The Intune Win32 app requirements feature is quite underrated and often overseen in my experience. The ability to specify a custom PowerShell scripts allow us to check for specific hardware or device properties in order to determine if an app or firmware update should be installed or not. So there's no need to build multiple and complex dynamic Azure AD groups for the assignment of your apps.

Use cases from the field

From recent projects I've discovered the following use cases to deploy Win32 apps only to specific hardware types:

  • Install specific device drivers or hardware vendor's software which is not available within the Windows update catalog  (e.g. hotkey features, firmware updates)
  • Install a VPN client only on notebooks and tablets (e.g. Palo Alto GlobalProtect Client)

Win32 app requirements

Intune Win32 app requirements are evaluated by the Intune Management Extension to check if a device fulfills defined requirements for an application installation. Requirements support both built-in and custom rules.

Built-in rules

Wit the built-in capabilities we can check for:

  • Operating system architecture
  • Minimum operating system
  • Disk space required
  • Physical memory required
  • Minimum number of logical processors required
  • Minimum CPU speed required

Additional rules (custom)

Additionally we can build rules based on:

  • Filesystem (file, folder checks)
  • Registry (checking presence of keys and values)
  • Script (executing PowerShell scripts and checking return codes and values)

PowerShell possibilities

Because I've fulfilled the use cases mentioned in the beginning with PowerShell requirements scripts I'm going to focus on this rule type.

When the Intune Management Extension performs the prerequisites check and runs the custom PowerShell script it checks for exit code 0 from the PowerShell process otherwise the prerequisites are considered as not fulfilled. Upon return of exit code 0 standard script output is detected in more detail.

Within the Win32 app prerequisites script you can specify which data type from the PowerShell output stream you want to use for matching your prerequisites. Based on the data type different operators are available. The following data types are available:

  • String (1)
  • Datetime (2)
  • Integer (3)
  • Floating Point (4)
  • Version (5)
  • Boolean (6)

The decimal values enclosed by parentheses are the values which are used by the Intune Management Extension (IME) to determine the matching. They are also used within the IntuneManagementExtension.log log-file and might help you for troubleshooting purpose.

As an example you could select "Integer" and expect a value of "1" to be present in the PowerShell output stream (PowerShell examples are below). Writing to the PowerShell output stream with your prerequisites script is done easily with: Write-Output "1".

Be aware that if your end devices not fulfill the configured prerequisites the app will not be installed.

Requirement scripts examples

Check for a specific hardware model

The following script checks if the device matches the hardware model(s) defined in the PowerShell array.

In Intune we can validate the Win32 app requirements with the following configuration and upload the script above:

Check for device type

To check for portable devices like notebooks and tablets you can use this script as Win32 app requirements and perform the same configuration as for the first example.

Admin experience

Intune Portal

In Intune you will see the installation status of your app and maybe some devices in the diagram showing "not applicable".  These are the devices which do not meet the prerequisites check. Therefore the app will not be installed.

Intune Management Extension

The Intune management extension log shows some interesting information how the requirements are evaluated and shows the process described before:

Intune Management Extension Insights

Retrieving existing requirement scripts

Unfortunately an existing requirement script can not be viewed within the Intune portal. This makes it difficult to check what requirements are configured. But with the Graph API and the Intune-PowerShell-SDK we can retrieve the content of the uploaded PowerShell script.

Follow the Intune-PowerShell-SDK instructions to connect to the Graph API BETA endpoint and afterwards retrieve the requirement script with the following PowerShell code and your Win32 app's ID:

The script content is stored as base64 encoded string and converted with the above PowerShell snippet.

Hint: to get your application id you can easily use the web browser and navigate to your Intune app and copy the id from the URL.  It will look like the following where the guid at the end corresponds to the id:

https://devicemanagement.microsoft.com/#blade/Microsoft_Intune_Apps/SettingsMenu/0/appId/0a2b8969-24c9-4305-bbc1-e3cc2562c29b

Reference