How to deploy a batch file using Intune

You can deploy any batch file or a powershell script using Intune. In this blog post, we will be deploying a simple batch file using Microsoft Intune which will be to start the process of removing Microsoft defender Antivirus definiton to previous version. All our organization devices are managed by Intune and are also Azure AD joined. However, method / steps shown in this blog post will also work for Hybrid Azure AD enviornments as well.

I am taking below batch file as sample script to deploy it using Intune. You can use the steps to deploy any batch file using Intune. Copy and paste the following code into a batch file and save with .bat or .cmd extenstion. For example:


SET MPPATH="C:\Program Files\Windows Defender\"
START MpCmdRun.exe -RemoveDefinitions
@echo detectioncheck>C:\Windows\Temp\Detectioncheck.txt
Batch file to check Defender

Create IntuneWin File

Create an empty folder called Deploybatch or any other name you like and place MPsignatureupdate.bat file in this folder. We will use the Microsoft Win32 Content Prep Tool to convert this script folder into the .intunewin format. Microsoft Win32 Content Prep Tool is also called as Microsoft Intune App Wrapping Tool.

  • Download Microsoft Win32 Content Prep Tool. Its a zip file therefore extract its contents into a folder.
  • Create an empty folder for example C:\output or anywhere you like.
  • Repackage the Deploybatch folder to .intunewin file using IntuneWinAppUtil.exe which can be located in Microsoft Win32 Content Prep Tool.

Run IntuneWinAppUtil.exe with below parameters:

  • Source Folder – This is the folder where the Installation Setup files or scripts are stored.
  • Source setup File – Provide the name of the executable file along with its extension.
  • Output Folder – Provide a path where .intunewin file will be generated.
IntuneWinAppUtil -c <source_folder> -s <source_setup_file> -o <output_folder>
IntuneWinAppUtil.exe -c "C:\Deploybatch" -s MPSignatureUpdate.bat -o c:\output

Deploy IntuneWin File using Intune

Now we have .Intunewin file generated. Let’s create an Intune Windows app (Win32) app from Microsoft endpoint manager admin center to deploy this package.

App Information Tab

Click on Select app package file to browse to c:\output folder and select MPSignatureUpdate.intunewin file and click on OK.

On App information tab, provide Information about the Application. Update the NameDescription and Enter the name of the publisher. Click on Next to proceed.

Program Tab

Provide the Install command, uninstall commandInstall behavior, Device restart behavior. Keep the same command for Install and Uninstall commands. Click on Next to proceed.

  • Install command:  MPsignatureupdate.bat
  • Uninstall command: MPsignatureupdate.bat
  • Install behavior: System
  • Device restart behavior: No specific Action

Requirements Tab

Provide Operating System Architecture and Minimum operating system information. Click on Next to proceed.

  • Operating System Architecture: 64-bit
  • Minimum operating system: Select according to the operating system version being used in your enviornment. For Example: Windows 10 1607.

Detection Rules

Select Manually configure detection rules and click on +Add to add a detection rule.

  • Rules Format: Select Manually configure detection rules
  • Rule type: File
  • Path: C:\Windows\Temp
  • File or folder: Detectioncheck.txt
  • Detection Method: File or Folder exists.

Assignments Tab

Create an Azure AD Security group which contains users or devices where this batch script needs to be deployed. Please note that if you add users into the list, it will deploy this batch file on all of the users devices joined to Azure and Enrolled into Intune. If you want to deploy the app to specific devices then you should add devices in the Azure AD security group not users.

Make sure to add it to the Required section which will install the application on users devices as soon as possible.

Required: Select the groups for which you want to make this app required. Required apps are installed automatically on enrolled devices. Some platforms may have additional prompts for the end user to acknowledge before app installation begins.

Intune Policy Refresh Cycle

The Device will Sync / Check in and download / execute the batch script on target device. It may take some time for the process to start. Therefore, if you are testing it on a test device, you can force initiate Intune refresh cycle on the device which will speed up the download and installation process.

Also, you can restart the device as well which also triggers device check-in process. Manual sync is not mandatory on all user’s devices as the device check-in process happens automatically. But if you are testing the script on a test device then this can speed up your testing and can save some time.


In this blog post, we have seen how to deploy a simple batch file using Intune. Simply convert the batch script folder into .intunewin file and create a Win32 app on Intune. I prefer to target the app to Azure AD security group containing Devices not users. This way I make sure the script will be executed only on devices which would be in an azure ad security group.