Microsoft Intune: How to deploy Windows Features

This blog article covers how to deploy Windows Features like Windows Sandbox or Hyper-V with Microsoft Intune.

  1. Spoilt For Choice
  2. The approach
  3. PowerShell script for installation/uninstallation (WindowsSandbox.ps1)
  4. Custom Detection Script (DetectWindowsSandbox.ps1)
  5. Create Windows app (Win32) package
  6. Deploy Application with Microsoft Intune

Spoilt For Choice

As is so often the case, Microsoft Intune offers several ways to deploy Windows features: Intune PowerShell Scripts, Proactive Remediations Scripts, or Windows Apps (Win32). Since the PowerShell Scripts and Proactive Remediations Scripts options do not allow you to easily uninstall the features after deployment, my favorite method is to deploy them via Windows Apps (Win32).

The approach

For the installation/uninstallation we use a PowerShell script, convert this via Win32PrepTool into the .intunewin format, and then distribute the package via Windows app (Win32). The detection is done by a custom detection script.

PowerShell script for installation/uninstallation (WindowsSandbox.ps1)

Param([Parameter(Mandatory = $true)][ValidateSet("Install", "Uninstall")][String]$Mode)
# Enable or disable the Windows Sandbox feature without forcing a restart
If ($Mode -eq "Install") {
	Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online -NoRestart
}
If ($Mode -eq "Uninstall") {
	Disable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online -NoRestart
}

If you want to deploy a different Windows feature than Windows Sandbox, only the FeatureName value needs to be adjusted. A few examples:

| Windows Features | PowerShell |
| --- | --- |
| Hyper-V | -FeatureName "Microsoft-Hyper-V" |
| Microsoft .NET Framework 3.5 | -FeatureName "NetFx3" |
| Windows Sandbox | -FeatureName "Containers-DisposableClientVM" |
| Windows Subsystem for Linux (WSL) | -FeatureName "Microsoft-Windows-Subsystem-Linux" |

Selection of Windows features that can be deployed

Custom Detection Script (DetectWindowsSandbox.ps1)

Since Windows features are only installed during a reboot process, I recommend using a custom detection script as the detection method. This way the status can be checked immediately via PowerShell with Get-WindowsOptionalFeature. Other detection methods such as File or Registry can detect the feature only after a reboot that follows the installation of the application.

$featureName = "Containers-DisposableClientVM"
# Exit 0 with output means "detected"; exit 1 means "not detected"
if ((Get-WindowsOptionalFeature -Online -FeatureName $featureName).State -eq "Enabled") {
    Write-Host "Windows Optional Feature $featureName is enabled"
    Exit 0
}
else {
    Write-Host "Windows Optional Feature $featureName is not enabled"
    Exit 1
}

If you want to deploy a Windows feature other than Windows Sandbox, only the $featureName variable needs to be adjusted.
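A variant of the detection script, added here as an example and not part of the original article, that also handles the pending states Get-WindowsOptionalFeature can report and a failed query. Treating "EnablePending" as detected is an assumption of this example, chosen so the app is reported as installed before the reboot completes the change.

```powershell
# Added example: detection that distinguishes enabled, pending and absent.
# Intune treats the app as detected only when the script exits 0 AND writes to STDOUT.
$featureName = "Containers-DisposableClientVM"

try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction Stop
}
catch {
    # Query failed (for example, the cmdlet is unavailable): report "not detected"
    # and write nothing to STDOUT.
    exit 1
}

if ($null -eq $feature) {
    # Feature name unknown on this Windows edition
    exit 1
}

switch ([string]$feature.State) {
    "Enabled" {
        Write-Output "Windows Optional Feature $featureName is enabled"
        exit 0
    }
    "EnablePending" {
        # Assumption of this example: a staged enable counts as installed
        Write-Output "Windows Optional Feature $featureName is enabled, reboot pending"
        exit 0
    }
    default {
        # Disabled, DisablePending, DisabledWithPayloadRemoved, ...
        exit 1
    }
}
```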

Create Windows app (Win32) package

With the Win32PrepTool (IntuneWinAppUtil.exe) we now create the package. The tool is available on GitHub:

We start the command prompt (cmd.exe) as administrator and start the Win32PrepTool (IntuneWinAppUtil.exe).

| Win32PrepTool Settings | Comments |
| --- | --- |
| Please specify the source folder: | Here you have to specify where the installation/uninstallation PowerShell script (WindowsSandbox.ps1) is located. Example: C:\Temp\Source |
| Please specify the setup file: | Here you have to specify the name of the installation/uninstallation PowerShell script. Example: WindowsSandbox.ps1 |
| Please specify the output folder: | Here you can specify where the package should be stored. Example: C:\Temp |

How to use Win32PrepTool (IntuneWinAppUtil.exe)

Deploy Application with Microsoft Intune

Now we are ready and can deploy the application with Microsoft Intune:

Apps – Windows – Add – Windows app (Win32) – Select – Select app package file: select the previously created intunewin package (WindowsSandbox.intunewin)

| Windows app (Win32) Settings | Comments |
| --- | --- |
| App information – Name | Enter any name for the Windows feature. Example: Windows Sandbox |
| App information – Description | Enter any description for the Windows feature. Example: Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. |
| App information – Publisher | Enter Publisher. Example: Microsoft |
| App information – Logo | Upload Logo for the Windows feature. Example: sandbox.png |
| Program – Install command | powershell.exe -ExecutionPolicy Bypass -file WindowsSandbox.ps1 -Mode Install (if your PowerShell script is named differently, this must be adapted) |
| Program – Uninstall command | powershell.exe -ExecutionPolicy Bypass -file WindowsSandbox.ps1 -Mode Uninstall (if your PowerShell script is named differently, this must be adapted) |
| Program – Install behavior | System |
| Requirements – Operating system architecture | 64-bit |
| Requirements – Minimum operating system | Select the minimum operating system for the installation. Example: Windows 10 21H1 |
| Detection Rules | Use a custom detection script: select the previously created custom detection script (DetectWindowsSandbox.ps1) |
| Dependencies | Is not required. Can be skipped |
| Supersedence (preview) | Is not required. Can be skipped |
| Assignments | Select Assignments and Create Application |

How to Deploy Application with Microsoft Intune

Last but not least, it should be noted that the installation and uninstallation of Windows features always happens during the reboot process. Therefore, a manual reboot must always be scheduled as soon as a Windows feature is installed or uninstalled.
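The install/uninstall script from above, extended as an added example (not the article's own code) so that it reports the pending reboot back to Intune instead of leaving it implicit. It goes beyond the original by accepting a feature name restricted to the four features listed in this article, writing a log line, and exiting with 3010, the "soft reboot" code in the default Win32 app return codes. The log path under ProgramData is an assumption of this example.

```powershell
# Added example: install/uninstall with an allow-listed feature name,
# a log entry, and a reboot-aware exit code.
[CmdletBinding()]
Param(
    [Parameter(Mandatory = $true)]
    [ValidateSet("Install", "Uninstall")]
    [string]$Mode,

    # Only the features named in this article are accepted, so an unexpected
    # argument cannot toggle an arbitrary Windows component while running as SYSTEM.
    [ValidateSet("Containers-DisposableClientVM", "Microsoft-Hyper-V", "NetFx3",
                 "Microsoft-Windows-Subsystem-Linux")]
    [string]$FeatureName = "Containers-DisposableClientVM"
)

$ErrorActionPreference = "Stop"
# Assumed log location for this example
$logFile = Join-Path $env:ProgramData "FeatureDeploy-$FeatureName.log"

try {
    if ($Mode -eq "Install") {
        $result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -All -NoRestart
    }
    else {
        $result = Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    }

    $state = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
    "$(Get-Date -Format o) $Mode $FeatureName state=$state restartNeeded=$($result.RestartNeeded)" |
        Add-Content -Path $logFile

    # RestartNeeded is set by DISM when the change completes only after a reboot
    if ($result.RestartNeeded) { exit 3010 }
    exit 0
}
catch {
    "$(Get-Date -Format o) $Mode $FeatureName FAILED: $($_.Exception.Message)" |
        Add-Content -Path $logFile
    exit 1
}
```

Because FeatureName defaults to Windows Sandbox, the install and uninstall commands from the table work unchanged; append -FeatureName with one of the listed values to deploy another feature.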
