Prerequisites
- Microsoft Intune admin access
- Organization API key from Runlayer with MCP Watch Scan role
- Devices running Windows 10 1607+ or Windows 11, Microsoft Entra joined (Windows Home and S mode are not supported)
Creating an Organization API Key
Organization API keys authenticate MDM-deployed scripts without per-device enrollment.
Configure the Key
- Name (required): Enter a descriptive name (e.g., “MDM MCP Watch”)
- Role: Select MCP Watch Scan
Deployment Steps
Generate the Script
Fill in your settings below to generate a deployment script.
DEVICE_NAME: Use an Intune variable or leave empty to use the device’s computer name (%COMPUTERNAME%).
Add Script in Intune
- Open the Intune admin center
- Go to Devices > Scripts and remediations > Platform scripts
- Click Add > Windows 10 and later
- Upload the generated script
- Set Run this script using the logged on credentials to Yes
- Set Run script in 64-bit PowerShell host to Yes
Verification
Monitor script status in Devices > Scripts and remediations > Platform scripts. On a target device, open a client (e.g., Cursor) and confirm the synced MCP servers appear. If something went wrong, check %ProgramData%\RunlayerSync\runlayer-sync.log.
Troubleshooting
Script not running
- Ensure the device is Microsoft Entra joined (not just registered)
- Check that the Intune Management Extension service is installed
- Verify the device can reach https://pypi.org
Script reports success but no config changes
- Check %ProgramData%\RunlayerSync\runlayer-sync.log for errors
- Verify the organization API key is correct and not revoked
- Confirm servers have auto-sync enabled in the Runlayer dashboard
Authentication fails with 401
- Verify the organization API key is correct
- Check if the key has been revoked in Settings > API Keys
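The Verification and Troubleshooting steps above can be run as a single preflight check on a target device. The script below is an added example and is not Runlayer's generated deployment script; it only checks the conditions this page names (64-bit host, Entra join rather than registration, the Intune Management Extension service, reachability of https://pypi.org, and error lines in the sync log) and reports the identity the script runs under, since the page requires "Run this script using the logged on credentials" to be Yes. The Windows service name `IntuneManagementExtension` and the keyword pattern used to scan the log are assumptions, not values from the page.

```powershell
# Added example (not Runlayer's script): preflight / troubleshooting checks for
# the Intune deployment described on this page. Run in a 64-bit PowerShell host
# on a target device, as the logged-on user.

$LogPath        = Join-Path $env:ProgramData 'RunlayerSync\runlayer-sync.log'  # log path from the page
$ImeServiceName = 'IntuneManagementExtension'   # assumed service name of the Intune Management Extension
$LogErrorPattern = 'error|401|unauthorized|revoked'  # assumed keywords; adjust to the real log format
$Results = [ordered]@{}

# 1. 64-bit host: the page requires "Run script in 64-bit PowerShell host = Yes".
$Results['64-bit PowerShell host'] = [Environment]::Is64BitProcess

# 2. Identity: with "logged on credentials = Yes" this is the user, not SYSTEM.
$who = [Security.Principal.WindowsIdentity]::GetCurrent().Name
$Results["Runs as user ($who)"] = ($who -ne 'NT AUTHORITY\SYSTEM')

# 3. Entra *joined*, not merely registered: read dsregcmd /status.
$dsreg = (& dsregcmd.exe /status) -join "`n"
$joined     = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$registered = $dsreg -match 'WorkplaceJoined\s*:\s*YES'
$Results['Entra joined (AzureAdJoined : YES)'] = $joined
if (-not $joined -and $registered) {
    Write-Warning 'Device is only Entra registered (WorkplaceJoined), not joined; Intune platform scripts will not run.'
}

# 4. Intune Management Extension service present and running.
$ime = Get-Service -Name $ImeServiceName -ErrorAction SilentlyContinue
$Results['Intune Management Extension installed'] = [bool]$ime
$Results['Intune Management Extension running']   = ($null -ne $ime -and $ime.Status -eq 'Running')

# 5. Outbound reachability to the host the page says the device must reach.
try {
    $resp = Invoke-WebRequest -Uri 'https://pypi.org' -Method Head -UseBasicParsing -TimeoutSec 15
    $Results['Can reach https://pypi.org'] = ($resp.StatusCode -ge 200 -and $resp.StatusCode -lt 400)
} catch {
    $Results['Can reach https://pypi.org'] = $false
    Write-Warning "https://pypi.org unreachable: $($_.Exception.Message)"
}

# 6. Sync log present; surface the last few error-looking lines if any.
$Results['Sync log exists'] = Test-Path -Path $LogPath
if (Test-Path -Path $LogPath) {
    $hits = Select-String -Path $LogPath -Pattern $LogErrorPattern
    $Results['Sync log has no error lines'] = ($null -eq $hits)
    if ($hits) {
        Write-Warning "Last error-looking lines in ${LogPath}:"
        $hits | Select-Object -Last 5 | ForEach-Object { Write-Warning "  $($_.LineNumber): $($_.Line)" }
    }
}

# Report: one line per check, then a single PASS/FAIL verdict.
foreach ($entry in $Results.GetEnumerator()) {
    $mark = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    Write-Output ('[{0}] {1}' -f $mark, $entry.Key)
}
$allOk = -not ($Results.Values -contains $false)
Write-Output ("Overall: " + $(if ($allOk) { 'PASS' } else { 'FAIL - see warnings above' }))
exit $(if ($allOk) { 0 } else { 1 })
```

The non-zero exit code lets the same file be deployed as a temporary Intune platform script or remediation detection script so that failing devices show up in the Intune status view; `dsregcmd /status` distinguishes the joined-versus-registered case the first troubleshooting bullet calls out, and the identity check catches a deployment where "logged on credentials" was left at No, in which case the script runs as SYSTEM rather than in the user's profile.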