High Level Approach to Migrating Win32 Apps from SCCM to Intune

 To leverage the full potential of #MSIntune, besides other workloads Applications should also move from #SCCM to Intune. This needs to be thoroughly Assessed, Planned, Tested and Implemented so the applications are migrated to Intune without any impact to users and business.

Why does this article only cover Win32 Apps

While there are several types of line-of-business (#LOB) app however most common type is Win32. #Win32apps are typically developed in-house and offer more control within #Intune than a Windows LOB app. Intune supports both 32-bit and 64-bit operating system architecture for this file type.

Deploying the Win32 app from Intune has the following advantages:

You can now deploy .exe files by converting them to the .intunewin format.
You can use detection logic to make sure that an app will be downloaded to the device and installed only if it's not detected as per a set rule.
You can create rules to require that the app is applicable to, downloaded to, or installed in the device only if it meets a specific criterion.
From the Intune user interface, you don't natively have the ability to deploy a single update to a Windows 10 device. If you have a critical update that has to be deployed to devices, you can use the Win32 app deployment approach.
You can set dependencies for a Win32 app. This setting enables you to determine either the sequence in which the app would be installed or the priority of the apps.

Nevertheless, the approach (Assessment->Plan/ Design->Test->Implement -> Handover) described here can be followed for any other type of application as well.

Assessment

Start with assessment to get an understanding of the current SCCM setup and how the Application Management is done via SCCM. Some of the questions could be:

=> Checking the Pre-requisites like:

Devices have Windows 10 version 1607 or later (Enterprise, Pro, and Education versions)

Devices must be enrolled in Intune and either Microsoft Entra registered, or Microsoft Entra joined, or Microsoft Entra hybrid joined

Windows application size has a maximum of 30 GB per app.

Co-management Workload (Client Apps) must be enabled.

Article content
Switching "Client apps" Workload

=> Type and number of Apps that are actively being deployed via current SCCM setup

=> Are the Collections or on-prem AD groups leveraged for Application Installation/ Uninstallation?

=> Installation/ Uninstallation commands and Detection logic for the Apps

Planning and Design

Before actually converting the applications to .intunewin format and onboarding into Production environment proper planning and designing is required so there is no impact to the business.

Some of the key aspects to consider during Design phase are:

=> Approach for Application Migration (Phased or Big Bang). User or Application Based Deployment?

=> Pros and Cons of leveraging the Installation/ Uninstallation groups in On-Prem AD or Microsoft Entra ID

=> Naming conventions for Applications on Intune and Microsoft Entra ID Installation and Uninstallation group

=> Use Cases

=> Risks, if any

Testing

Test plan and strategy is needed to ensure there is seamless transition from SCCM to Intune and there is no impact to the business when deploying applications via Intune in Production environment.

As a good practice the applications should be first converted into .intunewin format in the non-prod environment and tested on the test devices.

Microsoft Entra ID groups for installation and uninstallation should be created and tested in non-prod environment before the same is replicated into the Production environment.

Document end to end testing results including all success and failures.

Article content
The flow behind deployment of a Win32 application from Intune
Implementation

Post successful testing and sign-off, we can move to Implementation in the Production environment.

The same .intunewin files can be onboarded to Production environment and the similar Microsoft Entra ID groups can be created for Installation and Uninstallation and assigned to the Applications.

Handover

Educate the BAU/ Operations team on the new Application deployment process via Intune

References:

Understand line-of-business apps for your managed environment | Microsoft Learn

Manage Win32 apps with Intune - Training | Microsoft Learn

Win32 app management in Microsoft Intune | Microsoft Learn

Comments

Post a Comment

Popular posts from this blog

4 Most common Issues while registering devices with Microsoft Intune MDM

Image
  The built-in Mobile Device Management (MDM) for Office 365 helps you secure and manage your users' mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device, and view detailed device reports. During implementation or deployment, there are some common issues which occur in many of the environment  1-   Windows Update Sometimes you will notice that Windows Update is showing-Up-To-Date but in actual, the version needed for the MDM Registration is not updating automatically and eventually fails every time in the loop Solution Suggested Go to this  link  upgrade your Windows 10 to the latest version You will find a home page like the screenshot below. Click on UPDATE Now button. It will download a .exe file. Run the file and click on UPDATE Now button and press YES. Here it will update your Windows 10 to the Latest Version Note:  You can still work during downloading a...
Read more

Managing Windows Updates with Intune: Best Practices with Update Rings

Image
  Keeping Windows devices up to date is one of the most critical, and often most overlooked, aspects of endpoint security. With Microsoft Intune, you can manage Windows updates centrally using Update Rings , giving you control over when updates install, how users experience restarts, and how you test updates before broad deployment. In this guide, I’ll walk you through: What update rings are Why they’re essential for patch compliance How to configure them in Intune Best practices for rollout and user experience 1. What Are Windows Update Rings in Intune? Update rings in Intune allow you to: Define when and how Windows updates are delivered Set deadlines for installation and restarts Delay feature updates (e.g., to test before production) Control user experience during updates They apply to Windows 10 and 11 devices enrolled in Intune, including those provisioned via Autopilot. 2. Why Update Management Matters Without structured update management, you risk: Devices missing crit...
Read more

The Intune Device Lifecycle: From Onboarding to Retirement (Best Practices)

  Managing endpoints isn’t just about deployment, it’s about handling the entire device lifecycle : from onboarding and day-to-day management to secure deprovisioning when a device is no longer in use. Microsoft Intune provides a streamlined, policy-driven approach to each phase of this lifecycle, and when done right, it reduces IT overhead, increases security, and improves the user experience. In this post, I’ll walk you through the key stages of managing a device in Intune from start to finish, and how to handle each one effectively. Stage 1: Provisioning & Onboarding This is where the device journey begins, and it sets the tone for everything that follows. Tools and features to use: Windows Autopilot for zero-touch setup Enrollment Status Page (ESP) to control setup sequence Dynamic groups to assign configurations automatically Baseline security policies (compliance, Defender, encryption) Goal: Make the first experience smooth, secure, and consistent for every user. Sta...
Read more