Signing or Not – Intune Win32 App Detection and Requirement Scripts

Not signing your Win32 App detection scripts may sound as a very strange suggestion, and it's certainly not ideal from a security standpoint, but depending on how many applications you have that are using scripts for detection and/or requirement rules you may run into unexpected results…

Microsoft Intune Policy Limitations

When using Microsoft Intune for application deployments it's important to know that the platform was not designed to support a large set of applications, not only from a maximum size of each application perspective, but also from the sheer number of applications point of view.

Increasing the maximum size of each application can be easily addressed by placing a support case, but you still will have very real challenges of actually uploading and deploying applications larger than 8 GB. You can read more about that scenario here: Deploying Large Applications using Microsoft Intune.

If you use scripts as Win32 app detection and requirement rules/methods, you will quickly learn that signing those PowerShell scripts will lower the number of apps you can have in Intune. The reason is that signed scripts are larger in size, and Intune has a default maximum policy limit of 4 MB (total) in the JSON file that is sent down to the client.

Reaching the Policy Limit

When you hit the 4 MB policy limit you typically run into clients simply won't accept new applications anymore, or just being unhappy in general, which is even worse. Should you run into this, like when reaching the default size limit for applications, you have to reach out to Microsoft support and request a policy size increase.

Notes from the Lab

To test the limits in my lab tenant, I wrote a script that created a few hundred Win32 apps in Intune, all configured with both detection rules and requirement as PowerShell scripts. The two scripts combined was about 5 kb. The script also assigned all of these apps to a group that contained one of my test devices. Even after generating 600 applications, I was under the policy limit.

Resources

Here are some additional resources for verifying or troubleshooting Intune policy limits, as well as how you can verify how signing the scripts will impact your environment. After all it will depend on how many apps you have, whether you use requirement scripts, detections scripts, and the size of the signed scripts.

Note: As usual, verify this in a lab tenant first, not in your production tenant.

Patch My PC KB – Intune Policy Size Limit Considerations
https://patchmypc.com/intune-policy-limit-considerations

Deploy Code Signing Certificate with Intuneby Thomas Kurth
Deploy Code Signing Certificate with Intune – Workplace Ninja's (wpninjas.ch)

About the author

Johan Arwidmark

5 1 vote
Article Rating
Subscribe
Notify of
guest
2 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Nick
Nick
6 months ago

Hello Johan, thank you for the information!. How can we check the current size of the Json in a specific endpoint/client?


>