How to deploy Win32 applications with Microsoft Intune: a how-to guide
Everyone can agree that packaging and creating a Windows app is a daunting task. In this blog we show you, step by step, how to package and deploy a Win32 app in Microsoft Intune, and how to do it in a smart way in just a couple of clicks.

What is a Win32 app?

Win32 applications are programs written for the Windows operating system. Microsoft Intune provides Win32 app management capabilities and supports both 32-bit and 64-bit Windows. Win32 app management lets you handle different installer formats, such as .msi, .exe, .msix or others. The one thing to remember before creating a Win32 app in Microsoft Intune is that you have to package it first.

Intune Win32 App Deployment Prerequisites

To manage Win32 apps in Microsoft Intune, your environment must meet a few prerequisites: the clients run Windows 10 version 1607 or later, and the devices are Azure AD joined, hybrid Azure AD joined or Azure AD registered, and enrolled in Intune.

Process of Intune Win32 App Deployment

Step 0. Download the Microsoft Win32 Content Prep Tool

As mentioned, before you can upload a Win32 app to Microsoft Intune you must package it with the Microsoft Win32 Content Prep Tool. The tool converts the installation files into the .intunewin format and detects some of the parameters Intune needs to determine the installation state of the application. You can download the tool from GitHub. It ships as a .zip file; extract the contents to a folder. The archive contains IntuneWinAppUtil.exe, the Microsoft license terms, a readme file and release notes. Always use the latest version of the tool; otherwise Intune shows a warning that the app was packaged with an older version.

Step 1. Win32 app preparation

In this step we package the application, wrapping it into an .intunewin file with the Win32 Content Prep Tool. As an example we use 7-Zip. Make sure the installation file is in a dedicated folder and that you know that folder's path: the tool packages the whole folder, so keep only the files that belong to this app in it.

Step 2.
Packaging a Win32 app in Intune (.intunewin)

It's time for packaging! Run IntuneWinAppUtil.exe and provide the folder that contains the installation file, in this case the location of the 7-Zip installer (7z2200-x64). Then specify the setup file to package and, finally, the output folder. Press Enter and the .intunewin file is ready. Once you have the application in .intunewin format, you can create the Win32 app in Intune.

Step 3. Intune Win32 App Deployment

Now we start the actual Win32 app deployment in Microsoft Intune. Sign in to the Microsoft Endpoint Manager admin center, navigate to Apps > All apps and press + Add. As App type select Other > Windows app (Win32). In the App package file blade, browse to the 7z2200-x64.intunewin you just created.

Next, fill in the app information: Name, Description, Publisher, Category, Information URL, Privacy URL, Developer, Owner and Notes, and upload a logo. The icon is displayed with the app when users browse the Company Portal.

In the Program section you configure how the application is installed: the install and uninstall commands, the install behavior (System or User) and the device restart behavior.

- Install command: normally filled in automatically for an MSI. If it is not, or you need extra switches, customize the installation command here.
- Uninstall command: for an MSI, msiexec /x "{12345A67-89B0-1234-5678-000001000000}", where the GUID is the product code of the package (the value shown here is a placeholder).
- Device restart behavior: one of four options: Determine behavior based on return codes, No specific action, App install may force a device restart, or Intune will force a mandatory device restart.

You can also specify return codes to indicate post-installation behavior. A default set of return codes is added when you create the app (0 and 1707 = Success, 3010 = Soft reboot, 1641 = Hard reboot, 1618 = Retry); you can add more or change the existing ones. The code types are Failed, Hard reboot, Soft reboot, Retry and Success.

In Requirements you define what a device must meet before the app is installed: the operating system architecture (32-bit, 64-bit or both) and the minimum operating system are mandatory; disk space, physical memory, number of logical processors and minimum CPU speed are optional, and you can add further requirement rules based on a file, a registry key or a script.

When deploying a Win32 app in Microsoft Intune you must also specify detection rules, that is, how Intune determines whether the application is already present on the device.
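The packaging step and the Program section above, as one script. This is an added example, not code from the original post and not part of Microsoft's tool: it verifies the downloaded installer before it is shipped to every endpoint, reads the ProductCode out of the MSI so the uninstall command is not guessed, and then calls IntuneWinAppUtil.exe with its documented -c, -s, -o and -q switches. The folder layout, the tool path and the -ExpectedSha256 value (the vendor-published hash, which the original post does not contain) are assumptions you adjust.

```powershell
<#
  Added example (not from the original post, not Microsoft's tooling).
  Assumptions: folder layout below; IntuneWinAppUtil.exe extracted to C:\Tools;
  -ExpectedSha256 is the SHA-256 the vendor publishes for the installer (placeholder, empty = skip).
#>
param(
    [string]$SourceFolder   = 'C:\Packaging\7zip\source',
    [string]$SetupFile      = '7z2200-x64.msi',
    [string]$OutputFolder   = 'C:\Packaging\7zip\output',
    [string]$PrepTool       = 'C:\Tools\IntuneWinAppUtil.exe',
    [string]$ExpectedSha256 = ''
)

$ErrorActionPreference = 'Stop'
$setupPath = Join-Path $SourceFolder $SetupFile

# 1. Supply-chain check: hash and Authenticode status of the file we are about to push to every device.
$actual = (Get-FileHash -Path $setupPath -Algorithm SHA256).Hash
if ($ExpectedSha256 -and ($actual -ne $ExpectedSha256.ToUpperInvariant())) {
    throw "SHA-256 mismatch for $SetupFile : got $actual, expected $ExpectedSha256"
}
$sig = Get-AuthenticodeSignature -FilePath $setupPath
Write-Host "Authenticode status for $SetupFile : $($sig.Status)"   # 'Valid', 'NotSigned', ...
# An unsigned vendor installer is not automatically wrong, but it is a decision to take explicitly.

# 2. Read a property from the MSI Property table through the Windows Installer COM API.
function Get-MsiProperty {
    param([string]$MsiPath, [string]$Property)
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($MsiPath, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                @("SELECT Value FROM Property WHERE Property = '$Property'"))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    if ($null -eq $rec) { return $null }
    return $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}

# Intune runs the install command inside the extracted package folder, so the relative file name is enough.
$installCmd   = "msiexec /i `"$SetupFile`" /qn /norestart"
$uninstallCmd = $null
if ([IO.Path]::GetExtension($SetupFile) -ieq '.msi') {
    $productCode  = Get-MsiProperty -MsiPath $setupPath -Property 'ProductCode'
    $uninstallCmd = "msiexec /x `"$productCode`" /qn /norestart"
}

# 3. Package. -q = quiet; an existing .intunewin in the output folder is overwritten.
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
& $PrepTool -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil.exe failed with exit code $LASTEXITCODE" }

$package = Join-Path $OutputFolder ([IO.Path]::GetFileNameWithoutExtension($SetupFile) + '.intunewin')
if (-not (Test-Path $package)) { throw "Expected package not found: $package" }

# 4. What goes into the portal's Program section.
[pscustomobject]@{
    Package          = $package
    InstallCommand   = $installCmd
    UninstallCommand = $uninstallCmd
}
```

With /norestart, msiexec returns 3010 when a reboot is pending instead of rebooting on its own, which is exactly the code Intune maps to Soft reboot by default; keep the default return codes and let the Device restart behavior setting decide what happens next.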
Detection can be configured manually or with a custom PowerShell script.

Manual detection rule formats:

File or folder rule
- Path: the full path of the folder that contains the application file.
- File or folder: the file or folder used to detect the app.
- Detection method: File or folder exists, Date modified, Date created, String (version) or Size in MB.

Registry rule
- Key path: the full path of the registry entry holding the value used to detect the installation, e.g. HKEY_LOCAL_MACHINE\Software\7zip.
- Value name: if left empty, detection happens on the key's default value. The default value is also used when the detection method is anything other than key existence.
- Detection method: one of five self-explanatory options: Key exists, Key does not exist, String comparison, Version comparison or Integer comparison.

MSI rule
In our example we use the MSI detection rule. The MSI product code is populated automatically from the package; if it isn't, add it manually.

Custom PowerShell script
This rule format lets the Intune admin detect basically anything that can be scripted, as long as the script produces the right output. It needs a few configuration properties: the script file, whether to run it as a 32-bit process on 64-bit clients, and whether to enforce the script signature check. Intune evaluates the result from what the script writes to STDOUT and STDERR and from its exit code: if the script exits with a nonzero code, detection fails and the app is treated as not installed; if the exit code is zero and STDOUT contains data, the app is treated as installed. A script that exits 0 but writes nothing to STDOUT therefore also reports "not installed", which is the most common mistake in these scripts.

Dependencies
While uploading the Win32 app to Microsoft Intune you can add dependencies: applications that must be installed before your Win32 app, which Intune can optionally install automatically when they are missing.
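A custom detection script for the 7-Zip example that follows the STDOUT/exit-code contract just described. This is an added example, not from the original post: the 7-Zip registry values (HKLM\SOFTWARE\7-Zip, Path64/Path), the 7z.exe file-version check and the minimum version 22.00 are assumptions about how 7-Zip installs, and the handling of the 32-bit-process option is the point worth copying into any detection script that reads the registry.

```powershell
<#
  Added example (not from the original post). Contract per the text above:
  exit 0 AND something on STDOUT  => installed; anything else => not installed.
  Assumptions: 7-Zip writes HKLM\SOFTWARE\7-Zip with Path64/Path, installs 7z.exe there
  (or under Program Files\7-Zip), and 22.00 is the minimum version we accept.
#>
$MinimumVersion = [version]'22.0'

# Intune can run detection scripts as a 32-bit process on 64-bit clients (a portal option).
# In that case HKLM:\SOFTWARE is silently redirected to WOW6432Node and $env:ProgramFiles
# points at "Program Files (x86)". Opening the 64-bit registry view explicitly and preferring
# ProgramW6432 gives the same answer in both cases.
function Get-7ZipInstallPath {
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine,
                    [Microsoft.Win32.RegistryView]::Registry64)
        $key = $base.OpenSubKey('SOFTWARE\7-Zip')
        if ($key) {
            foreach ($name in 'Path64', 'Path') {
                $v = $key.GetValue($name)
                if ($v) { return $v }
            }
        }
    } catch { }
    $pf = if ($env:ProgramW6432) { $env:ProgramW6432 } else { $env:ProgramFiles }
    return Join-Path $pf '7-Zip'     # fallback when the registry value is absent
}

# Returns the installed version when it meets the minimum, otherwise $null.
function Test-7ZipInstalled {
    param([version]$Minimum)
    $exe = Join-Path (Get-7ZipInstallPath) '7z.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    $raw   = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion   # e.g. "22.00"
    $found = $null
    if (-not [version]::TryParse($raw, [ref]$found)) { return $null }
    if ($found -lt $Minimum) { return $null }                        # present but too old => re-install
    return $found
}

$detected = Test-7ZipInstalled -Minimum $MinimumVersion
if ($detected) {
    Write-Output "7-Zip $detected detected"   # STDOUT + exit 0 => Intune marks the app installed
    exit 0
}
# Nothing on STDOUT and a non-zero exit => not installed. Do not write diagnostics to STDOUT
# in this branch: any output combined with exit 0 would be read as "installed".
exit 1
```

Because the version comparison is part of the script, assigning the same app with a newer package later causes devices with 21.x to be detected as "not installed" and upgraded, which the plain MSI product-code rule would not do (a new version has a new product code).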
In Assignments you configure Required, Available for enrolled devices or Uninstall group assignments for the Win32 app. Finally, after reviewing all the configuration, add the Win32 application to Microsoft Intune. Once the application is uploaded, the
Getting started with Windows Autopatch: a step-by-step guide
Windows Autopatch has been available in public preview since April and will become generally available very soon.* *According to Microsoft, Windows Autopatch launches in July 2022. It is worth getting educated about this new feature of Microsoft Endpoint Manager and what its impact on you as an IT admin will be.

What is Windows Autopatch

Windows Autopatch is a cloud service that automatically manages Windows, Microsoft 365 Apps for enterprise, Microsoft Edge and Microsoft Teams updates for enterprises, in order to improve security and productivity. It aims to make IT admins' lives easier by taking over the patching of Microsoft products, so they can focus on the tasks that matter. Along with this, Windows Autopatch addresses other challenges IT departments face today:

- it closes the security gap: keeping software up to date protects endpoints against known vulnerabilities (CVEs);
- it closes the productivity gap;
- it optimises IT admin resources: by automating updates, admins can create value in other areas;
- it forces the implementation of modern device management;
- it minimises end-user disruption: releasing updates through rings keeps disruption small.

"The takeaway if you're an IT admin? You can continue using the tools and processes you're accustomed to for managing and deploying updates—or you can take a hands-off approach and let Windows Autopatch do it for you," said Lior Bela, a Sr. Product Marketing Manager at Microsoft.

The service takes control of:

- Windows quality updates: Windows Autopatch aims for at least 95% of eligible devices to be patched within 21 days of release.
- Microsoft 365 Apps for enterprise: aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel.
- Microsoft Edge: progressive rollout of Microsoft Edge to eligible devices.
- Microsoft Teams: devices benefit from the standard automatic update channel.

Prepare your endpoints for Windows Autopatch

To get started with Windows Autopatch, make sure you meet the infrastructure requirements.

Licensing: one of Microsoft 365 E3, Microsoft 365 E5, Windows 10/11 Enterprise E3, Windows 10/11 Enterprise E5 or Windows 10/11 Enterprise VDA. Additionally, Azure Active Directory Premium and Microsoft Intune are required.

Supported operating systems: Windows 10/11 Pro, Windows 10/11 Enterprise, Windows 10/11 Pro for Workstations.

Device management:
- Devices must be corporate-owned; Windows Autopatch does not support BYOD devices.
- Devices must be managed by Intune, or by Configuration Manager with co-management enabled.
- Devices must have communicated with Microsoft Intune within the last 28 days.
- Devices must be connected to the Internet.
- Devices must report a serial number, model and manufacturer.

If you're on-prem (SCCM): devices managed only by ConfigMgr cannot use Windows Autopatch. Co-management is the way forward: Intune must be set as the Mobile Device Management (MDM) authority, or co-management must be turned on and enabled on the target devices.

Setup & device registration

Tenant onboarding

To enroll your tenant you need one of the following built-in roles: Azure AD Global Administrator, Intune Service Administrator or Modern Workplace Intune Administrator. Sign in to the Microsoft Endpoint Manager admin center, go to Tenant administration > Tenant enrollment (under Windows Autopatch) and run the readiness check to see whether your tenant is ready to enroll.
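The readiness check covers the tenant. The device requirements listed above (corporate-owned, synced with Intune within 28 days, serial number, model and manufacturer present) can be checked per device before you register anything, so you know up front which devices Autopatch's own prerequisite check will reject. The following is an added example, not from the original post and not Microsoft's readiness assessment; it uses the Microsoft Graph PowerShell SDK (Get-MgDeviceManagementManagedDevice) and assumes that module is installed. The 28-day window and the attribute list are taken from the requirements above.

```powershell
<#
  Added example (not from the original post). Reports which Intune-managed Windows devices
  fail the Autopatch device requirements listed in the text above.
  Assumptions: Microsoft.Graph.DeviceManagement module installed; an account allowed to
  consent to DeviceManagementManagedDevices.Read.All.
#>
#Requires -Modules Microsoft.Graph.DeviceManagement
param([int]$MaxDaysSinceSync = 28)

# Pure function over one managedDevice object, so it can be run against exported data as well.
function Test-AutopatchDeviceReadiness {
    param(
        [Parameter(Mandatory)] $Device,            # result of Get-MgDeviceManagementManagedDevice
        [datetime]$Now = (Get-Date),
        [int]$MaxDays = 28
    )
    $problems = @()
    if ($Device.ManagedDeviceOwnerType -ne 'company') {
        $problems += "ownerType=$($Device.ManagedDeviceOwnerType) (BYOD is not supported)"
    }
    if (-not $Device.LastSyncDateTime -or ($Now - $Device.LastSyncDateTime).TotalDays -gt $MaxDays) {
        $problems += "last Intune sync '$($Device.LastSyncDateTime)' is older than $MaxDays days"
    }
    foreach ($attr in 'SerialNumber', 'Model', 'Manufacturer') {
        if ([string]::IsNullOrWhiteSpace($Device.$attr)) { $problems += "missing $attr" }
    }
    [pscustomobject]@{
        DeviceName = $Device.DeviceName
        Id         = $Device.Id
        Ready      = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null
$devices = Get-MgDeviceManagementManagedDevice -All -Filter "operatingSystem eq 'Windows'"
$report  = $devices | ForEach-Object { Test-AutopatchDeviceReadiness -Device $_ -MaxDays $MaxDaysSinceSync }

$report | Sort-Object Ready, DeviceName | Format-Table DeviceName, Ready, Problems -AutoSize
"{0} of {1} devices pass the pre-check" -f @($report | Where-Object Ready).Count, @($report).Count
```

The script only checks what Intune knows about the device; whether a ConfigMgr co-managed device has the right workloads switched to Intune is not visible here, so treat a "Ready" result as necessary, not sufficient.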
Once the assessment is done, the readiness assessment tool reports one of four results:

- Ready: no action required before enrollment.
- Advisory: you can enroll your tenant, but some issues must be fixed before deploying the first device.
- Not ready: enrollment will fail until you fix these issues.
- Error: the Azure AD role you are using does not have permission to enroll the tenant.

For Advisory and Not ready results, Microsoft lists the steps you have to follow to fix the issues. Once readiness is cleared, enroll the tenant by pressing Enroll. This takes some time, as it creates new Azure AD security groups and policies. Afterwards you grant Windows Autopatch administrator access and fill in some contact information, such as your phone number, email, name and preferred language. Click Complete. When setup is complete you see a notification, and you can start registering devices.

Onboarding devices to Windows Autopatch

Go to Devices and, under Windows Autopatch, click Devices. To register devices, click the Windows Autopatch Device Registration hyperlink; the Azure Active Directory group blade opens. Add devices through direct membership, or add other Azure AD dynamic or assigned groups as nested groups in the Windows Autopatch Device Registration group. Once devices, or groups containing devices, are added to the Windows Autopatch Device Registration group, Windows Autopatch discovers them and runs software-based prerequisite checks before registering them with the service; devices that fail a check are not registered.

Windows Update Rings in Windows Autopatch

Now it's getting interesting.
Devices are assigned to the update rings that Windows Autopatch creates:

- Modern Workplace Devices - Test
- Modern Workplace Devices - First
- Modern Workplace Devices - Fast
- Modern Workplace Devices - Broad

Each ring has a specific objective and a set of policies that control the rollout of updates in each management area.

Ring: Test
Device count: none by default
Description: Windows Autopatch does not automatically add devices to this ring; you add them manually. The recommended number of devices, by environment size:
- 0–500 devices: at least 1 device
- 500–5,000 devices: at least 5 devices
- 5,000+ devices: at least 50 devices
Devices in this ring are intended for your IT administrators and testers, since changes are released here first. This gives your organization the opportunity to validate updates before they reach production users.

Ring: First
Device count: 1%
Description: The First ring is the first group of production users to receive a change. These devices are the first to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, Microsoft can generate a statistically significant signal saying that critical errors are trending up in a specific release for
What is Patch Management: stages, best practices, challenges, automated patch management
Patch management is the practice of deploying software updates, or "patches", to protect a system or network from vulnerabilities. It plays a crucial role in IT system lifecycle management and vulnerability management. A patch is an update provided by a software vendor to fix a technical issue or remediate a security vulnerability; patches can also add new features and functionality. In short, patches secure, upgrade and optimise software (applications and operating systems). In this blog we cover everything you need to know about patch management, including best practices and challenges.

Types of patches

There are 3 common types of patches:

Security patch. One of the main reasons to implement patch management is to protect your organization from data breaches. Many breaches exploit known vulnerabilities in outdated software for which a fix already existed. Security patches close newly discovered holes; sometimes those holes are discovered only after they have already been exploited, which is why the time between release and deployment matters.

Bug-fixing patch. These patches fix application errors and bugs, which can have a big impact on your organization. Efficient patch management, which keeps your applications on the most recent and bug-free version, therefore provides immediate value.

Performance & feature patch. These patches improve the experience of using the application, for example by making it load faster, and vendors use them to add features that make the application easier and faster to use.

Process of patch management

Patch management is a complex and never-ending process. The cycle runs from discovering an application update to deploying it to all users. To update an application, you first detect the new version, then download and test it before pushing it to the users.
If the update is secure and works, you create a package with the new version of the app. For Microsoft Intune, that means wrapping the installer into an .intunewin file, uploading it to Intune and deploying it to the assigned users. As soon as the next update appears, you go through the whole process again. And again.

Benefits of patch management

A well-implemented patch management system offers many benefits to an organization, including:

- Improved security: all devices are kept up to date with the latest security patches, which reduces the risk of a breach.
- Reduced downtime: keeping devices patched minimizes the downtime caused by unpatched devices.
- Increased compliance: organizations subject to industry regulations stay compliant more easily when every device is demonstrably up to date.

Challenges of patch management

Patch management is one of the most important, but also most challenging, aspects of your job. Here are the 3 biggest challenges.

1. Time-consuming

According to the Ivanti report (2021), 71% of IT and security professionals find patching complex and time-consuming. Coming back to the patching cycle: you must continually identify and assess vulnerabilities, monitor and test patches, and deploy them to your systems. Based on the Ivanti survey, IT and security professionals spend 53% of their working time each month detecting and prioritizing vulnerabilities and 19% testing patches. The biggest problem is finding out that an update exists at all. Many people think of something like Microsoft's Patch Tuesday, but for most vendors there is no such schedule. Consider Chrome: a new major version ships about every four weeks.
Minor updates, such as security fixes, arrive every 2–3 weeks. For Google Chrome alone, an IT specialist must go through the patch cycle 2–3 times a month. And what about the other applications? On average, a company uses 110 applications (Statista, 2021). It's hard to estimate how much time IT admins would have to spend patching all that software to keep the company safe from breaches.

2. Patches can break something

72% of managers are afraid that applying security patches right after release could "break stuff". That fear is justified: there is a risk that something goes wrong when updating software, even when the vendor tested the patch extensively before release. Sometimes the reason for a failed patch is simply that the patch was installed and the system never rebooted. To address this challenge without breaking everything, test updates in a test environment first and only then deploy them.

3. Do I have to patch everything?

Prioritizing vulnerabilities with a vulnerability management solution brings another challenge: only the highly prioritized vulnerabilities get patched. That doesn't solve the problem entirely: your company's endpoints are still at risk through the rest, and there is no guarantee that you won't be hacked.

Read more about the challenges of patch management: Top 5 challenges of patch management

Patch management best practices

How can you improve your patch management process? Fortunately, there are a number of solutions on the market that can make patch management in your organization effective and address these challenges. Below are some best practices to consider.

1. Create an inventory list of the software used in your organization

A list of all software, operating systems and devices the company uses is a vital part of your patch management process. With a clear overview of all endpoints and the software installed on them, you know what you have to protect.
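One way to build that inventory on each Windows endpoint, as an added example that is not part of the original post. It reads the uninstall keys from the 64-bit and 32-bit registry views and from the current user's hive, because a list taken from HKLM\SOFTWARE alone misses 32-bit applications and per-user installs (Chrome's per-user installer is a common case). The output path is an assumption; run it through Intune, a scheduled task or remoting and collect the CSV files centrally.

```powershell
<#
  Added example (not from the original post): per-endpoint software inventory from the
  Windows uninstall registry keys, exported to CSV for central collection.
  Assumptions: output folder below; the script runs as the logged-on user if you want that
  user's per-user installs (running as SYSTEM shows only the SYSTEM profile's HKCU).
#>
param([string]$OutputCsv = "$env:ProgramData\Inventory\$env:COMPUTERNAME-software.csv")

function Get-InstalledSoftware {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',               # 64-bit (native) view
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',   # 32-bit apps on 64-bit Windows
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'                # per-user installs
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |   # skip hidden runtime components
        ForEach-Object {
            [pscustomobject]@{
                Computer    = $env:COMPUTERNAME
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate                     # yyyyMMdd when the installer recorded it
                Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                Arch        = if ($_.PSPath -like '*WOW6432Node*') { 'x86' } else { 'x64' }   # valid on 64-bit Windows
                Uninstall   = $_.UninstallString
                Collected   = (Get-Date).ToString('s')
            }
        } |
        Sort-Object Name, Version -Unique
}

$inventory = Get-InstalledSoftware
New-Item -ItemType Directory -Path (Split-Path $OutputCsv) -Force | Out-Null
$inventory | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
"{0} entries written to {1}" -f @($inventory).Count, $OutputCsv

# Quick look at the third-party examples this post keeps coming back to:
$inventory | Where-Object { $_.Name -match '7-Zip|Chrome|Adobe' } |
    Format-Table Name, Version, Scope, Arch -AutoSize
```

The uninstall keys are what Add/Remove Programs shows, so this catches MSI and most EXE installers but not portable executables or Store (MSIX) apps; add Get-AppxPackage output if those matter in your environment.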
With Windows Autopatch it became easier to patch Microsoft products, but you still have to patch third-party apps like 7-Zip, Adobe and Chrome yourself. If you don't, every one of them becomes an attack vector into your endpoints.

Read more about Windows Autopatch here: Getting started with Windows Autopatch: step-by-step guide

2. Monitor application releases and updates

With so