Deploy with Intune
Use Microsoft Intune to deploy the Willow Scan Agent registry policy and installer script to managed Windows devices.
Prerequisites
- Microsoft Intune admin access with permission to add and assign apps.
- A pilot device group.
- The Windows
.zippackage and.regregistry policy from the Willow AI Discovery setup flow. - Windows devices enrolled in Intune.
Minimum requirements
| Component | Minimum requirement |
|---|---|
| Intune deployment | Microsoft Intune Win32 app deployment. Microsoft documents Win32 app packaging and assignment in Add, assign, and monitor a Win32 app in Microsoft Intune. |
| Target OS | Windows x64 devices managed by Intune. |
| Willow files | The Windows .zip package and .reg registry policy from Willow. |
| Execution privileges | The install command must run with administrative privileges so it can import policy under HKLM and create or start the scheduled task. |
Willow does not publish a separate minimum Intune version. Use a currently supported Intune tenant and Windows device management setup that supports Win32 app deployment.
Expected outcome
Target Windows devices import the Willow registry policy, install the Scan Agent, start the scheduled task, and appear in AI Discovery after the next scan interval.
For browser-based AI visibility, deploy Willow Guard through Chrome policy separately from the Scan Agent package. See Deploy Willow Guard Browser Extension.
Prepare the package
- Extract the Willow Windows
.zippackage to a working folder. - Place the Willow
.regregistry policy file in the same working folder. - Confirm
install.ps1is present. - Package the folder as a Win32 app using your standard Intune packaging workflow.
Configure the Win32 app
In Intune, create a Win32 app for the packaged Willow folder.
Use an install command that imports the registry policy before running the installer:
powershell -ExecutionPolicy Bypass -Command "reg import .\willow-scan-agent-policy.reg; powershell -ExecutionPolicy Bypass -File .\install.ps1"
If your downloaded registry file has a different name, use that filename in the command.
Configure the app to install in the system context.
Detection rule
Intune requires at least one detection rule before it will finish creating the Win32 app, and it uses that rule to decide whether the agent is installed. Without a detection rule, the app cannot be created, and Intune would re-offer it on every evaluation. Add a rule that matches the installed agent, for example:
- File detection: path
C:\Program Files\MCP-S-Scan, filemcp-s-scan-agent.exe, detection method File or folder exists. - Or Registry detection: key path
HKLM\SOFTWARE\Policies\MCP-S-Scan, detection method Key exists.
Then assign the app to your pilot device group.
Verify deployment
On a scoped test device:
Get-ScheduledTask -TaskName "MCP-S-Scan Agent" | Select-Object State
Get-Content C:\ProgramData\mcp-s-scan\logs\agent.log -Tail 50
Then open AI Discovery in Willow and confirm the device appears with a recent last scan time.
Expand rollout
After the pilot group reports successfully:
- Expand the Win32 app assignment.
- Monitor Intune app installation status.
- Monitor Willow AI Discovery device counts.
Roll back
To remove the agent from a Windows device, run the Willow uninstall script through Intune:
powershell -ExecutionPolicy Bypass -File "C:\Program Files\MCP-S-Scan\uninstall.ps1"
Remove or replace the registry policy assignment if the device should stop reporting to Willow.