Skip to content

Deployment with Microsoft Intune

This guide covers the necessary steps to deploy the SenseOn Universal Sensor to Windows devices using Microsoft Intune.

The simplest way to deploy via Intune is to wrap the SenseOn PowerShell install command in a script and deploy it as a Win32 app. This always installs the latest published version of the Universal Sensor and does not require packaging an MSI.

Step 1: Copy your install command

  1. Log in to SenseOn.
  2. Navigate to Settings > Universal Sensor.
  3. Copy the Windows install command. It has the structure:
$env:SENSEON_INSTALLER_KEY="<your-installer-key>"; iwr -useb https://<your-tenant>.senseon.io/install.ps1 | iex

🛡 Optional: Verify the install script checksum

If your security policy requires checksum verification before executing remote scripts, verify the script on your admin workstation before creating the package:

# Step 1: Download the script
Invoke-WebRequest -UseBasicParsing -Uri "https://<your-tenant>.senseon.io/install.ps1" -OutFile install.ps1
# Step 2: Verify the checksum (compare against the value shown in Settings > Universal Sensor)
Get-FileHash install.ps1 -Algorithm SHA256

If the hash matches, the script is genuine. In Step 2 below, replace the Invoke-WebRequest ... | Invoke-Expression line with the contents of the verified install.ps1, keeping the $env:SENSEON_INSTALLER_KEY line in place.

Step 2: Create the install script

Save the following as Install.ps1 in a folder such as C:\Temp\SenseOn, replacing <your-installer-key> and <your-tenant> with the values from your install command:

# SenseOn install script for Intune (Win32 app).
# Wraps the SenseOn install command with a 64-bit relaunch and error handling so
# that Intune reliably reports success or failure.

# Intune runs Win32 install commands in 32-bit PowerShell, but the installer requires
# a 64-bit host. Relaunch this script in 64-bit PowerShell if we are running 32-bit.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess)
{
    $sysNativePwsh = "$env:WINDIR\SysNative\WindowsPowerShell\v1.0\powershell.exe"

    # If the 64-bit host cannot be found, fail rather than falsely report success.
    if (-not (Test-Path $sysNativePwsh))
    {
        exit 10
    }

    try
    {
        & $sysNativePwsh -NoProfile -NonInteractive -ExecutionPolicy Bypass -WindowStyle Hidden -File "$PSCommandPath"
        $childExit = $LASTEXITCODE
    }
    catch
    {
        exit 11
    }

    # A failed relaunch can leave no exit code; treat that as a failure, not success.
    if ($null -eq $childExit)
    {
        exit 12
    }

    exit $childExit
}

$ErrorActionPreference = "Stop"

$exitCode = 0
try
{
    $env:SENSEON_INSTALLER_KEY = "<your-installer-key>"

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

    Invoke-WebRequest -UseBasicParsing -Uri "https://<your-tenant>.senseon.io/install.ps1" |
        Invoke-Expression

    # Preserve the exit code from the SenseOn install script.
    $exitCode = $LASTEXITCODE
    if ($null -eq $exitCode)
    {
        $exitCode = 0
    }
}
catch
{
    Write-Error $_ -ErrorAction Continue
    if ($exitCode -eq 0)
    {
        $exitCode = 1
    }
}

exit $exitCode

This wrapper is more robust than a bare install command in two ways:

  • 64-bit relaunch. Intune launches Win32 install commands in 32-bit PowerShell, which the installer rejects. The script detects this and relaunches itself in 64-bit PowerShell.
  • Accurate status reporting. The script propagates the installer's exit code to Intune, so a genuine failure is reported as a failure rather than a false success. Exit codes 10, 11 and 12 indicate a problem with the 64-bit relaunch itself.

Step 3: Package the script with the Intune Win32 Content Prep Tool

Use the same Microsoft Win32 Content Prep tool as in the legacy flow:

  • Source folder: C:\Temp\SenseOn
  • Setup file: Install.ps1
  • Output folder: C:\Temp

The output .intunewin package is what you upload to Intune.

Step 4: Configure the Win32 app in Intune

  1. Open the Endpoint Manager portal and go to Apps > Windows > Add.
  2. Select Windows app (Win32) and upload your .intunewin package.
  3. Configure as follows:

    • Install command: powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -File Install.ps1
    • Uninstall command: powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -Command "Get-Package -Name 'senseon-bootstrapper' | Uninstall-Package -Force"
    • Install behaviour: System
    • Operating system architecture: 64-bit
    • Minimum operating system: Windows 10 1903 (or later, as required)

    ℹ The uninstall command targets the bootstrapper, not the sensor. Uninstalling the bootstrapper automatically schedules removal of the Universal Sensor as well. Uninstalling only the sensor would leave the bootstrapper in place, which would simply reinstall it. 4. Set the Detection rule to a Registry rule: - Key path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\senseon-bootstrapper - Value name: (leave blank) - Detection method: Key exists

    This detects the SenseOn bootstrapper service, which is what this package installs. The bootstrapper then downloads and installs the Universal Sensor itself. Detecting the bootstrapper (rather than the sensor binary) keeps Intune's responsibility scoped to what it deploys: if the bootstrapper installs but the sensor does not appear, the cause is usually a local antivirus, DNS, or TLS interception issue that reinstalling cannot resolve. Those cases are surfaced by the device failing to check in to SenseOn (see Step 5), not by Intune retrying the install. 5. Assign the app to the appropriate Azure AD group of target devices.

Step 5: Verify deployment

Once Intune reports the app as installed on a device:

  1. Log in to SenseOn and navigate to Digital Estate > Devices.
  2. Confirm the device appears with a recent Last Seen timestamp.

If the device does not appear, see Troubleshooting.