Today a short blog about updating applications for Windows devices with Microsoft Endpoint Manager (Intune). It`s not about updating apps we deployed as required app, but which we made available for our users and are not installed on all our devices.
If we deploy Win32 apps as required to all our Windows devices, or a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices as required. The current installed version will be updated with the latest version and that`s it.
But what about applications we made available and are not deployed as required apps? How to make sure the application is updated on the devices on which the application is installed via the Company Portal by the user? We cannot just assign the new version to all devices, as this will also install the application on devices where the application was not installed before.
A solution for this is using an application requirement. In the requirements by default we set the OS architecture and minimum operating system version, but we also have custom requirement options. In such a custom requirement rule we can use the same controls as we have in the manual detection rules. We can for example use the presence of a file or registry key. We can expand this for example by checking the version of a file to determine if an (old) application version is installed on a device.
By using such a requirement rule, we can target the (new version of the) application to all Windows devices. Devices which have not installed the old version of the application, will be marked as not applicable and the application won`t be installed on that device. On devices on which the old application is installed, the new version will be installed.
A down-side of this approach is you actually need to create two deployments (at least temporary). One deployment to update all existing applications and the second to make the new version available to the users.
Let`s see where this requirement rule needs to be added to the app deployment.
Add the requirement rule to the app deployment
In my example I have Adobe Reader made available for my users, which is installed on a couple of Windows devices. Adobe made a new version available, which needs to be installed as soon as possible on the devices where the old version is installed.
I create an application with the latest installation files in it an target this to all my Windows devices so the old version is replaced as soon as possible with the new version.
In my Win32 app deployment I create an application requirement rule which checks if the AcroRd32.exe file is present on the device and I also check the version of this file.
The file version I use is 20.6.20042 which I got by running this PowerShell command;
(Get-Command “C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe”).FileVersionInfo.FileVersion
Now switch over to the Endpoint Manager Admin center (Intune), upload your .intunewin file, fill in the required information and browse to the Requirements tab.
Click Add under No requirements are specified.
Choose a Requirement Type of your choice. I choose File.
Here you can create your requirement rule with the settings which fits your needs.
As described, with my example I check if the file AcroRd32.exe is present under %ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader. Besides that, I also check the file version with the Property String (version).
Finish the application deployment and assign it to the group of choice or all devices as required.
The client side
Let`s have a look at the client side to see what happens.
The Win32 application installation is handled by the Intune Management Extension. The Intune Management Extension log file can be found on the local Windows 10 device at %programdata%\Microsoft\IntuneManagementExtension\Logs and is named IntuneManagementExtension.log. The file can be opened by using a text editor or CMTrace.
In the log file we see the AcroRd32.exe file is checked and version comparison is done. The actualVersion is checked with the compareVersion. In this case applicationDetected is true, so the application will be installed.
If we take a look at the log file on a device where Adobe Reader isn`t installed we see the same check is done, but ofcourse the application isn`t detected and the installation of Adobe Reader isn`t started.
In the Endpoint manager admin center the device status is shown as Not applicable for a device where Adobe Reader isn`t installed. And the status details is (in my example) fileSystemRequirementNotMet.
And ofcourse on the other device Adobe Reader is installed.
That`s it for this short post. I hope you found it informative.
I`d really like to hear your thoughts on this approach of updating applications with Endpoint Manager (Intune) and if you have another (maybe better!) approach, please leave a comment.