Programmatic Upgrade of Intune Line-of-Business Apps
Overview
I am trying to programmatically update Intune Line-of-Business apps using the MS graph API, but am running into issues with Intune incorrectly detecting that the new version is installed, when in fact the old version is the only one still on the local machine.
I am using this guide which was originally meant to create new LOB apps, but I have adapted it to create AND update LOB apps. After resolving several issues, I have come across one roadblock which I think is related to the app manifest file.
Here is the process I followed:
*Note: when I refer to the original manifest file I am referring to the manifestXML defined on this line in the script.
- Attempt 1: First, I tried running the full upgrade process using the original manifest file for both old and new versions of Zoom. The original manifest file had MsiUpgradeCode set to the ProductCode for some reason. This is a bit confusing since UpgradeCode and ProductCode are different things, but I went along with it...
- Error 1: In this case, the new version WAS installed successfully but was never detected by Intune. It caused the error:
**The application was not detected after installation completed successfully (0x87D1041C)**
- Attempt 2: Next, I try deploying the Zoom MSI with the original manifest file. This successfully gets installed and detected on the local device. Then, I try to MANUALLY upload a new Zoom MSI version to the Intune dashboard.
- Error 2: It does not even allow me to complete upload, because I get an error saying something like
Upgrade Codes do not match
- Attempt 3: Therefore, I change the manifest file so that MsiUpgradeCode parameter is equal to the UpgradeCode defined in the MSI. To me, this makes more sense, since the UpgradeCode is meant to be universal across all app versions and the ProductCode is version specific.
- Error 3: I am now able to manually upload new Zoom MSI versions! After deploying again programmatically, I run into the issue where the new version is successfully detected by Intune but never installed on the local device. The old version remains.
- Attempt 4: Therefore, I change the manifest file to add MsiProductCode and MsiProductVersion. Although these params were not included in original manifest file, they seem like they would help with version-specific detection.
- Error 4: No change from Error 3. The new version is successfully detected by Intune but never installed on the local device.
Conclusion
After trying these steps, I am stuck with the new app version being successfully detected but never installed on the local device. I am really at a loss for what the manifest file should be since MS does not provide any docs on this. However, I know this is possible to do since all the graph API calls are working and Intune successfully updates MSIs all the time using the UI. Intune seems to just handle all of this configuration behind the scenes.
Any insight into what the manifest file is used for and what parameters are used for detection would be extremely helpful. Or if I am looking in the wrong place then let me know too!
Side note: This has made me greatly appreciate Win32 apps with their custom detection rules. I would honestly just use Win32s but need to support other clients with LOB apps.
More Detailed Logs
Here are more detailed logs for what my final Attempt 4 looked like. Let me know if I may be missing anything in the app metadata or the manifest file.
Create Zoom Line of Business App
- Make POST request with the following app metadata.
```
2024-04-15 20:14:33.506
INFORMATION: POST https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps
2024-04-15 20:14:33.511
INFORMATION: {
  "@odata.type": "#microsoft.graph.windowsMobileMSI",
  "displayName": "Zoom (64-bit)",
  "description": "Zoom (64-bit) 5.17.28914",
  "fileName": "zoom-meetings_5.17.1.28914.msi",
  "productVersion": "5.17.28914",
  "identityVersion": "5.17.28914",
  "productCode": "{B78381AB-543E-4971-87CD-07D5C144CAB6}",
  "privacyInformationUrl": null,
  "publisher": "Zoom",
  "commandLine": "ZoomAutoUpdate=\"true\"",
  "ignoreVersionDetection": true,
  "owner": "",
  "developer": "",
  "notes": "",
  "isFeatured": false,
  "informationUrl": null
}
```
- Create a new file in Intune with this Manifest XML:
```xml
<MobileMsiData
    MsiExecutionContext="System"
    MsiRequiresReboot="false"
    MsiProductCode="{B78381AB-543E-4971-87CD-07D5C144CAB6}"
    MsiProductVersion="5.17.28914"
    MsiUpgradeCode="{C819B794-A45C-4F27-9860-0C86492A52CC}"
    MsiIsMachineInstall="true"
    MsiIsUserInstall="false"
    MsiIncludesServices="false"
    MsiContainsSystemRegistryKeys="false"
    MsiContainsSystemFolders="false">
</MobileMsiData>
```
- Upload the MSI file and commit the file according to the original PS Script linked above.
Outcome: This app successfully installs to my local device with correct files and registry keys. This app is also successfully detected by Intune.
Update Zoom Line of Business App
Next, I try to update this app in place. The recommended way to update an LOB app is to replace the MSI which is exactly what I do using the graph API, while also updating important metadata using a PATCH call.
- Create new content version for app using the following Manifest XML:
```xml
<MobileMsiData
    MsiExecutionContext="System"
    MsiRequiresReboot="false"
    MsiProductCode="{334503B4-0A36-45A2-8206-A6B37A1F8B5B}"
    MsiProductVersion="5.17.34827"
    MsiUpgradeCode="{C819B794-A45C-4F27-9860-0C86492A52CC}"
    MsiIsMachineInstall="true"
    MsiIsUserInstall="false"
    MsiIncludesServices="false"
    MsiContainsSystemRegistryKeys="false"
    MsiContainsSystemFolders="false">
</MobileMsiData>
```
IMPT: Notice, the upgrade codes match from above but the product codes and product versions are different.
- Upload the MSI file according to the original PS Script linked above.
- Commit this file with this app metadata
```
2024-04-15 20:49:26.962
INFORMATION: PATCH https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps/2338ab53-3b54-414a-8946-684da43c9bd9
2024-04-15 20:49:26.962
INFORMATION: {
  "@odata.type": "#microsoft.graph.windowsMobileMSI",
  "displayName": "Zoom (64-bit)",
  "description": "Zoom (64-bit) 5.17.34827",
  "fileName": "zoom-meetings_5.17.11.34827.msi",
  "productVersion": "5.17.34827",
  "identityVersion": "5.17.34827",
  "productCode": "{334503B4-0A36-45A2-8206-A6B37A1F8B5B}",
  "publisher": "Zoom",
  "committedContentVersion": "2",
  "informationUrl": null,
  "owner": "",
  "developer": "",
  "isFeatured": false,
  "privacyInformationUrl": null,
  "notes": ""
}
```
IMPT: Notice, everything is the same as above except for description, productVersion, identityVersion, productCode, and committedContentVersion since we are uploading new version.
Outcome: This MSI file successfully uploads to Intune. However, it NEVER installs to my local device. This app remains the old version, but the weirdest part is that Intune detects the new version and says it is "Installed" even though the old version is the one still installed on my local device.
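
An added example (not part of the original post or of the script it adapts): reading ProductCode, ProductVersion and UpgradeCode directly from each MSI's Property table, building the MobileMsiData manifest from those values instead of typing them by hand, and checking the old/new pair against the relationship the post describes. The function names and the `C:\pkg` paths are hypothetical; the fixed attribute values are copied from the manifest in the post.

```powershell
# Added example. Function names and the C:\pkg paths are hypothetical.
function Get-MsiIdentity {
    param([Parameter(Mandatory)][string]$Path)
    $call = [Reflection.BindingFlags]::InvokeMethod
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $full = (Resolve-Path -LiteralPath $Path).Path
    # Second argument 0 opens the MSI database read-only.
    $db = $installer.GetType().InvokeMember('OpenDatabase', $call, $null, $installer, @($full, 0))
    $id = [ordered]@{}
    foreach ($name in 'ProductCode', 'ProductVersion', 'UpgradeCode') {
        $sql = "SELECT Value FROM Property WHERE Property = '$name'"
        $view = $db.GetType().InvokeMember('OpenView', $call, $null, $db, @($sql))
        $null = $view.GetType().InvokeMember('Execute', $call, $null, $view, $null)
        $rec = $view.GetType().InvokeMember('Fetch', $call, $null, $view, $null)
        if ($null -eq $rec) { throw "$full has no $name property" }
        $id[$name] = $rec.GetType().InvokeMember('StringData', [Reflection.BindingFlags]::GetProperty, $null, $rec, @(1))
        $null = $view.GetType().InvokeMember('Close', $call, $null, $view, $null)
    }
    $null = [Runtime.InteropServices.Marshal]::ReleaseComObject($db)
    [pscustomobject]$id
}

function New-MobileMsiManifest {
    param([Parameter(Mandatory)]$Msi)
    $doc = New-Object System.Xml.XmlDocument
    $node = $doc.AppendChild($doc.CreateElement('MobileMsiData'))
    # Fixed values are copied from the post's manifest; the identity values come from the MSI.
    $attrs = [ordered]@{
        MsiExecutionContext = 'System'; MsiRequiresReboot = 'false'
        MsiProductCode = $Msi.ProductCode; MsiProductVersion = $Msi.ProductVersion
        MsiUpgradeCode = $Msi.UpgradeCode; MsiIsMachineInstall = 'true'
        MsiIsUserInstall = 'false'; MsiIncludesServices = 'false'
        MsiContainsSystemRegistryKeys = 'false'; MsiContainsSystemFolders = 'false'
    }
    foreach ($key in $attrs.Keys) { $node.SetAttribute($key, $attrs[$key]) }
    $doc.OuterXml
}

function Test-MsiUpgradePair {
    param($Old, $New)
    # Emits one line per departure from the relationship shown in the post; no output means the pair matches it.
    if ($Old.UpgradeCode -ne $New.UpgradeCode) { "UpgradeCode differs: $($Old.UpgradeCode) vs $($New.UpgradeCode)" }
    if ($Old.ProductCode -eq $New.ProductCode) { "ProductCode unchanged: $($New.ProductCode)" }
    if ([version]$New.ProductVersion -le [version]$Old.ProductVersion) { "ProductVersion not higher: $($New.ProductVersion)" }
}

$old = Get-MsiIdentity 'C:\pkg\zoom-meetings_5.17.1.28914.msi'
$new = Get-MsiIdentity 'C:\pkg\zoom-meetings_5.17.11.34827.msi'
Test-MsiUpgradePair $old $new
New-MobileMsiManifest $new
```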