How to Deploy a Batch File Using Intune

You can deploy any batch file or PowerShell script using Intune. To illustrate the deployment of a batch file through Intune, we will use an example batch file that initiates the process of rolling back Microsoft Defender Antivirus definitions to a previous version.

All of our organization’s devices are managed by Intune and are Entra joined. However, the methods and steps outlined in this blog post will also work for Entra hybrid joined environments.

Step 1 – Create a Batch File

Copy and paste the following code into a batch file and save it with a .bat or .cmd extension. For example:

MPsignatureupdate.bat

@ECHO OFF
REM Change into the Defender folder so MpCmdRun.exe resolves without a full path.
SET MPPATH="C:\Program Files\Windows Defender\"
CD /D %MPPATH%
REM Roll back to the previous definition set. /WAIT keeps the batch file from
REM continuing until MpCmdRun.exe has finished, so the marker below is not
REM written before the rollback has completed.
START /WAIT MpCmdRun.exe -RemoveDefinitions
REM Marker file that the Intune detection rule (file exists) will look for.
@echo detectioncheck>C:\Windows\Temp\Detectioncheck.txt
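The batch file above writes its detection marker no matter how MpCmdRun.exe finished, so Intune will report the app as installed even when the rollback failed. The following PowerShell script is an added example, not code from the original post, that does the same job but only writes the marker when MpCmdRun.exe exits with 0 and otherwise returns that exit code to the Intune Management Extension. It assumes the same MpCmdRun.exe location and marker path as the post, and a log file under C:\Windows\Temp (a location chosen here for illustration).

```powershell
# Added example (not from the original post): PowerShell equivalent of MPsignatureupdate.bat
# that writes the Intune detection marker only when the rollback succeeded.
# Assumptions: MpCmdRun.exe is under "C:\Program Files\Windows Defender" as in the post,
# the marker path matches the detection rule, and C:\Windows\Temp is writable by SYSTEM.

# Literal path on purpose: Win32 app install commands run in a 32-bit context, where
# $env:ProgramFiles would point at "Program Files (x86)".
$MpCmdRun   = 'C:\Program Files\Windows Defender\MpCmdRun.exe'
$MarkerFile = 'C:\Windows\Temp\Detectioncheck.txt'
$LogFile    = 'C:\Windows\Temp\MPsignatureupdate.log'   # assumed log location

function Invoke-DefinitionRollback {
    param(
        [string]$Exe    = $MpCmdRun,
        [string]$Marker = $MarkerFile,
        [string]$Log    = $LogFile
    )

    if (-not (Test-Path -LiteralPath $Exe)) {
        "$(Get-Date -Format s) MpCmdRun.exe not found at $Exe" | Add-Content -Path $Log
        return 1
    }

    # Run synchronously so the marker cannot be written before the rollback has finished.
    $proc = Start-Process -FilePath $Exe -ArgumentList '-RemoveDefinitions' -Wait -PassThru -NoNewWindow
    "$(Get-Date -Format s) MpCmdRun.exe -RemoveDefinitions exited with $($proc.ExitCode)" | Add-Content -Path $Log

    if ($proc.ExitCode -eq 0) {
        # Marker only on success, so the "file exists" detection rule reflects the real outcome.
        "rollback ok $(Get-Date -Format s)" | Set-Content -Path $Marker
    }
    elseif (Test-Path -LiteralPath $Marker) {
        # A stale marker from an earlier run would make Intune skip a retry; clear it.
        Remove-Item -LiteralPath $Marker -Force
    }
    return $proc.ExitCode
}

# Propagate MpCmdRun's exit code so a non-zero result is recorded as an install failure.
exit (Invoke-DefinitionRollback)
```

If you package this .ps1 instead of the .bat, the install command becomes a PowerShell invocation such as `powershell.exe -ExecutionPolicy Bypass -File MPsignatureupdate.ps1`; use the `%windir%\sysnative\WindowsPowerShell\v1.0\powershell.exe` path when the script needs 64-bit PowerShell.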

Step 2 – Create an IntuneWin File

The next step is to create an .intunewin file. Follow these steps:

  • Create an empty folder called “Deploybatch” or any other name you prefer, and place the “MPsignatureupdate.bat” file into this folder.
  • Create an empty output folder, for example C:\output, or use any location you like.
  • Use the command below to create the .intunewin file. (For detailed guidance on .intunewin files, refer to this link: How to create an Intunewin file.) The parameters are:
    • Source Folder: This is the folder where the installation setup files or scripts are stored.
    • Source Setup File: Provide the executable file’s name and its extension.
    • Output Folder: Provide a path where the .intunewin file will be generated.
IntuneWinAppUtil -c <source_folder> -s <source_setup_file> -o <output_folder>


IntuneWinAppUtil.exe -c "C:\Deploybatch" -s MPSignatureUpdate.bat -o c:\output
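The packaging step above is a single command, but when it is run unattended it is worth checking that the tool actually produced the package and recording its hash, so the .intunewin uploaded to Intune can be matched to the one that was built. The script below is an added example, not part of the original post or of the IntuneWinAppUtil tool; it assumes the tool has been downloaded to C:\Tools (a placeholder location) and uses the post's folder and file names. The `-q` switch is the tool's own quiet-mode option.

```powershell
# Added example (not from the original post): build the .intunewin package unattended,
# verify the output and record its SHA-256.
# Assumptions: IntuneWinAppUtil.exe at $ToolPath (placeholder), folder names as in the post.

$ToolPath  = 'C:\Tools\IntuneWinAppUtil.exe'   # assumed location of the packaging tool
$SourceDir = 'C:\Deploybatch'
$SetupFile = 'MPsignatureupdate.bat'
$OutputDir = 'C:\output'

function New-IntuneWinPackage {
    param(
        [string]$Tool,
        [string]$Source,
        [string]$Setup,
        [string]$Output
    )

    if (-not (Test-Path -LiteralPath (Join-Path $Source $Setup))) {
        throw "Setup file '$Setup' not found in '$Source'"
    }
    New-Item -ItemType Directory -Path $Output -Force | Out-Null

    # -q runs the tool in quiet mode so it does not prompt interactively.
    $toolArgs = @('-c', $Source, '-s', $Setup, '-o', $Output, '-q')
    $proc = Start-Process -FilePath $Tool -ArgumentList $toolArgs -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "IntuneWinAppUtil failed with exit code $($proc.ExitCode)"
    }

    # The tool names the package after the setup file, with .intunewin as the extension.
    $package = Join-Path $Output ([IO.Path]::GetFileNameWithoutExtension($Setup) + '.intunewin')
    if (-not (Test-Path -LiteralPath $package)) {
        throw "Expected package '$package' was not created"
    }

    [pscustomobject]@{
        Package = $package
        Sha256  = (Get-FileHash -Path $package -Algorithm SHA256).Hash
        Bytes   = (Get-Item -LiteralPath $package).Length
    }
}

New-IntuneWinPackage -Tool $ToolPath -Source $SourceDir -Setup $SetupFile -Output $OutputDir | Format-List
```

Keep the source folder limited to the script itself: everything in it is packaged, so stray files (editor backups, earlier .intunewin outputs) end up inside the app.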

Step 3 – Create Win32 App Deployment on Intune admin center

Now that we’ve generated the .intunewin file, let’s proceed to create an Intune Windows app (Win32) using the Intune admin center. This will allow us to deploy the packaged application.

  • Log in to the Intune Admin Center.
  • Navigate to “Apps” and then select “All Apps”.
  • Click on “+ Add” and choose “Windows app (Win32)” as the app type.

App Information Tab

  • Browse to the .intunewin file we created in the previous steps.
  • Provide Name, Description, and Publisher Information
    • Name: Defender Update Script Deployment
    • Description: Keep the default, or click Edit Description to change it.
    • Publisher: Microsoft

Program Tab

Provide the install command, uninstall command, install behavior, and device restart behavior. Then click “Next” to proceed.

  • Install command: MPsignatureupdate.bat
  • Uninstall command: MPsignatureupdate.bat
  • Installation time required (mins): Specify how long the application needs to complete its installation. If the installation runs longer than this value, Intune marks it as failed. The default is 60 minutes and the maximum you can specify is 1 day (1440 minutes).
  • Install behavior: System
  • Device restart behavior: No specific Action

Requirements Tab

You can specify the requirements that devices must meet in order to deploy the app. If your devices are a mix of 32-bit and 64-bit types, then check both the boxes for 32-bit and 64-bit in the Operating system architecture drop-down. Else, just go with 64-bit.

  • Operating System Architecture: 64-bit
  • Minimum operating system: Select according to the operating system version being used in your environment. For Example: Windows 10 1607.

Detection Rules

Select Manually configure detection rules and click on +Add to add a detection rule.

  • Rules Format: Select Manually configure detection rules
  • Rule type: File
  • Path: C:\Windows\Temp
  • File or folder: Detectioncheck.txt
  • Detection Method: File or Folder exists.
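A "file exists" detection rule only proves that the script ran far enough to create the marker; it says nothing about whether the definition rollback took effect. When testing on a device, it is useful to check both. The script below is an added example, not part of the original post; it assumes the marker path used in the detection rule above, the Defender PowerShell module (Get-MpComputerStatus), and the standard Intune Management Extension log path. Pass the signature version you noted before the deployment as -PreviousVersion to confirm it actually changed.

```powershell
# Added example (not from the original post): verify on a test device that the Intune
# detection rule would match, and that the Defender signature version really changed.
# Assumptions: marker path as in the post's detection rule; Defender module present;
# IME log at its usual location; app display name as given in the post.

function Test-DefenderRollbackState {
    param(
        [string]$MarkerPath      = 'C:\Windows\Temp\Detectioncheck.txt',
        [string]$PreviousVersion = $null,   # signature version recorded before deployment
        [string]$AppName         = 'Defender Update Script Deployment'
    )

    # Mirrors the "File or folder exists" rule configured in Intune.
    $markerPresent = Test-Path -LiteralPath $MarkerPath -PathType Leaf
    $status        = Get-MpComputerStatus

    # Assumed: the IME log mentions Win32 apps by display name when it evaluates them.
    $imeLog  = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
    $logHits = if (Test-Path -LiteralPath $imeLog) {
        (Select-String -Path $imeLog -SimpleMatch -Pattern $AppName | Measure-Object).Count
    } else { 0 }

    $versionChanged = if ($PreviousVersion) {
        $status.AntivirusSignatureVersion -ne $PreviousVersion
    } else { $null }   # unknown when no baseline was supplied

    [pscustomobject]@{
        IntuneDetectionWouldPass = $markerPresent
        MarkerWrittenAt          = if ($markerPresent) { (Get-Item -LiteralPath $MarkerPath).LastWriteTime } else { $null }
        SignatureVersion         = $status.AntivirusSignatureVersion
        SignatureLastUpdated     = $status.AntivirusSignatureLastUpdated
        SignatureVersionChanged  = $versionChanged
        ImeLogMentionsApp        = $logHits -gt 0
    }
}

$state = Test-DefenderRollbackState -PreviousVersion '<version noted before deployment>'
$state | Format-List

# Marker present but version unchanged means Intune will report success although
# nothing was rolled back: investigate MpCmdRun's output before trusting the status.
if ($state.IntuneDetectionWouldPass -and $state.SignatureVersionChanged -eq $false) {
    Write-Warning 'Detection would pass, but the Defender signature version did not change.'
}
```

Run this before and after the deployment on the same test device; the first run (without -PreviousVersion) gives you the baseline version to pass on the second.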

Assignments Tab

Click on Add group to add an Azure AD group containing users or devices. You can also click on Add all users or Add all devices.


Review + Create

Review the deployment and click on Create to start the deployment process.

Sync Intune Policies

The device check-in process might not begin immediately. If you’re testing this policy on a test device, you can manually kickstart Intune sync either from the device itself or remotely through the Intune admin center.

Alternatively, you can use PowerShell to force the Intune sync on Windows devices. Another way to trigger the Intune device check-in process is by restarting the device.
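One way to force the check-in from PowerShell on the device, as an added example rather than code from the original post: start the MDM enrollment client's PushLaunch scheduled task, which triggers a policy sync, and restart the Intune Management Extension service, which re-evaluates Win32 app assignments when it starts. It assumes the device is MDM-enrolled (so the task exists under \Microsoft\Windows\EnterpriseMgmt\), that the IME is installed, and that the script runs from an elevated prompt.

```powershell
# Added example (not from the original post): force an Intune check-in from the device.
# Assumptions: MDM-enrolled device (PushLaunch task present), Intune Management Extension
# service installed, elevated session.

function Invoke-IntuneSync {
    $result = [ordered]@{ PolicySync = $false; Win32AppSync = $false }

    # MDM policy sync: the enrollment client runs PushLaunch when a push notification arrives,
    # so starting it by hand has the same effect as the "Sync" button in the admin center.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -eq 'PushLaunch' -and $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
            Select-Object -First 1
    if ($null -eq $task) {
        Write-Warning 'PushLaunch task not found; is this device MDM-enrolled?'
    }
    else {
        $task | Start-ScheduledTask
        $result.PolicySync = $true
    }

    # Win32 app sync: the IME checks for app assignments on service start-up.
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'Intune Management Extension service not present; Win32 apps will not be processed.'
    }
    else {
        Restart-Service -Name $svc.Name -Force
        $result.Win32AppSync = $true
    }

    [pscustomobject]$result
}

Invoke-IntuneSync
```

After the restart, watch C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log for the app being evaluated; the detection rule result appears there before the admin center status updates.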

Conclusion

In this blog post, we covered the process of deploying a basic batch file using Intune. The key steps involve converting the batch script folder into a .intunewin file and creating a Win32 app within Intune.

My preference is to target the app specifically to an Entra ID security group that includes devices, rather than users. This approach ensures that the script is executed exclusively on devices belonging to the specified Entra ID security group.
