How to deploy an MSI using a PowerShell script and Intune

In this blog post we will see how to deploy an MSI application package using a PowerShell script via Microsoft Intune. I will be deploying this application on a few Azure AD joined systems which are already enrolled in Intune. I will be using an app called eSigner, for which the MSI setup file has been downloaded.

This post applies to any MSI installer and is not specific to the eSigner app. In Intune, there are various ways to deploy an app depending on the app type. You can choose the method that fits your requirement.

For MSI deployments you can choose Line-of-business app from the list of app types. However, we will be using Windows app (Win32) in this demo to deploy an MSI package. For more information about deploying an application as a Line-of-business app, see: https://techpress.net/deploying-msi-application-on-windows-10-workstations-using-microsoft-intune/

Note: Any Win32 app deployed using Intune will not be automatically removed from the device when the device is retired. The app and the data it contains will remain on the device. If the app is not removed prior to retiring the device, the end user will need to take explicit action on the device to remove the app.

Before we use the Endpoint Manager admin center to deploy the application, we need to repackage it as an .intunewin file. The step-by-step process to create an .intunewin file is given below:

  • Create a folder and copy the MSI setup installer into that folder.
  • Create two PowerShell scripts called Install.ps1 and Uninstall.ps1 in the same location where you copied the MSI installer.
  • Download the Microsoft Win32 Content Prep Tool. It is a zip file, so extract its contents into a folder.
  • Create an empty folder, for example C:\output, or anywhere you like.
  • Repackage the eSigner.msi file to .intunewin using IntuneWinAppUtil.exe, which is included in the Microsoft Win32 Content Prep Tool.

Contents of Install.ps1

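$p = Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/i eSigner.msi /qn" -Wait -PassThru -NoNewWindow
exit $p.ExitCode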

Contents of Uninstall.ps1

This PowerShell script will uninstall the eSigner application completely. I have used the UninstallStrings of the eSigner application. You can find the UninstallString of any application at the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall registry location.

Once you browse to this registry location, locate the registry key which matches the Display Name of your app and find its UninstallString entry. You do not normally have to run msiexec.exe three times for an MSI application; the script below is specific to the eSigner application.

eSigner installs three separate components, so there are three UninstallStrings which are used to uninstall this application. The MSI which you are deploying may only have one UninstallString. You can refer to the screenshot below to understand how to find the UninstallString of your application via Registry Editor.

UninstallString Registry Key

Once you find the UninstallString of your application, you can replace it in the PowerShell script below. If you have just one UninstallString, remove the 2nd and 3rd lines and start only one msiexec.exe process.

Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/x {167F8EE9-83CE-471C-A7D1-BC777F0A8638} /quiet /noreboot" -Wait -NoNewWindow
Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/x {3a06e0d8-7b7c-4044-bf75-2817fd4384aa} /quiet /noreboot" -Wait -NoNewWindow
Start-Process "C:\Windows\System32\msiexec.exe" -ArgumentList "/x {ABBA3283-FE97-4223-BE77-281D85A8CB6D} /quiet /noreboot" -Wait -NoNewWindow
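The registry lookup described above can also be scripted. The following is an added example, not part of the original post: it lists the uninstall entries whose DisplayName matches a pattern and flags the ones whose key name is an MSI product code. The WOW6432Node path (the 32-bit view on 64-bit Windows) and the 'eSigner*' pattern are assumptions added here.

```powershell
# Added example: find uninstall entries by DisplayName.
# 'eSigner*' is an assumed pattern for the app in this post; change it for your package.
$namePattern = 'eSigner*'

# The location given in the post, plus the 32-bit view on 64-bit Windows.
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Keys without a DisplayName value simply fail the -like test and are skipped.
$entries = Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $namePattern }

foreach ($entry in $entries) {
    # MSI-based products use the product code GUID as the registry key name.
    $keyName = $entry.PSChildName
    $isMsi   = $keyName -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

    [pscustomobject]@{
        DisplayName     = $entry.DisplayName
        DisplayVersion  = $entry.DisplayVersion
        KeyName         = $keyName
        IsMsiProduct    = $isMsi
        UninstallString = $entry.UninstallString
    }
}
```

Run it on a test machine where the app is already installed. Each row with IsMsiProduct set to True gives a product code that can be passed to msiexec.exe /x in Uninstall.ps1.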

Use the process below to repackage the application setup files into an .intunewin file. Launch a command prompt as administrator, change the current folder to where the Microsoft Win32 Content Prep Tool was extracted, and run the command below.

IntuneWinAppUtil.exe -c <setup_folder> -s <setup_file> -o <output_folder>

  • <setup_folder> = Keep your MSI file and PowerShell scripts in one folder and provide the location of that folder.
  • <setup_file> = Install.ps1
  • <output_folder> = Create an empty folder somewhere and provide that location.

For example:

IntuneWinAppUtil.exe -c C:\temp\eSigner -s Install.ps1 -o C:\output

Once you run the above command, it will create an .intunewin file in the C:\output directory. We will use this file to deploy the package to end-user machines.

App Deployment steps

Intune Windows app (Win32)

Click on Select app package file to select the .intunewin file package created earlier.

Select App package file. Browse to the location of the .intunewin file, select it and click on OK.

App Information

After clicking on OK, you will see the App Information page, where you can update the information about the application. Enter the name of the publisher on this page, then click on Next.

Program

Provide the install command and uninstall command.

Install Command:

powershell.exe -Executionpolicy Bypass -File .\Install.ps1

Uninstall Command:

powershell.exe -Executionpolicy Bypass -File .\Uninstall.ps1

Install behaviour: System

Device restart behaviour: No specific action

Requirements

Operating System Architecture: Select 64-bit

Minimum operating system: Select according to the operating system version being used in your environment.

Detection Rules

Rules Format: Select Manually configure detection rules

Rule Type: File

Path: Provide the location of the folder where your app gets installed. Most software is installed in the Program Files or Program Files (x86) folder. You can install the application manually on a test machine to find the default installation directory of the app, then provide that location as a detection rule so Intune can check whether the application is installed. If the application folder exists, Intune considers the application installed on your system. If the folder is deleted, Intune shows the application installation status as failed due to detection rules and tries to deploy the application again in the next sync cycle.

Detection Method: File or folder exists.

Assignments

Create an Azure AD security group which contains the users who need this application. Please note that if you add users to the group, the application will be deployed on all of those users' PCs that are joined to Azure AD and enrolled into Intune. If you want to deploy the app to specific devices, add devices to the Azure AD security group instead of users.

Make sure to add the group to the Required section, which will push the application to the users' systems as soon as possible.

Required: Select the groups for which you want to make this app required. Required apps are installed automatically on enrolled devices. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

The next tab is Review + Save. Saving the application starts the upload of your .intunewin file and also starts the deployment process. To monitor the installation progress, you can open the application and click on Device Install status or User Install status to check if the application has been deployed successfully. If there are any errors, they will be shown on the same page.

Unable to change the Install Behaviour while creating app in Intune

When you are working with an MSI installer and using the Line-of-business app or even the Win32 app deployment method, you will sometimes find that Install behaviour is greyed out and cannot be changed. This happens because the MSI file does not allow the choice between System context and User context, so the value is pre-populated.

If you are unable to deploy an MSI application because of the Install behaviour, you can use the steps given in this blog post. A useful tip: when you create the .intunewin package, use Install.ps1 as your setup file instead of the MSI installer file: IntuneWinAppUtil.exe -c C:\temp\eSigner -s Install.ps1 -o C:\output

Conclusion

For MSI application deployment, use the Line-of-business app deployment method. If you face issues with that method, you can repackage your app into an .intunewin file and use PowerShell scripts to deploy the application. The Win32 app deployment method is useful when you want to customize the installation according to business requirements, for example to perform pre-installation checks or run post-installation scripts that set environment variables. Some MSI applications do not provide an option to install in System context. To work around this, you can repackage the application into an .intunewin file, providing Install.ps1 as the setup file instead of the actual MSI setup file. This should allow you to change the Install Behaviour when creating an application deployment in Intune.
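A pre-installation check of the kind mentioned above, written as an alternative Install.ps1. This is an added example, not the original post's script: because the install command runs in System context, it verifies the MSI's Authenticode signature before handing it to msiexec.exe, writes a verbose log, and returns msiexec's exit code to Intune. It assumes the vendor signs the MSI; the expected publisher string and the log path are placeholders.

```powershell
# Install.ps1 (added example). Intune runs this from the package folder as SYSTEM.
# Assumption: the vendor MSI is Authenticode-signed. Replace the placeholder below
# with the real publisher subject taken from a known-good copy of the installer.
$msiPath         = Join-Path $PSScriptRoot 'eSigner.msi'
$expectedSubject = '*O=EXAMPLE-PUBLISHER-PLACEHOLDER*'
$logPath         = Join-Path $env:ProgramData 'eSigner-install.log'   # hypothetical log location

# Pre-installation check 1: the package must carry a valid signature.
$signature = Get-AuthenticodeSignature -FilePath $msiPath
if ($signature.Status -ne 'Valid') {
    Write-Error "Signature status is '$($signature.Status)' for $msiPath"
    exit 1
}

# Pre-installation check 2: the signer must be the publisher we expect.
if ($signature.SignerCertificate.Subject -notlike $expectedSubject) {
    Write-Error "Unexpected signer: $($signature.SignerCertificate.Subject)"
    exit 1
}

# Call msiexec by full path, wait for it to finish, and keep a verbose log.
$msiArgs = "/i `"$msiPath`" /qn /norestart /l*v `"$logPath`""
$process = Start-Process -FilePath "$env:SystemRoot\System32\msiexec.exe" `
    -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Return msiexec's exit code so Intune reports the real result
# (0 = success, 3010 = success with restart required, 1641 = restart initiated).
exit $process.ExitCode
```

If the MSI is unsigned, the same gate can compare the output of Get-FileHash against a SHA-256 value recorded when the package was built.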