Monthly Archives: March 2017

SCCM Current Branch 1702 – Automatically close executable files before installation

A nice new feature in SCCM Current Branch 1702 is the ability to set the “Install Behaviour” on a deployment type to either automatically close specified .exe’s if the deployment is required, or to advise the user that the installation has failed because of the running .exe’s. This is useful for deployments where certain processes cannot be running. For example, if you are deploying an add-in for Outlook, you may want Outlook, or other Office applications, not to be running.

One thing to note is that you need to have your client upgraded to the 1702 version, otherwise it will not work. This post will quickly show how you can configure the Install Behaviour and the user experience for an Available application.

After upgrading the client to the latest version, in an existing Application (7Zip) I have right-clicked on the Deployment Type and clicked on the Install Behavior tab. Click on Add, type in the executable file name and give it a display name.


This application is deployed as Available, not Required. As you can see below, I have the .exe open on the right-hand side; I will then install 7-Zip.


Now you can see it has failed because the executable filename I specified earlier is running. If the deployment was Required, it should automatically close the specified exe’s.


SCCM Current Branch 1702 – Office 365 Installer

SCCM Current Branch 1702 introduces “Office 365 ProPlus Installer” (this feature was seen in technical previews). The Office 365 ProPlus installer allows you to specify your Office 365 ProPlus settings (exclude apps, update channels etc), download the Office 365 ProPlus files, create the Application, Deployment Type, and deploy the application if you choose to.

Before this feature was released, you needed to use the Office Deployment Tool (ODT) to download the Office 365 ProPlus and create an XML with the Office 365 configuration settings, then create an Application in SCCM.

This post will show how you can leverage the new Office 365 Installer in SCCM Current Branch version 1702 to create, download and deploy an Office 365 ProPlus package without having to use the Office Deployment Tool.

Open the SCCM console, go to the Software Library node, expand the Office 365 Client Management folder, then click on the Office 365 Installer.


Give it a name and content location:


You can use an existing XML with the Office 365 ProPlus configuration you have created, or manually create one using this wizard. I have chosen to manually create the XML:


Specify your settings. I have chosen the Office 365 ProPlus suite, and have chosen to exclude the old Groove OneDrive for Business client.


Select your architecture. I am using 32bit, and have chosen to use the Deferred channel.


I have said Yes to deploy the application.


Chosen my collection to deploy it to


Added my distribution point


I am deploying mine as Available


Settings here are left as default.


Default again


Default again


Click next to start downloading the Office 365 ProPlus files


After it has finished, you can see that an Application has been created with a deployment type and deployed to the collection specified earlier.
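If you import an existing XML into the wizard instead of building one, it is worth checking that the file really carries the settings you intend before content is downloaded and deployed. The PowerShell below is an added example, not part of the original post or of SCCM: it audits an Office Deployment Tool configuration file against the choices made in this walkthrough. The sample XML is constructed, the `en-us` language is an assumption, and `Get-OdtSummary` and `Test-OdtConfig` are hypothetical helper names.

```powershell
# Constructed ODT configuration mirroring this walkthrough:
# 32-bit, Deferred channel, Groove excluded. Language en-us is an assumption.
[xml]$sampleConfig = @'
<Configuration>
  <Add OfficeClientEdition="32" Channel="Deferred">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
</Configuration>
'@

# Flatten each <Product> into one object so the settings are easy to review.
function Get-OdtSummary {
    param([Parameter(Mandatory)][xml]$Xml)
    $add = $Xml.SelectSingleNode('/Configuration/Add')
    if (-not $add) { throw 'No <Add> element: not an install configuration.' }
    foreach ($product in $add.SelectNodes('Product')) {
        [pscustomobject]@{
            Product      = $product.GetAttribute('ID')
            Architecture = $add.GetAttribute('OfficeClientEdition')
            Channel      = $add.GetAttribute('Channel')
            Languages    = @($product.SelectNodes('Language')   | ForEach-Object { $_.GetAttribute('ID') })
            ExcludedApps = @($product.SelectNodes('ExcludeApp') | ForEach-Object { $_.GetAttribute('ID') })
        }
    }
}

# Emit one message per mismatch against the intended settings (none = OK).
function Test-OdtConfig {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Channel,
        [string]$Architecture,
        [string[]]$MustExclude = @()
    )
    foreach ($p in Get-OdtSummary -Xml $Xml) {
        if ($p.Channel -ne $Channel) { "$($p.Product): channel is '$($p.Channel)', expected '$Channel'" }
        if ($p.Architecture -ne $Architecture) { "$($p.Product): architecture is '$($p.Architecture)', expected '$Architecture'" }
        foreach ($app in $MustExclude) {
            if ($p.ExcludedApps -notcontains $app) { "$($p.Product): $app is not excluded" }
        }
    }
}

Get-OdtSummary -Xml $sampleConfig | Format-List
$issues = @(Test-OdtConfig -Xml $sampleConfig -Channel 'Deferred' -Architecture '32' -MustExclude 'Groove')
if ($issues) { $issues | Write-Warning } else { 'Configuration matches the intended settings.' }
```

To check a real file, load it with `[xml](Get-Content -Raw <path>)` and pass it to `Test-OdtConfig` in place of the sample.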


Intune App Protection Policies

Intune App Policies can be used to protect company data whether the mobile device is enrolled in Intune, or another MDM solution, or not enrolled at all. As long as the users have an Intune license and the App Policy is deployed to the user, the App Policies will work for managed apps. If you have an Intune license, you can log in to the Azure Portal, click More Services, and search for Intune App Protection to start deploying App Policies.


From my testing, if a user does not have an Intune license, or the App Policy is not deployed to them, they can still use the app as normal without any protection using their work account. You can use the new Azure AD group-based license to license users with Intune (group), and deploy the Intune App Policies to the same group. More can be read here.

At the moment you can create App Policies for iOS and Android devices. If you have an Android you will need to install the Company Portal App, but you do not need to be enrolled or configure it.

When creating an App Policy you are able to select the following apps to protect:


Some of the settings you can configure on the apps include preventing save as, encrypting app data, requiring a PIN for access, preventing copy and paste from non-managed apps, and so on. A full list of settings can be seen when you create the policy. To create the App Policies, see Create and deploy app protection policies with Microsoft Intune. Don’t forget to deploy the policy once you have created it.

End User Experience:

The following screenshots will show the end user experience on an Android Device (with Company Portal installed but not configured or enrolled). iOS is very similar as well:

The policy I set included the Microsoft Word app. When opening it, it says that the organization now protects it, and I must set a 4 digit PIN. One thing to note is that these policies are only enforced when using apps in a Work context, not in a personal context.


Another setting I chose was to not allow cut/copy/paste outside of a managed app. When I try to copy out of Word (managed app) into the Android memo app (non-managed app) and paste, I get the following:


You can also view the built-in dashboards in the Intune App Protection section in the Azure portal to view more information about your users. For example the dashboard below shows that I have checked in on my iPhone for Word and OneDrive but not others.