Intune - Zero Touch Installation of the Desktop App

How to configure Intune zero touch deployment of the desktop app

  • Updated on May 21, 2024

Zero touch installs for Windows require additional steps. See here for more details.


Microsoft Intune is used to administer corporate laptops, phones, tablets, and other devices in your enterprise. The desktop app can be distributed to your device fleet via Intune in Zero Touch mode, requiring no interaction from end users. Also, zero touch mode does not require the end user to be an administrator on the device.

The desktop app is deployed, installed, and registered in a matter of seconds, making zero touch mode the recommended way to deploy Cloud Secure Edge (CSE) with Intune.


There are two high-level steps required to silently deploy and install the desktop app then register Windows devices with CSE:


  • Deployment Key: Obtained from the Command Center under Settings > Banyan Client tab > Deployment tab > Zero Touch Deployment Using a Device Manager, where a deployment key can be generated.
  • Invite Code: Obtained from Command Center under Settings > Banyan Client > Deployment tab > Invite Code.
  • Ensure that you’re familiar with mdm-config.json parameters to customize the desktop app functionality, paying particular attention to the following flags required to enable zero touch mode:

    • mdm_start_at_boot - Recommended to set as true to ensure the app starts consistently
    • mdm_hide_on_start - Recommended to set as true to ensure the app doesn’t foreground every time the user logs in

Step 1: Prepare the zero touch install script for Windows

1.1 Download the script from the CSE (formerly Banyan) repo: Banyan App Installer.

1.2 Configure the script by entering the following values:

  • The INVITE_CODE value: This value can be found in the Cloud Command Center under Settings > Banyan Client tab > Deployment tab > Invite Code.

  • The DEPLOYMENT_KEY value: This value can also be found under Settings > Banyan Client tab > Deployment tab, under the heading Zero-Touch Deployment Using a Device Manager. Select the Copy icon to the right of the Deployment Key value, and enter the copied value into your script.

  • The APP_VERSION value: You have the option of specifying an app version or leaving this value blank; if left blank, this field will auto-populate with the latest app version.

Note: Once configured, CSE’s script automates the installation and registration process. The script will (i) generate an mdm-config.json file; (ii) download and install the latest version of the app; (iii) stage the app with the device certificate,(iv) and start the app as the logged-in user.

Step 2: Distribute the zero touch install script to Windows devices via Intune

Now that you’ve prepared the script, distribute it to your end users via Intune.

The following steps are based off of the Use PowerShell scripts on Windows 10/11 devices in Intune guide

2.1 Log in to your Microsoft Endpoint Manager admin center.

2.2 Navigate to Devices > Scripts.

2.3 Click + Add and select Windows 10 and later.

2.4 Enter in a Name and Description

2.5 Configure the Script settings and then click Next:

2.6 Add Assignments and select Add.

The desktop app appears on the applicable Windows device(s) and then registers the device(s) with your CSE (formerly Banyan) tenant.

Staged User and zero-touch installation

In the default Zero Touch flow, the device should be registered to a specified user by setting the mdm-deploy-user and mdm-deploy-email parameters in the mdm-config.json file. The issued device certificate will contain a User Principal Name (UPN) username in the Subject Alternative Name field.

As a fallback, if user information is not specified or obtained during zero-touch flow the app will initially be registered to a STAGED USER, indicating it has been silently enrolled via zero touch installation. When a user logs into the device and accesses a service protected by Cloud Secure Edge, their username will automatically be associated with the device.

Upgrading the desktop app via Intune

There may be scenarios requiring you to update the desktop app after deploying it to your organization’s devices via Intune.

If you want to have organizational control of the Desktop App version, the easiest option is to configure the mdm-config.json file to set mdm_disable_auto_update to true. This flag disables prompts to end users to upgrade their Desktop App because the Device Manager will push the new version.

The zero touch install scripts also cover upgrade scenarios where you can specify the app version or upgrade to latest.

Can’t find what you’re looking for?

We’re happy to help. Contact our team.