NOTICE: it is easier to use Device Configuration Scripts now that this feature has been released in Intune.
A second case, comparable to EMS case: distributing Office templates and macro’s to your users on Windows 10 mobile managed Azure AD Joined devices.
In this case I will show you how to package and distribute a Powershell script (OnedriveMapper in this case) through Intune to MDM enrolled Windows 10 devices.
Requirements:
- A test user with an EMS licence (or seperate Azure AD Premium and Intune)
- Source file of the script
- Advanced Installer (free license)
Steps:
First, let’s start a ‘Simple’ project in Advanced Installer, this does not require a license. Navigate to Files and Folders and create a Program Files folder for your script, add your script there. My script also writes a log file, so I also created a folder for the script under Application Data to keep user specific logs:
Now we can set a registry to automatically run this script upon login (the famous ‘Run’ key):
As the screenshot should show, I’ve added a REG_SZ key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the name of my script, and execution instructions as the parameter. Advanced Installer has a nice option to insert the final file path upon MSI installation (‘File’ button). Be sure to enclose in quotes, as the path may include spaces:
Powershell.exe -WindowStyle Hidden -ExecutionPolicy ByPass -File “[#OneDriveMapper_v2_41.ps1]”
Now, OnedriveMapper also requires a few additional settings I won’t screenshot but will list here seperately, configuring these will let the script run smoothly:
- HKLM\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize (DWORD, value 1)
- HKCU\Software\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize (DWORD, value 1)
- HKLM\System\CurrentControlSet\Services\Webclient\Start (DWORD, value 2)
- HKLM\System\CurrentControlSet\Services\Webclient\Parameters\FileSizeLimitInBytes (DWORD, value 3221225472)
- HKLM\System\CurrentControlSet\Services\Webclient\Parameters\ServerNotFoundCacheLifetimeInSec (DWORD, value 10)
- HKLM\System\CurrentControlSet\Services\Webclient\Parameters\SupportLocking (DWORD, value 0)
I then also copied the first key that causes the script to run to the HKEY_USERS\.DEFAULT section, this will ensure the script also works for users who have never logged onto the machine.
Now configure the Install Parameters:
Note: if you’re deploying OnedriveMapper to a clean device, I recommend forcing a reboot after install to ensure the WebDav client actually starts.
Now just press the build button in the top left and you’ll end up with a single, clean and working MSI file. Log in to the Intune console, and go to the Apps section.
Click Add Apps and load the on demand configuration tool:
Ensure you have selected “Windows Installer through MDM”, the other methods won’t work.
Accept all other default settings or configure as you please and press Upload.
Once the upload completes, you’ll see the app in the Intune Console, but this won’t distribute the application yet, for that you’ll have to click ‘Manage Deployment” and configure a user based deployment:
And voila, within the hour your devices will have the script and registry keys, and the next time your user logs in the script will execute!
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main]
“DisableFirstRunCustomize”=dword:00000001
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main]
“DisableFirstRunCustomize”=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient]
“Start”=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters]
“FileSizeLimitInBytes”=dword:c0000000
“ServerNotFoundCacheLifetimeInSec”=dword:0000000a
“SupportLocking”=dword:00000000
Worked well with the Internet Explorer way. Now it installs yet does not run. Am I missing somethin?. Can take the PowerShell and right click and run, it will map. It just does not run upon start up. Added the Edge registry and even took it off. Moved policies to HKEY_LOCAL_MACHINE and well as run command
Hi Jos,
Following on from Darren’s post below. We managed to get the MSi to deploy once the MDM elements were sorted. One last error we need some guidance on please. The HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run entry is going in fine for the first user but not for anyone else logged in.
Any ideas why it isn’t duplicating??
Hi Jos,
Just been following this article, If I deploy the MSI with ‘Windows Installer for MDM’ it never gets seen by the machines and therefore never gets deployed. If I use ‘Windows Installer for PC Agent’ it deploys everything except the Reg Key ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’
Any Ideas what I can try?
Kind Regards
Darren
Bedankt voor het delen Jos, heeft me op de goede richting geholpen bij doorvoeren van wat IE instellingen.
Echter is HKEY_USERS.DEFAULT volgens my van het system account en niet het default account. Nieuwe accounts krijgen bij mij in ieder geval de settings niet me en als ik diverse artikelen lees via Google zou dat dus komen doordat het van het system account is.
Groet,
Peter
My MSI fails on modifing the SoftwarePoliciesMicrosoftInternet ExplorerMainDisableFirstRunCustomize value which fails the deployment via InTune – is this required?
[…] Can now be deployed to MDM Intune managed Windows 10 devices […]