How to update Win32 applications with Microsoft Intune

Today a short blog about updating applications for Windows devices with Microsoft Endpoint Manager (Intune). It's not about updating apps we deployed as required apps, but about apps we made available to our users and that are not installed on all our devices.

If we deploy Win32 apps as required to all our Windows devices, or to a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices. The currently installed version will be updated to the latest version and that's it.

But what about applications we made available and are not deployed as required apps? How to make sure the application is updated on the devices on which the application is installed via the Company Portal by the user? We cannot just assign the new version to all devices, as this will also install the application on devices where the application was not installed before.

A solution for this is using an application requirement. In the requirements by default we set the OS architecture and minimum operating system version, but we also have custom requirement options. In such a custom requirement rule we can use the same controls as we have in the manual detection rules. We can for example use the presence of a file or registry key. We can expand this for example by checking the version of a file to determine if an (old) application version is installed on a device.

By using such a requirement rule, we can target the (new version of the) application to all Windows devices. Devices which do not have the old version of the application installed will be marked as not applicable, and the application won't be installed on those devices. On devices on which the old application is installed, the new version will be installed.
A downside of this approach is that you actually need to create two deployments (at least temporarily): one deployment to update all existing installations, and a second to make the new version available to the users.

Let's see where this requirement rule needs to be added to the app deployment.

Add the requirement rule to the app deployment

In my example I have Adobe Reader made available for my users, which is installed on a couple of Windows devices. Adobe made a new version available, which needs to be installed as soon as possible on the devices where the old version is installed.

I create an application with the latest installation files in it and target this to all my Windows devices, so the old version is replaced with the new version as soon as possible.

In my Win32 app deployment I create an application requirement rule which checks if the AcroRd32.exe file is present on the device and I also check the version of this file.

The file version I use is 20.6.20042, which I got by running this PowerShell command:
(Get-Command "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe").FileVersionInfo.FileVersion

Now switch over to the Endpoint Manager Admin center (Intune), upload your .intunewin file, fill in the required information and browse to the Requirements tab.
Click Add under No requirements are specified.

Choose a Requirement Type of your choice. I choose File.
Here you can create your requirement rule with the settings which fit your needs.
As described, with my example I check if the file AcroRd32.exe is present under %ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader. Besides that, I also check the file version with the Property String (version).

Finish the application deployment and assign it to the group of choice or all devices as required.
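
To see on a test device what a "file exists plus file version" requirement would evaluate to before assigning the deployment, the check can be reproduced locally. This is an added example, not code from the original post and not Intune's own evaluation logic; the function name, its parameters and the operator names are this example's own, and 64-bit Windows is assumed.

```powershell
# Added example: local pre-check of a "file exists + file version" requirement.
# Function name, parameters and operator names are hypothetical (this example's own).
function Test-FileVersionRequirement {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $CompareVersion,
        [ValidateSet('eq', 'ne', 'lt', 'le', 'gt', 'ge')] [string] $Operator = 'eq'
    )

    # File missing: requirement not met, nothing to compare.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; ActualVersion = $null; RequirementMet = $false }
    }

    # Build the version from the numeric parts; the FileVersion string can carry extra text.
    $info   = (Get-Item -LiteralPath $Path).VersionInfo
    $actual = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

    # Pad the wanted value to four parts: [version]'20.6.20042' has Revision -1
    # and would otherwise sort below 20.6.20042.0.
    $parts  = @($CompareVersion.Split('.')) + @('0', '0', '0')
    $wanted = [version]($parts[0..3] -join '.')

    # CompareTo works numerically per part, so 20.10 is greater than 20.6
    # (a plain string comparison would say the opposite).
    $c = $actual.CompareTo($wanted)
    $met = switch ($Operator) {
        'eq' { $c -eq 0 }
        'ne' { $c -ne 0 }
        'lt' { $c -lt 0 }
        'le' { $c -le 0 }
        'gt' { $c -gt 0 }
        'ge' { $c -ge 0 }
    }
    [pscustomobject]@{ Path = $Path; Present = $true; ActualVersion = $actual; RequirementMet = $met }
}

# Path and version are the ones used in this post (64-bit Windows assumed).
$reader = Join-Path ${env:ProgramFiles(x86)} 'Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'
Test-FileVersionRequirement -Path $reader -CompareVersion '20.6.20042' -Operator eq
```

Running it on a device without Adobe Reader returns Present = False and RequirementMet = False, which corresponds to the device being reported as not applicable.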

The client side

Let's have a look at the client side to see what happens.
The Win32 application installation is handled by the Intune Management Extension. The Intune Management Extension log file can be found on the local Windows 10 device at %programdata%\Microsoft\IntuneManagementExtension\Logs and is named IntuneManagementExtension.log. The file can be opened by using a text editor or CMTrace.
In the log file we see the AcroRd32.exe file is checked and version comparison is done. The actualVersion is checked with the compareVersion. In this case applicationDetected is true, so the application will be installed.

If we take a look at the log file on a device where Adobe Reader isn't installed, we see the same check is done, but of course the application isn't detected and the installation of Adobe Reader isn't started.

In the Endpoint Manager admin center the device status is shown as Not applicable for a device where Adobe Reader isn't installed, and the status details value is (in my example) fileSystemRequirementNotMet.
And of course on the other device Adobe Reader is installed.

That's it for this short post. I hope you found it informative.

I'd really like to hear your thoughts on this approach of updating applications with Endpoint Manager (Intune) and if you have another (maybe better!) approach, please leave a comment.


  1. Hi,
    Do I need to change the detection rule also when updating the package when using a required setting?

    If we deploy Win32 apps as required to all our Windows devices, or a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices as required. The current installed version will be updated with the latest version and that's it.

    • You should create a new intunewin package with the new version and upload that as new win32 deployment. Assign it to the same group as the old version.
      In the new deployment make sure the detection rule is updated compared to the old version.

  2. And for updating a Win32 app (non-required), can I use the same application over again when there is a new version, or do I need to add a new app instance in Intune every time there is a new version and delete the old one?


    • You should create a new deployment every time you have a new version.
      And probably you need two deployments temporarily. One with the requirement rule to update the installed apps which are installed using the available assignment.
      And create the second deployment to make the new version available.
      Not ideal, but at this moment the only way to work around the limitations of app deployments in Intune.

  3. I hate that we have to come up with these crazy workarounds to what should be included as basic functionality. Sometimes I miss Configuration Manager. :0)

    I suppose you could do a version check and say if installed version is less than new version. Does anyone know how the logic works for non-integers? Example: is >

  4. I have deployed an application as a Win32 app as available. After waiting an hour, the app is not available in my Company Portal. Request you to please suggest troubleshooting steps or refer any website or URL where I can find the troubleshooting steps for the same.
    I want to deploy the same application, which I deployed on other devices two days back, on another device or device collection. Is there any option to add multiple devices or device collections in a single Win32 application?
    Thanks in advance

    • Don't know a location or log file to troubleshoot why your app is not shown in the Company Portal app. I suggest checking the assignment. Have seen in the past that the assignment was accidentally assigned as excluded instead of included. And make sure you assign available apps to user groups, not device groups.

      You can assign a WIN32 application to multiple security groups.
