Modern Workplace Management - Installing Applications in Order

When developing a process for your Auto-Pilot one of the exercises we normally have to undertake is going through the base applications that we want to set as a standard for all of our endpoints.

One of the obstacles that we may face is that by default we are unable to set a priority or an order list of all of the applications that are to follow, so if we have applications that may have more of a specific dependency than others this can in turn cause issues.

There have been workarounds where an application dependency has been put in place of another application. It doesn't give you great control over the order as such, but it does allow the administrator to know that a specific application will not be installed unless a specific one has been installed first.

My suggested method can be categorized as a workaroud, but perhaps with the creativity of a solution perhaps. The aim of this scenario is to come up with a solution which will help us achieve having a say in which applications can be installed first.

As this feature isn't ready by default yet in Intune, it may sit as a a workaround for now.

Looking at the application types in Intune, the one which fits the closest to a familiarity of an MEMCM. type of package would be the Win32 App, which has to be converted into an IntuneWin file.

My suggestion is that we look to shape and mould a Win32 app, into something similar of an application group in MEMCM. So the idea is to create an application via Win32 App, which contains multiple applications inside of it and then the front base of the installing priority would be defined by a script based installation i.e. PowerShell.

Say for example we have five applications;

The triangle just represents the Auto-Pilot/Enrolment container, and the applications are literally just applications which are aimed specifically to this process. But the selection is at total random. What we want to do is transform it into this.

So what we want is to be able to break the randomization cycle and actually have full control as to what applications install and to which order we want them to be installed.

There are various elements to this so we want to make sure we cover all basis in not just deployment, but also logging as well as successful detection of installations.

First we need to select the applications that we want to add and then we need to be able to obtain all of the installation files so that we can have one consolidated structure. Somewhat like the folder structure below;

To make things flow easier I've removed any spaces from the folders which contain the installation files of each application which we are looking to have.

We will be using a PowerShell Script which will act as the main executable which will then define the order in which we will install the applications and that will be what controls the process.

So below is an example of installing Application 1

What we are doing here is that we have a log file which is then creating locally on the machine with a timestamp, and then the first section is to install Application 1.

Once installed it will then follow exactly where the application has been installed
( Note: Locations and paths can be changed however you see fit)

It will then check to make sure that the executable for application 1 is there and if it is then it will confirm in the log file that application 1 has been successfully installed.

Where the log file is concerned you could place this in the C:\ProgramData\Microsoft\IntuneManagementExtension folder to make the locating of the logs easier and more standardised. The C:\Temp location is really an example of where you can essentially create the log.

Now though we had some sort of a detection method, we ideally want to create more of an official one so that if we are deploying applications which either are exactly the same or perhaps to the same groups in Intune, we don't want to overlap or essentially overwrite this process so we need a unique identifier to mark that this process has been completed.

The best way to do this is by using a registry key to identify its status as well as its successful detection going forward.

So now we will slightly edit the script to show how we would incorporate this into the powershell script and this is now what we have below.

So we have the Create Registry Key line which will set a registry key in which all of the detection methods for each application will be placed in for when we approach them.

So when we look at App 1 , it will run its course of installation but this time it won't just create a log entry to confirm it has been installed but it will now create a registry key value within the key created earlier and will then label this as a value of 1 which would be determined as installed.

If for whatever reason App 1 failed, then we can simply create the same key value but this time mark it as a value of 0  being not installed.

So now if we look at a more complete version of the PowerShell Script this is an idea on how it would look.

So we now see the same types of conditions set for App1 and App2.

Now to complete the overall process we need the final key to confirm that this has actually finished so that the detection method for our Win32 Application passes. So we refer to the last line which will create a registry key value called ApplicationGroup1Status  which we would then mark as 1  for being completed/installed.

Once we have defined everything (and tested hopefully!) then we should be in a position to convert this into an IntuneWin file.

So first we need to obtain the converter tool which can be grabbed from here.

Once downloaded run the utility and enter the details like the following example below;

This should then create your intunewin file.

Now that we have our Application Group 1 intunewin file ready we can now proceed to add this to Intune and into our AutoPilot process. So firstly

• Log into Device Management
• Select the Apps - Windows
• Click the + button create a new app.

Select the Windows app (win32) application and browse to the location in which you have created the intunewin file and select this.

Click OK and then proceed to create the app information for your Application Group then click next.

Proceed to the next page and enter the install and uninstall command for your Application Group.

( Note: If you do want to use an uninstall script then you can create one, but for the purpose of this example you can put in a line if you are not using or intend to uninstall this).

Next is the key element of this whole process which is the Detection Rule . We will define these rules using the registry key which would be created in our script example earlier. Configure the detection rule as seen below.

Skip any unnecessary pages and proceed to deploy the application to your group which is mapped to the Auto Pilot enrolment profile, or if using any other methods proceed to deploy the Application Group to where your Auto Pilot profile is mapped to.

Accept these settings and this should complete the process of creating an Application Group and then deploying it through your AutoPilot enrolment process.

This workaround/solution does contain a lot of elements of rewriting or reinventing the wheel somewhat. And perhaps the drawbacks would be we essentially have to define more in the overall process of detecting and logging when it comes to our mandatory applications which we want for our endpoints when going through the Auto-Pilot process.

But for those who require a lot of applications and also are having to go through setting a lot of dependencies to reduce the chance of further randomization, this method does help in taking back control of how you would want things to be done.