Update Intune docs for MSI installer #418

Draft: wants to merge 3 commits into base: main
37 changes: 12 additions & 25 deletions tutorials/connect-intune-to-smallstep.mdx
@@ -1,5 +1,5 @@
---
updated_at: May 13, 2025
updated_at: July 01, 2025
title: Connect Intune to Smallstep
html_title: Connect Intune to Smallstep
description: Configure Intune to deploy the Smallstep Agent and distribute certificates and configuration to Mac clients.
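Review bot: The `description` in this front matter still says the tutorial distributes certificates and configuration "to Mac clients", while the steps changed further down upload a Windows App (Win32) package and name a Windows VM as the test device. Since the front matter is already being touched for `updated_at`, consider correcting the description so the page metadata matches the platform the steps cover.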
Expand All @@ -16,8 +16,8 @@ To configure the connection, let’s first set up an Application in Entra ID. Th
You will need:

- A [Smallstep team](https://smallstep.com/signup)
- A [Microsoft Azure / Entra ID](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount) Tenant
- A [Microsoft Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) Tenant
- A [Microsoft Azure / Entra ID](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount) Tenant. A Global Administrator role is required to grant tenant-wide API consent.
- A [Microsoft Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) Tenant. An Intune Administrator role is required.
- A test device to enroll for management. This can be a Windows VM, but you may need a physical device or additional Wi-Fi adapter if you are testing an Enterprise Wi-Fi connection.

Client requirements:
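Review bot: The new Entra ID bullet asks for Global Administrator without saying that the role is needed only for the tenant-wide consent step, so readers may run the whole tutorial under the tenant's most privileged role. Suggest scoping it, for example "needed only to grant admin consent in step 2", and stating what the Intune Administrator role is required for, the way the Entra bullet does. If a narrower Entra role can grant this consent, naming it here would fit least privilege better.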
Expand Down Expand Up @@ -46,19 +46,18 @@ In the Entra Admin Center, [Register an Application](https://entra.microsoft.com
- Leave all other values alone
- Select **Register**

In your new App Registration, copy the **Application (client) ID** value, which you will register with Smallstep later.
Find your new App Registration, and copy the **Application (client) ID** value, which you will register with Smallstep later.

Next, visit the **Certificates & secrets** blade.

Select **+ New client secret**, and use the following properties:

- Name the secret “Smallstep Secret”
- Choose a validity period that matches your security policies. When you rotate the client secret, you will need to update it in your Smallstep settings.
- Select **Add** to create the secret

Copy the **Client Secret Value**, which you will register with Smallstep later.

Choose a validity period that matches your security policies. When your client secret expires, you will need to update it in your Smallstep settings.

### 2. Grant API Permissions

Now we’ll connect the App Registration to Intune by adding application permissions.
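Review bot: The relocated validity-period bullet replaces "When your client secret expires" with "When you rotate the client secret", which drops the only mention that the secret has an expiry the reader must track. Suggest keeping both ideas, for example "Rotate the client secret before it expires, and update it in your Smallstep settings when you do." The bullet also sits under "use the following properties" although its second sentence is follow-up guidance rather than a property; keeping the first sentence in the list and placing the rotation sentence after "Copy the **Client Secret Value**" would read more cleanly.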
Expand Down Expand Up @@ -98,25 +97,17 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi

1. In Intune,
1. Start at [Windows Apps](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/~/windowsApps)
2. Choose **+ Create,** and then select **Windows App (Win32)**
3. [Download the Smallstep agent package](https://github.com/smallstep/step-agent-plugin/releases/latest) and select it for upload in Intune.
2. Choose **+ Create**, and then select **Windows App (Win32)**
3. [Download the Smallstep agent `.intunewin` package for `amd64`](https://files.smallstep.com/intune/step-agent-plugin_amd64.intunewin) and select it for upload in Intune. (Contact Smallstep if you need an `arm64` installer).
- For the App Information tab:
- Under Publisher, use “Smallstep”
- Choose “Next”
- For the Program tab:
- For Install Command, use:
```
step-agent-plugin-Setup_amd64_<version>.exe /silent
```
Replace `<version>` with the version of the Smallstep Agent being distributed.
- For Uninstall Command, use:
```
msiexec /x "{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}"
```
- Note the minor version number. You'll need it below.
- Choose “Next”
- For the Requirements tab:
- Operating System Architecture: 64-bit
- Minimum operating system: Windows 10 1607
- For **Check Operating System Architecture**, choose "Yes"
- Select "Install on x64 systems"
- Use minimum operating system: Windows 10 1607
- Choose "Next"
- For the Detection rules tab:
- Rules format: Manually configure detection rules
- Choose **+ Add**
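Review bot: The Program tab now says only "Note the minor version number. You'll need it below.", but with the versioned install command removed and the download link pointing at an unversioned `step-agent-plugin_amd64.intunewin`, nothing in this hunk tells the reader where that version number is shown. Suggest naming the field or location to read it from, and stating whether the install and uninstall commands should be left at the values Intune shows for this package. Since the download moved from the GitHub releases page to a direct file URL, a published checksum or a note on how to verify the package before upload would help admins who are about to assign it to managed devices. Minor: the period belongs inside the parenthesis in "(Contact Smallstep if you need an `arm64` installer).", and the new lines use straight quotes around Next and Yes where the surrounding text uses curly quotes.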
Expand All @@ -131,10 +122,6 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi
- Value: `<smallstep-agent-minor-version>`
- Make sure you replace this with the current **minor** version (using SemVer conventions) of the Smallstep Agent being distributed. For example: `51` for version `0.51.0`.
- Choose “Next”
- For the Dependencies tab:
- Choose “Next”
- For the Supersedence tab:
- Choose “Next”
- For the Assignments tab:
- Assign the app to devices as desired.
- On “Review and Create” click **Create**
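Review bot: Removing the Dependencies and Supersedence steps leaves the walkthrough jumping from the Detection rules tab straight to Assignments; if the wizard still presents those tabs, a single line such as "accept the defaults on the remaining tabs" would keep the steps in sync with the UI. Supersedence may also deserve a sentence rather than removal: the earlier hunk drops the `.exe /silent` install command, and tenants that already deployed that package need to know whether the new package should supersede it or be installed alongside it.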