Deploying Software and Third Party Updates with Windows Intune
Applies to: Windows Intune October 2011 Release
With the addition of software distribution in this release of Windows Intune, you can now publish and deploy software packages as well as software update packages to client computers that Windows Intune manages. In this article, we will explain how this new feature works and provide best practice recommendations on using this feature to deploy these packages to Windows Intune managed computers practically anywhere.
This article is intended for IT professionals who are using Windows Intune. To learn more about other features of Windows Intune, or to sign up for a trial account, visit the Windows Intune Resource Zone on TechNet at http://technet.microsoft.com/windows/intune.
For this guide, we have created an example environment for a business called Northwind Traders. Throughout this paper, you will see examples from this environment that help to illustrate how you can set up your software for distribution by using the Managed Software workspace in Windows Intune.
In this article:
- Software Distribution Process
- Uninstalling Packages
- Best Practices for Using Windows Intune Software Distribution
Software Distribution Process
In the latest release of Windows Intune, the Software workspace has been updated to differentiate between Detected Software and Managed Software.
The Detected Software workspace contains the software inventory data that the Windows Intune clients discover and report. The Managed Software workspace is where the software that you want to deploy to your client computers is uploaded, deployed, and managed on an ongoing basis. This software is referred to as managed software packages throughout this paper.
Figure 1 shows and example of how the Managed Software workspace looks in the Windows Intune administrator console once managed software packages have been uploaded.
Figure 1. The Managed Software workspace
Before you start the process of creating managed software or update packages, we recommend that you first identify which software is a good candidate for deployment via the cloud and which Computer groups you will be using to manage the deployment. To help you in this process, we recommend that you consider the following steps:
- Determine which software can be deployed. Determine whether it is possible to distribute the relevant software by using Windows Intune. Windows Intune can help to deploy Windows Installer (MSI) files or executable (EXE) files that support silent installation. For the software update process Windows Intune can also support Windows Installer Patch files (MSP).
- Determine which computers need which software. You will need to determine which computers you would like to distribute the software to. Note the Computer group membership of these computers.
- Identify whether any existing Windows Intune groups meet your requirements. Review your managed computers and identify whether there are common software applications that apply to computers in an existing Windows Intune group. For example, if the computers in your Accounts department all require the same line-of-business (LOB) payroll application and they are all members of an existing Windows Intune group, you can use that group for deploying the application, too. However, if the group also contains computers that do not require the payroll application, it would not be a good deployment group option.
- Create new Windows Intune groups for software deployment, if required. If you determine in the previous step that your existing Windows Intune groups do not meet your deployment needs, you will need to create new groups specifically for software deployment. If you create new groups, you can choose a couple of different approaches:
Single application groups. With this approach, you create a new group for each application and then deploy the managed software package for that group. You then simply add the computers to the group you want to deploy the software to. See Figure 2 for an example.
You should be careful not to add too many computers at once. Doing so could cause network congestion on the Internet connection if several computers share the same network connection. This approach gives you the most granular level of control over the network bandwidth requirements.
Figure 2. Single application groups
Application collection groups. If you have computers to which you want to deploy the same collection of software, you can select this approach. First, create a single group for each collection of software, next deploy each software package for the collection, and then add the computers that share the requirement for that collection of software. See Figure 3 for an example.
Just as in the case of single application groups, it is important to consider the network bandwidth implications of this approach. The size of all the deployment packages in your collection, the number of computers in the group, and the bandwidth available to those computers during the deployment will all have an impact on the deployment.
Figure 3. Application collection groups
For example, suppose that the Accounts Apps group in Figure 3 consists of 20 computers at the same physical site, and you want to distribute six applications totaling a package size of 900 megabytes (MB). You would need to plan for approximately 18 gigabytes (GB), 20 × 900 MB, of data to be downloaded from the Windows Intune service to the target PCs over your Internet connection. Each PC in the group will connect to the Windows Intune service and download the required software packages for itself over the Internet. When reviewing the bandwidth for your sites you should consider the number of computers sharing the same Internet connection, the bandwidth utilization during a normal business day, which time periods typically generate peek network traffic, e.g. the start of the work day, or during a scheduled backup. If the bandwidth available to those Accounts Apps computers is restricted, you should consider methods to minimize the deployments impact, such as by staging the rollout to help manage the load of the deployment on the Internet bandwidth at that site. To do this you can add a smaller set of computers, run the deployments, once they have successfully installed the applications in the collection, you can then add the next batch.
