You can deploy a batch file or a PowerShell script with Intune. In this blog post we deploy a simple batch file using Microsoft Intune that rolls the Microsoft Defender Antivirus definitions back to the previous version. All devices in our organization are managed by Intune and are Azure AD joined, but the steps shown here work for hybrid Azure AD joined environments as well.
I am using the batch file below as the sample script. The same steps work for any batch file you want to deploy with Intune. Copy the following code into a file and save it as MPSignatureUpdate.bat (a .cmd extension works too):
@ECHO OFF
REM Change into the Defender install folder; /D also switches drive if needed.
SET "MPPATH=C:\Program Files\Windows Defender"
CD /D "%MPPATH%"
REM Roll the definitions back to the previous backup copy. The command is run
REM directly (not with START) so the script waits for it and can check its exit code.
MpCmdRun.exe -RemoveDefinitions
IF ERRORLEVEL 1 EXIT /B %ERRORLEVEL%
REM Marker file that the Intune detection rule looks for; written only on success.
ECHO detectioncheck>C:\Windows\Temp\Detectioncheck.txt
Create IntuneWin File
Create an empty folder called Deploybatch (or any other name you like) and place MPSignatureUpdate.bat in it. Keep only the files the script needs in this folder, because the whole folder is packaged. We will use the Microsoft Win32 Content Prep Tool, also called the Microsoft Intune App Wrapping Tool, to convert this folder into the .intunewin format.
- Download the Microsoft Win32 Content Prep Tool. It is a zip file, so extract its contents into a folder.
- Create an empty output folder, for example C:\output.
- Package the Deploybatch folder into a .intunewin file using IntuneWinAppUtil.exe, which is in the extracted Content Prep Tool folder.
Run IntuneWinAppUtil.exe with the following parameters:
- Source folder (-c): the folder where the setup files or scripts are stored.
- Source setup file (-s): the name of the setup file or script, including its extension.
- Output folder (-o): the path where the .intunewin file will be generated.
IntuneWinAppUtil -c <source_folder> -s <source_setup_file> -o <output_folder>
IntuneWinAppUtil.exe -c "C:\Deploybatch" -s MPSignatureUpdate.bat -o C:\output
The package is named after the setup file, so this produces C:\output\MPSignatureUpdate.intunewin.
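The packaging step can be scripted so the same command is run the same way every time and the result is checked before upload. The following PowerShell script is an added example and not part of the original post; it assumes the Content Prep Tool was extracted to C:\Tools\IntuneWinAppUtil, and the folder and file names from the post (C:\Deploybatch, MPSignatureUpdate.bat, C:\output) are defaults you can override.

```powershell
# Added example (not from the original post): wrap a script folder into an
# .intunewin package with the Win32 Content Prep Tool and verify the output.
# Assumption: the tool was extracted to C:\Tools\IntuneWinAppUtil.
param(
    [string]$ToolPath     = 'C:\Tools\IntuneWinAppUtil\IntuneWinAppUtil.exe',
    [string]$SourceFolder = 'C:\Deploybatch',
    [string]$SetupFile    = 'MPSignatureUpdate.bat',
    [string]$OutputFolder = 'C:\output'
)

$ErrorActionPreference = 'Stop'

# Fail early on the mistakes that otherwise surface as a cryptic tool error.
if (-not (Test-Path $ToolPath)) {
    throw "Content Prep Tool not found at $ToolPath"
}
if (-not (Test-Path (Join-Path $SourceFolder $SetupFile))) {
    throw "Setup file $SetupFile not found in $SourceFolder"
}
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

# -q runs the tool quietly (no interactive prompts), which is what makes it scriptable.
& $ToolPath -c $SourceFolder -s $SetupFile -o $OutputFolder -q
if ($LASTEXITCODE -ne 0) {
    throw "IntuneWinAppUtil exited with code $LASTEXITCODE"
}

# The tool names the package after the setup file, with .intunewin as the extension.
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($SetupFile)
$package  = Join-Path $OutputFolder ($baseName + '.intunewin')
if (-not (Test-Path $package)) {
    throw "Expected package $package was not produced"
}

# Record what you are about to upload. The hash lets you later compare the file
# stored in Intune against the one that left your build machine.
[pscustomobject]@{
    Package = $package
    SizeKB  = [math]::Round((Get-Item $package).Length / 1KB, 1)
    SHA256  = (Get-FileHash -Path $package -Algorithm SHA256).Hash
}
```

Run it from the folder containing the script as `.\New-IntuneWinPackage.ps1` (any name works) or pass `-SourceFolder` and `-SetupFile` for a different script. Keep the printed hash with your change record.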
Deploy IntuneWin File using Intune
Now that the .intunewin file is generated, let's create a Windows app (Win32) in the Microsoft Endpoint Manager admin center to deploy it.
- Sign in to the Microsoft Endpoint Manager admin center.
- Click Apps, then All apps.
- Click + Add and select Windows app (Win32) as the app type.
App Information Tab
Click Select app package file, browse to the C:\output folder, select MPSignatureUpdate.intunewin and click OK.
On the App information tab, fill in the Name, Description and Publisher. Click Next to proceed.
On the Program tab, provide the install command, uninstall command, install behavior and device restart behavior. Intune requires an uninstall command, but there is nothing to uninstall here, so the same script is used for both (an "uninstall" simply runs the script again). Click Next to proceed.
- Install command: MPSignatureUpdate.bat
- Uninstall command: MPSignatureUpdate.bat
- Install behavior: System. The script then runs as LOCAL SYSTEM, which is needed both for MpCmdRun.exe -RemoveDefinitions and for writing the marker file to C:\Windows\Temp.
- Device restart behavior: No specific action
Provide the operating system architecture and the minimum operating system. Click Next to proceed.
- Operating system architecture: 64-bit
- Minimum operating system: select the lowest version in use in your environment, for example Windows 10 1607.
Select Manually configure detection rules and click + Add to add a detection rule.
- Rules format: Manually configure detection rules
- Rule type: File
- Path: C:\Windows\Temp
- File or folder: Detectioncheck.txt
- Detection method: File or folder exists
Intune evaluates this rule after the install command exits: if the marker file is missing, the installation is reported as failed. Bear in mind that a required app is re-evaluated on later check-ins, so if something cleans up C:\Windows\Temp and removes the marker, the script will run again on that device.
Create an Azure AD security group containing the users or devices the batch script should be deployed to. Note that if you add users to the group, the script runs on every Azure AD joined, Intune-enrolled device those users sign in to. To deploy to specific devices, add the devices to the security group instead of the users.
Add the group under the Required section, which installs the application on the targeted devices as soon as possible.
Required: select the groups for which you want to make this app required. Required apps are installed automatically on enrolled devices. Some platforms may show additional prompts that the end user has to acknowledge before the installation begins.
Intune Policy Refresh Cycle
The device will check in with Intune, then download and execute the batch script. Win32 apps are handled by the Intune Management Extension, which has its own periodic check-in, so it may take some time for the process to start. If you are testing on a test device, you can force an Intune refresh on the device to speed up the download and installation.
Restarting the device also triggers a check-in. A manual sync is not required on users' devices, since the check-in happens automatically, but on a test device it can save you a lot of waiting.
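On a test device, the quickest way to see the app arrive is to kick both check-ins from the device itself and then watch the Intune Management Extension log. The following PowerShell script is an added example, not from the original post; it assumes the app was named MPSignatureUpdate on the App information tab, and uses the standard EnterpriseMgmt scheduled task and Intune Management Extension service and log locations.

```powershell
# Added example (not from the original post): force an Intune check-in on a test
# device and verify that the Win32 app ran. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Trigger the MDM sync task that enrollment created under
#    \Microsoft\Windows\EnterpriseMgmt\<EnrollmentGUID>\PushLaunch.
$pushTasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -eq 'PushLaunch' }
if ($pushTasks) {
    $pushTasks | Start-ScheduledTask
    Write-Host "Started $(@($pushTasks).Count) PushLaunch task(s)."
} else {
    Write-Warning 'No PushLaunch task found. Is this device MDM-enrolled?'
}

# 2. Win32 apps are processed by the Intune Management Extension (IME), which does
#    its own app check-in. Restarting the service makes it check in now.
if (Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue) {
    Restart-Service -Name 'IntuneManagementExtension' -Force
    Write-Host 'Restarted IntuneManagementExtension.'
} else {
    Write-Warning 'IntuneManagementExtension service is not installed on this device yet.'
}

# 3. Look for the app in the IME log. Assumption: the app is named MPSignatureUpdate.
$appName = 'MPSignatureUpdate'
$imeLog  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
if (Test-Path $imeLog) {
    Get-Content -Path $imeLog -Tail 2000 |
        Select-String -Pattern $appName -SimpleMatch |
        Select-Object -Last 10
} else {
    Write-Warning "IME log not found at $imeLog"
}

# 4. Confirm the marker file that the batch script writes and that the detection rule checks.
$marker = 'C:\Windows\Temp\Detectioncheck.txt'
if (Test-Path $marker) {
    Write-Host "Marker present, last written $((Get-Item $marker).LastWriteTime)"
} else {
    Write-Host 'Marker not present yet; wait for the next IME check-in or re-run this script.'
}
```

Give the extension a minute or two after the service restart before re-running step 3; the download and execution are logged by the IME, and once the marker file appears the app will show as Installed in the admin center on its next status report.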
In this blog post we have seen how to deploy a simple batch file using Intune: convert the folder containing the script into a .intunewin file and create a Win32 app in Intune from it. I prefer to target the app at an Azure AD security group containing devices rather than users. That way I can be sure the script runs only on the devices in that group.