installation requires user context, it probably cannot be deployed by using Microsoft Intune.

Test the software package in System Context

You should test the package before trying to deploy it with Microsoft Intune to confirm that the package installs silently in System Context. Below is one example of how you can test your package.

1. Download PSTools (see http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx).

2. Open an elevated admin Command Prompt (Run as administrator).

3. Change to the folder that contains PsExec (unless PsExec is already in a folder in your PATH) and type the following line (-i is for interactive, -s is to run as System).

      psexec -i -s cmd.exe

4. Hit ENTER.

5. Another Command Prompt window will open after hitting “Enter” above. Verify that you are now running as System by executing the command whoami. The reply should be “nt authority\system”.

6. If you are not sure what switches to use, try executing the package with a switch of /? or /help. See the list of known switches below for some common examples.

In my example using Skype, even though it’s an MSI package I still needed to find additional switches because it’s trying to install with user interaction:

The package needs to install with no UI prompts (aka “Unattended” mode) because the Intune service uses the Windows Update service account to install software. For my Skype example, since Intune adds a /Quiet switch for MSIs, we just need to add the /passive and /qn switches to turn off any user interaction attempts.

7. Change directory to the deployable package and run it with the appropriate silent switches. If the installation fails completely, you will need to research what possible switches will force the package to install via the System account. If your software manufacturer is unable to assist with this task then you can search in Bing for “How to deploy ‘X’ silently.”
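
The steps above can be wrapped in a small test harness. This is an added example, not part of the original article or any Microsoft tooling; the script name Test-SilentInstall.ps1, its parameters and the 15-minute timeout are assumptions. It confirms the SYSTEM context, adds the same /quiet or /Install switch the article says Intune adds, and treats a run that never exits as an installer waiting for user interaction.

```powershell
# Added example. Run from the SYSTEM prompt opened by: psexec -i -s cmd.exe
#   powershell -File .\Test-SilentInstall.ps1 -Path C:\Temp\app.msi -Arguments "/passive /qn"
param(
    [Parameter(Mandatory)] [string] $Path,   # installer under test (.msi or .exe)
    [string] $Arguments = '',                # extra silent switches being evaluated
    [int] $TimeoutMinutes = 15               # assumed limit; raise it for large packages
)

# Same check as whoami: refuse to continue unless the token is LocalSystem.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsSystem) { throw "Running as $($me.Name), expected NT AUTHORITY\SYSTEM." }

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
if ($file.Extension -ieq '.msi') {
    # Mirror the /quiet switch that Intune adds for MSI packages.
    $exe     = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $cmdArgs = "/i `"$($file.FullName)`" /quiet $Arguments"
} else {
    # Mirror the /Install switch that Intune adds for EXE installers.
    $exe     = $file.FullName
    $cmdArgs = "/Install $Arguments"
}

$proc = Start-Process -FilePath $exe -ArgumentList $cmdArgs.Trim() -PassThru
$null = $proc.Handle   # cache the handle so ExitCode is readable after exit

if (-not $proc.WaitForExit([int]($TimeoutMinutes * 60000))) {
    # No exit within the limit: most likely a hidden prompt waiting for input.
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    throw "No exit after $TimeoutMinutes min; the package is probably waiting for user interaction."
}

# 3010 and 1641 are Windows Installer codes; EXE installers may define their own.
switch ($proc.ExitCode) {
    0       { 'Installed silently as SYSTEM.' }
    3010    { 'Installed silently; restart required (msiexec 3010).' }
    1641    { 'Installed silently; installer initiated a restart (msiexec 1641).' }
    default { throw "Installer exited with code $($proc.ExitCode)." }
}
```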

Lastly, I often recommend a test deployment of the software as Available to Users, then manually installing it from https://portal.manage.microsoft.com on at least 1 machine to confirm everything is working as intended before deploying it to everybody. If it doesn’t appear to do anything then check the following log to confirm your package has attempted installation:

C:\Program Files\Microsoft\OnlineManagement\Logs\updates.log

Also note that if the package starts installation and the log shows it not progressing for several hours, then it is likely hung waiting for user interaction.

Deploying scripts or batch files

The Intune Service is normally only able to deploy MSI or EXE files, but many customers would like to use the service to deploy custom scripts or batch files. Even if you convert them to EXEs, you may find some limitations deploying in the SYSTEM context. However, there are a few 3rd party solutions you can use to accomplish this, and an Internet search for the phrase ‘Intune deploy script’ should get you started. Keep in mind that even though 3rd party solutions exist, this is not a scenario officially supported by Microsoft.

List of most common switches for software deployment

  • Lync 2010 (EXE): /silent
  • Skype (EXE): /verysilent
  • Skype (MSI): /passive /qn
  • IE10 (EXE): /quiet /passive /norestart
  • IE11 (EXE): /quiet /norestart
  • Notepad++ (EXE): /s
  • Firefox (EXE): -ms
  • Adobe Reader (EXE): /sAll /rs /msi EULA_ACCEPT=YES

 

Joel Stevens, Support Escalation Engineer
Microsoft Enterprise Cloud Group


Comments (2)

  1. Oleksii says:

    Seems during installation of MSI using MDM, Intune removes source files from systemprofile\appdata\local\mdm\{GUID}.msi

    When MSI tries to self-heal, an error appears

  2. Noor says:

    What is the switch for OneDrive for Business (new gen client)?
