Microsoft Endpoint Manager with EDU Scenarios: Enterprise Wi-Fi and .Intunewin

Introduction

Education institutions can do most of their app targeting and policy management for Windows and iOS in the Intune for Education dashboard.

There are some tasks that can only be done in Microsoft Endpoint Manager (MEM). The most common EDU scenarios in MEM are Enterprise Wi-Fi configuration and deploying legacy (.exe) applications. You will experience these common scenarios in this interactive guide.

Create and Deploy Enterprise Wi-Fi Profile

Wi-Fi is a wireless network that's used by many mobile devices to get network access. Microsoft Intune includes built-in Wi-Fi settings that can be deployed to users and devices in your organization. This group of settings is called a "profile" and can be assigned to different users and groups. Once assigned, your users get access to your organization's Wi-Fi network without configuring it themselves.

Note: We will use the full MEM Console to create and assign the Windows and iOS Wi-Fi profiles to devices. 

Windows 10 Enterprise Wi-Fi Profile

• Click in the address bar and type: https://endpoint.microsoft.com/ and then hit Enter
• Sign in with the following credentials:
  • Type Username as admin@myschool.com, hit Enter and then click Next
  • Type Password as password, hit Enter and then click Next
  • Click on Yes to stay signed in
• In the left panel click on Devices
• Click on Configuration profiles
• Click on Create profile
• In the flyout, under Platform, choose Windows 10 and later from the drop-down list.
• Under Profile Type select Templates
• Scroll down and select Wi-Fi from the templates list
• Select Create

Basics

Enter the following information:

• Click in the Name field, type Windows 10 Enterprise Wi-Fi and hit Enter
• Click in the Description field, type Windows 10 Enterprise Wi-Fi profile for All Devices and hit Enter
• Click Next to proceed

Configuration Settings

We will configure the minimum required settings to enable an Enterprise Wi-Fi profile.

• Select Enterprise from the Wi-Fi type drop-down list
• Click in the Wi-Fi Name (SSID) field, type ContosoWiFi and hit Enter
• Click in the Connection Name field, type ContosoWiFi and hit Enter (Enter a user-friendly name for this Wi-Fi connection.)
• Scroll down and then under EAP Type select the Extensible Authentication Protocol (EAP) type to authenticate secured wireless connections. For this guide, select Protected EAP (PEAP) from the drop-down list.

 For additional information on each type: https://docs.microsoft.com/en-us/mem/intune/configuration/wi-fi-settings-windows#enterprise-profile

• Scroll down, and select Username and Password from the Authentication Method drop-down list
• Click Next to proceed

Assignments

Assignment is where we will specify to which Devices the Wi-Fi profile will be deployed – using Azure AD Groups.

For this example:

• Under included groups, click on +Add All Devices
• Click Next to proceed

Applicability Rules

We will create an applicability rule to only include Windows devices that are running Windows 10 Enterprise.

• In the drop-down list for Rule, select Assign profile if
• In the drop-down list for Property, select OS Edition
• In the drop-down list for Value, select Windows 10 Enterprise
• Click Next to proceed

Review and Create

Review the Profile information

• Scroll down and then click Create

iOS Enterprise Wi-Fi Profile

• On the left side of the screen, click Devices
• Click on Configuration profiles
• Click on Create profile
• On the flyout, choose iOS/iPadOS as Platform from the drop-down list
• Under Profile Type select Wi-Fi from the drop-down list
• Click Create

Basics

Enter the following information:

• Click in the Name field, type iOS Enterprise Wi-Fi and hit Enter
• Click in the Description field, type iOS Enterprise Wi-Fi profile and hit Enter
• Click Next to proceed

Configuration Settings

We will configure the minimum required settings to enable an Enterprise Wi-Fi profile.

• Under Wi-Fi type,  select Enterprise from the drop-down list
• Click in the Network Name field, type ContosoWiFi and hit Enter
• Click in the SSID field, type ContosoWiFi and hit Enter
• Under Security type, select WPA-Enterprise from the drop-down list
• In the drop-down list for EAP Type, select the Extensible Authentication Protocol (EAP) type to authenticate secured wireless connections. For this guide, select Protected EAP (PEAP)
• Select Username and Password from the Authentication Method drop-down list
• Click Next to proceed

Assignment

• Click on +Add All Devices
• Click Next to proceed

Review and Create

Review the Profile information

• Click Create

Deploy Win32 App

Before you can deploy a Win32 App to devices in your organization you must first add the app to Microsoft Intune by preparing the app using the Microsoft Win32 Content Prep Tool.

