Since Microsoft Intune is a cloud based service it’s being updated frequently and this time around Microsoft has some great additions in store. In this blog post I will talk about the new capability to deploy a Windows Installer package (MSI) for devices that are managed through MDM, in other words being treated as a Mobile Device. Previously, you were only able to deploy appx, xap and appxbundles for Mobile Devices, but today you’re now able to also manage MSI installations. This is a great feature if you ask me, and proves that Microsoft is evolving the management capabilities for devices being managed as Mobile Devices through OMA-DM.
Windows Installer for Windows 10 devices through MDM
Importing and modifying software in Microsoft Intune are handled by the Microsoft Intune Software Installer Publisher and requires .NET Framework 4 Full and a restart before you can begin to use it. In order to publish and deploy a Windows Installer file for Windows 10 devices that are managed as MDM devices, there are a few rules and restrictions that you need to be aware of before you go ahead:
- You can only upload a single file with the extension .msi
- The file’s product code and product version are used for app detection
- The default restart behavior of the app will be used. Intune does not control this
- Per user MSI packages will be installed for a single user
- Per machine MSI packages will be installed for all users on the device
- Dual mode MSI packages currently only install for all users on the device
- App updates are supported when the MSI product code of each version is the same
You can read more about app deployment with Microsoft Intune on the following link:
Publish a Windows Installer software
Update! With the release of Windows 10 1511 (TH2), you’re now able to deploy Windows Installer packages through the MDM agent. Although it seems that you’re only able to run the installation ‘As soon as possible’, while scheduling is not yet available.
Before we can deploy a Windows Installer software to any device, we need to publish it within Microsoft Intune first. In this demonstration I will publish 7-zip, that you can download here.
- Go to manage.microsoft.com and login with your Global Administrator account for Microsoft Intune.
- Click on Apps and then click on Add Apps.
- The Microsoft Intune Software Publisher will now start. Click on Next at the Before you begin page.
- Select Software installer for how this software is being made available to devices and select Windows Installer through MDM (*.msi) as the software installer type. Click Browse and select the MSI file, in this case I’ve downloaded 7-zip 9.20 x64 to C:\Install.
- Enter the following information:
Publisher: Igor Pavlov
Name: 7-zip 9.20 x64
Description: Compression software
URL for software information: https://www.7-zip.org
Category: Other AppsWe will skip the icon and making the app a featured app this time around, since this is just a demonstration. Click Next.
- Select the architecture of the Windows Installer package. In this case I’ve chosen the 64-bit version of 7-zip. Do not make any selection as for the operating system and click Next.
- On the Command line arguments page, supply any parameters for the Windows Installer. Remember that these parameters that are intended for the package, not for msiexec. Click Next.
- If you’re satisfied with what you’ve configured as shown in the summary, click Upload.
- Microsoft Intune Software Publisher will now start to upload your Windows Installer package with the configurations you’ve made.
- Once the upload has completed, click Close.
- Go to Apps in the console and make sure your new app is selected. Click on Manage Deployments.
- Select a group that contains your Windows 10 devices that are managed as mobile devices. Click Next.
- Choose Required Install in the Deployment column, and select As soon as possible in the Deadline column. If you’d choose Available Install instead in the Deployment column, the app will be made available in the Company Portal app for users to install it on demand. Click Finish.
App deployment information
At this point we’ve published the 7-zip app to Microsoft Intune and deployed it to a group of mobile devices. Since we choose the Deadline option of As soon as possible, it means that during the next synchronization Microsoft Intune will scan devices in the select group(s) and then deploy the app. This results in that the app is not deployed immediately as the meaning of the Deadline option would suggest. Below is a list of options that are available as Deadlines and what they in fact mean:
|None||Deploys the app based on the agent policy settings|
|As soon as possible||During the next synchronization, Microsoft Intune scans devices in the selected groups, and then deploys the app. For more information about how to schedule synchronization, see Use policies to manage computers and mobile devices with Microsoft Intune|
|One week||This option deploys the app package one calendar week from the current day|
|Two weeks||This option deploys the app package two calendar weeks from the current day|
|One month||This option deploys the app package one calendar month from the current day|
|Custom||This option lets you set a specific date and time for the app package to deploy|
I’m really excited about the fact that more and more features that previously have been possible to perform with the Intune agent are coming to mobile devices. In fact, being able to deploy a Windows Installer package through OMA-DM is really cool. In the near future I hope to see more features like this coming to the mobile device management area, making it ever better than it already is.
What advantages does the Intune Client has? It looks like it’s better to manage W10 with the MDM agent.
How are you enrolling your Windows 10 device with Intune? I’ve found that If I use auto-entrollment via AAD or enroll via Work Access within Windows 10, the machine registers as a mobile device and MSI deployments never run.
If I install the Intune Client Software instead, the device enrolls as a Computer and MSI deployments install successfully.
As it states in the post, this functionality is not working for devices managed as mobile devices as of yet. Microsoft has claimed that there’s an announcement coming in regards to this (and most likely additional things).
Should this now work with the new build?
[…] Microsoft Intune now makes it possible to deploy MSI based installs to Windows 10 devices through MDM. Pretty freaking cool, previously you’d have needed something like an agent installed on the machine. Now we make it happen in MDM and Nickolaj has a great post on Deploying a Windows Installer package with MDM. […]
What I find weird as an Windows Installer guru is that the ProductCode and ProductVersion are used for product detection. Common sense would be that the UpgradeCode would be used alongside ProductVersion as that’s what is being used by Windows Installer to determine whether a older/newer ProductVersion is installed of the same (!) product using the Upgrade table.
I think that Microsoft has some work to do here, but I wanted to highlight this functionality because I believe it’s the right focus forward.