After you have determined which software you want to distribute and identified the group strategy that you will be using to deploy that software, you will need to follow the steps below to complete the process for all software packages and software updates.
Figure 4. Windows Intune software distribution process
We will now provide further detail on each step in the process.
The process for publishing and distributing third-party updates is very similar to that of publishing and distributing software; however, where there are some differences, we will specifically call those out to help you use both. For more information on deploying both software and update packages, visit Windows Intune Online Help.
Step 1: Prepare Software Installer Files
To distribute the software or update package, you will first need to obtain the necessary installation or update files to support a deployment installation. These files need to include either an installation executable file such as Setup.exe, a Windows Installer file such as application.msi, or a Windows Installer patch file such as application.msp. If your installation file requires other files or folders to complete a client installation, you will need to ensure that you have organized all of those files into a single folder that you can access on the administrators computer so that they can be added to the software package by the Wizard. Whichever file type you select, you need to ensure that you can automate the installation so that no user interaction is required. For EXE files this typically requires the use for command line arguments to turn off the default user experience and set the package to install silently. This will enable the Windows Intune agents to automatically download and install the software by using the SYSTEM security context.
Typically you will not need to specify command line augment for MSI or MSP files as the installer packages should detect the installation is occurring in the SYSTEM context and automatically install in silent mode. However this does depend on how the software published created the package, so you should test the package before trying to deploy it with Windows Intune. If an application installation cannot be automated, it cannot be deployed by using Windows Intune.
Step 2: Upload Package
To create a managed software package, you will need to start the Software Upload Wizard and provide your Windows Intune administrator Live ID. This wizard, which is shown in Figure 5, walks you through the process of creating the managed software package. It also handles the compression, encryption, and upload of that package to your Windows Intune online storage space; which utlizes the Windows Azure storage platform.
Figure 5. The Windows Intune Software Upload Wizard
During this process, you will need to provide information to support the deployment process, the required information will vary depending on whether you are uploading a software installation package or a software update package. It will also depend on if you are uploading an EXE, MSI, or MSP file type (MSI and MSP files typically contain additional data to help manage an automated installation process). The following list explains the information you may be required to provide:
Software setup files location. The path to the setup files on the Windows Intune administrator's computer. These are the files that will be compressed and uploaded to create the managed software package that you want to distribute.
Publisher. A text field for the name of the software publisher.
Name. The title of the software being deployed.
Description. A text field to enter a description.
Required Architecture. A drop-down list that offers a selection of 32-bit, 64-bit, or any operating system architectures.
Required Operating System. A drop-down list where you can specify which of the supported operating systems this application can be installed on. The options are Any, Windows XP, Windows Vista, and Windows 7. Selecting an earlier operating system gives you the option to specify whether to include newer operating systems. See Figure 6 for an example.
Figure 6. Required Operating System selection options
Detection Rules. If you are uploading an EXE file you will be asked to provide details on how to detect if the software is already installed. We highly recommend that you select Detect whether the software is installed by using the following rules (recommended), instead of using the default detection rules option. If you select the default detection rules Windows Intune will download and install the software package even if the software is already installed on the targeted client computer. If you select either a specific file, registery entry or MSI product code for the agents to check you can stop the software from being downloaded and installed unnecassarily.
Prerequisites*(required for updates only)*. If you are uploading a software update you will be asked to provide details on how to detect the presences of the software that needs to be upgraded, you can do this by selecting from detecting either a specific file, registery entry or MSI product code for the agents to check to determine the need for the update.
Command-line arguments. You can specify command-line arguments that will be parsed to the setup program when it is launched on the client computer. Typically, this is where you will enter the arguments that enable silent installation modes of the setup package. To see the commandl line arguments support by a specific installation package you can typically launch the installer from the command line with the /? or -? argument. This will usually display a window listing the supported arguments. For example, The Microsoft Lync 2010 installer supports the /silent argument to disable the user interface during the installation routine on the client computer.
