UPDATE: Have a look at my new post: Installing Adobe Reader DC with Intune Win32 application deployment
In this post I’ll walk you through my own experience installing Adobe Acrobat Reader DC with Intune and PowerShell on Azure AD joined and MDM enrolled Windows 10 devices. In a previous post I explained how to install Office 365 with Microsoft Intune using the MDM channel. If you search with your favorite search engine, you will find answers, or at the very least directions, to help you achieve this, and there are various ways to reach your end goal. This is just one of them. Peter van der Woude has a great blog post on “Combining the powers of the Intune Management Extension and Chocolatey”.
I realize the PowerShell script I provide is not finished and there is no error handling, but that might be another topic. Feel free to leave a comment with your own solution. After all, it’s about helping each other.
Intune Management Extension
With the Intune Management Extension you can upload your own PowerShell scripts to Intune and target them to your users and their devices. When a PowerShell script is assigned to a user group, the Intune MDM channel will install the Intune Management Extension agent first. This agent is responsible for deploying your PowerShell scripts. It installs the service “Microsoft Intune Management Extension” and sets up a scheduled task “Intune Management Extension Health Evaluation”. The agent checks for scripts every 60 minutes, and the health check runs once a day to see if the agent is functioning correctly. More on this later, but for now I want to point to the blog of Oliver Kieselbach:
- Part 1 – Deep dive Microsoft Intune Management Extension – PowerShell Scripts
- Part 2 – Deep dive Microsoft Intune Management Extension – PowerShell Scripts
Oliver explains the workings in great detail and I strongly suggest you read these posts for a complete understanding.
Prerequisites
- Azure AD joined Windows 10 devices running version 1607 or later.
- In order to distribute Adobe Acrobat Reader DC software you need to have a valid Adobe Acrobat Reader DC Distribution Agreement in place. See http://www.adobe.com/products/acrobat/distribute.html?readstep for details.
The PowerShell script
Save the script to your local system. I suppose you could change the script provided for any other software you cannot install using default app deployment.
# Silently install Adobe Reader DC with Microsoft Intune
# In order to distribute Adobe Acrobat Reader DC software you need to have
# a valid Adobe Acrobat Reader DC Distribution Agreement in place.
# See http://www.adobe.com/products/acrobat/distribute.html?readstep for details.
# Check if the software is already installed by looking in the registry.
$CheckADCReg = Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "Adobe Acrobat Reader DC*"}
# If Adobe Reader is not installed, continue with the script. If it's installed already, the script will exit.
If ($null -eq $CheckADCReg) {
    # Path for the temporary download folder. Script will run as system so no issues here.
    # -Force keeps New-Item from failing when the folder already exists from an earlier run.
    $Installdir = "c:\temp\install_adobe"
    New-Item -Path $Installdir -ItemType Directory -Force | Out-Null
    # Download the installer from the Adobe website. Always check for new versions!!
    $source = "ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/1800920044/AcroRdrDC1800920044_en_US.exe"
    $destination = "$Installdir\AcroRdrDC1800920044_en_US.exe"
    Invoke-WebRequest -Uri $source -OutFile $destination
    # Start the installation when download is finished
    Start-Process -FilePath $destination -ArgumentList "/sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES"
    # Wait for the installation to finish. Test the installation and time it yourself. I've set it to 240 seconds.
    Start-Sleep -Seconds 240
    # Finish by cleaning up the download. I choose to leave c:\temp\ for future installations.
    Remove-Item -Path "$Installdir\AcroRdrDC*" -Force
}
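The script above fetches the installer over plain FTP and runs it in system context, so nothing confirms that the file is the one Adobe published. The following is an added example, not part of the original script: it checks the Authenticode signature, the signer, and optionally a pinned SHA-256 before launching the installer. `Test-InstallerTrust` and its parameters are hypothetical names, and the publisher string `'Adobe'` is an assumption to confirm against a known-good copy.

```powershell
# Added example: verify a downloaded installer before running it as SYSTEM.
# Test-InstallerTrust, -ExpectedPublisher and -ExpectedSha256 are hypothetical names.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: substring of the signer subject; confirm it on a known-good copy,
        # or tighten this to the full subject or certificate thumbprint.
        [Parameter(Mandatory)][string]$ExpectedPublisher,
        # Optional: hash recorded when the package was tested (none is given on this page).
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }

    # The file must be signed, unmodified since signing, and chain to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status is '$($sig.Status)' for $Path"
        return $false
    }

    # A valid signature from an unexpected publisher is still a failure.
    if ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        Write-Warning "Unexpected signer: $($sig.SignerCertificate.Subject)"
        return $false
    }

    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) {   # string comparison is case-insensitive
            Write-Warning "SHA-256 mismatch for $Path"
            return $false
        }
    }
    return $true
}

# Usage between the download and the installation steps of the script above.
$destination = 'c:\temp\install_adobe\AcroRdrDC1800920044_en_US.exe'
if (Test-InstallerTrust -Path $destination -ExpectedPublisher 'Adobe') {
    # -Wait blocks until the installer exits, instead of a fixed sleep.
    Start-Process -FilePath $destination -Wait `
        -ArgumentList '/sAll /rs /rps /msi /norestart /quiet EULA_ACCEPT=YES'
} else {
    # Do not leave an untrusted binary behind; exit with a non-zero code.
    Remove-Item -LiteralPath $destination -Force -ErrorAction SilentlyContinue
    exit 1
}
```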
Installing Adobe Acrobat Reader DC with Intune and PowerShell
- Navigate to Azure Portal > Intune > Device Configuration > PowerShell scripts
- Click on Add
- Give your script a name and description
- By default the script runs in system context
- Since this script is not signed, leave the default settings as they are.
- Browse to your script and select it
- Click OK
- Click Create
Your script is created and you will need to assign it to a security group.
Note:
While testing I’ve found that the script will only deploy and work when assigned to a user group. The official Microsoft documentation also says to target a user group:
“Select one or more groups that contain the users whose devices will receive the script, and then click Select to assign the policy to the selected groups.”
If you read the comments, you will see that many users run into problems assigning the script. I’ve opened a support case with Microsoft and the engineer confirmed, and I quote;
“For the moment the Intune PowerShell scripts must be assigned to user groups. This is the way to follow in order to achieve positive results with the deployment of PowerShell scripts.”
- Click on Assignments
- Click on Select groups
- Search for your group with user accounts
- Click on Select
- Finally click on Save
Monitor run status for PowerShell scripts
The Intune Management Extension deployment depends on device synchronization to the Intune service, which typically occurs every six to eight hours. When the devices sync with Intune, the Microsoft Intune Management Extension agent will be installed on the device. You could try to force a sync from the devices blade if you want a little more control. It might take a few tries and/or reboots.
Back on the PowerShell blade you can now see the Intune Management Extension has been installed and in turn deployed the script. As you can see, there are 8 devices and six successful deployments.
To further analyze the deployment, click on either Device status or User status. In this example I’ve clicked on User status. As you can see, a user can have more than one successful or failed deployment.
Let’s have a look at the user with 4 successful installations. Click on Device status to see all devices.
The information presented tells us that Bart has been working on 4 different devices on the same day, and Adobe Reader DC got installed successfully. Actually, this screen only tells you that the script was received by the client. If you want to know if Adobe Reader DC really got installed, you will have to check the device itself. I’m really hoping Microsoft will further fine-tune this feature with error handling and more intelligence.
Conclusion
The Intune Management Extension is a great addition when managing Windows 10 devices via MDM. It’s not mature yet, but new features are added monthly and I expect this will also be the case for the Intune Management Extension. When you need a little more control and fine-tuning because MDM and OMA-URI are not enough, this feature just might help you toward modern management on Windows 10 devices.
FAQ
Q: Did the Intune Management Extension agent install?
- Check the Device or User status as explained above
- In Programs and Features you will see the Microsoft Intune Management Extensions installed.
- Check if the folder C:\Program Files (x86)\Microsoft Intune Management Extension exists.
- The agent will install a service “Microsoft Intune Management Extension”
- The agent will set up a scheduled task “Intune Management Extension Health Evaluation”
Q: How can I quickly test a script and deployment?
- Restart the service “Microsoft Intune Management Extension” to force a sync
Q: How do I know if my script did execute?
- Check Event log > Application and Services Logs > Windows PowerShell
- Look for Event ID 600
- Within the details you should look for:
HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -executionPolicy bypass -file C:\Program Files (x86)\Microsoft Intune Management Extension\Policies\Scripts\[GUID].ps1
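The checks from the FAQ items above can be collected in one pass on the device, together with the registry check that shows whether Reader really got installed. This is an added example, not part of the original post; `Get-ImeDeploymentEvidence` is a hypothetical name, and it looks in both the 64-bit and the Wow6432Node uninstall keys, which goes slightly beyond the script's own check.

```powershell
# Added example: gather on-device evidence that the agent is present,
# that an Intune-delivered script was started, and that the app is installed.
# Get-ImeDeploymentEvidence is a hypothetical name.
function Get-ImeDeploymentEvidence {
    param([string]$AppNamePattern = 'Adobe Acrobat Reader DC*')

    # Agent artefacts named in the FAQ: the service and the health-check task.
    $service = Get-Service -DisplayName 'Microsoft Intune Management Extension' `
        -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskName 'Intune Management Extension Health Evaluation' `
        -ErrorAction SilentlyContinue

    # Event ID 600 is written several times per PowerShell start, so keep only
    # the most recent entry per script file found in the HostApplication line.
    $pattern = 'Intune Management Extension\\Policies\\Scripts\\(?<script>[^\\\s]+\.ps1)'
    $runs = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 600 } `
            -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $pattern) {
                [pscustomobject]@{ Script = $Matches['script']; Time = $_.TimeCreated }
            }
        } |
        Group-Object -Property Script |
        ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 }

    # The run status in the portal only shows that the script was received,
    # so confirm the result in the uninstall keys.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $app = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $AppNamePattern } |
        Select-Object -First 1 DisplayName, DisplayVersion

    [pscustomobject]@{
        AgentService  = if ($service) { $service.Status } else { 'NotInstalled' }
        HealthTask    = [bool]$task
        ScriptRuns    = @($runs)
        InstalledApp  = $app
    }
}

Get-ImeDeploymentEvidence | Format-List
```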
Q: How to further troubleshoot?
- Check Oliver’s blog
Additional Info
Manage PowerShell scripts in Intune for Windows 10 devices
hey why would you install via powershell instead of doing it the way microsoft wants (?) adding the package to the apps section
Hi Tristan, Adobe reader DC does not have a .msi installer by default. Azure Intune can deploy .msi packages to MDM enrolled devices. Using the old silverlight portal you can deploy .exe files but then you will also need to install the Intune Software client. Your devices are then managed as computers, whereas MDM enrolled devices are managed as mobile devices. Hope this helps
What do you do if it’s a Corporate Owned Device that makes the user a standard user? You wouldn’t be able to deploy a PowerShell script in that case.
Hi Shantanu, By default, the script runs in system context. It will only run in user context if you configure it that way. However, during my visit to Microsoft Ignite 2018 last week, Microsoft announced the ability to deploy win32 apps (.exe) with Intune. I will have to write a post about that but in the meantime have a look at Maurice Daly’s post about that: http://www.scconfigmgr.com/2018/09/24/deploy-win32-applications-with-microsoft-intune With this new ability, powershell script could be used for other things than installing Adobe Reader. Hope this helps.
[…] PowerShell can be used to deploy Adobe Reader to Windows 10 PCs via Intune; however, this does not allow for user self-service installs and will require building in logic to account for failures in network connectivity during the download or retrying the installation if it were to fail […]
[…] great news because now we don’t have to use work-arounds like PowerShell scripts. I have another post guiding you through the installation process of Adobe Acrobat Reader DC using Intune and […]
Thanks for this excellent guide. It’s not only accurate, but full of valuable information from beginning to end.
Thx Juan,
Much appreciated!
Where would you go to find the latest version of adobe to download?