MSEndpointMgr

How to Automatically Update Apps in Intune with Dynamic Win32 App Deployment  

Greetings, fellow IT admins! Repackaging setup files and editing your Win32 app again can be tedious and time-consuming. Thankfully, I bring you good news! There is a way to deploy a Win32 app and have it always install the latest version of the app on the computer. 

To achieve this, we will deploy a PowerShell script as a Win32 app. This script will grab the latest version from the vendor’s site, download it, and then install it on the end computer. IT admins will not have to repackage the same app over and over again, edit their Win32 apps with every patch, and all your new devices/users will always get the latest version of the application.  

PowerShell Script Logic Overview 

The core logic of deploying Win32 applications via Intune with dynamic updates involves scripting the automated process of fetching the latest version of an application from the internet, downloading it, and executing the installation on the endpoint. The script can be summarized into several key steps: 

  1. Define the Application’s Permalink: The script starts by specifying the permanent link (permalink) to the latest version of the application. This link is usually provided by the software vendor and points to an executable or MSI package that always downloads the most recent version available. 
  2. Download the Latest Application Version: Utilizing PowerShell’s Invoke-WebRequest cmdlet, the script fetches the application package from the specified permalink. 
  3. Execute the Installation: With the latest version downloaded, the script then executes the installer. For MSI packages, this might involve msiexec with appropriate switches; for executables, direct execution with parameters might suffice. 
  4. Post-Installation Verification: Finally, the script can verify the successful installation by checking for the application’s presence, version number, or other success criteria. 


Finding the Permalink 

The hardest and most important step is finding the permanent download link (aka permalink) for the target application, which will enable the download of the latest version of the application. Find the permalink by either exploring the vendor’s website, reading documentation and release notes, or simply reaching out to the vendor and asking them for it. 

For this example, we will deploy Zoom. See the appendix section below to see a few common apps and their permalinks. 

Building the Script 

Once you find the permalink, it’s time to build the script. You can copy the full script from my GitHub here. I have added comments in the script to assist you in understanding it. 

<#
.SYNOPSIS
    Script to install or uninstall latest version of Zoom via PowerShell. This script can be packaged as win32 app and then deployed via intune.

.DESCRIPTION
    This script allows you to install or uninstall Zoom on a Windows system.
    
.NOTES
    Author: Lovepreet Singh (Recast Software)
    Date: March 13, 2024
    Version: 3.0
    
    This script is provided as-is and without warranty. Use it at your own risk.

.Usage
    Copy and paste the commands below into a Command Prompt (run as admin), or into the Intune install/uninstall command fields.

    For Install:> Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\Install_Zoom.ps1 -Install
    For Uninstall:> Powershell.exe -NoProfile -ExecutionPolicy ByPass -File .\Install_Zoom.ps1 -Uninstall
    
#>

param (
    [switch]$Install,
    [switch]$Uninstall
)

# Give the app a name and specify the permalink
$AppName = "Zoom"
$DownloadURL = "https://zoom.us/client/latest/ZoomInstallerFull.msi?archType=x64"

# Specify the full path to the MSI file. In my case I am storing it in the Temp folder.
$MSIFilePath = "$env:TEMP\$AppName.msi"

if ($Install) {
    $InstallCommand = "msiexec /i '$MSIFilePath' /qn"

    # Suppress progress reporting
    #By suppressing the progress bar, the download speed increases 10x. This is a global variable used by powershell itself.
    $ProgressPreference = 'SilentlyContinue'     

    # Download the MSI file
    Invoke-WebRequest -Uri $DownloadURL -OutFile $MSIFilePath

    # Install Zoom silently and enable Zoom auto updates
    Start-Process -FilePath "msiexec" -ArgumentList "/i `"$MSIFilePath`" /qn /lex zoommsi.log ZoomAutoUpdate=1" -Wait

    # Remove the downloaded MSI file
    Remove-Item -Path $MSIFilePath -Force
}

# Below is the Uninstall branch of this script. At first I wanted to copy the Install branch and just replace /i with /x to uninstall. But this is a bad idea. Why?
# Maybe the user will uninstall after 6 months; by then Zoom might have a new version with a new MSI and a different MSI product code, so the uninstall can fail. Instead we will use the method below.

elseif ($Uninstall) {

    $Query = "SELECT * FROM Win32_Product WHERE Name LIKE '%$AppName%'"

    # Query for products that match the criteria (this can return none, one, or several product codes)
    $Products = Get-WmiObject -Query $Query | Select-Object -ExpandProperty IdentifyingNumber

    # Uninstall each matching product silently; nothing runs if no product was found
    foreach ($Product in $Products) {
        Start-Process -FilePath "msiexec" -ArgumentList "/x $Product /qn" -Wait
    }

}
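The install branch above executes whatever the permalink returns, in the context Intune runs the install command in, so the download is worth checking before msiexec touches it. The following is an added example, not part of the original script or the author's GitHub version: it validates the MSI's Authenticode signature and signer name and passes msiexec's exit code back to Intune. `$ExpectedPublisher`, `Test-InstallerSignature` and the per-run working folder are assumptions introduced here.

```powershell
# Added example: verify the downloaded MSI before installing it.
# $ExpectedPublisher is an assumption; confirm it against an installer you already trust.
$DownloadURL       = "https://zoom.us/client/latest/ZoomInstallerFull.msi?archType=x64"
$ExpectedPublisher = "Zoom Video Communications, Inc."

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Publisher
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted
    if ($sig.Status -ne 'Valid') { return $false }
    # Compare the certificate subject's simple name (CN) with the expected publisher
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    return ($signer -eq $Publisher)
}

# Use a fresh, uniquely named working folder instead of a fixed file name in Temp
$WorkDir = Join-Path $env:TEMP ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $WorkDir -ErrorAction Stop | Out-Null
$MSIFilePath = Join-Path $WorkDir "Zoom.msi"

$ExitCode = 1
try {
    $ProgressPreference = 'SilentlyContinue'
    Invoke-WebRequest -Uri $DownloadURL -OutFile $MSIFilePath -UseBasicParsing -ErrorAction Stop

    if (Test-InstallerSignature -Path $MSIFilePath -Publisher $ExpectedPublisher) {
        $proc = Start-Process -FilePath "msiexec.exe" -Wait -PassThru `
            -ArgumentList "/i `"$MSIFilePath`" /qn ZoomAutoUpdate=1"
        # Return msiexec's own code: 0 = success, 3010 = success, reboot required
        $ExitCode = $proc.ExitCode
    }
    else {
        Write-Warning "Signature check failed for $MSIFilePath; installer was not run."
    }
}
finally {
    # Clean up the download whether or not the install ran
    Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
exit $ExitCode
```

A non-zero exit code makes the failed check visible in Intune as a failed install rather than a silent no-op.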

Packaging the Script 

Now that you have the .ps1 script file downloaded and edited (if needed), it’s time to package it. We will use the Microsoft Win32 Content Prep Tool. Download it here

For more information on this tool visit https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-prepare.

Using the Win32 Content Prep Tool 

Refer to this article to learn how to package using the Win32 content prep tool. There are three major differences for us in this scenario compared to the article: 

  1. We will use “Install_Zoom.ps1” as the setup file instead of “Zoom.msi”.
  2. We will use our custom Install and Uninstall commands in the Intune Win32 application setup.
  3. For the Detection Rule, we will use the file version.


Note: while this method is great for ensuring that new users and devices will always get the latest version available, it is not perfect. For example, when a newer version of Zoom is released after 5.17.11.34827, the detection rule will read it as already installed because “Greater than or equal to 5.17.11.34827” will be true for all new versions. 

Thankfully, Zoom has a prebuilt MSI switch (ZoomAutoUpdate=1) as shown in the script, which will always keep Zoom updated. However, this switch may not be available for other applications. 

Customization Examples 

Sysadmins can tailor the script to suit specific needs or environments. Below are examples of potential customizations: 

Custom Installation Paths: By adding parameters to the installation command, you can specify custom installation directories, which is useful for managing disk space or adhering to organizational policies. 

Start-Process 'msiexec' -ArgumentList '/i downloadedApp.msi TARGETDIR="C:\CustomPath" /qn' -Wait

Version Check and Conditional Installation: Introduce logic to compare the currently installed version (if present) with the version available for download. Only proceed with the download and installation if the downloaded version is newer. This involves querying the installed applications using Get-WmiObject or Get-ItemProperty and parsing version numbers. 

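# Read the version of the target app only; the Uninstall key lists every installed product
$installedVersion = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
    Where-Object { $_.DisplayName -like '*Zoom*' } |
    Select-Object -First 1 -ExpandProperty DisplayVersion
$latestVersion = "X.Y.Z" # This would be dynamically determined or fetched

# Cast to [version] so the comparison is numeric rather than a string comparison
if (-not $installedVersion -or [version]$installedVersion -lt [version]$latestVersion) {
    # Download and install logic here
}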

Handling Special Installation Flags: Some applications require special flags for silent installations or additional configurations. Embedding these into the script ensures that installations are unattended and conform to required settings. 

Start-Process 'downloadedApp.exe' -ArgumentList '/S /NoRestart' -Wait

Logging and Notifications: Enhancing the script with logging functionality can help in troubleshooting and auditing. Additionally, integrating notification mechanisms, such as sending an email or posting to a web service when the installation process completes or fails, keeps relevant stakeholders informed. 

Try {
    # Installation logic here 
    Write-Output "Installation successful" | Out-File -FilePath "installation.log"
    # Optionally send a success notification 
} Catch {
    Write-Output "Installation failed" | Out-File -FilePath "installation.log"
    # Optionally send a failure notification 
}

Automatically Update All Apps 

If you are looking for a more complete and comprehensive third-party application lifecycle management tool, which will create, deploy, update, retire, and delete your applications automatically, check out Application Manager by Recast Software.  

This eBook also gives some good perspective on the challenges and risks of manually patching apps. 

Appendix 

Recast Software

Makers of Right Click Tools for Microsoft #MEMCM, used by hundreds of thousands of organizations, impacting millions of devices (and people). #ConfigMgr #SCCM
