Skip to main content

Deploy with Intune

Use Microsoft Intune to deploy the Willow Scan Agent registry policy and installer script to managed Windows devices.

Prerequisites

  • Microsoft Intune admin access with permission to add and assign apps.
  • A pilot device group.
  • The Windows .zip package and .reg registry policy from the Willow AI Discovery setup flow.
  • Windows devices enrolled in Intune.

Minimum requirements

ComponentMinimum requirement
Intune deploymentMicrosoft Intune Win32 app deployment. Microsoft documents Win32 app packaging and assignment in Add, assign, and monitor a Win32 app in Microsoft Intune.
Target OSWindows x64 devices managed by Intune.
Willow filesThe Windows .zip package and .reg registry policy from Willow.
Execution privilegesThe install command must run with administrative privileges so it can import policy under HKLM and create or start the scheduled task.

Willow does not publish a separate minimum Intune version. Use a currently supported Intune tenant and Windows device management setup that supports Win32 app deployment.

Expected outcome

Target Windows devices import the Willow registry policy, install the Scan Agent, start the scheduled task, and appear in AI Discovery after the next scan interval.

For browser-based AI visibility, deploy Willow Guard through Chrome policy separately from the Scan Agent package. See Deploy Willow Guard Browser Extension.

Prepare the package

  1. Extract the Willow Windows .zip package to a working folder.
  2. Place the Willow .reg registry policy file in the same working folder.
  3. Confirm install.ps1 is present.
  4. Package the folder as a Win32 app using your standard Intune packaging workflow.

Configure the Win32 app

In Intune, create a Win32 app for the packaged Willow folder.

Use an install command that imports the registry policy before running the installer:

powershell -ExecutionPolicy Bypass -Command "reg import .\willow-scan-agent-policy.reg; powershell -ExecutionPolicy Bypass -File .\install.ps1"

If your downloaded registry file has a different name, use that filename in the command.

Configure the app to install in the system context.

Detection rule

Intune requires at least one detection rule before it will finish creating the Win32 app, and it uses that rule to decide whether the agent is installed. Without a detection rule, the app cannot be created, and Intune would re-offer it on every evaluation. Add a rule that matches the installed agent, for example:

  • File detection: path C:\Program Files\MCP-S-Scan, file mcp-s-scan-agent.exe, detection method File or folder exists.
  • Or Registry detection: key path HKLM\SOFTWARE\Policies\MCP-S-Scan, detection method Key exists.

Then assign the app to your pilot device group.

Verify deployment

On a scoped test device:

Get-ScheduledTask -TaskName "MCP-S-Scan Agent" | Select-Object State
Get-Content C:\ProgramData\mcp-s-scan\logs\agent.log -Tail 50

Then open AI Discovery in Willow and confirm the device appears with a recent last scan time.

Expand rollout

After the pilot group reports successfully:

  1. Expand the Win32 app assignment.
  2. Monitor Intune app installation status.
  3. Monitor Willow AI Discovery device counts.

Roll back

To remove the agent from a Windows device, run the Willow uninstall script through Intune:

powershell -ExecutionPolicy Bypass -File "C:\Program Files\MCP-S-Scan\uninstall.ps1"

Remove or replace the registry policy assignment if the device should stop reporting to Willow.