Mass Deployment via Microsoft Intune

Push the Zeuslock browser extension and desktop agent to your entire Windows fleet through Microsoft Intune. ADMX templates for the extension, a Win32 LOB package for the agent, wave rollout, and the failure modes you will actually hit.

What you are deploying

Two artifacts land on every managed endpoint: the Zeuslock browser extension (force-installed in Edge and Chrome through ADMX) and the Zeuslock desktop agent (a Win32 LOB app that catches native AI clients the browser cannot see). Both are silent installs. Both report into the same Operator Console at app.zeuslock.ai.

This guide walks an endpoint engineer through a clean Intune rollout in roughly an hour of admin time, then ring-based deployment over one to two weeks.

Prerequisites

  • Microsoft 365 E3, E5, or Intune standalone licensing for every device you intend to enroll.
  • An account with the Intune Administrator or Endpoint Security Manager role in Entra ID (formerly Azure AD).
  • Devices already MDM-enrolled — Autopilot, hybrid AAD-joined, or co-managed with Configuration Manager all work.
  • Edge and/or Chrome already present on the target devices (Edge ships with Windows 10/11; Chrome is typically pushed separately).
  • A pre-provisioned enrollment token from Zeuslock. Generate it before you start: Operator Console → Settings → Devices → Fleet enrollment → Generate token. Set an optional max-device cap and an expiry that survives your rollout window (90 days is a reasonable default).

The enrollment token is a bearer secret. Treat it like an API key — store it in your secret manager, never commit it to a script in source control, and rotate it after the rollout completes.

Part 1: Force-install the browser extension via ADMX

Step 1 — Import the Zeuslock ADMX templates

Download the latest ADMX bundle and copy its templates into your domain's Group Policy central store (the SYSVOL PolicyDefinitions folder the commands below target):

# Fetch and unpack the ADMX bundle into a temp folder
Invoke-WebRequest -Uri "https://download.zeuslock.ai/admx/latest" -OutFile "$env:TEMP\zeuslock-admx.zip"
Expand-Archive -Path "$env:TEMP\zeuslock-admx.zip" -DestinationPath "$env:TEMP\zeuslock-admx" -Force
# Copy the templates and their en-US language files into the central store
Copy-Item "$env:TEMP\zeuslock-admx\*.admx" "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions\"
Copy-Item "$env:TEMP\zeuslock-admx\en-US\*.adml" "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\PolicyDefinitions\en-US\"

In pure-Intune environments without an AD central store, the Edge and Chrome ADMX templates are already ingested by Intune. You only need the Zeuslock ADMX if you plan to use the custom Zeuslock policy nodes (telemetry endpoint override, debug logging). For force-install alone, skip to Step 2.

Step 2 — Create the configuration profile

  1. Open the Microsoft Intune admin center: Devices → Configuration profiles → Create profile.
  2. Platform: Windows 10 and later. Profile type: Templates → Administrative templates.
  3. Name it Zeuslock - Browser Extension Force Install.
  4. In the settings picker, navigate to Computer Configuration → Microsoft Edge → Extensions and open Control which extensions are installed silently (the ExtensionInstallForcelist policy).
  5. Enable it and add the entry: iicgcadhcgbckmpapjihechjpgcdamhd;https://clients2.google.com/service/update2/crx.
  6. Repeat for Chrome under Computer Configuration → Google → Google Chrome → Extensions → Configure the list of force-installed apps and extensions.

The extension ID above is a placeholder — copy the production ID from Settings → Devices → Browser extension in the Operator Console. The string before the semicolon is the extension ID; the URL after is the update manifest.

Step 3 — Assign

Assign the profile to All Users or, better, to a pilot Entra security group containing your IT team only. Click Review + create. First sync hits devices within 8 hours; you can force it from the device with dsregcmd /refreshprt followed by a Settings → Accounts → Access work or school → Sync.

Part 2: Deploy the desktop agent as a Win32 LOB app

Step 1 — Wrap the MSI

Download ZeuslockAgent.msi from https://download.zeuslock.ai/agent/windows/latest and the Microsoft Win32 Content Prep Tool from Microsoft's GitHub. Then wrap:

.\IntuneWinAppUtil.exe -c "C:\Packaging\Zeuslock\source" -s "ZeuslockAgent.msi" -o "C:\Packaging\Zeuslock\output" -q

You will get ZeuslockAgent.intunewin in the output folder.

Step 2 — Create the Win32 app in Intune

  1. Apps → Windows → Add → App type: Windows app (Win32).
  2. Upload the .intunewin package.
  3. App information: Name Zeuslock Desktop Agent, Publisher Zeuslock, Category Security.
  4. Program: set the install and uninstall commands below.
  5. Requirements: Operating system architecture 64-bit, Minimum OS Windows 10 1809, Disk space free 500 MB, Physical memory minimum 4096 MB.
  6. Detection rules: Manually configure detection rules → Rule type: File → Path C:\Program Files\Zeuslock\Agent, File zeuslock-agent.exe, Detection method File or folder exists.
  7. Assignments: Required → All Devices (or your pilot device group).

Install and uninstall commands

msiexec /i "ZeuslockAgent.msi" /qn ZEUS_ENROLL_TOKEN=<your-token>
msiexec /x {a8f4c2e0-9b1d-4d5e-8c3f-7e6b9d2a1c8f} /qn

Replace <your-token> with the enrollment token you generated. Keep in mind that this command line is stored with the app in Intune, where anyone who can view the app can read it, and the Intune Management Extension logs it on the device; that is why the device cap and post-rollout rotation from the prerequisites matter. The product GUID is fixed across versions — verify it from HKLM:\SOFTWARE\Classes\Installer\Products on a test machine after a manual install (Windows Installer stores it there in its packed form, so it will not read like the GUID above; the unpacked GUID appears as a subkey name under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall).

Verification on a single device

Before scaling, prove it works on one machine. Pick a device in your pilot ring, force a sync, and check the following:

  1. Tray icon: the Zeuslock shield appears next to the clock within five minutes of policy delivery.
  2. Agent status from an elevated PowerShell prompt:
    & "C:\Program Files\Zeuslock\Agent\zeuslock-agent.exe" status
    Expected: Status: Connected | Tenant: <your-tenant> | Policy version: <n>.
  3. Browser extension: open edge://extensions. The Zeuslock entry should show Installed by enterprise policy with no remove button.
  4. Operator Console → Devices: the hostname appears with status Online within two minutes.

Rolling out in waves

Do not assign to All Devices on day one. Stage the rollout:

  • Ring 0 — IT (day 0): your own laptops. Catch packaging issues before users see them.
  • Ring 1 — 10% of users in one department (day 3): pick a friendly team with a known champion.
  • Ring 2 — 50% (day 7): expand to several departments. Watch Operator Console incidents for false positives.
  • Ring 3 — 100% (day 10-14): full fleet. Keep policies in Monitor mode for the first two weeks before flipping to Anonymize or Block.

Common Intune issues

  • Assignment delay. Intune is not instant. Group membership changes can take up to 8 hours to propagate. Force a sync from the device for impatient testing.
  • ADMX not synced. If the extension policy is missing in edge://policy, run gpupdate /force then restart Edge. In pure-MDM, check Event Viewer → Applications and Services → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider.
  • MSI exit code 1603. Almost always a missing or malformed ZEUS_ENROLL_TOKEN. Inspect C:\Windows\Temp\zeuslock-install.log — the agent installer always writes it.
  • Conflicting Edge extension policy. If another policy sets ExtensionInstallBlocklist with a wildcard, the Zeuslock extension is blocked even though force-install is set. Allowlist the Zeuslock extension ID explicitly in ExtensionInstallAllowlist.
  • Win32 app stuck on Waiting for install status. Detection rule mismatch — the file path you specified does not exist after install. SSH into a test box and confirm the agent installs to C:\Program Files\Zeuslock\Agent, not Program Files (x86).
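The following PowerShell script, added here and not part of Zeuslock's own tooling, runs the endpoint-side checks from the single-device verification list and also tests for the two policy and detection problems above (wildcard blocklist without an allowlist entry, agent landing under Program Files (x86)). It uses the page's placeholder extension ID and product GUID, assumes the agent installs to the path from the detection rule, and assumes the status subcommand prints the single line shown in the verification section.

```powershell
# Added example, not Zeuslock's own tooling. Run in an elevated PowerShell
# prompt on a pilot device after the first sync.
# Assumptions: the extension ID and product GUID are the page's placeholders
# (substitute the production values from the Operator Console); the agent
# installs to the path used by the Intune detection rule.
$ExtensionId = 'iicgcadhcgbckmpapjihechjpgcdamhd'
$ProductCode = '{a8f4c2e0-9b1d-4d5e-8c3f-7e6b9d2a1c8f}'
$AgentExe    = 'C:\Program Files\Zeuslock\Agent\zeuslock-agent.exe'

function Get-PolicyList([string]$Path) {
    # List policies (ExtensionInstallForcelist etc.) are stored as a key whose
    # values are named "1", "2", ... Return those values, or nothing if unset.
    if (-not (Test-Path $Path)) { return }
    (Get-ItemProperty -Path $Path).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { $_.Value }
}

function Test-ZeuslockDeployment {
    $r = [ordered]@{}

    # Detection rule: Intune looks for exactly this file. A copy under
    # Program Files (x86) leaves the app stuck on "Waiting for install status".
    $r['AgentFilePresent'] = Test-Path -LiteralPath $AgentExe
    $r['AgentInWrongArch'] = Test-Path -LiteralPath ($AgentExe -replace 'Program Files', 'Program Files (x86)')

    # Uninstall command: Windows Installer registers a 64-bit MSI's product code here.
    $r['ProductCodeRegistered'] = Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$ProductCode"

    foreach ($b in (@{ Edge = 'Microsoft\Edge'; Chrome = 'Google\Chrome' }).GetEnumerator()) {
        $base  = "HKLM:\SOFTWARE\Policies\$($b.Value)"
        $force = @(Get-PolicyList "$base\ExtensionInstallForcelist")
        $block = @(Get-PolicyList "$base\ExtensionInstallBlocklist")
        $allow = @(Get-PolicyList "$base\ExtensionInstallAllowlist")
        # Force-list entries are "<id>;<update-url>"; match on the ID prefix.
        $r["$($b.Key)ForceInstalled"] = [bool]($force | Where-Object { $_ -like "$ExtensionId;*" })
        # A wildcard blocklist wins over force-install unless the ID is allowlisted.
        $r["$($b.Key)BlockedByWildcard"] = ($block -contains '*') -and ($allow -notcontains $ExtensionId)
    }

    # The agent's own view of enrollment, as in step 2 of the verification list.
    $r['AgentStatus'] = if ($r['AgentFilePresent']) { (& $AgentExe status) -join ' ' } else { 'agent not installed' }

    [pscustomobject]$r
}

Test-ZeuslockDeployment | Format-List
```

Any BlockedByWildcard value of True means the force-install profile is being overridden by another Edge or Chrome policy and the fix is the explicit allowlist entry described above.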

Once Ring 3 is green and the incident queue in the Operator Console is stable, your Intune deployment is done. Move on to policy tuning — see the First detection walkthrough doc for the recommended Monitor → Anonymize → Block progression.