Prepare Win32 App Content for Upload to Intune

Download the Microsoft Win32 Content Prep Tool from Github – in a browser, access the following URL:

• Click in the address bar and type https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool and then hit Enter
• In the Github file ‘explorer’ window – click on the IntuneWinAppUtil.exe
• Click Download – this will automatically download to the Windows Downloads folder.

Running the Microsoft Win32 Content Prep Tool

We will deploy WinZIP to devices using Intune and the MEM Console.

• Click in the address bar and type https://download.winzip.com/gl/gad/winzip25.exe and then hit Enter. WinZip will download immediately

Generating the IntuneWin file:

• Click on Open File under IntuneWinAppUtil.exe
• In the command prompt, type the source (WinZip) folder as c:\WinZIP
• Type the setup file as Winzip25.exe
• Type the output folder as C:\Output
• Type N (no) for “do you want to specify catalog folder”

Winzip25.exe has been converted to .intunewin and is in your c:\output folder

Deploying the Win32 App using Intune

• Click on the address bar and type https://endpoint.microsoft.com and then hit Enter
• In the sidebar click on Apps
• Click on All apps
• Click Add
• On the Select app type pane, under the Other app types, select Windows app (Win32) from the drop-down list
• Click Select to proceed

Select the App package file:

• On the Add App pane, click Select app package file
• On the App package file pane, select the browse button and double-click on Output folder (navigate to C:\Output)
• Click on winzip25.intunewin file created in the above steps.
• Click Open
• When you are finished, click on OK on the App package file pane.

Set App information:

Review app information

• In the Add Publisher field, type WinZip and hit Enter
• Click Next

Program

Enter values for the following fields.

• In the Install Command field, type Winzip25.exe /q and hit Enter

For the specific arguments your application package supports, contact your application vendor. 

• In the Uninstall Command field, type msiexec.exe /x{{784C04A3-2E5A-4E7C-A7F7-7D97E27859AD}} /quiet and hit Enter

More information: Product Codes - Win32 apps | Microsoft Docs

Return Codes : The Return Codes and Code Type fields should be automatically populated with: 0 – Success 1707 – Success 3010 – Soft Reboot 1641 – Hard Reboot 1618 – Retry

• Click Next to proceed

Requirements

Note that these settings are very subjective based on your specific device and device architecture requirements.

• In the Operating System Architecture drop-down list, select 64-bit
• Select Windows 10 1607 as the Minimum Operating System from the drop-down list
• Select Next to proceed.

Detection Rules

With Detection Rules we effectively detect the presence of the app on target devices.

• Under Rules Format, select Manually Configure Detection Rules from the drop-down list
• Click +Add
• In the Rules type, select MSI from the dropdown list.
• In the MSI Product Code field, type: {28B89EEF-4101-0000-0102-CF3F3A09B77D} and hit Enter

This code can be sourced from the product vendor or from a device that already has the application installed – and can be found in the Registry: HKEY_CLASSES_ROOT\AppID\winzip64.exe Make sure to include the brackets {}

• Click OK to save and proceed
• Click Next to proceed

Dependencies

App dependencies are applications that must be installed before your Win32 app can be installed. You can require that other apps are installed as dependencies.

Refer to https://docs.microsoft.com/en-us/mem/intune/apps/apps-win32-add#step-5-dependencies for additional guidance.

• Click Next to Proceed

Supersedence

When you supersede an application, you can specify which app will be updated or replaced. To update an app, disable the uninstall previous version option. To replace an app, enable the uninstall previous version option.

• Click Next to Proceed

Assignment

Assignment is where we will specify on which Devices the Win32 app to be installed – using Azure AD Groups. We can target the App to a User Group or a Device Group.

• When a Device Group is used, userall devices will install the app (based on the criteria defined in App profile) and the application will be available to all users that sign onto that device.
• When a User Group is used, the application will be installed on the device where the assigned user has signed in, and the application will only be available to that user.
• Click +Add Group under Required
• In the search box, type All Company to search for the All Company group, and hit Enter
• Select All Company from the list
• Click Select
• Click Next to proceed

Review and Create

Review the values and settings that you entered for the app. Verify that you configured the app information correctly.

• Scroll down and then scroll down again.
• Click Create to add the app to Intune - the Overview pane for the LOB app appears.

At this point, you have completed the steps to add a Win32 app to Intune.