AI Watch deploys to Windows as a signed app (aiwatch.exe) installed once per device. Tenant config — host, a single organization API key, and the Enforcement / Sessions capability properties — is written to the registry by the MSI.

Prerequisites

  • Microsoft Intune admin with app upload rights. Enforce additionally needs Devices → Scripts and remediations → Remediations access (P2 or add-on).
  • Devices running Windows 10 1809+ / 11, 64-bit, Microsoft Entra joined.
  • A single organization API key with the Detect Scan role minted in Settings → Organization API keys (rl_org_...). The same key covers scanning, enforcement, and sessions.
Windows Home and S mode are not supported.

What you receive

The deployment package (aiwatch-<version>-intune-package.zip) contains:
File | Purpose
aiwatch-<version>-win-x64.intunewin | App package for Intune upload (installs aiwatch.exe + tenant registry)
scan-on-detect/detect.ps1 | Detect, Option A — runs aiwatch.exe scan directly in the detection phase
scheduled/detect.ps1 + scheduled/remediate.ps1 | Detect, Option B — checks staleness, then scans when stale
assert/detect.ps1 + assert/remediate.ps1 | Hooks — runs aiwatch.exe setup hooks check/install --mdm to assert hook configs when Enforce or Sessions is enabled (SYSTEM)
Contact your Runlayer account team if you don’t have the .zip yet.

Capability properties

The MSI install command carries tenant config and capability flags. Detect is always available after the app is installed; Enforce and Sessions are controlled by the optional properties below. All values write to HKLM\Software\Runlayer\AIWatch\ (Host / OrgApiKey as REG_SZ, Enforcement / Sessions as REG_DWORD):
Property | Required | Default | Effect
AIWATCH_HOST | Yes | None | Tenant host URL
AIWATCH_ORG_API_KEY | Yes | None | The rl_org_... secret used for Detect scans, Enforce hooks, and Sessions telemetry
AIWATCH_ENFORCEMENT | No | 0 | Set 1 to install blocking hooks for unmanaged MCP sources and local tool policy checks
AIWATCH_SESSIONS | No | 1 | Set 0 to skip full event/session hooks; when both this and AIWATCH_ENFORCEMENT are 0, hook configs are removed while Detect scans continue
The MDM Configuration setup wizard renders the full install command from your capability toggles. Copy it before closing the dialog.

Phase 1 — Create the app

1. Open the Intune admin center

Go to intune.microsoft.com → Apps → Windows → Add → Windows app (Win32).
2. Upload the package

Select the aiwatch-<version>-win-x64.intunewin file from the deployment package.
3. App information

Field | Value
Name | Runlayer AI Watch
Description | Runlayer AI Watch agent for Shadow MCP detection and enforcement.
Publisher | Runlayer Inc.
App Version | The version from the deployment package (e.g. 1.0.0)
Notes | stableAppId=com.runlayer.aiwatch
Click Next.
4. Program

Field | Value
Install command | msiexec /i aiwatch-<version>-win-x64.msi /qn AIWATCH_HOST=https://<your-host>.runlayer.com AIWATCH_ORG_API_KEY=rl_org_... AIWATCH_ENFORCEMENT=1 AIWATCH_SESSIONS=1
Uninstall command | msiexec /x aiwatch-<version>-win-x64.msi /qn
Install behavior | System
Device restart behavior | No action
Use the install command rendered by the setup guide (Settings → MDM Configuration → Add new). For Detect-only, set AIWATCH_ENFORCEMENT=0 AIWATCH_SESSIONS=0. For a monitoring-only rollout, set AIWATCH_ENFORCEMENT=0. For full package, remediation, and hook cleanup, see Remove AI Watch. Click Next.
5. Requirements

  • Operating system architecture: 64-bit
  • Minimum operating system: Windows 10 1809
Click Next.
6. Detection rules

Select Manually configure detection rules → Add:
Field | Value
Rule type | File
Path | C:\Program Files\Runlayer\AIWatch
File or folder | aiwatch.exe
Detection method | File version
Operator | Greater than or equal to
Value | The version you are deploying (e.g. 1.0.0)
Using file version (not file-exists) ensures Supersedence upgrades detect the old version as outdated and install the new one. Click OK → Next.
7. Dependencies and Supersedence

  • Dependencies: skip (none required).
  • Supersedence: skip on first deploy. For upgrades, see Upgrade path below.
Click Next.
8. Return codes

Keep the defaults. They match the values expected by the MSI installer:
Code | Result
0 | Success
1707 | Success
3010 | Soft reboot
1641 | Hard reboot
1618 | Retry
Click Next.
9. Assignments

Select target device groups under Required or Available for enrolled devices → Review + create.

Phase 2 — Schedule scans (Detect)

The app installs aiwatch.exe and writes tenant config to the registry, but it does not schedule scans by itself. Create an Intune Remediation to run scans on a recurring schedule. The deployment package ships two strategies — pick one.

Option A — Scan on detect

The detection script runs aiwatch.exe scan directly. Exit 0 if the scan succeeds, exit 1 if it fails. No remediation script is needed.
1. Create the remediation

In the Intune admin center → Devices → Scripts and remediations → Remediations → Create script package. Name it (e.g. “AI Watch Scan”) → Next.
2. Upload scripts

  1. Upload scan-on-detect/detect.ps1 as the Detection script.
  2. Remediation script: leave blank, or paste a one-line exit 0 placeholder.
  3. Run this script using the logged-on credentials: Yes.
  4. Run script in 64-bit PowerShell host: Yes.
3. Assign and schedule

Assign to the same device groups that received the app, set Schedule (e.g. every 1 hour), and Review + create.

Option B — Detect staleness + remediate

A lightweight detection script checks whether aiwatch.exe exists and whether the last scan is fresh (within 30 minutes). If either check fails, Intune triggers the remediation script, which runs the scan and records a timestamp. This follows Intune’s fast-detect / heavy-remediate best practice and gives a 3-state dashboard.
1. Create the remediation

Devices → Scripts and remediations → Remediations → Create script package. Name it (e.g. “AI Watch Detect”) → Next.
2. Upload scripts

  1. Upload scheduled/detect.ps1 as the Detection script and scheduled/remediate.ps1 as the Remediation script.
  2. Run this script using the logged-on credentials: Yes.
  3. Run script in 64-bit PowerShell host: Yes.
3. Assign and schedule

Assign to the same device groups, set Schedule (e.g. every 1 hour), and Review + create.
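The detect/remediate split that Option B describes, written out as an added example. This is not the package's scheduled/detect.ps1 or scheduled/remediate.ps1; the per-user timestamp file path and the bare "aiwatch.exe scan" invocation are assumptions.

```powershell
# Added example (not the package's scheduled/detect.ps1 or scheduled/remediate.ps1):
# the staleness logic Option B describes. The timestamp path is per-user because the
# remediation runs with logged-on credentials; path and scan invocation are assumed.
$AiWatch   = 'C:\Program Files\Runlayer\AIWatch\aiwatch.exe'
$StampPath = Join-Path $env:LOCALAPPDATA 'Runlayer\last_scan.txt'   # assumed path
$MaxAgeMin = 30                                                      # freshness window from the guide

function Test-ScanFresh {
    # Detection phase. Exit 0 = compliant, exit 1 = Intune runs the remediation.
    if (-not (Test-Path $AiWatch)) {
        Write-Host 'aiwatch.exe missing'
        return 1
    }
    if (-not (Test-Path $StampPath)) {
        Write-Host 'no scan timestamp yet'
        return 1
    }
    $last = [datetime]::Parse((Get-Content $StampPath -Raw).Trim())
    $age  = (Get-Date) - $last
    if ($age.TotalMinutes -gt $MaxAgeMin) {
        Write-Host ('last scan {0:N0} min ago, stale' -f $age.TotalMinutes)
        return 1
    }
    Write-Host 'scan fresh'
    return 0
}

function Invoke-ScanAndStamp {
    # Remediation phase. Runs the scan and records a timestamp only on success,
    # so a failing scan keeps showing as stale instead of being hidden.
    & $AiWatch scan | Write-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Host "scan failed with exit $LASTEXITCODE"
        return 1
    }
    New-Item -ItemType Directory -Force -Path (Split-Path $StampPath) | Out-Null
    (Get-Date).ToString('o') | Set-Content -Path $StampPath -Encoding ascii
    return 0
}

# Intune takes the two phases as separate files; for local testing one switch
# selects the phase:  .\staleness.ps1 detect   or   .\staleness.ps1 remediate
$phase = if ($args.Count -gt 0) { $args[0] } else { 'detect' }
if ($phase -eq 'remediate') { exit (Invoke-ScanAndStamp) } else { exit (Test-ScanFresh) }
```

Diagnostics go through Write-Host so the functions return only the exit code, and the detection text shows up in the remediation's pre-remediation output column.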

Phase 3 — Assert hooks (Enforce or Sessions)

When AIWATCH_ENFORCEMENT=1 or AIWATCH_SESSIONS=1, add the assert/ Remediations pair so hook configs stay asserted in SYSTEM context.
1. Create the `assert/` Intune Remediation (SYSTEM)

Devices → Scripts and remediations → Remediations → Create script package.
  1. Name: e.g. “AI Watch — Assert Hooks”.
  2. Detection script: upload assert/detect.ps1. Remediation script: upload assert/remediate.ps1.
  3. Run this script using the logged-on credentials: No. Required — the scripts write SYSTEM-scoped paths under Program Files / ProgramData and refuse user context with exit 2.
  4. Run script in 64-bit PowerShell host: Yes.
  5. Enforce script signature check: Yes for CI-built releases, No for local unsigned builds.
  6. Schedule: every 1 hour (Intune minimum). Both scripts are idempotent.
  7. Assign to the same device group as the app.
The assert pair short-circuits silently when both Enforcement and Sessions are disabled, so Detect-only fleets pay zero hourly noise. To stop enforcing, re-push the app with AIWATCH_ENFORCEMENT=0; if Sessions stays enabled, hooks remain installed for monitoring-only telemetry and aiwatch hook stops blocking on its next fire.
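The control flow Phase 3 describes (SYSTEM-only, short-circuit when both capabilities are off, exit 2 in user context), as an added example. It is not the package's assert/detect.ps1 or assert/remediate.ps1; treating a missing registry value as the MSI default is an assumption.

```powershell
# Added example (not the package's assert/detect.ps1 or assert/remediate.ps1):
# the guards and exit codes Phase 3 describes. Treating an absent registry value
# as the MSI default (Enforcement 0, Sessions 1) is an assumption.
$AiWatch = 'C:\Program Files\Runlayer\AIWatch\aiwatch.exe'
$RegPath = 'HKLM:\Software\Runlayer\AIWatch'

function Get-CapabilityFlags {
    # Enforcement / Sessions are REG_DWORD written by the MSI install command.
    $p = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    $enf = if ($null -ne $p.Enforcement) { [int]$p.Enforcement } else { 0 }
    $ses = if ($null -ne $p.Sessions)    { [int]$p.Sessions }    else { 1 }
    [pscustomobject]@{ Enforcement = $enf; Sessions = $ses }
}

function Test-SystemContext {
    # Hook configs live under Program Files / ProgramData, so user context is refused.
    [System.Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
}

function Test-HookAssertion {
    # Detection phase: 0 = compliant, 1 = drift (run remediation), 2 = wrong context.
    if (-not (Test-SystemContext)) {
        Write-Host 'not SYSTEM: set "Run this script using the logged-on credentials" to No'
        return 2
    }
    $flags = Get-CapabilityFlags
    if ($flags.Enforcement -eq 0 -and $flags.Sessions -eq 0) {
        Write-Host 'Detect-only device: nothing to assert'   # short-circuit, no hourly noise
        return 0
    }
    if (-not (Test-Path $AiWatch)) { Write-Host 'aiwatch.exe missing'; return 1 }
    & $AiWatch setup hooks check --mdm | Write-Host
    if ($LASTEXITCODE -eq 0) { Write-Host 'hook configs current'; return 0 }
    Write-Host "hook configs drifted (check exit $LASTEXITCODE)"
    return 1
}

function Invoke-HookInstall {
    # Remediation phase: same guards, then re-assert the configs (idempotent).
    if (-not (Test-SystemContext)) { return 2 }
    $flags = Get-CapabilityFlags
    if ($flags.Enforcement -eq 0 -and $flags.Sessions -eq 0) { return 0 }
    & $AiWatch setup hooks install --mdm | Write-Host
    if ($LASTEXITCODE -eq 0) { return 0 } else { return 1 }
}

$phase = if ($args.Count -gt 0) { $args[0] } else { 'detect' }
if ($phase -eq 'remediate') { exit (Invoke-HookInstall) } else { exit (Test-HookAssertion) }
```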

Verification

After devices sync with Intune (and, for Enforce, a user logon):
# 1. App installed; registry has Host + OrgApiKey (+ Enforcement / Sessions)?
Get-ItemProperty "HKLM:\Software\Runlayer\AIWatch"

# 2. (Enforce or Sessions) hook configs current where supported?
& "C:\Program Files\Runlayer\AIWatch\aiwatch.exe" setup hooks check --mdm
# Expect exit 0.

# 3. (Enforce or Sessions) hook configs on disk?
Get-Content "C:\ProgramData\Cursor\hooks.json"
# Claude Code hooks currently live in the console user's settings.json:
Get-Content "$env:USERPROFILE\.claude\settings.json"
In the Runlayer dashboard, go to Settings → MDM Configuration and confirm Detect data is arriving. When Enforce or Sessions is enabled, Devices → Remediations → AI Watch — Assert Hooks → Device status should report compliant.

Upgrade path

The MSI uses MajorUpgrade with RemoveExistingProducts before InstallFinalize — it uninstalls the old C:\Program Files\Runlayer\AIWatch\ tree then installs the new one. Registry values in HKLM\Software\Runlayer\AIWatch survive because they are owned by a separate component keyed on a registry value, not a file. Remediation scripts and the Intune schedule are unchanged.
1. Download the new package

Download the new aiwatch-<version>-intune-package.zip and extract the .intunewin.
2. Create a new app

Follow Phase 1 again. The install command must still include AIWATCH_HOST and AIWATCH_ORG_API_KEY (plus your capability properties) — re-writing the same registry values is a no-op, but the MSI requires both mandatory properties.
3. Set the detection rule + Supersedence

Set the detection rule to File version >= <new version>. On the new app’s Supersedence page, add the previous version and select Supersede, then assign to the same device groups. Retire the old app once the new one is assigned.

Troubleshooting

  • Ensure the device is Microsoft Entra joined (not just registered)
  • Check that the Intune Management Extension service is running
  • Verify the install command has the correct host and API key
  • Review logs in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
The install command is missing a mandatory property. Both AIWATCH_HOST and AIWATCH_ORG_API_KEY are required — the MSI’s launch conditions refuse a half-configured registry write. Re-run with both set.
  • Check %ProgramData%\Runlayer\ai_watch_detect.log for errors
  • Verify the organization API key is correct and not revoked (Settings → Organization API keys)
  • Ensure the device can reach your Runlayer instance over HTTPS
“Run this script using the logged-on credentials” is set to Yes. The assert pair writes SYSTEM-scoped Program Files / ProgramData paths and must stay SYSTEM-only — set the toggle to No (the scan remediation uses Yes, the opposite).