
Prerequisites

  • Microsoft Intune admin access
  • Enrollment key from Runlayer
  • Devices running Windows 10 1607+ or Windows 11, Microsoft Entra joined
Enrollment keys allow devices to automatically register with Runlayer and obtain API credentials.

1. Navigate to Enrollment Keys

Go to Settings in the Runlayer dashboard and select the Enrollment Keys tab.

2. Create a New Key

Click + Create Enrollment Key.

3. Configure the Key

  • Name (required): Enter a descriptive name (e.g., “Production MDM”)
  • Description (optional): Add context about the key’s purpose

4. Copy the Key

Copy the generated key (starts with rl_enroll_) and store it securely.
Enrollment keys are shown only once. Store them securely and treat them like passwords.
Windows Home and S mode are not supported.

Deployment Steps

1. Generate the Script

Fill in your settings below to generate a deployment script.
  • ENROLLMENT_USERNAME: Leave empty to use %USERNAME%.
  • ENROLLMENT_DEVICE_NAME: Leave empty to use %COMPUTERNAME%.

2. Add Script in Intune

  • Open the Intune admin center
  • Go to Devices > Scripts and remediations > Platform scripts
  • Click Add > Windows 10 and later
  • Upload the generated script
  • Set Run this script using the logged on credentials to Yes
  • Set Run script in 64-bit PowerShell host to Yes

3. Assign to Groups

Select the device groups that should receive configuration sync, then click Add.

How It Works

The Intune platform script runs once per device and acts as a bootstrapper:
  1. Enrolls the device and installs the Runlayer CLI
  2. Runs the sync/scan command immediately
  3. Creates a Windows Scheduled Task for recurring execution
The scheduled task (RunlayerConfigSync or RunlayerAIWatch) runs on the configured interval (default: 60 minutes) and automatically updates the Runlayer CLI when new versions are available.
The scheduled task runs as the logged-on user. Scans and syncs only occur while a user is signed in.

Verification

Monitor script status in Devices > Scripts and remediations > Platform scripts. On a target device, open a client (e.g., Cursor) and confirm the synced MCP servers appear. To verify the scheduled task is running, open Task Scheduler on the device and look for RunlayerConfigSync or RunlayerAIWatch. Logs are at %ProgramData%\RunlayerSync\runlayer-sync.log or %ProgramData%\AIWatch\ai-watch.log.

Troubleshooting

  • Ensure the device is Microsoft Entra joined (not just registered)
  • Check that the Intune Management Extension service is installed
  • Verify the device can reach https://pypi.org
  • Check %ProgramData%\RunlayerSync\runlayer-sync.log for errors
  • Verify the enrollment API key is correct and not revoked
  • Confirm servers have auto-sync enabled in the Runlayer dashboard
  • Verify the enrollment API key is correct
  • Check if the key has been revoked in Settings > Enrollment Keys
  • Open Task Scheduler and check RunlayerConfigSync / RunlayerAIWatch status
  • Verify the recurring script exists at C:\ProgramData\Runlayer\Scripts\
  • Check logs at %ProgramData%\RunlayerSync\ or %ProgramData%\AIWatch\
  • The task only runs while the user is logged in
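
The checks from the Verification and Troubleshooting sections, gathered into one PowerShell script as an added example (not Runlayer's own tooling). Task names and paths are the ones given on this page; the service name `IntuneManagementExtension` and the `error` search pattern for the logs are assumptions.

```powershell
# Added example: local health check for a Runlayer Intune deployment.
$results = [ordered]@{}

# Entra joined (not just registered): dsregcmd reports "AzureAdJoined : YES"
$dsreg = dsregcmd /status | Out-String
$results['EntraJoined'] = $dsreg -match 'AzureAdJoined\s*:\s*YES'

# Intune Management Extension service (service name is an assumption)
$ime = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
$results['IntuneMgmtExtension'] = if ($ime) { "installed, $($ime.Status)" } else { 'not installed' }

# Reachability of https://pypi.org over TCP 443
$net = Test-NetConnection -ComputerName 'pypi.org' -Port 443 -WarningAction SilentlyContinue
$results['PyPIReachable'] = $net.TcpTestSucceeded

# Recurring script location named in Troubleshooting
$results['RecurringScript'] = Test-Path 'C:\ProgramData\Runlayer\Scripts\*'

# Scheduled tasks: one or both may exist depending on what was deployed
foreach ($name in 'RunlayerConfigSync', 'RunlayerAIWatch') {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        $results["Task:$name"] = '{0}, last run {1}, result 0x{2:X}' -f `
            $task.State, $info.LastRunTime, $info.LastTaskResult
    } else {
        $results["Task:$name"] = 'not found'
    }
}

# Logs: report presence and show the last few lines mentioning "error"
# (the log format is not documented on this page, so the pattern is a guess)
$logs = "$env:ProgramData\RunlayerSync\runlayer-sync.log",
        "$env:ProgramData\AIWatch\ai-watch.log"
foreach ($log in $logs) {
    $leaf = Split-Path $log -Leaf
    if (Test-Path $log) {
        $hits = @(Select-String -Path $log -Pattern 'error' | Select-Object -Last 5)
        $results["Log:$leaf"] = "present, $($hits.Count) recent 'error' line(s)"
        $hits | ForEach-Object { Write-Host "[$leaf] $($_.Line)" }
    } else {
        $results["Log:$leaf"] = 'not found'
    }
}

$results.GetEnumerator() | Format-Table -AutoSize Key, Value
```

Run it in the signed-in user's session on the target device, since the scheduled task runs as the logged-on user.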