Intune Application Model Deployment Guide | MEM

Let’s go through the Intune Application Model Deployment Guide. In this video guide, you will see how to use the Intune application model to deploy applications. The following is the step-by-step guide to creating the Intune application model.

NOTE! – The Intune application model adds new features with every new version of Intune. Check out the references section of this post to get the latest documentation from Microsoft.

Introduction

The simple MSI deployment option in Intune is called a Line-of-Business (LOB) app (“strangely though”). With the Intune Line-of-Business app option, you can only deploy simple MSI apps.

LOB MSI App deployment – Intune Application Model Deployment Guide

In this post, I’m not going to cover “Simple MSI app” deployment using the Intune Line-of-Business app. I covered that a long time ago: https://www.anoopcnair.com/intune-azure-end-end-msi-lob-app-deployment-video-guide/

In this post, I’m going to cover Windows app (Win32) (the real Intune app model). Windows app (Win32) is a beast that is similar to the SCCM application model.

MSI LOB Application Vs Intune Application Model

Intune LOB applications are technically deployed through the Windows 10 built-in MDM agent.

The Intune application model uses a special package called IntuneWin. Most importantly, the IntuneWin package is NOT handled by the Windows 10 built-in MDM agent.

IntuneWin app installation is handled by a new agent called the Intune Management Extension. The Intune team created this client agent only for IntuneWin application deployments. Also, this Intune extension agent is not part of the core Windows 10 OS.

MSI Vs IntuneWin – Intune Application Model Deployment Guide

Create IntuneWin Packages

You need to use a special package called “IntuneWin” to create the Intune Application Model. Vimal explained how to create IntuneWin packages using the Command Line tool by Microsoft here.

You can use a GUI tool called “Smart Package Studio” to create IntuneWin packages. IntuneWin packages can be used while creating the Intune App model as you can see in the below sections.

Check out my previous post for more details about converting MSI packages into IntuneWin packages – Convert MSI to IntuneWin Packages Smart Package Studio IntuneWin Tool

Learn How to Convert MSI Packages to IntuneWin Package - Home
IntuneWin – Intune Application Model Deployment Guide

Specify the Software Setup File

  • Navigate to Client apps > Apps > Add from the Intune blade.
  • Select Windows app (Win32) – the Intune application model – from the drop-down list in the Apps blade.

Upload the App Package File (IntuneWin)

Configure App Information

  • Select App information to configure the app. Make sure you provide the following information wherever required. Some of the information will get populated automatically depending on the package.
    • Name:
    • Description:
    • Publisher:
    • Category:
    • Display this as a featured app in the Company Portal
    • Information URL:
    • Privacy URL:
    • Developer:
    • Owner:
    • Notes:
    • Logo:
  • Select OK.
App Information – Intune Application Model Deployment Guide

Configure App Installation Details

  • Select Program to configure the app installation and uninstall command lines for the Intune application. You can get this information from the Smart Package Studio IntuneWin package.
  • Add the complete uninstall command line to uninstall the app based on the app’s GUID. You can get the MSI product code from the above Intune packaging tool.
  • Select OK.
Intune Application Model Deployment Guide

Configure App Requirements

In the Add app pane, select Requirements to configure the requirements that devices must meet before the app is installed.

  • In the Add a Requirement rule pane, configure the following information.
    • Minimum operating system:
    • Disk space required (MB):
    • Physical memory required (MB):
    • Minimum number of logical processors required:
    • Minimum CPU speed required (MHz):
  • Click Add to display the Add a Requirement rule blade
  • Select the Requirement type to choose the type of rule that you will use to determine how a requirement is validated.
  • File: When you choose File as the Requirement type, the requirement rule must detect a file or folder, date, version, or size.
    • Path
    • Property
    • Associated with a 32-bit app on 64-bit clients
  • Registry: When you choose Registry as the Requirement type, the requirement rule must detect a registry setting based on value, string, integer, or version.
    • Key path
    • Value name
    • Registry key requirement
    • Associated with a 32-bit app on 64-bit clients
  • Script: Choose Script as the Requirement type, when you cannot create a requirement rule based on file, registry, or any other method available to you in the Intune console.
    • Script file
    • Run script as 32-bit process on 64-bit clients
    • Run this script using the logged on credentials
    • Enforce script signature check
    • Select output data type
  • Select OK.
Configure App Requirements – Intune App Model Deployment

Configure App Detection Rules

  • Select Detection rules to configure the rules to detect the presence of the app.
  • In the Rules format field, select how the presence of the app will be detected.
  • Manually configure detection rules – You can select one of the following rule types (you can get the information from the Smart Package Studio IntuneWin package):
  • MSI
    • MSI product code
    • MSI product version check
  • File
    • Path
    • Detection method
    • Associated with a 32-bit app on 64-bit clients
    • Select No (default) to expand any path variables in the 64-bit context on 64-bit clients.
    • Examples of file-based detection
  • Registry – Verify based on value, string, integer, or version.
    • Key path
    • Value name
    • Detection method
    • Associated with a 32-bit app on 64-bit clients
  • Use a custom detection script
    • Script file
    • Run script as 32-bit process on 64-bit clients
    • Enforce script signature check
  • Select Add > OK
Configure App Detection Rules – Intune Application Model Deployment
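
A script for the “Use a custom detection script” option above, as an added example that is not from the original post. The Intune Management Extension treats the app as detected only when the script exits with code 0 and writes something to STDOUT; the product code and minimum version below are constructed placeholders.

```powershell
# Added example: custom detection script for a Win32 (IntuneWin) app.
# Constructed placeholders, replace with the values from your own package:
$ProductCode = '{00000000-0000-0000-0000-000000000000}'  # MSI product code (placeholder)
$MinVersion  = [version]'1.0.0'                          # lowest version that counts as installed

# MSI installs register under Uninstall\<ProductCode>. Check both registry views.
# If "Run script as 32-bit process on 64-bit clients" is Yes, HKLM:\SOFTWARE is
# redirected to WOW6432Node, so both paths resolve to the 32-bit view.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

$entry = $roots |
    ForEach-Object { Join-Path $_ $ProductCode } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1 |
    ForEach-Object { Get-ItemProperty -LiteralPath $_ }

# No uninstall entry: exit non-zero and write nothing, so the app is "not detected".
if (-not $entry) { exit 1 }

# DisplayVersion is a string; a missing or malformed value must not count as installed.
$installed = $null
if (-not [version]::TryParse([string]$entry.DisplayVersion, [ref]$installed)) { exit 1 }

if ($installed -ge $MinVersion) {
    # Exit code 0 plus data on STDOUT is what marks the app as detected.
    Write-Output "Detected $ProductCode version $installed"
    exit 0
}

# Present but older than required: report as not detected so the install runs.
exit 1
```

With “Enforce script signature check” set to Yes, the script has to be signed (for example with Set-AuthenticodeSignature) by a publisher the devices trust.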

Configure App Return Codes for Intune Application Model

  • Select Return codes to add the return codes used to specify either app installation retry behavior or post-installation behavior.
  • In the Return codes pane, add additional return codes, or modify existing return codes.
    • Failed
    • Hard reboot
    • Soft reboot
    • Retry
    • Success
  • Select OK.

Upload App – Intune Application Model

In the Add app pane, verify that you configured the app information correctly and select Add to upload the app to Intune.

Dependencies

Application dependencies are applications that must be installed before the actual application (which you are going to deploy) can be installed. The Intune application model provides options to include dependencies.

Dependencies – Intune Application Model

NOTE! – The maximum number of dependencies you can have in the Intune application model is 100.

More details about dependencies can be found in the Microsoft documentation here.

Deployment of Application in Intune

  • Select Assignments.
  • Select Add Group to open the Add group pane that is related to the app.
  • For the specific app, select an assignment type:
    • Available for enrolled devices
    • Required
    • Uninstall
  • Select Included Groups and assign the groups that will use this app.
  • In the Assign pane, select OK to complete the included groups selection.
  • Select Exclude Groups if you want to exclude some devices/users.
  • Select OK.
  • Select Save.

Resources

Intune Tenant Status Page – How to Get the Release Version of Intune Tenant?

In this post, you will learn how to get the details of the Intune version of your tenant. Many times I was wondering why I didn’t have the newer features in my Intune console. Microsoft mentioned in the blog post that these features are released, but those new Intune features are not available in my Intune. What is the Intune Tenant Status blade?

Update – The Service Health section doesn’t have anything to do with the cases raised by a customer; it shows any service incidents/outages active on that tenant.

[Related Topic – List of Intune Versions since 2009] Coming Soon

You can get better answers to all the above questions related to Intune new features and versions in the new Intune Status page.

Intune Version Details – Where in Intune console?

  • Login to Azure Portal – https://portal.azure.com/
  • Navigate to Intune blade
  • Click on Intune > Tenant Status
  • Intune Tenant Status blade – Tenant Details section will give you the following details
    • Tenant Name – [email protected]
    • Tenant Location – Asia Pacific 0201
    • MDM Authority – Microsoft Intune
    • Account Status – Active
    • Service Release – 1812
    • Total Enrolled Devices – 1000?
    • Total Licensed Users – 4000?
    • Total Intune Licenses – 6000?
  • Intune Tenant Status blade -> Connector Status section will give you the following details
    • Header Details – Connector Status – 0 unhealthy
    • Status – Connector Name – Time Stamp
      • Not Enabled – APNS Expiry Date – 08-02-2019 11:20:06
      • Healthy – DEP Last Sync Date – 08-02-2019 11:20:06
      • Warning – VPP Last Sync Date – 07-02-2019 1:23:12
      • Not Enabled – Managed Google Play App Sync – N/A
      • Healthy – Microsoft Auto Pilot Last Sync Date – 08-02-2019 11:20:06
  • Intune Tenant Status blade -> Intune Service Health section will give you the following details
    • Intune Service Health – 0 total
      • Status – ID – Title – User Impact – Start Time – Updated
      • No active Intune incidents or advisories
    • Intune Service Health – 0 total
      • You don’t have permissions to see this. Click to add your account to the appropriate role in portal.office.com to gain access
      • Status – ID – Title – User Impact – Start Time – Updated
      • See past Incidents/Advisories
  • Intune Tenant Status blade -> Intune News section will give you the following details
    • Intune News – 0 active
      • You don’t have permissions to see this. Click to add your account to the appropriate role in portal.office.com to gain access
      • Act By – Category – Message Title – Published – Message ID
Intune Tenant Status Page

Access Issues – Intune Tenant Status

Intune Blade Access

Do you have access issues with Intune tenant status? You need to have the related access to the Intune blade. More details are in the Intune RBAC blog post.

Intune Service Health Access

To check the Intune Service Health section (Intune Tenant Status), you need the following access: you should have Service Administrator or Global Administrator access.

  • To assign these permissions, sign in to the Microsoft 365 admin center with Global Administrator permissions.
  • Select Users > Active Users, and then select the account that requires access.
  • Select Edit for Roles, select Service Administrator or Global Administrator.
  • Save your edit to assign the permissions.

Intune News Access

To view Intune news communications from the Intune service team, you need to have additional permissions. Otherwise, you will get access denied errors as you can see below.

You don’t have permissions to see this. Click to add your account to the appropriate role in portal.office.com to gain access.

To view Intune News details, your user account must have the Global Administrator or Service Administrator role in AAD. Otherwise, you need to be assigned the Message Center reader role in the Office Admin portal.

  • Sign in to the Microsoft 365 admin center with administrator permissions.
  • Select Users > Active Users, and then select the account that requires access.
  • Select Edit for Roles, select Teams Communications Administrator.
  • Save your edit to assign the permissions.

Resources

List of Online SCCM Intune Communities – 2019

Happy new year 2019 and wishing you all a blessed year 2019! I would like to throw back to the list of online SCCM Intune communities. Hopefully, these communities will help keep you updated with SCCM and Intune.

#Throwback A complete List of Online SCCM Intune Communities which you should be part of – in 2019 #MSIntune #Intune #SCCM #ConfigMgr #ITPros #MVPBuzz

I thought of giving the details of all the online IT Pro communities related to SCCM, Intune, Azure, and Windows. I’m going to provide all the online IT Pro communities. The following is the list of Online SCCM Intune IT Pro Communities for 2019.

Online SCCM Intune Communities
Facebook
Linkedin
Twitter
Reddit
Technet Forum

Online SCCM Intune Communities

SCCM Intune Online Community 2019

The SCCM Intune online IT Pro communities of 2019 include SCCM community groups, Facebook community groups, and LinkedIn community groups. I would recommend joining the following online communities.

Resources

Why Should You Download & Install Windows 10 SDK & Tools

Intune Certificate Deployment Step by Step Guide

The first step before deploying a SCEP certificate is to check the prerequisites of Intune certificate deployment. I’m going to share the details of Microsoft PKI related certificate deployments in this video post. If you have a non-Microsoft PKI environment, you need to check the supportability of Intune.

SCEP does not support all third-party Certificate Authority (CA) providers. At the recent Ignite, Microsoft announced new third-party certificate authority partners. Recently, Intune included support for device-based SCEP deployment. Intune already supported user-based SCEP certificates.

Newly Announced Certificate Authority Partners

Intune Certificate Deployment

  1. Entrust Datacard
  2. GlobalSign
  3. EJBCA
  4. COMODO
  5. DigiCert
  6. IDNOMIC

The above is the list of third-party CA partners supported by SCEP. Hence you can deploy SCEP certificates from these CAs via Intune. If you have a customer looking for any other third-party CA to support SCEP, you can contact Microsoft and they will be able to help you with the onboarding process.

Prerequisite for SCEP Certificate Deployment via Intune

The following are the prerequisites for Intune certificate deployment (SCEP certificate deployment to users and devices).

  1. PKI or CA infrastructure
  2. NDES Server
  3. Azure AD App Proxy Connector
  4. Microsoft Intune Certificate Connector

I would recommend reading Microsoft documentation to get more details about SCEP or Intune certificate deployment prerequisites.

How to Create a SCEP Certificate

Before deploying a SCEP certificate, you need to deploy the PKI or CA chain of certificates to your devices or users.

  1. Root CA Cert
  2. Intermediate or Issuing CA cert 1
  3. Intermediate or Issuing CA cert 2
  4. Intermediate or Issuing CA cert 3 etc..
  5. SCEP Certificate issuing from CA

You need to make sure all the intermediate or issuing CA certs have already reached the device. Once all the required certs are on the machine, you can deploy the SCEP certificate to the user or device. The device certificate can be secured using the TPM chip.
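
One way to confirm on a device that the CA chain described above has arrived and that an issued certificate chains to a trusted root, as an added example that is not from the original post. The issuing CA name is a constructed placeholder.

```powershell
# Added example: verify that certificates issued by your CA build a complete,
# trusted chain on this device. $IssuerMatch is a hypothetical issuing CA name.
$IssuerMatch = 'CN=Contoso Issuing CA 1'

function Test-CertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only check that the chain builds to a trusted root; revocation is not tested here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $ok = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject    = $Certificate.Subject
        Thumbprint = $Certificate.Thumbprint
        NotAfter   = $Certificate.NotAfter
        ChainValid = $ok
        # Leaf first, root last; a short path points at a missing issuing CA cert.
        ChainPath  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        # Empty when the chain is fine; otherwise flags such as PartialChain or UntrustedRoot.
        Problems   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Device certificates are stored in LocalMachine\My, user certificates in CurrentUser\My.
Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object { Test-CertChain -Certificate $_ } |
    Format-List
```

A PartialChain status means an intermediate or issuing CA certificate has not reached the device; UntrustedRoot means the root CA certificate is not in the trusted root store.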

As I mentioned in the above video, you can log in to the Azure portal with correct Intune RBAC access and create a SCEP certificate deployment profile.

  1. Azure portal
  2. Intune Blade
  3. Device Configurations – Profiles
  4. Create Profile
  5. Platform – Windows 10 or later
  6. Profile Type – SCEP Certificate
  7. SCEP Certificate Type – User or Device
  8. More details available https://www.anoopcnair.com/learn-intune-create-deploy-scep-profile-windows10-devices/

Intune Certificate Deployment SCEP Certificates

Troubleshoot on Intune Certificate Deployment Issue?

I have already shared a post about the Intune application, certificate or profile deployment troubleshooting options. I would recommend reading that post for more troubleshooting details from the Intune side.

The other part of troubleshooting is done from the CA, NDES, NDES Intune connector, Azure App Proxy connector, etc.

https://howtomanagedevices.com/intune-troubleshooting/

Troubleshoot Intune Deployments – Applications Policies Profiles Intune Issues

Troubleshooting Intune deployments is challenging for new admins in the device management world. The above video will help you to troubleshoot Intune deployment issues.

Phases of Intune Troubleshooting

There are FOUR (4) phases in Intune deployment troubleshooting. All four steps are explained in this video. You can find more details below.

  • Server/Cloud Console Side – Intune Health check
  • Server/Cloud Console Side – Intune Troubleshooting Blade
  • Server/Cloud Console Side – Deep dive into Intune App Deployment Troubleshooting
  • Client Side (Device Side) – Troubleshooting Logs/Events etc

It was far more difficult to troubleshoot Intune issues at the time of the Silverlight console. After the migration to the Azure portal, Intune troubleshooting became easier.

How to Start Intune Troubleshooting

  • Login to Azure portal – http://portal.azure.com
  • Navigate to Intune Blade
  • Click on Troubleshoot node
  • Click on Select User button
  • Search and select the user id which you want to troubleshoot
  • Click Select to start Intune troubleshooting
  • The Troubleshooting blade will give you all the details of the selected user
  • Drill down into each part of the troubleshooting guide to get to the root of the Intune issue

Troubleshoot Intune Issues

Most of us know how to start troubleshooting with the Intune Silverlight console. Intune troubleshooting was made easier after the migration to the Azure portal. More details: https://www.anoopcnair.com/start-troubleshooting-intune-policy-deployment-issues/

Troubleshooting Windows 10 MDM issues is pretty new for most of us. The importance of MDM policies is increasing day by day. In this blog post you will see tips to start the MDM way of Windows 10 troubleshooting.

How to Troubleshoot Windows 10 Event Logs

Windows 10 MDM issues can be troubleshot using the registry, WMI, and event logs. More detailed discussions are available in the following blog post – https://www.anoopcnair.com/windows-10-mdm-troubleshooting-guide/

Intune Error Codes Table

Intune error codes help you find the details of Intune apps, Intune policies, and Intune compliance policies. You’ll be able to review application installation status and enrollment status for devices. Here’s a list of user details you can view for each user in the Troubleshooting portal:

  • User status
  • Group assignment
  • Application and policy Assignments
  • App protection Status
  • Compliance issues
  • Device status
  • Device details such as OS type and version

Resource

How to Delete Azure AD Device https://howtomanagedevices.com/delete-azure-ad-devices/

Delete Azure AD Devices – AAD Device Management

Azure Active Directory is an identity solution from Microsoft. But Azure AD helps to perform device management actions also. Most organizations use Intune to manage AAD devices. In this video, you will learn how to delete Azure AD Devices.

The devices registered to Azure AD are visible in the Azure portal. You can log in to the Azure portal with Azure AD admin privileges to delete devices from there. You can also delete Azure AD devices if you have Intune Administrator access.

How to Get Devices into Azure AD Management?

You have two options to get a device under the Azure AD Management.

  • 1. Registering – iOS, Android, and Windows
  • 2. Joining – Windows

In both of the above scenarios, Azure AD devices can be managed by an MDM solution like Intune. Registering a device to Azure AD enables you to manage a device’s identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs in to Azure AD. You can use the identity to enable or disable a device. You can also delete Azure AD devices and remove their identities from AAD.

Delete Azure AD Devices

How To Disable an Azure AD Device

  • Log in to the Azure portal with the required permissions
  • Go to the Azure Active Directory blade in the Azure portal
  • Select the All Devices option
  • Search for the device by Device Name, or search by User Name
  • Select one device and click on the Disable button as shown in the above video

How To Delete Azure AD Devices

  • Log in to the Azure portal with the required permissions
  • Go to the Azure Active Directory blade in the Azure portal
  • Select the All Devices option
  • Search for the device by Device Name, or search by User Name
  • Select one device and click on the DELETE button as shown in the above video

Resource

Learn How to Delete or Disable Devices from Azure Active Directory

What is device management in Azure Active Directory?