Using Intune Win32 Apps instead of Intune PowerShell Scripts

Update – 28 November 2022 – Check out this blog for a for another approach to do this using the Proactive Remediation feature (The example used in that blog is removing the Windows 11 built in Teams app). I am in the process of switching a number of my Win32 apps to proactive remediations now.

Sometimes, you just need to deploy a one off setting or configuration quickly, and the Intune PowerShell feature can be very handy to do this.  I have used this a lot to run PowerShell scripts on my managed Windows 10 and 11 Endpoints to do admin tasks like removing built-in Windows apps, or to enforce certain configurations.

A recent example of this was to set a registry key to disable the ‘Could not reconnect all network drives’ toast notification (which is more of an annoyance as the the network drives are actually working but this notification can generate unnecessary calls to the service desk).

So to get around this, I used the following PowerShell script to set the RestoreConnection key on every device which suppresses the toast notification.

# Creates a registry value to Disable Reconnect Network Drives Warning
# Author: Paul Warren - 20/04/2021
 
$Key = Get-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\"
If($Key.GetValue("RestoreConnection") -eq $null) 	
	{
		New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider -Name RestoreConnection -PropertyType DWord -Value 0 -Force
	}
else 
	{
		Write-Host "all good"
	}

This has been working well until recently when doing in-place upgrades to Windows 11.  I noticed that after the in-place upgrade, the toast notification returned and upon investigation, the key set by this script was missing.  Because the Intune PowerShell feature is a run once type of thing, I needed to find a way to set this key again, and ensure it remained.

Another option was to also deploy the PowerShell script to my Windows 11 Dynamic Device group, but I found I had varying results doing this, and there was no guarantee that the key would not somehow be removed again.

To solve this issue, I decided that adding the registry key using PowerShell is still a good approach, but instead of using the Intune PowerShell feature, I decided to take this script and deploy it as a Win32 application.

The original script would be fine to use as the installer, but there are a few additional requirements for a Win32 App, specifically a removal script (It is always good practice to ensure that anything you “install” can also be cleanly removed), and a way to detect the application install.

I have created the following script that removes the registry key created by the original script

# Removes the registry value to Disable Reconnect Network Drives Warning
# Author: Paul Warren - 04/10/2021
 
Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider' -Name "RestoreConnection" -Force -ErrorAction SilentlyContinue

The next requirement is a detection method. In this example of a registry key being configured, I would normally use the registry detection method in Intune, but other uses for this may require the use of a detection script, so for the purposes of this example I will use the following script.

$regkey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider'
$name = 'RestoreConnection'
 
$exists = Get-ItemProperty -path $regkey -name $name -ErrorAction SilentlyContinue
 
if ($exists.RestoreConnection -eq 0)
	{
		Write-Output "Registry Key Present"
		Exit 0	
	}
ELSE
	{
		Write-Output "Registry Key Missing"
		Exit 1603	
	}

In a nutshell, the script will check if the key is present with the value of 0. If it is, the process will report back to Intune that the app is installed and no further action is required. If it isn’t, the process will run the install command creating the key in the registry.

To create a Win32 App in Intune to run PowerShell scripts, you will need to start by download the Microsoft Win32 Content Prep Tool

Place all of the required scripts and any required files into one single folder.

NOTE: Everything in this folder will be added to the .intunewin file, so only put the files you need in this folder

From a Terminal Window, run the IntuneWinAppUtil.exe

Specify the source folder, the setup file and the output folder.

The utility will then create a .intunewin file which can be uploaded to Intune.

In Intune Apps – Add a new App and select the app type Windows app (Win32)

Select the intunewin file created earlier

Provide the relevant App Information

Add the following Install and Uninstall commands:

powershell -executionpolicy bypass -file Install-DisableReconnectNetworkDrivesWarning.ps1
powershell -executionpolicy bypass -file Uninstall-DisableReconnectNetworkDrivesWarning.ps1

Add in the requirements that are appropriate to your environment

For the Detection rules, I would normally use (and recommend using) a manual detection rule to detect the registry key.

But as mentioned earlier, I want to demonstrate using the detection script method.

I will then deploy this to all my Windows Devices as a Required assignment and have configured the End user notifications only to show if a restart is required.

Review the App and click on Create

Once my test device has synced with Intune, I can see that the application has been Installed

Looking at the device, I can see in the registry that the key has been successfully created and no toast notification has occured.

So this is good for installing the key like it would be using the Intune PowerShell method, but I also want to test the persistence of the App. To do this I deleted the registry key.

After a period of time, the registry key is restored due to the App being a required install and re-running the install command due to the detection method showing the app as Not Installed.

NOTE: This can take up to 8 hours for the App to re-deploy as the data inventory runs every 8 hours

In addition to using this method to ensure that whatever I configure persists, it also has a clean removal, so if I ever need to remove the configuration in the future, I can simply change the Assignment from Required to Uninstall.

I have gone on to use this approach a number of times to ensure other configurations in my environments are always set correctly, and if not, any remediation is done without the requirement of manual intervention.

P.

Categories: TechnologyTags: · · · · ·

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s