Windows 365 Enterprise- Custom Images

Step by step creating and capturing a custom image for Windows 365 Enterprise

Blog series

Introduction

Windows 365 Enterprise integrates well with Endpoint Manager, so in my opinion your configurations and app deployments should primarily come from there. In some cases, however, not everything you need to configure can (easily) be done with Endpoint Manager; sometimes you run into an installation or configuration that is just really hard to accomplish that way. An example could be installing a language pack (although that is now included in the provisioning policies), and I am sure there are other examples out there. In that case the remaining option is to create your own custom image and deploy that image to your users. In this blog I walk you through the steps for creating a custom image.

Prepare your Master Image

The first step is to create a new Virtual Machine in Azure. It is important that you search for and select a Windows 10/11 Cloud PC image for this VM. Other important steps are that you connect the VM to a network from which you can reach it, and that you disable any boot diagnostics or monitoring options. If you give the VM a public IP address for RDP access, restrict the inbound RDP rule in the network security group to your own address instead of leaving it open to the internet; the master image only needs to be reachable while you build it.

Install apps and configurations

Now please consider the following. Once you have run sysprep and captured the image, the VM is marked as generalized and can no longer be started. This means that if you want to change your master image later on, you would have to reinstall and reconfigure everything. To keep your master image available for future adjustments, it is best to clone the master image VM and sysprep the clone; the original is then preserved. If you want to keep your master image VM for future use, follow along; otherwise skip straight to the sysprep section.

Clone your VM

1 Shut down your master image VM and wait until it is in a deallocated state.
2 Create a snapshot of the disk
2a Go to your master image VM
2b Select Disks

Snapshot disk

2c Select the OS disk
2d Select Create Snapshot

Create snapshot of disk

2e Most settings can be left at their defaults. I would set the storage type to Standard HDD; the snapshot is only read once.

3 Create a new disk from the snapshot
3a Go to your newly created snapshot and select create disk

Create disk from snapshot

3b Here you can also leave all the defaults as they are. Make sure that you select the same disk size as your original VM; by default the size is 128 GB.

Create managed disk

4 Create a new VM from that new disk
4a Go to the newly created disk. From this disk you can now create a new Virtual Machine

Create vm from managed disk

4b Use the same settings as when you created the original Virtual Machine, the only difference should be the image, which should be your created disk.
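The four clone steps above as one Az PowerShell script. This is an added example, not code from the original post. It assumes the Az module, an authenticated session (Connect-AzAccount) and a master VM whose OS disk lives in the same resource group; the resource group and VM names are assumptions to replace with your own.

```powershell
# Added example (not from the original post): the clone steps as an Az PowerShell script.
# Assumes Az module + Connect-AzAccount; names below are assumptions.
$ResourceGroup = 'rg-w365-images'         # assumed
$SourceVmName  = 'vm-w365-master'         # assumed
$CloneVmName   = 'vm-w365-master-clone'   # assumed
$ErrorActionPreference = 'Stop'

# Step 1: deallocate the master VM so the OS disk is consistent (Stop-AzVM deallocates by default).
$vm = Get-AzVM -ResourceGroupName $ResourceGroup -Name $SourceVmName
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $SourceVmName -Force | Out-Null
$location = $vm.Location
$osDisk   = Get-AzDisk -ResourceGroupName $ResourceGroup -DiskName $vm.StorageProfile.OsDisk.Name

# Step 2: snapshot the OS disk. Standard HDD is enough for a snapshot that is read once.
$snapCfg  = New-AzSnapshotConfig -SourceUri $osDisk.Id -Location $location -CreateOption Copy -SkuName Standard_LRS
$snapshot = New-AzSnapshot -ResourceGroupName $ResourceGroup -SnapshotName "$SourceVmName-osdisk-snap" -Snapshot $snapCfg

# Step 3: managed disk from the snapshot with the same size, SKU and Hyper-V generation as the original.
$diskCfg = New-AzDiskConfig -Location $location -CreateOption Copy -SourceResourceId $snapshot.Id `
    -SkuName $osDisk.Sku.Name -DiskSizeGB $osDisk.DiskSizeGB -HyperVGeneration $osDisk.HyperVGeneration
$cloneDisk = New-AzDisk -ResourceGroupName $ResourceGroup -DiskName "$CloneVmName-osdisk" -Disk $diskCfg

# Step 4: new VM that attaches the cloned disk, reusing the master's size and subnet.
# No public IP is created, so the clone is only reachable from inside the virtual network
# (or through Bastion); boot diagnostics are disabled, as in the portal walkthrough.
$srcNic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic    = New-AzNetworkInterface -Name "$CloneVmName-nic" -ResourceGroupName $ResourceGroup `
    -Location $location -SubnetId $srcNic.IpConfigurations[0].Subnet.Id
$vmCfg = New-AzVMConfig -VMName $CloneVmName -VMSize $vm.HardwareProfile.VmSize
$vmCfg = Set-AzVMOSDisk -VM $vmCfg -ManagedDiskId $cloneDisk.Id -CreateOption Attach -Windows
$vmCfg = Add-AzVMNetworkInterface -VM $vmCfg -Id $nic.Id
$vmCfg = Set-AzVMBootDiagnostic -VM $vmCfg -Disable
New-AzVM -ResourceGroupName $ResourceGroup -Location $location -VM $vmCfg
```

If the master VM was created with a security type such as Trusted Launch, give the clone the same security type; attaching the disk copies the OS, not the VM's security settings.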

Sysprepping and capturing your image

Your master image VM is now ready to sysprep. Whether you created a clone or are using the original VM, the next steps are to sysprep the machine and create an image from it. Connect to the VM, navigate to C:\Windows\System32\Sysprep and start sysprep.exe with the following settings:

  • System Cleanup Action: Select Enter System Out-of-Box Experience (OOBE) to configure the behavior on startup
  • Select Generalize
  • Shutdown Options: Select Shutdown
Sysprep

After some time your session disconnects. Wait until the machine is in a stopped state in the Azure portal; when it is, select Capture.

On the Create an image screen it is important to select No, capture only a managed image; Azure Compute Galleries are not supported for Windows 365 custom images. Give your image an easy to recognize name. It is also convenient to select Automatically delete this virtual machine after creating the image, since the machine will no longer function after the sysprep and capture procedure.

Capture image

When everything went successfully you end up with an image.
It is best to test the image by creating a new VM from it and validating that the image works as expected before you hand it to Windows 365.
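The Azure side of the sysprep, capture and validation steps as a script. This is an added example, not code from the original post. It assumes you ran sysprep inside the VM as described above (the /oobe /generalize /shutdown switches are the command-line equivalents of the three settings), that the Az module is installed and you are signed in, and that the names below are replaced with your own.

```powershell
# Added example (not from the original post): wait for the sysprepped VM to stop, mark it
# generalized, capture a managed image and build a throw-away test VM from that image.
# Assumes Az module + Connect-AzAccount; names below are assumptions.
$ResourceGroup = 'rg-w365-images'         # assumed
$VmName        = 'vm-w365-master-clone'   # assumed: the VM you ran sysprep on
$ImageName     = 'img-w365-custom-v1'     # assumed
$TestVmName    = 'vm-w365-imgtest'        # assumed
$ErrorActionPreference = 'Stop'

# 1. Sysprep /shutdown leaves the VM in PowerState/stopped; wait for that, then deallocate.
do {
    Start-Sleep -Seconds 30
    $state = (Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Status).Statuses |
             Where-Object Code -like 'PowerState/*' | Select-Object -ExpandProperty Code
    "$(Get-Date -Format u)  $state"
} while ($state -notin 'PowerState/stopped', 'PowerState/deallocated')
Stop-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Force | Out-Null

# 2. Mark the VM as generalized. After this it cannot be started again, which is why the
#    walkthrough clones the master first.
Set-AzVM -ResourceGroupName $ResourceGroup -Name $VmName -Generalized | Out-Null

# 3. Capture a managed image (not a Compute Gallery image, which Windows 365 does not accept).
$vm       = Get-AzVM -ResourceGroupName $ResourceGroup -Name $VmName
$imageCfg = New-AzImageConfig -Location $vm.Location -SourceVirtualMachineId $vm.Id
$image    = New-AzImage -ResourceGroupName $ResourceGroup -ImageName $ImageName -Image $imageCfg
"Captured image $($image.Id)"

# 4. Validate the image: build a test VM from it on the same subnet as the source VM.
$cred   = Get-Credential -Message 'Local administrator for the test VM'
$srcNic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic    = New-AzNetworkInterface -Name "$TestVmName-nic" -ResourceGroupName $ResourceGroup `
    -Location $vm.Location -SubnetId $srcNic.IpConfigurations[0].Subnet.Id
$testCfg = New-AzVMConfig -VMName $TestVmName -VMSize $vm.HardwareProfile.VmSize
$testCfg = Set-AzVMOperatingSystem -VM $testCfg -Windows -ComputerName 'imgtest' -Credential $cred -ProvisionVMAgent
$testCfg = Set-AzVMSourceImage -VM $testCfg -Id $image.Id
$testCfg = Add-AzVMNetworkInterface -VM $testCfg -Id $nic.Id
$testCfg = Set-AzVMBootDiagnostic -VM $testCfg -Disable
New-AzVM -ResourceGroupName $ResourceGroup -Location $vm.Location -VM $testCfg

# When the test VM has completed OOBE, sign in, check your apps and settings, then remove it:
# Remove-AzVM -ResourceGroupName $ResourceGroup -Name $TestVmName -Force
```

Keep the captured image's resource ID from step 3; that is the image you select when adding it to Windows 365 in the next section.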

New image

Add image to Windows 365

After you have validated the image you can add the image to Windows 365. Go to endpoint.microsoft.com and navigate Devices > Windows 365 > Custom images and select Add.

Give your image a name and a version, select the subscription where you saved your image and select the image you created.

Add image

The image is now uploaded to the Windows 365 service. This can take a while to complete. After the image has been uploaded successfully you can use it in your provisioning policy: instead of choosing a marketplace image you select Custom image, and you should be able to find your newly uploaded image there.

Custom image in provisioning policy

This was the final post of the Windows 365 blog series. I hope the information was useful and you were able to follow the steps.

If you miss any information, please let me know and I will try to incorporate it into the blog series.

Getting started with Windows 365 Business

Step by step deployment instructions of Windows 365 Business

Please read my introduction blog, Starting with Windows 365 if you are looking for Windows 365 basic information.

Blog series

Windows 365 Business – Prerequisites

For Windows 365 Business to work you need to allow users to join devices to Azure AD. You enable this at portal.azure.com by selecting Azure Active Directory, then Devices and Device settings. Here you can select All, or scope it to a group of users; scoping it to the group of Windows 365 users is the least-privilege choice.

Users may join devices to Azure AD

Before assigning any licenses it is good to set the organization default settings. Here you choose whether a user should be a standard user or a local administrator on the Cloud PC, which operating system should be deployed and the language. These settings are only applied when a new Cloud PC is provisioned. You can also choose to enroll new devices into Microsoft Endpoint Manager, but the user then also needs a separate Intune license. You can modify these settings by signing in to https://windows365.microsoft.com/

Update organization settings

Select Update organization setting:

Update organization settings

In my case I also enroll new cloud devices in Endpoint Manager since I have a suitable license.

Assign your user with a license

My test user Goofy is synced from Active Directory to Azure AD with AAD Connect. You do not need a synchronized user; a cloud-only user is also fine. I am assigning Goofy a Microsoft 365 Business Premium license, which includes Intune so I can manage the device, and the Windows 365 Business 2 vCPU, 8 GB, 128 GB license. As soon as the Windows 365 license is assigned, Microsoft starts provisioning a new Cloud PC for the user. This takes some time to complete. You can monitor the process by selecting the user and then Devices:

Cloud pc is provisioning

After some time you will see that the device is ready for the user to work with:

Cloud PC is ready
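The license assignment and provisioning check above, done with Microsoft Graph PowerShell instead of the portal. This is an added example, not code from the original post. The UPN, usage location and SkuPartNumber are assumptions (list your tenant's SKUs with Get-MgSubscribedSku and pick the Windows 365 Business SKU you bought); it needs the Microsoft.Graph module and the scopes named in the script, and it polls the beta cloudPCs endpoint, which lists Windows 365 Cloud PCs by user.

```powershell
# Added example (not from the original post): assign the Windows 365 Business license and
# watch the Cloud PC appear. UPN, usage location and SkuPartNumber are assumptions.
$Upn           = 'goofy@contoso.com'        # assumed
$UsageLocation = 'NL'                       # assumed; licensing fails without one
$SkuPartNumber = 'CPC_B_2C_8RAM_128GB'      # assumed; verify with Get-MgSubscribedSku

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All', 'CloudPC.Read.All'

# A usage location is mandatory before any license can be assigned.
$user = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName, UsageLocation
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation $UsageLocation
}

# Resolve the SKU and make sure a seat is actually free; Set-MgUserLicense fails otherwise.
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq $SkuPartNumber
if (-not $sku) { throw "SKU $SkuPartNumber not found in this tenant" }
if ($sku.ConsumedUnits -ge $sku.PrepaidUnits.Enabled) { throw "No free seats for $SkuPartNumber" }

Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @() | Out-Null
"License $SkuPartNumber assigned to $Upn; provisioning starts automatically."

# Poll the Cloud PC status until it is provisioned (or give up after 90 minutes).
$deadline = (Get-Date).AddMinutes(90)
$uri = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs'
do {
    Start-Sleep -Seconds 120
    $cpc = (Invoke-MgGraphRequest -Method GET -Uri $uri).value |
           Where-Object { $_.userPrincipalName -eq $Upn } | Select-Object -First 1
    '{0:u}  status={1}  device={2}' -f (Get-Date), $cpc.status, $cpc.managedDeviceName
} while ($cpc.status -ne 'provisioned' -and (Get-Date) -lt $deadline)
```

The seat check matters in practice: assigning a license when no seat is free produces an error rather than a queued Cloud PC, and the status loop would then wait on a device that never appears.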

Since I also selected the option to enroll the device into Intune you can also find the device there.

Cloud PC in Endpoint manager

End user experience

When the user signs in to windows365.microsoft.com they will see the first launch experience:

The user can then launch the Cloud pc

The user can also use the Remote Desktop application. If possible, I would recommend the app, because it performs better than the browser. The user can download the app from Microsoft Docs.
Open the application, select Subscribe and sign in with your credentials.

You can now also use the new Windows 365 app, which was announced at Ignite 2022.

Managing Windows 365 Business

As an administrator you will want to manage the device, and you have a couple of options. If you have not enrolled the device into Intune, your options are limited to what the windows365.microsoft.com portal offers when you select the user:

Managing the device with Intune

Since the device is enrolled in Intune we can also push configurations to it. I did notice some differences compared with normal clients enrolled in Intune, and there also seem to be differences from Windows 365 Enterprise, which show when you open the device overview in Intune.

There is no primary user or enrolled-by user, and the device model is stated as Virtual Machine. If you compare this with a Windows 365 Enterprise enrollment you see that the primary user and the device model are stated

The lack of a primary user is not really an issue; the reason is probably that Microsoft uses a different enrollment process, such as a bulk enrollment token, to enroll the device. The other difference does not seem big until you want to create custom filter rules (Create a filter for your Cloud PCs | Microsoft Learn). Filters are useful when you want to target specific Windows 365 Cloud PCs in your environment. Unfortunately this option is not available.

Otherwise, all options that you use for managing your devices are also available with Windows 365 Business. You can deploy apps and configurations to the devices as your company requires.

Deploy Dropbox as a Win32 App with Intune

Package Dropbox as a Win32 app to deploy it using Microsoft’s Intune

Dropbox is a widely adopted platform for saving and sharing documents. Although Microsoft's OneDrive may be the most logical choice when using Microsoft products, there are still companies actively using Dropbox as their cloud file storage solution. In this blog I share how to deploy the Dropbox client in your organization using Intune. This is what you need:

On your PC create a new folder. The folder will contain three files: the Dropbox offline installer you downloaded, and two files you create yourself, install.cmd and uninstall.cmd.

For the install.cmd you use the following lines:

@ECHO OFF
REM Run from the folder this script lives in (the extracted .intunewin content)
PUSHD "%~dp0"
REM /NOLAUNCH installs the client without starting it afterwards
"Dropbox 139.4.4896 Offline Installer.exe" /NOLAUNCH
POPD

You can validate the command by running the install.cmd as an admin.

For the uninstall.cmd file you use the following lines:

@ECHO OFF
REM /S runs the vendor uninstaller silently; the path is the per-machine install location
"%PROGRAMFILES(x86)%\Dropbox\Client\DropboxUninstaller.exe" /S

Also, on the machine where you ran install.cmd, check in the registry which version is installed. The version the installer states differs from what ends up in the registry, and the registry value is what your detection rule will read. You can check the version under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Dropbox\Client.

Now that you have prepared the files it is time to wrap them into an .intunewin file with the Win32 Content Prep Tool (IntuneWinAppUtil.exe).

  • Source folder: the folder that contains your installation files
  • Setup file: the Dropbox offline installer
  • Output folder: the folder where you want the .intunewin file saved. Choose a different location than your source folder
  • For catalog folder choose No

Now that you have prepared Dropbox its time to deploy it via Intune. Follow this link to get to Windows Applications  https://endpoint.microsoft.com/#blade/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/windowsApps

Choose Add and for App type Windows app (Win32). For package file select your Dropbox intunewin file. Fill out the required app information and choose next.

At the second step for the install command enter install.cmd and for the uninstall command choose uninstall.cmd. The install behavior should be set to System.

At the requirements choose the system architecture and a minimal operating system version. The fourth step is the detection rules. For Rules format choose Manually configure detection rules:

  • Rule type: Registry
  • Key path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Dropbox\Client
  • Value name: Version
  • Detection method: Version comparison
  • Operator: Equals
  • Value: 139.4.4896 (or whatever value you found in the registry after a test install)
Note that the Dropbox client updates itself. Once it does, an Equals rule no longer matches and Intune reports the app as not installed, so Greater than or equal to is the safer operator if you let the client auto-update.
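The same detection expressed as a custom detection script, which is useful when you want to log what the device actually has or to tolerate newer versions. This is an added example, not code from the original post. It reads the registry value from the rule above and exits the way Intune expects from a detection script (exit code 0 plus output on STDOUT means installed). The expected version is an assumption; take it from the registry of a machine where you ran install.cmd.

```powershell
# Added example (not from the original post): custom detection script for the Dropbox Win32 app.
# Expected version is an assumption; read it from the registry after a test install.
param(
    [string]$ExpectedVersion = '139.4.4896',
    [string]$RegistryKey     = 'HKLM:\SOFTWARE\WOW6432Node\Dropbox\Client',
    [string]$ValueName       = 'Version',
    [switch]$AllowNewer      # tolerate a self-updated client
)

function Get-InstalledVersion {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }                          # key or value missing
    try { return [version]$item.$Name } catch { return $null }     # unparsable value
}

function Test-VersionDetected {
    param([string]$Expected, [version]$Installed, [switch]$AllowNewer)
    if ($null -eq $Installed) { return $false }
    $expectedVersion = [version]$Expected
    # Compare numerically, component by component, as System.Version does: 139.4.04896 equals
    # 139.4.4896 here, while a string comparison would report a mismatch.
    if ($AllowNewer) { return $Installed -ge $expectedVersion }
    return $Installed -eq $expectedVersion
}

$installed = Get-InstalledVersion -Key $RegistryKey -Name $ValueName
if (Test-VersionDetected -Expected $ExpectedVersion -Installed $installed -AllowNewer:$AllowNewer) {
    Write-Output "Dropbox $installed detected"    # STDOUT + exit 0 = detected
    exit 0
}
exit 1                                            # non-zero exit (or no STDOUT) = not detected
```

Upload it under Detection rules with Rules format set to Use a custom detection script. Because Intune runs the script in the system context, it reads the same 64-bit registry view as the registry rule; keep the WOW6432Node path, since the Dropbox installer is 32-bit.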

Finally assign the application to a user or computer group, and wait for the installation to take place.

Hope this blog was helpful, if you have any questions feel free to post them in the comments.

Deploy Zoom as a Win32 App with Intune

Deploy the Zoom client and the Zoom Outlook plugin using the Win32 app format in Intune

In this article I show you how you can deploy Zoom as a Win32 app using Microsoft's Intune. Zoom's own guidelines only show how to deploy Zoom as a line-of-business app. Although that works, you get much greater flexibility when deploying Zoom as a Win32 app: you can make use of delivery optimization, target for example only 64-bit operating systems, and more. Furthermore, when you deploy new clients via Autopilot you cannot mix line-of-business installations with Win32 app installations. So my recommendation would always be to use the Win32 app deployment.

You need:

Personally I always like to work with an install.cmd and an uninstall.cmd to deploy my applications. You can, however, just repackage the MSI installer and put the commands in the installation parameters in Intune. With install.cmd and uninstall.cmd files I am more flexible when I need to copy files, for example.

Copy the ZoomInstallerFull.msi to an empty folder. Create two new files in the folder named install.cmd and uninstall.cmd. The Zoom MSI comes with a variety of installation parameters to customize your deployment as needed. You can, for example, disable auto update and configure the firewall port range. You can also use ZConfig to set configurations that users cannot change, or ZRecommend for settings that users can change. In my example I use the following installation command, which is the content of the install.cmd file:

msiexec /i "%~dp0ZoomInstallerFull.msi" /norestart /qn ZConfig="nogoogle=1;nofacebook=1;" ZoomAutoUpdate="false" FirewallPortStart="7200" FirewallPortEnd="17210"

You can test your install.cmd by running it as an administrator. For the uninstall.cmd you use the following command:

msiexec /x {51AFD52B-0614-4100-91E0-204AC1EF0A3B} /qn /norestart

The /qn switch matters because the uninstall runs in the system context, where an interactive uninstall dialog would hang. You can find the product code GUID in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{51AFD52B-0614-4100-91E0-204AC1EF0A3B} once the MSI is installed.
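You can also read the product code and version straight out of the MSI before installing anything, which is handy because both the uninstall command and the detection rule depend on them. This is an added example, not code from the original post. It uses the Windows Installer COM API (WindowsInstaller.Installer) in read-only mode; the MSI path is an assumption.

```powershell
# Added example (not from the original post): read ProductCode/ProductVersion from an MSI
# without installing it, then confirm the Uninstall key after a test install.
function Get-MsiProperty {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Property = @('ProductCode', 'ProductVersion', 'ProductName', 'UpgradeCode')
    )
    $fullPath  = (Resolve-Path -LiteralPath $Path).Path
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase(path, 0): mode 0 = read-only, nothing is installed or modified
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($fullPath, 0))
    $result = [ordered]@{ File = Split-Path $fullPath -Leaf }
    foreach ($p in $Property) {
        $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                    @("SELECT Value FROM Property WHERE Property = '$p'"))
        [void]$view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
        $record = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        $result[$p] = if ($record) {
            $record.GetType().InvokeMember('StringData', 'GetProperty', $null, $record, @(1))
        } else { $null }
        [void]$view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null)
    }
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    [pscustomobject]$result
}

# Read the package before deploying it (path is an assumption):
$msi = Get-MsiProperty -Path '.\ZoomInstallerFull.msi'
$msi | Format-List

# The uninstall line and the detection value follow directly from the package.
# 32-bit MSIs register under WOW6432Node; 64-bit MSIs under the plain SOFTWARE key.
"msiexec /x $($msi.ProductCode) /qn /norestart"
"Detection: ...\Uninstall\$($msi.ProductCode)  DisplayVersion = $($msi.ProductVersion)"

# After a test install, confirm the Uninstall key name really is the ProductCode:
$uninstallRoots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $msi.ProductCode } |
    Get-ItemProperty | Select-Object DisplayName, DisplayVersion, PSPath
```

Vendors frequently change the ProductCode with every release, so regenerate uninstall.cmd and the detection rule for each new package rather than reusing the GUID from an older version; the UpgradeCode is the value that normally stays constant across versions.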

You now should have a folder containing ZoomInstallerFull.msi, install.cmd and uninstall.cmd.

Zoom installation folder

Start the Win32 Packaging tool and enter the following parameters:

  • The location of your source folder containing the ZoomInstallerFull.msi, install.cmd and uninstall.cmd.
  • The setup file is ZoomInstallerFull.msi
  • Create a new output folder where you want to save the new package.
  • Select no for creating a catalog folder
Zoom Win32 packaging parameters

To deploy the application with Intune go ahead and add a new application and for app type choose Windows app (Win32)

On the App information page, provide the Name, Publisher, app version and whatever other information you want to share. On the Program page use install.cmd for the install command and uninstall.cmd for the uninstall command. For install behavior make sure to select System. Finally select No specific action for device restart behavior.

Zoom installation parameters on Intune

On the Detection rules page I like to use the version number to detect whether the application is installed. If you want to deploy another version in the future you can use the Supersedence option, which makes detecting on a specific version easier. So for the detection rules choose Manually configure detection rules:

  • Rule type: Registry
  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{51AFD52B-0614-4100-91E0-204AC1EF0A3B}
  • Value name: DisplayVersion
  • Detection method: Version comparison
  • Operator: Equals
  • Value: 5.9.2481 (or whatever version you are deploying)
Zoom detection rules Intune

Finally deploy the application to a group in your organization.

To install the Zoom plugin for Microsoft Outlook you can use the same procedure. Create a folder which contains: ZoomOutlookPluginSetup.msi, install.cmd and uninstall.cmd.

Install.cmd

msiexec /i "%~dp0ZoomOutlookPluginSetup.msi" /norestart /qn

uninstall.cmd

msiexec /x "{BC6BA982-1260-4284-8B1F-68184984021B}" /q

Start the Win32 Packaging tool and enter the following parameters:

  • The location of your source folder containing ZoomOutlookPluginSetup.msi, install.cmd and uninstall.cmd.
  • The setup file is ZoomOutlookPluginSetup.msi
  • Create a new output folder where you want to save the new package.
  • Select no for creating a catalog folder

Deploy the package using Intune using the same options as for the Zoom client. For detection rules use:

  • Rule type: Registry
  • Key path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BC6BA982-1260-4284-8B1F-68184984021B}
  • Value name: DisplayVersion
  • Detection method: Version comparison
  • Operator: Equals
  • Value: 5.9 (or whatever version you are deploying)

Hopefully you found the article informative. If you have any questions or comments, feel free to use the comments section below.

Deploy Acrobat Reader DC with Intune

Use Intune to deploy an up to date version of Adobe Acrobat Reader DC using the Win32 app deployment.

One of the first applications on the list to distribute with Intune is Acrobat Reader DC. Several blogs describe how to do this, but they all use the default Adobe Acrobat Reader DC distribution executable. Installing only that executable gets you the 2015 version, 2015.07.20033, which by now (2021) is extremely outdated and carries years of unpatched vulnerabilities. This article focuses on how to deploy an up-to-date version of Acrobat Reader DC.

First you still need the default Adobe Acrobat Reader DC Distribution executable, which you can download from https://get.adobe.com/uk/reader/enterprise/ . Select your required operating system, language and version. Once you have downloaded the exe you will need to extract the contents of the exe. You do this by adding the following switches after the exe. Specify your own output location.

.\AcroRdrDC1900820071_nl_NL.exe -sfx_o"C:\InstallFiles\Blog\Extract" -sfx_ne 

Next you need to download the latest update from Adobe. At the time of writing this is the September 2021 update, which you can download from https://www.adobe.com/devnet-docs/acrobatetk/tools/ReleaseNotesDC/continuous/dccontinuoussept2021.html (download the Reader update). Make sure to choose the correct architecture. In my case I need the AcroRdrDCUpd2100720091.msp file.

Place the downloaded update in the same folder where you extracted the contents of the executable. In the same folder create two files: the first is named install.cmd and the second uninstall.cmd.

The content of the install.cmd file is:

msiexec /i "%~dp0AcroRead.msi" ALLUSERS=1 /qn TRANSFORMS="%~dp0AcroRead.mst" /Update "%~dp0AcroRdrDCUpd2100720091.msp" /norestart

Here it is important that you reference the correct update file, which in this case is AcroRdrDCUpd2100720091.msp. Using %~dp0 for the transform as well means the command works regardless of the working directory the Intune Management Extension starts it in.

You can use the Adobe Customization Wizard DC to further customize your Adobe installation. This generates the .mst file that is referenced in the install.cmd file. I won't go into detail; there are plenty of blogs that explain this.

The contents of the uninstall.cmd file is

msiexec /x "%~dp0AcroRead.msi" /q

The content of your Adobe folder should now look similar to this:

Test your installation by running the install.cmd and uninstall.cmd files before continuing to the next steps.

You are now ready to put the contents of your Adobe folder into a Win32 package and distribute it to your clients. First use the Win32 Content Prep Tool to combine all the files into a single package. If you need more information on how to do this, please read this article.

  • Source folder: Is the location where all the Adobe files are located
  • Setup file: in this case it’s setup.exe
  • Output folder: location where the intunewin file is saved
  • Catalog folder: choose no
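The IntuneWinAppUtil.exe step is the same for the Dropbox, Zoom and Acrobat packages in this series, so here it is once as a script. This is an added example, not code from the original posts. Before it packages, it checks the Authenticode signature of every .exe, .msi and .msp in the source folder and records their SHA-256 hashes, so that what you upload to Intune is what the vendor signed. The tool location and folder paths are assumptions; the -c, -s, -o and -q switches are the tool's own.

```powershell
# Added example (not from the original posts): verify vendor binaries, then build the .intunewin.
param(
    [Parameter(Mandatory)][string]$SourceFolder,
    [Parameter(Mandatory)][string]$SetupFile,       # e.g. setup.exe or ZoomInstallerFull.msi
    [Parameter(Mandatory)][string]$OutputFolder,
    [string]$IntuneWinAppUtil = 'C:\Tools\IntuneWinAppUtil.exe'   # assumed location
)
$ErrorActionPreference = 'Stop'

function Test-PackageSources {
    # Prints one line per binary (signature status, SHA-256, name, signer) and returns $false
    # if any binary is unsigned or its signature does not validate.
    param([Parameter(Mandatory)][string]$Folder)
    $ok = $true
    $binaries = Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.msi, *.msp
    foreach ($bin in $binaries) {
        $sig    = Get-AuthenticodeSignature -FilePath $bin.FullName
        $hash   = (Get-FileHash -Path $bin.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        '{0,-12} {1}  {2}  {3}' -f $sig.Status, $hash, $bin.Name, $signer
        if ($sig.Status -ne 'Valid') { $ok = $false }
    }
    return $ok
}

if (-not (Test-Path -LiteralPath (Join-Path $SourceFolder $SetupFile))) {
    throw "Setup file '$SetupFile' not found in $SourceFolder"
}
if ((Resolve-Path $SourceFolder).Path.TrimEnd('\') -eq (Resolve-Path $OutputFolder -ErrorAction SilentlyContinue).Path.TrimEnd('\')) {
    throw 'Output folder must differ from the source folder'
}
if (-not (Test-PackageSources -Folder $SourceFolder)) {
    throw 'At least one binary is unsigned or has an invalid signature; do not package it'
}

New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
# -c source folder, -s setup file, -o output folder, -q quiet (no catalog-folder prompt)
& $IntuneWinAppUtil -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }
Get-ChildItem -Path $OutputFolder -Filter *.intunewin | Select-Object Name, Length, LastWriteTime
```

The hash lines are worth keeping with your package documentation: the .intunewin itself is re-encrypted on every build, so the hashes of the source binaries are the stable record of what was packaged.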

When you have your .intunewin file you can upload it to Intune and start deploying it. I won't go into detail, but some points to take into account:

At Program:
  • Install command: install.cmd
  • Uninstall command: uninstall.cmd
At Detection Rules use:
  • Manually configure detection rules and use the Registry Rule type:
  • Key Path: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1043-7B44-AC0F074E4100}
  • Value Name: DisplayVersion
  • Detection method: String Comparison
  • Operator: Equals
  • Value: 21.007.20091 (or whatever version you install)

Hope this article gives you some more information on how to deploy an up to date version of Adobe Acrobat Reader with Intune.

Endpoint Manager and Windows Defender Application Control

HOW TO: Deploy Windows Defender Application Control with Microsoft Endpoint Manager

Windows 10 has a variety of security features built in. These features are not enabled by default, but if configured correctly they significantly increase the security of the devices. The main advantage of Windows 10 Enterprise is its security features, which 'harden' the operating system. By hardening your OS you protect yourself and the enterprise against viruses, ransomware and attackers. This blog series explains the different "Defender" functionalities that are available in Windows 10 Enterprise and how to configure them using Microsoft's Endpoint Manager (Intune).

Microsoft likes to rebrand its functionality, and the name Defender is now used for all the security features, not only those in Windows 10; think of Defender for Endpoint, Defender for Cloud, and so on. This is also true for the functionality in this blog series. Windows Defender Application Control is the new name for what was once part of Device Guard and called configurable code integrity (CCI).

This series touches upon the following subjects:

  1. Windows Defender Application Control
  2. Windows Defender Application Guard
  3. Windows Defender Credential Guard
  4. Windows Defender Device Guard

Prerequisites

  1. A physical test client with Windows 10
  2. Microsoft subscription with Endpoint Manager

Windows Defender Application Control

Simply stated: Windows Defender Application Control (WDAC) controls whether an application may or may not run on a Windows 10 device. If the application is trusted it can run; otherwise it is blocked. There is a lot more to it of course, but in essence this is what it does. Some may remember AppLocker, introduced in Windows 7, which allowed organizations to control which applications could run on a device. Stated like this the functionality of AppLocker and WDAC is very alike, but WDAC takes it a lot further. Not only can WDAC also control drivers, it can make use of Microsoft's Intelligent Security Graph. With the Intelligent Security Graph you do not have to allow-list applications individually: an application is trusted automatically if Microsoft trusts it. This saves a lot of time maintaining WDAC policies. Furthermore, you have the option to automatically approve applications that have been deployed through a software distribution solution such as Microsoft Endpoint Manager.

Securing your environment by building and maintaining WDAC policies, or any other security solution, takes time. The policies you create will change over time because applications and other software change. Understand that this is not a one-time configuration; it should be evaluated on a regular basis. Before you start implementing WDAC I would recommend that you read and understand Microsoft's documentation, and make sure that your business requirements are clear.

There are so many variables that go into designing this solution that it is impossible to cover all the steps. This series of articles should give you a basic understanding of how to use these security features to your advantage. The high-level steps in this article are:

  1. Create a baseline policy
  2. Update baseline policy
  3. Test a WDAC policy
  4. Deploy a WDAC Policy
  5. Monitor your WDAC Policy
  6. Enforcing WDAC policy

In this article we create a policy for a fully managed device. You can also create policies for lightly managed devices. The difference is that on fully managed devices all software is installed and managed by IT and users cannot install applications, whereas on lightly managed devices users can install applications. If you are planning to start with WDAC it is recommended to begin by treating your devices as lightly managed, and then gradually build up the restrictions until they are "fully managed".

1.      Create a baseline policy

You start with a baseline. What the baseline policy looks like depends on the type of device you are using: each device type has its own drivers and specifications, depending on the manufacturer. So it is important to capture a baseline policy for each type of device. If you have multiple device types you can use each baseline for its own device type, or merge the baselines into one policy that you use for all of them. Microsoft provides some example policies in C:\Windows\schemas\CodeIntegrity\ExamplePolicies. For this article we start from scratch.

Take a Windows 10 device that is as clean as possible to start the inventory phase; anything already present on the device, including unwanted software, ends up allowed in the baseline. Then use the following PowerShell command. It scans the entire device and creates a baseline XML, which takes some time to complete.

$CIPolicyXML = "C:\temp\WDAC_Policy_DellLatitude5500.xml"
New-CIPolicy -MultiplePolicyFormat -FilePath $CIPolicyXML -ScanPath C:\ -Level FilePublisher -UserPEs -Fallback Hash

PowerShell parameters explained:

-MultiplePolicyFormat: creates the policy in the multiple-policy format, which is supported on Windows 10 build 1903 and later and allows supplemental policies.
-FilePath: where to save the XML.
-ScanPath C:\: the directory tree to scan.
-Level FilePublisher: the primary level of detail for the generated rules (signer plus file name and minimum version).
-UserPEs: also scans user-mode executables (applications) instead of only kernel-mode binaries such as drivers.
-Fallback Hash: covers any file that cannot be expressed at the primary rule level, for example unsigned files, with a hash rule.

2. Update baseline policy

Scanning your device takes a considerable time. When the scan is complete you can add rule options to the XML file (see Understand WDAC policy rules and file rules (Windows 10) – Windows security | Microsoft Docs):

  • Option 13 (Enabled:Managed Installer) automatically allows applications installed by a software distribution solution. On its own this option does nothing: the device also needs an AppLocker policy that designates the installer (for example the Intune Management Extension) as a managed installer.
  • Option 14 (Enabled:Intelligent Security Graph Authorization) uses the Microsoft Intelligent Security Graph so that applications with a known good reputation are automatically approved. The AppID Tagging service must be started on the device for this to work (appidtel start).
  • Option 16 (Enabled:Update Policy No Reboot), so no reboot is required when a policy is updated.
  • Option 17 (Enabled:Allow Supplemental Policies), so you can combine a base policy with supplemental policies.
  • Set-HVCIOptions -Enabled turns on Hypervisor-protected Code Integrity. Use this with care: some applications and drivers are incompatible with HVCI and can cause software malfunction and blue screens.
Set-RuleOption -FilePath $CIPolicyXML -Option 13
Set-RuleOption -FilePath $CIPolicyXML -Option 14
Set-RuleOption -FilePath $CIPolicyXML -Option 16
Set-RuleOption -FilePath $CIPolicyXML -Option 17
Set-HVCIOptions -Enabled -FilePath $CIPolicyXML

3. Test a WDAC policy

When your XML is complete you can convert it to a CIP file. First open the XML file and copy the <PolicyID>; in the multiple-policy format this element is near the bottom of the file and looks something like {DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}. The name of the CIP file must match the policy GUID, including the braces. To create the CIP file run:

ConvertFrom-CIPolicy -XmlFilePath $CIPolicyXML -BinaryFilePath "C:\temp\{DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}.cip"

The CIP file is now ready to be tested. Copy the CIP file to C:\Windows\System32\CodeIntegrity\CIPolicies\Active and reboot the machine.
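Steps 1 to 3 as one script, with the policy ID read from the XML instead of copied by hand so the .cip file name always matches. This is an added example, not code from the original post. The device name in the path and the output folder are assumptions; run it elevated on the reference device.

```powershell
# Added example (not from the original post): scan, set rule options, convert and stage a
# WDAC policy. Paths are assumptions. Run in an elevated PowerShell on the reference device.
$ErrorActionPreference = 'Stop'
$PolicyXml = 'C:\temp\WDAC_Policy_DellLatitude5500.xml'   # assumed
$OutDir    = 'C:\temp'                                     # assumed

# Step 1: baseline scan (slow). FilePublisher rules where files are signed, hash rules otherwise;
# -UserPEs includes user-mode executables, not only drivers.
New-CIPolicy -MultiplePolicyFormat -FilePath $PolicyXml -ScanPath 'C:\' -Level FilePublisher -UserPEs -Fallback Hash

# Step 2: rule options. A freshly scanned policy already contains option 3 (audit mode);
# setting it again is harmless and makes the intent explicit. Remove it with
# Set-RuleOption -Option 3 -Delete when you are ready to enforce.
$options = [ordered]@{
    3  = 'Enabled:Audit Mode'
    13 = 'Enabled:Managed Installer'                     # also needs an AppLocker managed-installer rule
    14 = 'Enabled:Intelligent Security Graph Authorization'  # also needs "appidtel start" on the device
    16 = 'Enabled:Update Policy No Reboot'
    17 = 'Enabled:Allow Supplemental Policies'
}
foreach ($n in $options.Keys) {
    Set-RuleOption -FilePath $PolicyXml -Option $n
    "Option $n set ($($options[$n]))"
}
Set-HVCIOptions -Enabled -FilePath $PolicyXml   # verify driver compatibility before enabling HVCI

# Step 3: read the PolicyID from the XML and name the binary after it.
[xml]$doc = Get-Content -Path $PolicyXml
$policyId = $doc.SiPolicy.PolicyID               # e.g. {DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}
$cipPath  = Join-Path $OutDir "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $cipPath | Out-Null

# Record which options ended up in the policy.
"Policy $policyId written to $cipPath with options:"
$doc.SiPolicy.Rules.Rule | ForEach-Object { "  $($_.Option)" }

# Stage it for the local test; the policy loads at the next reboot.
# (Windows 11 22H2 and later can also load it live: CiTool.exe --update-policy $cipPath)
Copy-Item -Path $cipPath -Destination "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\" -Force
```

Check the printed option list before rebooting: if Enabled:Audit Mode is missing, the policy will enforce on first boot and block anything the scan did not capture.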

The WDAC policy was created in audit mode, meaning that no applications are blocked. However, the event log shows which applications would have been blocked if the policy were enforced. In the Event Viewer under Applications and Services Logs > Microsoft > Windows > Code Integrity > Operational you will see all the warnings. Make sure to run different applications and check the event viewer for warnings and errors.
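Reading that log by hand gets tedious once several testers are involved, so here is a small triage script that summarizes the audit events per file. This is an added example, not code from the original post. Event 3076 is "would have been blocked" (audit mode) and 3077 is "blocked" (enforced); the parser assumes the standard English message text, and the sample events at the bottom are constructed so the script can be tried offline.

```powershell
# Added example (not from the original post): summarize Code Integrity audit events per file.
function ConvertFrom-CIMessage {
    param([Parameter(Mandatory)][string]$Message, [int]$Id = 3076, [datetime]$Time = (Get-Date))
    # Standard text: "Code Integrity determined that a process (<proc>) attempted to load <file> that did not meet ..."
    if ($Message -match 'process \((?<proc>[^)]+)\) attempted to load (?<file>.+?) that did not meet') {
        [pscustomobject]@{
            Time    = $Time
            Id      = $Id
            Mode    = if ($Id -eq 3077) { 'blocked' } else { 'audit' }
            Process = $Matches.proc
            File    = $Matches.file
        }
    }
}

function Get-CIAuditSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7), [object[]]$Events)
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077; StartTime = $Since
        } -ErrorAction SilentlyContinue
    }
    $parsed = foreach ($e in $Events) { ConvertFrom-CIMessage -Message $e.Message -Id $e.Id -Time $e.TimeCreated }
    # One row per file: hit count, loading processes, whether any hit was an enforced block.
    $parsed | Group-Object File | ForEach-Object {
        [pscustomobject]@{
            File      = $_.Name
            Hits      = $_.Count
            Processes = ($_.Group.Process | Sort-Object -Unique) -join '; '
            Blocked   = [bool]($_.Group | Where-Object Mode -eq 'blocked')
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Hits -Descending
}

# Constructed sample events (not real log data) for an offline dry run:
$auditTail = 'that did not meet the Enterprise signing level requirements or violated code integrity policy. However, due to the enablement of code integrity auditing policy, the image was allowed to load.'
$sample = @(
    [pscustomobject]@{ Id = 3076; TimeCreated = Get-Date; Message = "Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Users\goofy\Downloads\tool.exe $auditTail" },
    [pscustomobject]@{ Id = 3076; TimeCreated = Get-Date; Message = "Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Users\goofy\Downloads\tool.exe $auditTail" }
)
Get-CIAuditSummary -Events $sample | Format-Table -AutoSize

# On the test device itself, against the live log:
# Get-CIAuditSummary | Format-Table -AutoSize
```

Files that show up here with a Processes column full of legitimate installers are candidates for the managed-installer option; files loaded from user-writable paths such as Downloads are the ones you want to keep blocked once you enforce.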

4. Deploy WDAC policy – pilot

Before this section explains how to deploy WDAC policies with Endpoint Manager, a little side step. I was preparing this blog by reading documentation and trying to deploy the WDAC policy in my lab. I followed the documentation from Microsoft, Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Intune (Windows 10) – Windows security | Microsoft Docs. Everything went fine until I was unable to upload the bin file that was created. Every time I tried to create the policy I received the error: Unable to save due to invalid data. Update your data then try again: Exception has been thrown by the target of an invocation. After a while I found this article stating that OMA-URI policies with a payload over 350k bytes were no longer supported: Support Tip: Custom OMA-URI's not always applying to Windows 10 Devices – Microsoft Tech Community. Well, the payload for a WDAC policy is way bigger than 350k bytes, so that would explain why I wasn't able to add the policy. Even by stripping a WDAC policy to its bare minimum it would still be bigger than 350k bytes… I'm hoping this will be resolved in the future, so I will leave the original procedure in place, but also provide an alternative method to deploy the WDAC policy.

Original method

You have created a baseline policy and tested it on a device. Ideally you want to test the policy on multiple devices used by multiple people within your organization; running a pilot shows far better whether your baseline policy fits the business needs. So it is time to deploy the policy to several devices using Endpoint Manager.

To deploy the policy with Endpoint manager the policy first must be converted to a bin file.

ConvertFrom-CIPolicy -XmlFilePath $CIPolicyXML -BinaryFilePath "C:\temp\{DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}.bin"
  • In Endpoint Manager go to Configuration profiles and add a new profile. For platform select Windows 10 and later, for profile type select Custom.
  • Give your profile a name and go to the next step.
  • In Configuration settings add a new OMA-URI setting:
    • Provide a clear name
    • OMA-URI is ./Vendor/MSFT/ApplicationControl/Policies/<POLICYID>/Policy. Replace <POLICYID> with the value of the policy ID without the braces.
    • For Data type select Base64 (file) and upload the bin file
  • Assign the profile to a group of test devices or users
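A pre-flight for the original method: the script below builds the OMA-URI from the file name, base64-encodes the .bin and reports whether the payload exceeds the 350k-byte custom OMA-URI limit described above, so you know before the portal rejects it. This is an added example, not code from the original post. The Graph call at the end creates the same custom profile without the portal and is optional; the profile name and the .bin path are assumptions.

```powershell
# Added example (not from the original post): check a WDAC .bin against the custom OMA-URI
# limit and, if it fits, create the custom profile through Microsoft Graph.
function New-WdacOmaUriPayload {
    param([Parameter(Mandatory)][string]$BinPath)
    $fullPath = (Resolve-Path -LiteralPath $BinPath).Path
    $bytes    = [System.IO.File]::ReadAllBytes($fullPath)
    # The file is named {GUID}.bin; the CSP node takes the GUID without the braces.
    $guid = [System.IO.Path]::GetFileNameWithoutExtension($fullPath).Trim('{', '}')
    [pscustomobject]@{
        PolicyId  = $guid
        FileName  = Split-Path $fullPath -Leaf
        OmaUri    = "./Vendor/MSFT/ApplicationControl/Policies/$guid/Policy"
        SizeBytes = $bytes.Length
        OverLimit = $bytes.Length -gt 350000      # the 350k-byte custom OMA-URI limit
        Base64    = [Convert]::ToBase64String($bytes)
    }
}

$payload = New-WdacOmaUriPayload -BinPath 'C:\temp\{DF4B2E6F-F05F-4D3C-AE70-000F6CCD445C}.bin'   # assumed path
$payload | Select-Object PolicyId, OmaUri, SizeBytes, OverLimit

if ($payload.OverLimit) {
    Write-Warning "Policy is $($payload.SizeBytes) bytes; custom OMA-URI profiles above 350k bytes fail to save. Use the alternative method."
}
else {
    # Optional: create the custom profile via Graph (scope DeviceManagementConfiguration.ReadWrite.All).
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'WDAC baseline - pil'.Trim() + 'ot'    # assumed name
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingBase64'
                displayName   = 'WDAC policy'
                omaUri        = $payload.OmaUri
                fileName      = $payload.FileName
                value         = $payload.Base64
            }
        )
    }
    $profile = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' -Body $body
    "Created profile $($profile.id); assign it to your pilot group in the portal or via /assign."
}
```

The same size check is worth running on every policy update, not only the first deployment: adding hash rules for a handful of unsigned tools is enough to push a policy that once fit over the limit.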

Alternative Method

For the alternative distribution method we use the IntuneWinAppUtil.exe utility from Microsoft. The goal is to copy the CIP file to the C:\Windows\System32\CodeIntegrity\CIPolicies\Active folder. This brings a new problem, because copying something into that directory requires administrative permissions. Even though the account installing the application should have these permissions, it is not permitted to copy files to that location. Or I haven't found a good way of doing this; if you know the solution, please let me know, because I haven't found a better way. I did find one way of completing this, and it seems a little devious, but if it works it works. It involves creating a scheduled task which then copies the files to the right location. To make it work, all the necessary files are wrapped into a Win32 Intune package and deployed to the device. The same tool is also used for the monitoring agent later on in this blog. To learn more about this packaging method, check out my previous blog.

To start create a folder containing the following:

– Your CIP file
– A PowerShell script to deploy the CIPolicy (Deploy-CIP.ps1; adjust the script to match your CIPolicy ID.)


#Create CIP directory (-Force so a re-run does not fail when it already exists)
New-Item -Path "c:\" -Name "CIP" -ItemType "directory" -Force | Out-Null

#Start logging
$logfile = 'c:\CIP\CopyCIPolicy.txt'
Start-Transcript $logfile -Force

#Copy items to CIP directory (relative paths resolve to the extracted Win32 package folder)
Copy-Item -Path ".\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Destination "C:\CIP" -Force
Copy-Item -Path ".\Copy-CIP.ps1" -Destination "C:\CIP" -Force

#Create scheduled task running as SYSTEM; the one-time trigger is only a placeholder,
#the task is started immediately below
$Time = New-ScheduledTaskTrigger -Once -At 12:00
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ExecutionPolicy Bypass -file `"C:\CIP\Copy-CIP.ps1`""
Register-ScheduledTask -TaskName "CopyCIPolicy" -Trigger $Time -User $User -Action $Action -Force | Out-Null
Start-ScheduledTask -TaskName "CopyCIPolicy"

Stop-Transcript

#Exit code reported to Intune
Exit 0

– A PowerShell script to copy the CIPolicy (Copy-CIP.ps1; adjust the script to match your CIPolicy ID.)

Copy-Item -Path "C:\CIP\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Destination "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" -Force

– A PowerShell script to remove the CIPolicy (Remove-CIP.ps1; adjust the script to match your CIPolicy ID.)

#Cleaning up resources (ignore errors if the task or folder is already gone)
Stop-ScheduledTask -TaskName "CopyCIPolicy" -ErrorAction SilentlyContinue
Unregister-ScheduledTask -TaskName "CopyCIPolicy" -Confirm:$false -ErrorAction SilentlyContinue
Remove-Item -Path "c:\CIP" -Recurse -Force -ErrorAction SilentlyContinue

#Remove policy from C:\Windows\System32\CodeIntegrity\CiPolicies\Active
Remove-Item -Path "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip" -Force

#Exit code reported to Intune
Exit 0

  • Run the IntuneWinAppUtil.exe and specify:
    • The source folder location
    • The setup file, which is Deploy-CIP.ps1
    • Output folder
    • You do not need a catalog folder

To deploy the application use endpoint.microsoft.com:

  • Add a new Windows app (Win32)
  • Fill in the app information
  • For the install command use powershell.exe -ExecutionPolicy Bypass .\Deploy-CIP.ps1
  • For the uninstall use powershell.exe -ExecutionPolicy Bypass .\Remove-CIP.ps1
  • Run as system
  • Specify your requirements
  • For Detection rules, use a manually configured File detection rule. For the path use C:\Windows\system32\CodeIntegrity\CiPolicies\Active and for File use {DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}.cip (change the name to your CIP policy), with detection method File or folder exists

5. Monitor your WDAC Policy

As mentioned previously in this blog, you can view the Event Viewer to check if applications are blocked. In larger deployments it is not really practical to check each device individually for events. Ideally you want to have a central location for all the event logs. For this you can use a Log Analytics workspace.
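Before the central workspace exists, the same check can be scripted on a pilot device. The following PowerShell is an added example, not code from the original post; it assumes the policy ID used in this post, 64-bit Windows, and the Code Integrity operational log event IDs 3076 (audit) and 3077 (enforced block).

```powershell
# Added example (not from the original post): check one pilot device after the
# Win32 package has run. Assumptions: the policy id used in this post, 64-bit
# Windows, and Code Integrity event IDs 3076 (audit) / 3077 (enforced block).
param(
    [string]$PolicyId = '{DF4B2E6F-F05F-4C3D-AE70-000F6CCD445C}',
    [int]$Hours = 24
)

# A 32-bit host process (for example the Intune Management Extension) sees
# System32 redirected to SysWOW64; the Sysnative alias always reaches the real
# System32, so the check looks at the folder Code Integrity actually reads.
$system32 = if ([Environment]::Is64BitProcess) { "$env:windir\System32" } else { "$env:windir\Sysnative" }
$activePath = Join-Path $system32 "CodeIntegrity\CiPolicies\Active\$PolicyId.cip"

if (Test-Path -LiteralPath $activePath) {
    Write-Output "Policy file present: $activePath"
} else {
    Write-Warning "Policy file missing: $activePath"
}

# 3076 = would have been blocked (audit mode), 3077 = blocked (enforced mode)
$filter = @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    Write-Output "No Code Integrity audit/block events in the last $Hours hour(s)."
    return
}

# Summarise by binary so the files that need a rule in the next policy version stand out.
$events |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Mode = if ($_.Id -eq 3076) { 'Audit' } else { 'Enforced' }
            # 'File Name' is the event payload field holding the image path
            File = ($data | Where-Object { $_.Name -eq 'File Name' }).'#text'
        }
    } |
    Group-Object Mode, File |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it elevated on a pilot device; a long list of Audit entries for the same binary is the signal that the policy needs another rule before you switch to enforced mode.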

To create a Log Analytics Workspace follow these steps Create a Log Analytics workspace in the Azure portal – Azure Monitor | Microsoft Docs. Then open the workspace and select Advanced Settings and Data. Search for Microsoft-Windows-CodeIntegrity and add both, also add Operations Manager. Do not forget to save the configuration.

After you have a Workspace enable logging in endpoint.microsoft.com by going to Reports and selecting Diagnostics settings. Select Add diagnostic setting. Select all the different log types and for destination details select Send to Log Analytics Workspace and select your subscription and Workspace.

Enable logging Endpoint Manager

Go back to the Analytics Workspace and now go to Agents Management. Here you can download the log agent and make sure to note the Workspace ID and the Primary key.

The downloaded Analytics agent needs to be repackaged using IntuneWinAppUtil.exe. Check out my previous blog for more in-depth information. The first step is to extract the contents of the AnalyticsAgent.exe.

  • Place the downloaded MMASetup-AMD64.exe into a folder
  • Run .\MMASetup-AMD64.exe /c and specify a folder location on where to put the extracted data.
  • Run the IntuneWinAppUtil.exe and specify:
    • The source folder location
    • The setup file, which is setup.exe
    • Output folder
    • You do not need a catalog folder
  • You now have the monitoring app packaged into the Intune format

To deploy the application use endpoint.microsoft.com:

  • Add a new Windows app (Win32)
  • Fill in the app information
  • For the install command use setup.exe /qn NOAPM=0 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_ID="<WORKSPACEID>" OPINSIGHTS_WORKSPACE_KEY="<PRIMARYKEY>" OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 AcceptEndUserLicenseAgreement=1
    You need the Workspace ID and the Primary key from your workspace. View the reference in the docs Install Log Analytics agent on Windows computers – Azure Monitor | Microsoft Docs
  • Specify your requirements
  • For Detection rules, use a manually configured Registry detection rule. Here you can use Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HealthService\Parameters\Management Groups\AOI-<WORKSPACEID>, where you replace <WORKSPACEID> with your Workspace ID
  • Assign your application to a group

After the deployment is finished the Monitoring Agent starts uploading event logs to the workspace. To view the event logs, open the workspace and select Logs. Here you can enter queries written in Kusto Query Language to search the Event Viewer logs. For example, you can use the following query to display all the logs with a Warning or Error in the Code Integrity events category.

Event
| where Source == "Microsoft-Windows-CodeIntegrity"
| where EventLevelName == "Warning" or EventLevelName == "Error"
| project TimeGenerated, Computer, RenderedDescription
| sort by TimeGenerated desc 

6. No more testing, time for enforced mode

When you're done with testing and you have validated that everything works as expected, it is time to turn on enforced mode. To enforce the policy, option 3, which is the audit mode setting, is removed from the XML.

$CIPolicyXML = "C:\temp\WDAC_Policy_DellLatitude5500.xml"
Set-RuleOption -FilePath $CIPolicyXML -Delete -Option 3

After the audit mode is removed repackage the XML to a CIP for local testing or to a bin file if you deploy the policy with Endpoint Manager.  
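As an added example (not the post's own script), the following PowerShell checks that the audit mode option is really gone from the XML before converting it, and names the output after the PolicyID found in the XML. It assumes the multiple-policy XML format (the one that carries a PolicyID element) and the file paths used above.

```powershell
# Added example (not the post's own script): confirm a WDAC policy XML has left
# audit mode before converting it for deployment. Paths are assumptions; the XML
# is assumed to be in the multiple-policy format with a PolicyID element.
$CIPolicyXML = 'C:\temp\WDAC_Policy_DellLatitude5500.xml'
$OutputDir   = 'C:\temp'

function Get-AuditModeState {
    param([string]$Path)
    # Option 3 is stored in the XML as the rule text 'Enabled:Audit Mode'
    [xml]$policy = Get-Content -LiteralPath $Path -Raw
    $options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
    return [bool]($options -contains 'Enabled:Audit Mode')
}

if (Get-AuditModeState -Path $CIPolicyXML) {
    Write-Output 'Policy is still in audit mode; removing option 3.'
    Set-RuleOption -FilePath $CIPolicyXML -Delete -Option 3
}

# Refuse to build the binary if the XML still contains the audit rule
if (Get-AuditModeState -Path $CIPolicyXML) {
    throw 'Audit mode option still present; refusing to build an enforced policy.'
}

# Policy id and version come from the XML itself; the .cip must be named after the id
[xml]$policy = Get-Content -LiteralPath $CIPolicyXML -Raw
$policyId = $policy.SiPolicy.PolicyID
$version  = $policy.SiPolicy.VersionEx

# ConvertFrom-CIPolicy produces one binary; .cip (local copy) and .bin (Intune
# OMA-URI upload) differ only in the file extension
$cip = Join-Path $OutputDir "$policyId.cip"
$bin = Join-Path $OutputDir "$policyId.bin"
ConvertFrom-CIPolicy -XmlFilePath $CIPolicyXML -BinaryFilePath $cip | Out-Null
Copy-Item -LiteralPath $cip -Destination $bin -Force
Write-Output "Enforced policy $policyId version $version written to $cip and $bin"
```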

Endpoint Manager Win32 App Deployment (MSI and EXE)

HOW TO: deploy Win32 application using Endpoint Manager.

With Endpoint Manager you can deploy a variety of different applications to Windows clients. I have made blog posts about using MSIX packages to provide a modern way to distribute applications. Sometimes MSIX might not be the right solution for you. This blog is about deploying Win32 applications using the Windows app (Win32) capabilities. This form of distribution gives you a lot of control over how and when an application should be installed.

A note of caution: if you start to use Windows app (Win32) deployment for your environment, it is highly recommended that you do not combine Windows app (Win32) with Line-of-Business app installations. Especially if you are planning to use Microsoft Autopilot, the combination of Win32 apps and Line-of-Business apps will cause installations to fail. So, if you decide to use Windows app (Win32), use it for all your applications.

Before you can upload a Win32 application to Endpoint Manager you will need to prepare the application. Essentially you repackage the application and all the dependent files into an .IntuneWin package, which can then be uploaded to Endpoint Manager. To package an application you will need to download the Win32 Content Prep Tool from GitHub.

You will then need to gather all the required media to install the application and place it into one folder. I have created two examples, one for .exe applications and one for .msi applications. For both types of installation, it is recommended to create two batch files, one for installation and one for uninstallation. This provides better control when deploying the application.

For Citrix Workspace, which is an .exe, I have created the following batch files, install.cmd and uninstall.cmd, and placed them in a folder together with the exe installation file.

Install.cmd:

@ECHO OFF
PUSHD "%~dp0"
"CitrixWorkspaceApp.exe" /silent /noreboot /forceinstall

uninstall.cmd

@ECHO OFF
PUSHD "%~dp0"
"CitrixWorkspaceApp.exe" /silent /uninstall
Citrix Workspace package content

For Acrobat Reader, which is an .msi I have also created the following batch files: install.cmd and uninstall.cmd. These files are added to the installation files.

Install.cmd:

msiexec /i "%~dp0AcroRead.msi" ALLUSERS=1 /qn /norestart

uninstall.cmd:

msiexec /x "%~dp0AcroRead.msi" /q
Acrobat Reader package content

Once you have gathered all the necessary installation media and validated that your batch files work by running install.cmd and uninstall.cmd, you are ready to package. To package the applications, run IntuneWinAppUtil.exe from an elevated PowerShell prompt. You are prompted for the source folder, which is the folder that contains all the installation files. The setup file is the actual executable, and you need to specify an output folder where the .IntuneWin file will be saved. At this point we do not need a catalog folder. When the utility finishes you will end up with an .IntuneWin file.

Endpoint Manager

Now it's time to distribute the application using Endpoint Manager. Log in to endpoint.microsoft.com, select Apps, then All apps, and add a new application. Make sure to choose Windows app (Win32) as the app type. The first step is to select your .IntuneWin file and to provide information about the application. I will start with Citrix Workspace and then add Acrobat Reader.

Application information

The second step specifies how to install the application. For the install and uninstall commands you will need to enter the batch files you created in the beginning. In my case the install command is install.cmd and the uninstall command is uninstall.cmd. For installation behavior you can choose between system and user. This determines where the application will be installed, either in the system context or in the user profile, which depends on your application.

Application installation controls

Next, choose the restart behavior after the application is installed. Of course, this all depends on your application and whether it requires a reboot. The available actions are explained below:

Determine behavior based on return codes – The device will restart based on the configured return code.
No specific action – Will suppress a restart during the installation of Win32 apps.
App install may force a device restart – This option means that the Win32 app installation can complete without suppressing restarts. With this configuration a Hard reboot return code will notify the user that a restart of the device will be triggered in 120 minutes. A Soft reboot return code will notify the user that a restart is required to finish the installation.
Intune will force a mandatory device restart – After a successful Win32 app installation the device will be rebooted immediately with no notification.

You get several default return codes. In most cases these return codes will work for your application. The code configures the post-installation behavior of the Win32 app. If your application uses different return codes, you can enter them here. The actions are explained:

Failed – The Failed return code indicates that the Win32 app installation failed.
Hard reboot – The Hard reboot return code indicates that the device is required to restart to complete the installation. Additional Win32 apps cannot be installed on the device without restart. The user will be notified about the required restart.
Soft reboot – The Soft reboot return code indicates that the next Win32 app can be installed without requiring a restart, but a restart is necessary to complete the installation of the installed Win32 app. The user will be notified about the restart.
Retry – The Retry return code indicates that the Win32 app installation is retried three times. The installation will wait for 5 minutes between each attempt.
Success – The Success return code indicates the Win32 app installation was successful.

The third step in the process is to specify the requirements. For the most part these are self-explanatory. You can however use custom requirement types such as specific files, registry settings or even scripts to determine whether an application should be installed or not. I will not be going into detail in this blog. For now, I only choose to install on 64-bit machines with a minimum operating system of Windows 10 1903.

Installation requirements

The fourth step is the detection rules. The detection rules are used to check whether the application is present on the device. If the rules are not met, Endpoint Manager will try to install the application on the device.

For .exe installations you might decide to just validate if the application is present. In my case I just check if SelfService.exe is present, in the path C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\.

EXE Application detection rule

The fifth step is to create dependency rules. Software dependencies are applications that must be installed before this application can be installed.  Specifically, the device must install the dependent apps before it installs the Win32 app. You can add Win32 app dependencies only after your Win32 app has been added and uploaded to Intune. After your Win32 app has been added, you will see the Dependencies option on the pane for your Win32 app. Any Win32 app dependency needs to also be a Win32 app. It does not support depending on other app types, such as single MSI LOB apps or Microsoft Store apps.

Since this is the first Win32 app there is no option to create any dependencies. After Citrix Workspace is added, a dependency will be created for Acrobat Reader. So, I just select next and assign the application to a user group as required.

For Acrobat Reader the steps are the same with a few exceptions. For the detection rules I will use an MSI rule type instead of a file location. Normally the MSI product code is filled in automatically. If this is not the case, you can check your registry. For 64-bit machines browse to HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall. Here you will find an overview of all the installed applications. In my case, for Acrobat Reader, I can find the MSI GUID.

MSI application detection rule
Find the MSI GUID in the Registry settings
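Instead of browsing the Uninstall keys by hand, the product code can be read with PowerShell. This is an added example, not code from the original post; the display name pattern for Acrobat Reader is an assumption, so adjust it to your application.

```powershell
# Added example (not the post's own code): find the MSI product code that the
# Intune MSI detection rule needs by reading the Uninstall keys the post refers to.
# The display name filter passed at the bottom is an assumption.
function Get-MsiProductCode {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)

    # 64-bit installs register under the first key, 32-bit installs under WOW6432Node
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object {
            $_.DisplayName -like $DisplayNamePattern -and
            # Windows Installer entries use the product code GUID as the key name
            $_.PSChildName -match '^\{[0-9A-F-]{36}\}$'
        } |
        Select-Object DisplayName, DisplayVersion,
            @{ Name = 'ProductCode'; Expression = { $_.PSChildName } },
            @{ Name = 'Bitness'; Expression = { if ($_.PSPath -like '*WOW6432Node*') { '32-bit' } else { '64-bit' } } }
}

# Example: look up Acrobat Reader and show the value to paste into the detection rule
Get-MsiProductCode -DisplayNamePattern 'Adobe Acrobat*' | Format-Table -AutoSize
```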

Since Citrix Workspace has been added to Endpoint Manager it can be used as a dependency. Acrobat Reader and Citrix do not require each other to function; this is purely for demonstration purposes. To add a dependency, simply select Add dependency and select the application, in this case CitrixWorkspace.exe. Creating this dependency means that before Acrobat Reader is installed the Citrix Workspace application must be present. If Citrix Workspace is not present, Endpoint Manager will install it first.

Application dependencies

Now the configuration is ready, and the applications start deploying to the clients. What happens on the client? Well, first the Intune Management Extension is installed on the client. This extension is used for the installation as well as for the deployment of custom PowerShell scripts on devices. You can use the extension's log for troubleshooting purposes. The log file IntuneManagementExtension.log can be found in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs.

User notification

Update MSIX package with Intune

In my previous blog I showed how easy it was to package and deploy an application using MSIX and Intune. In this blog I want to show how easy it is to update an application. Applications evolve, and from time to time they get updated with the latest patches or security updates. Updating applications with Intune can be challenging. Sometimes you have to create a new deployment of an application. This requires you to first uninstall the application, otherwise you would get conflicts.

So for this blog I have the following situation. I have deployed the Citrix Receiver application to my users. Citrix Receiver has been updated and is now the Citrix Workspace application. I want to remove Citrix Receiver and replace it with the new Citrix Workspace application. Let me show you how easy this process is when you use MSIX.

So I have my test machines on which the Citrix Receiver MSIX is deployed.

CitrixReceiver

The first step is to create a new MSIX package for the Citrix Workspace application. I won't go over all the steps (check out the previous blog). But here it is important that you name your package the same as the application you want to replace. So if you previously deployed an application with the name CitrixReceiver, create a new package with the name CitrixReceiver. Furthermore, it is important that you increment the version of your package.

Update_MSIX
Update Name and Versions

When your MSIX package is ready and tested, you can upload it to Intune. Simply go to your previous deployment. In my case this was the CitrixReceiver deployment. Select Properties and go to App package File. Here you can select and upload the new version of your application.

Upload new version of your MSIX package

When the application is finished uploading Intune will redeploy the application to your clients.

MSIX updating to Workspace
Citrix Workspace App is finished updating

Recap

I showed you how easy it was for you to update an existing MSIX application with Intune, by simply redeploying it. Knowing how easy your application management can be, I would encourage everyone to give MSIX a try.

Deploy MSIX with Intune

I think we can all agree that application deployment is probably the most challenging part of an Intune implementation. The wide variety of Line of Business applications and different installation types can give you sleepless nights. It's true that Microsoft has made some real improvements in application deployment with the support for most application extensions. But there are always some applications that simply can't be deployed with Intune or are very hard to deploy and manage.

With the introduction of MSIX I dare to say that you can now practically deploy any application successfully with Intune. In this blog I describe how you can create and deploy an MSIX package with Microsoft Intune.  In this blog I will cover:

  • Create a Self-Signed Certificate (testing purposes)
  • Deploy a certificate with Intune
  • Create a MSIX package
  • Deploy the MSIX package

Please note that in order to install MSIX packages you must enable Application Sideloading.

Create a self-signed certificate

Before you can deploy an MSIX package you need a certificate to sign your package. Signing a package is a required step in the creation of the package. This is necessary because it is the only way you can assure that the package is valid and came from a trusted provider. Preferably you should use a code signing certificate from a 3rd party provider. For now I use a self-signed certificate so that the deployment can be tested, but for your production environment I wouldn't recommend this.

To create a self-signed certificate, start PowerShell as an administrator on any VM. Enter the following command, where you replace <Your Organisation> with a name of your choosing:

New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My -Subject "CN=<Your Organisation>" -KeyAlgorithm RSA -KeyLength 2048 -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert
Self_Signed-Certificate

To export the certificate open certmgr; your certificate is located in the Personal certificates folder. Select the certificate –> All Tasks –> Export. Choose Next –> Yes, export the private key –> Choose Next –> For Encryption choose AES256 and enter a password –> Enter a save location –> and choose Finish. You now have the certificate with a .pfx extension.

Export Certificate

We also need a certificate with the .cer extension, so run the export wizard again. Select the certificate –> All Tasks –> Export. Choose Next –> No, do not export the private key –> Choose Next –> Enter a save location –> and choose Finish.

You now have the certificate to sign your MSIX package and you have a certificate to distribute it via Intune.
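The two wizard runs above can also be done in the same elevated PowerShell session. The following is an added example, not the original post's command; the subject and output paths are assumptions, and the AES256 export option requires a PKI module recent enough to support it.

```powershell
# Added example (not the original post's command): create the self-signed code
# signing certificate and export the .pfx (for signing) and .cer (for the Intune
# trusted certificate profile) without the certmgr wizard. Names and paths are assumptions.
$Subject   = 'CN=Contoso Packaging'        # replace with your organisation
$OutputDir = 'C:\temp\msix-cert'
New-Item -Path $OutputDir -ItemType Directory -Force | Out-Null

# Same parameters as the command in the post; the returned object is used below
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\CurrentUser\My `
    -Subject $Subject -KeyAlgorithm RSA -KeyLength 2048 `
    -Provider 'Microsoft Enhanced RSA and AES Cryptographic Provider' `
    -KeyExportPolicy Exportable -KeyUsage DigitalSignature -Type CodeSigningCert

# Private key + certificate, password protected; this is the file the MSIX
# Packaging Tool signs with. Read-Host keeps the password out of the script.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfxPath = Join-Path $OutputDir 'msix-signing.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -CryptoAlgorithmOption AES256_SHA256 | Out-Null   # matches the wizard's AES256 choice

# Public certificate only; this is what the Intune trusted certificate profile distributes
$cerPath = Join-Path $OutputDir 'msix-signing.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# The package Publisher must match this Subject exactly or the MSIX will not install
Write-Output "Subject (use as Publisher): $($cert.Subject)"
Write-Output "Thumbprint: $($cert.Thumbprint)"
Write-Output "Exported: $pfxPath and $cerPath"
```

Keep the .pfx off shared storage; only the .cer is meant to leave the packaging VM.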

Deploy Certificate Using Intune

Before you can install the MSIX package on any machine, the certificate used to sign the application must be trusted by the machine. Otherwise the application won't start. To install the certificate on the machine we can use Intune to distribute it.

From the Intune Management Portal go to –> Device Configuration –> Profiles and choose Create Profile. Here you enter the name and description of the profile. For the platform choose Windows 10 and later, and for Profile type select Trusted certificate. In the new blade select the .cer certificate that you exported. After you have created the profile, assign it to a group which has a test device in it.

Certificate_Intune

Create a MSIX Package

For this blog I wanted to package an application that I had some trouble with in the past, the Citrix Receiver.

I have copied the Citrix Receiver installation file and the pfx certificate to the packaging VM and have launched the MSIX Packaging Tool. Here I want to create a new package, so I select ‘Application Package’.

MSIX_New_Package

Select Create package on this computer and choose Next. The packaging tool will now check some prerequisites and make sure that the drivers are installed.

MSIX_Prereqs

In the next screen select the installation file. For now, I leave the installer arguments empty. For Signing preference, I select Sign with a certificate. This step is important. If you don’t select a certificate the application won’t be able to install.

MSIX_certificate

Now provide some information for your package. Give your package a name and a display name. The publisher name is taken from the certificate. The display name must be the same as the certificate; if these values don't match the application won't install. The installation location is not a mandatory field but is recommended.

MSIX_Information

By clicking Next you will now enter the installation stage. The installation of your application will now start. You can just run through the installation as you normally would. When the installation is completed you can continue by clicking Next.

MSIX_Citrix_Installation

If the application requires any first launch tasks, they can now be performed otherwise press Next and continue Yes, move on. The package will now be created.

MSIX_Capturing

Finally provide a save location for the package and choose Create.

MSIX_Save_Package

Deploy MSIX with Intune

Now that the MSIX package is ready we can start deploying it with Intune. Simply go to the Intune management portal –> Client apps –> Add App and select Line-of-business app. Here you can upload the MSIX package you created.

MSIX_Intune

When you click the app information blade you can see that most of the information is already filled out with the information from the MSIX package. After adding the app, just wait till the application is uploaded. The final step is to assign the application to a group.

After some time check your test machine to confirm that the application is deployed.

MSIX_Installation_Conformation

Recap

As you can see, the packaging and distribution of an application with MSIX and Intune is really easy. But it doesn't stop here; after you have deployed one version of the application you might want to provide the application with an update. With MSIX this process is even easier. So in my next blog I will show you how you can upgrade the Citrix Receiver application to the new Citrix Workspace application!