Return codes*(required for EXE installations only)*. These codes are used to determine the status of the installation after the setup routine has completed. These are only requred for installation routines using EXE files. The standard return code is 0 for a successful installation and 3010 for a successful installation that requires a restart of the client computer. If your application uses custom return codes, you can add those codes here so that an installation returning a custom code can be reported as a successful installation. If the installation returns any other code that is not listed here, it will be interpreted as a failure and returned as an alert to the Windows Intune console.
Finally, a summary page appears, which states that you are ready to start the upload process. When you click Upload, the wizard creates a compressed and encrypted package on the administrator's computer and then uploads it to the Windows Intune service. During the upload process, you will be able to track the process, as shown in Figure 7.
Figure 7. The progress of the upload
The communications between the Windows Intune service and the administrator's computer are encrypted to ensure the security of the traffic. Furthermore, if network connectivity is lost during this upload process, the wizard will retry until it can complete the upload.
Step 3: Deploy Package
After you have completed the upload of the software or update package, it is stored in your Windows Intune online storage space and listed under the Managed Software or Updates workspace. You are now ready to start deploying the package to the groups you want. For software update packages you approve those using the same process as Microsoft updates using the Updates workspace and approving them to the target computer groups. For managed software packages use the following steps to assign a new software package to one of your Windows Intune groups:
In the Windows Intune administrator console, click the Software workspace.
Click Managed Software, and then click the software package that you want to deploy.
On the toolbar, click Deploy, as shown in Figure 8.
Figure 8. Clicking Deploy
When the Deploy software page appears, click the software deployment group that corresponds to the software that you want to deploy. In the Deployment column, click the arrow next to the list box, and then click Install, as shown in Figure 9.
Figure 9. Setting the Group Deployment option to Install
Click OK to save the installation option.
After you have completed these steps, the software will be ready for deployment to the target computers.
Step 4: Client Download and Installation
After the Windows Intune administrator has approved a package for deployment, it is made available to the target computers. By default, the Windows Intune client agents will check in every eight hours, as dictated by the Windows Intune Agent Settings policy. The client will start the process of downloading the installation package, as long as the client computer meets all of the software package requirements. For example, if the package has a 64-bit operating system requirement only 64-bit client computers will install the package; 32-bit client computers will not download or install the package even if the client computer is in an approved group.
Next, the client will start the process of downloading the packages that have been approved to a temporary folder on the local hard disk. The folder path is:
During this download, the package remains compressed and encrypted to minimize the download bandwidth requirements and to ensure the security of the data. In addition, if there is an interruption in the network connectivity of the client computer, the agents will automatically continue the download as soon as the computer is back online. The package is only decompressed, decrypted, and launched after the download has completed.
The user does not need to be logged on for the application to be installed; the process will launch by using the SYSTEM security context. However, the computer must be turned on. This process will work seamlessly, as long as the software installation routine has been configured to install without the need for user interaction, as discussed previously.
If the installation package requires user interaction for completion, the installation routine will start but will timeout after sixteen hours, the installation will then be cancelled and an alert sent back to the Windows Intune Administration console.
Step 5: Monitor Deployment Status
After you have uploaded the software package and approved it to be deployed to the required computers, you can use the Managed Software workspace to monitor the deployment status. As the clients check in with the Windows Intune service, they will be informed of the availability of the software package for them, in much the same way that they receive update notifications.
You can monitor the status of these installations in the Managed Software workspace of the Windows Intune administrator console, as shown in Figure 10.
Figure 10. Monitoring in the Managed Software workspace
The following statuses exist for these installations:
- Installed. Reports on managed software that has successfully been installed and reported back to the Windows Intune service.
- Failed. Reports on installations that executed, but did not report a successful return code.
- Pending. Tracks clients that are approved for deployment, but have not attempted an installation as yet. This is usually because the client computer has not checked back with the Windows Intune service since the deployment approval was issued.
- Not Meeting Requirements. Logs when a client computer is a member of a group that has received approval for a deployment, but does not meet the requirements set by the administrator during the creation of the software package.
