From bb3b4fc9f63f248e2adf4b5146c10e389d403485 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 18 Jun 2025 17:11:11 +0100 Subject: [PATCH 1/4] Update Intune docs for MSI installer --- tutorials/connect-intune-to-smallstep.mdx | 38 ++--------------------- 1 file changed, 3 insertions(+), 35 deletions(-) diff --git a/tutorials/connect-intune-to-smallstep.mdx b/tutorials/connect-intune-to-smallstep.mdx index c0e5054f..92ba8c19 100644 --- a/tutorials/connect-intune-to-smallstep.mdx +++ b/tutorials/connect-intune-to-smallstep.mdx @@ -1,5 +1,5 @@ --- -updated_at: May 13, 2025 +updated_at: June 18, 2025 title: Connect Intune to Smallstep html_title: Connect Intune to Smallstep description: Configure Intune to deploy the Smallstep Agent and distribute certificates and configuration to Mac clients. 
@@ -98,43 +98,11 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi 1. In Intune, 1. Start at [Windows Apps](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/~/windowsApps) - 2. Choose **+ Create,** and then select **Windows App (Win32)** - 3. [Download the Smallstep agent package](https://github.com/smallstep/step-agent-plugin/releases/latest) and select it for upload in Intune. + 2. Choose **+ Create,** and then select **Line-of-business app** + 3. [Download the Smallstep agent `.msi.` package](https://github.com/smallstep/step-agent-plugin/releases/latest) and select it for upload in Intune. Both `amd64` and `arm64` installers are available. - For the App Information tab: - Under Publisher, use “Smallstep” - Choose “Next” - - For the Program tab: - - For Install Command, use: - ``` - step-agent-plugin-Setup_amd64_.exe /silent - ``` - Replace `` with the version of the Smallstep Agent being distributed. - - For Uninstall Command, use: - ``` - msiexec /x "{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}" - ``` - - Choose “Next” - - For the Requirements tab: - - Operating System Architecture: 64-bit - - Minimum operating system: Windows 10 1607 - - For the Detection rules tab: - - Rules format: Manually configure detection rules - - Choose **+ Add** - - Rule Type: Registry - - Key Path: - ``` - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}}_is1 - ``` - - Value Name: `VersionMinor` - - Detection Method: Integer Comparison - - Operator: Greater than or equal to - - Value: `` - - Make sure you replace this with the current **minor** version (using SemVer conventions) of the Smallstep Agent being distributed. For example: `51` for version `0.51.0`. - - Choose “Next” - - For the Dependencies tab: - - Choose “Next” - - For the Supersedence tab: - - Choose “Next” - For the Assignments tab: - Assign the app to devices as desired. 
- On “Review and Create” click **Create** From 0751ef00ce81c266ea55da860a513bebe5cf4a1b Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Wed, 25 Jun 2025 22:37:18 +0100 Subject: [PATCH 2/4] More updates --- tutorials/connect-intune-to-smallstep.mdx | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/tutorials/connect-intune-to-smallstep.mdx b/tutorials/connect-intune-to-smallstep.mdx index 92ba8c19..44e919ad 100644 --- a/tutorials/connect-intune-to-smallstep.mdx +++ b/tutorials/connect-intune-to-smallstep.mdx @@ -1,5 +1,5 @@ --- -updated_at: June 18, 2025 +updated_at: June 25, 2025 title: Connect Intune to Smallstep html_title: Connect Intune to Smallstep description: Configure Intune to deploy the Smallstep Agent and distribute certificates and configuration to Mac clients. @@ -16,8 +16,8 @@ To configure the connection, let’s first set up an Application in Entra ID. Th You will need: - A [Smallstep team](https://smallstep.com/signup) -- A [Microsoft Azure / Entra ID](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount) Tenant -- A [Microsoft Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) Tenant +- A [Microsoft Azure / Entra ID](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount) Tenant. A Global Administrator role is required to grant tenant-wide API consent. +- A [Microsoft Intune](https://www.microsoft.com/en-us/security/business/microsoft-intune) Tenant. An Intune Administrator role is required. - A test device to enroll for management. This can be a Windows VM, but you may need a physical device or additional Wi-Fi adapter if you are testing an Enterprise Wi-Fi connection. Client requirements: 
@@ -46,19 +46,18 @@ In the Entra Admin Center, [Register an Application](https://entra.microsoft.com - Leave all other values alone - Select **Register** -In your new App Registration, copy the **Application (client) ID** value, which you will register with Smallstep later. +Find your new App Registration, and copy the **Application (client) ID** value, which you will register with Smallstep later. Next, visit the **Certificates & secrets** blade. Select **+ New client secret**, and use the following properties: - Name the secret “Smallstep Secret” +- Choose a validity period that matches your security policies. When you rotate the client secret, you will need to update it in your Smallstep settings. - Select **Add** to create the secret Copy the **Client Secret Value**, which you will register with Smallstep later. -Choose a validity period that matches your security policies. When your client secret expires, you will need to update it in your Smallstep settings. - ### 2. Grant API Permissions Now we’ll connect the App Registration to Intune by adding application permissions. From 7e02f5e957350017039ac19e4b1bc512141fa7bf Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Tue, 1 Jul 2025 18:02:02 +0100 Subject: [PATCH 3/4] Update MSI instructions --- tutorials/connect-intune-to-smallstep.mdx | 26 ++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/tutorials/connect-intune-to-smallstep.mdx b/tutorials/connect-intune-to-smallstep.mdx index 44e919ad..c3e457f7 100644 --- a/tutorials/connect-intune-to-smallstep.mdx +++ b/tutorials/connect-intune-to-smallstep.mdx @@ -1,5 +1,5 @@ --- -updated_at: June 25, 2025 +updated_at: July 01, 2025 title: Connect Intune to Smallstep html_title: Connect Intune to Smallstep description: Configure Intune to deploy the Smallstep Agent and distribute certificates and configuration to Mac clients. 
@@ -97,10 +97,30 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi 1. In Intune, 1. Start at [Windows Apps](https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsWindowsMenu/~/windowsApps) - 2. Choose **+ Create,** and then select **Line-of-business app** - 3. [Download the Smallstep agent `.msi.` package](https://github.com/smallstep/step-agent-plugin/releases/latest) and select it for upload in Intune. Both `amd64` and `arm64` installers are available. + 2. Choose **+ Create**, and then select **Windows App (Win32)** + 3. [Download the Smallstep agent `.intunewin` package for `amd64`](https://files.smallstep.com/intune/step-agent-plugin_amd64.intunewin) and select it for upload in Intune. (Contact Smallstep if you need an `arm64` installer). - For the App Information tab: - Under Publisher, use “Smallstep” + - Note the minor version number. You'll need it below. + - Choose “Next” + - For the Requirements tab: + - For **Check Operating System Architecture**, choose "Yes" + - Select "Install on x64 systems" + - Use minimum operating system: Windows 10 1607 + - Choose "Next" + - For the Detection rules tab: + - Rules format: Manually configure detection rules + - Choose **+ Add** + - Rule Type: Registry + - Key Path: + ``` + HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}}_is1 + ``` + - Value Name: `VersionMinor` + - Detection Method: Integer Comparison + - Operator: Greater than or equal to + - Value: `` + - Make sure you replace this with the current **minor** version (using SemVer conventions) of the Smallstep Agent being distributed. For example: `51` for version `0.51.0`. - Choose “Next” - For the Assignments tab: - Assign the app to devices as desired. From 7f92419ff8b7ce95e71223f83dfd6e52537fcd73 Mon Sep 17 00:00:00 2001 
From: Carl Tashian Date: Wed, 9 Jul 2025 21:54:52 +0100 Subject: [PATCH 4/4] Update MSI instructions --- tutorials/connect-intune-to-smallstep.mdx | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/tutorials/connect-intune-to-smallstep.mdx b/tutorials/connect-intune-to-smallstep.mdx index c3e457f7..3f56cd7a 100644 --- a/tutorials/connect-intune-to-smallstep.mdx +++ b/tutorials/connect-intune-to-smallstep.mdx @@ -1,5 +1,5 @@ --- -updated_at: July 01, 2025 +updated_at: July 09, 2025 title: Connect Intune to Smallstep html_title: Connect Intune to Smallstep description: Configure Intune to deploy the Smallstep Agent and distribute certificates and configuration to Mac clients. @@ -100,9 +100,10 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi 2. Choose **+ Create**, and then select **Windows App (Win32)** 3. [Download the Smallstep agent `.intunewin` package for `amd64`](https://files.smallstep.com/intune/step-agent-plugin_amd64.intunewin) and select it for upload in Intune. (Contact Smallstep if you need an `arm64` installer). - For the App Information tab: - - Under Publisher, use “Smallstep” - - Note the minor version number. You'll need it below. + - For Publisher, use “Smallstep” + - Note the version number. You'll need it below. - Choose “Next” + - Continue to the Requirements tab - For the Requirements tab: - For **Check Operating System Architecture**, choose "Yes" - Select "Install on x64 systems" 
@@ -111,17 +112,12 @@ In this step, we’ll add the Smallstep Agent to Intune for distribution to devi - For the Detection rules tab: - Rules format: Manually configure detection rules - Choose **+ Add** - - Rule Type: Registry - - Key Path: - ``` - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}}_is1 - ``` - - Value Name: `VersionMinor` - - Detection Method: Integer Comparison + - Rule Type: MSI + - MSI product version check: Yes - Operator: Greater than or equal to - - Value: `` - - Make sure you replace this with the current **minor** version (using SemVer conventions) of the Smallstep Agent being distributed. For example: `51` for version `0.51.0`. - - Choose “Next” + - Value: Paste in the version number you noted earlier + - Choose “Ok” + - Continue to the Assignments tab - For the Assignments tab: - Assign the app to devices as desired. - On “Review and Create” click **Create**
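Review bot: In PATCH 1/4, hunk `@@ -98,43 +98,11`, the added step 3 writes the extension as `.msi.` with a stray trailing dot; it should read `.msi`. The front-matter context in the same patch still describes the tutorial as distributing "certificates and configuration to Mac clients" while this hunk covers Windows Apps, so the `description` field should be updated alongside `updated_at`.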
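Review bot: In PATCH 2/4, hunk `@@ -16,8 +16,8`, the Global Administrator requirement is listed as a prerequisite for the whole tutorial, although the added sentence ties it only to granting tenant-wide API consent. Suggest repeating it at "2. Grant API Permissions", where the consent is actually granted, so readers know which step needs the elevated role and do not run the entire procedure with it. The added "An Intune Administrator role is required." gives no reason at all; name the steps that need it, as the Entra line does.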
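Review bot: In PATCH 2/4, hunk `@@ -46,19 +46,18`, replacing "When your client secret expires" with "When you rotate the client secret" removes the only mention of expiry, so a reader who picks a validity period and never rotates is no longer told that the Smallstep settings need a new secret once the old one lapses. Suggest covering both cases, for example "When the client secret expires or is rotated, you will need to update it in your Smallstep settings."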
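Review bot: In PATCH 3/4, hunk `@@ -97,10 +97,30`, the re-added registry Key Path ends in `{EDB2FA84-917D-4156-AA1A-4BC5BB10C682}}_is1`, with two closing braces against one opening brace; the uninstall command removed in PATCH 1/4 uses the same GUID with a single closing brace, and a path that does not match means the detection rule never reports the agent as installed. The rule also compares `VersionMinor` alone, which ignores the major version, so a release such as `1.0.0` would fail a "greater than or equal to `51`" check. Separately, step 3 now points at an unversioned `.intunewin` URL while the App Information step says "Note the minor version number" without saying where that number is shown; state where to read it, and consider publishing a checksum next to the download so admins can verify the package before uploading it to Intune.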
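Review bot: In PATCH 4/4, hunk `@@ -100,9 +100,10`, the added "Continue to the Requirements tab" tells the reader to skip the Program tab, which the lines removed in PATCH 1/4 show sitting between App Information and Requirements for a Windows App (Win32) and holding the install and uninstall commands. Say explicitly what to enter or accept on that tab before moving on. The new line is also immediately followed by "For the Requirements tab:", so together with the existing "Choose “Next”" the navigation is stated three times; one of them can go.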
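Review bot: In PATCH 4/4, hunk `@@ -111,17 +112,12`, the new MSI detection rule lists the rule type, the product version check, the operator and the value, but never mentions the MSI product code the rule matches on; say whether that field is already filled in or what to enter. "Continue to the Assignments tab" likewise passes over the Dependencies and Supersedence tabs that PATCH 1/4 removed from the text, so note that they can be left at their defaults. Minor style points: "Choose “Ok”" should match the button label and the quote style used for “Next”, and the commit subject still says "Update MSI instructions" for a change that is about the detection rule of a `.intunewin` Win32 app.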