As you monitor this workspace, you will be able to see the deployment status update as each client reports back to the Windows Intune service. If there are any failed installations, these will also generate a Software alert, which will be visible in the main System Overview view of the administrator console.
If the software deployment package is an MSI or MSP file that supports the uninstallation option it is also possible to update a deployment and approve the package for uninstallation.
This process is simply a matter to returning to the deployment screen, as shown in Figure 9, and selecting the Uninstall option. Once you have selected to uninstall the package Windows Intune will inform the client computer to remove the package the next time it checks in with the service. The Windows Intune administration console will then be used to track the status of the uninstallation on each client.
This option will only be available for packages that support the uninstall option, the option will be grayed out in the case of EXE files, as shown in Figure 9.
Best Practices for Using Windows Intune Software Distribution
This release of Windows Intune provides a powerful new way to deploy software to your managed computers virtually anywhere. To make sure that you have the best experience of using this new functionality in Windows Intune, we've compiled some best practices.
Always consider the bandwidth implications of a deployment. When you first start your software deployments, we recommend that you start with small-scale deployments to help you determine the impact that they might have on your network infrastructure. Before deploying any large software packages, ensure that the target computers are going to be connected to an Internet connection that is capable of supporting the download. We recommend that you use the Windows Intune Agent Settings policy to help configure the bandwidth usage policy during business hours, as shown in Figure 11.
Figure 11. The Background Intelligent Transfer Service (BITS) policy setting
If your network has a web proxy that supports caching, you should enable this to help manage the download requests where possible.
Test silent installation switches. It is important that the installation process completes silently because any installation that tries to prompt for user input will be blocked. The methods that are available to configure this vary among software, so you must take some time to test the deployment package before rolling it out to all of your users. To help in this testing, we recommend that you create a Test deployment group that contains computers (or virtual machines) that represent operating systems and configurations that you support in the Windows Intune environment. You can then deploy to this group first, monitor the status of the installation, and check for any deployment issues that might arise, before end users are exposed to them.
Create custom Detection Rules where possible. If you create your deployment packages with custom detection rules you will help to ensure that user customizations are not overwritten if a Windows Intune deployed application is installed over the top of it. This will also help to minimize the bandwidth used for deployments as clients that have the package already installed will not download the package unnecessarily.
Deploy updates based on software already managed by Windows Intune. If possible we recommend you deploy the software with Windows Intune first and then deploy updates to it using the Update software Wizard. This will make sure the correct update is deployed to the correct client computer as Windows Intune will already have a record of the deployment of the original software. If you chose to deploy updates to applications that as not already managed by Windows Intune you should ensure the software you are trying to update is correctly identified in the Prerequisites step of the Update upload wizard. This will make sure the package is downloaded only by the computers that need it.
Manage storage space. To view the total storage space used by both software and update packages you can go to the Administration workspace and select the Storage Use option. During the trial period, 2 GB of complimentary Windows Intune online storage space are provided to store updates or applications until distribution. Paid subscriptions will include an increased amount of storage space, but customers will have the option to purchase additional space if required. If you find that your managed software storage is starting to fill up, you can easily manage the list of stored applications and updates. Software and update packages do not need to be stored in managed software storage after they have been deployed to the required computers you can remove those packages from the managed storage, if required.
Check for automatic update options. Many software vendors now offer options to automatically check and update their software directly from the client computer. If you plan to manage your software updates with Windows Intune you should disable this automatic process on the client computer so you can manage when your software updates are deployed. The process of this will vary from product to product so check with the software vendor for details of the specific software.
These best practices will help you to organize your software and update package deployments in a manner that is both efficient and scalable.
While software deployment has always been a challenge across larger organizations, the process of deploying software across the Internet is significantly more complex. The Windows Intune Managed Software and Updates workspaces simplify how your business can deploy and manage software and 3rd Party updates across your managed computers, wherever they are.
This guide has taken you through some of the tasks that you will need to perform to set up, deploy, and manage your software and software updates by using Windows Intune.
For the latest Windows Intune information, visit the Windows Intune Resource Zone on TechNet at http://technet.microsoft.com/windows/intune, the Windows Intune product website at http://www.windowsintune.com, or check out the Windows Intune Blog at http://blogs.technet.com/windowsintune.