
Enforce builds on the same .intunewin as Detect. Complete the Intune Deployment Package for Detect first; this page adds three things on top: the AIWATCH_ENROLLMENT_KEY MSI property, the assert/ Intune Remediations pair (SYSTEM-context — enterprise hook install), and scripts/bootstrap.ps1 at user logon (user-context — per-user enroll).

Prerequisites

  • Intune admin with Win32 LOB app upload rights and Devices → Scripts and remediations → Remediations access (P2 or add-on).
  • Devices running Windows 10 1809+ / 11, 64-bit, Microsoft Entra joined.
  • A path for per-user logon scripts — Intune user-context Platform Script, GPO logon script, or SCCM Task Sequence step.
  • An Enrollment Key minted in the Runlayer dashboard.
  1. Settings → Enrollment Keys tab → + Create Enrollment Key.
  2. Name it (e.g. “Production Intune — Enforce”).
  3. Copy the rl_enroll_... value — it is shown only once.

What enforce adds to the Intune deployment

The aiwatch-<version>-intune-package.zip already ships everything you need:
| Path inside the .zip | Role | Privilege context | Schedule |
|---|---|---|---|
| aiwatch-<version>-win-x64.intunewin | Win32 LOB app — installs aiwatch.exe + aiwatch-hook.exe + tenant registry | SYSTEM (per-machine) | once per device |
| scan-on-detect/ or scheduled/ (pick one) | Detect remediation — runs aiwatch.exe scan | logged-on user | hourly (Intune min) |
| assert/detect.ps1 + assert/remediate.ps1 | Enforce step 2 — runs aiwatch.exe setup hooks check/install --mdm to write enterprise hook configs under C:\ProgramData\Cursor\ + C:\Program Files\ClaudeCode\ | SYSTEM | hourly (Intune min) |
| scripts/bootstrap.ps1 | Enforce step 1 — runs aiwatch.exe bootstrap --user (enroll + per-user hook configs) | logged-on user | once at first logon |
Both halves are idempotent — repeat runs short-circuit on already-current state. assert/*.ps1 short-circuits silently when AIWATCH_ENROLLMENT_KEY is unset (scan-only fleets pay zero hourly noise).

Deployment

Step 1. Update the Win32 app install command

Use the same Win32 app entry you created for Detect. Edit the install command to add AIWATCH_ENROLLMENT_KEY (and optionally AIWATCH_USERNAME / AIWATCH_DEVICE_NAME):
```cmd
msiexec /i aiwatch-<version>-win-x64.msi /qn ^
  AIWATCH_HOST=https://<your-host>.runlayer.com ^
  AIWATCH_ORG_API_KEY=rl_org_xxxxxxxxxxxxxxxxxxxxxxxxxxxx ^
  AIWATCH_ENROLLMENT_KEY=rl_enroll_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
For a monitoring-only rollout add AIWATCH_ENFORCEMENT=0 (defaults to enforce when absent). All properties write to HKLM\Software\Runlayer\AIWatch\ as Host / OrgApiKey / EnrollmentKey / Username / DeviceName (REG_SZ) and Enforcement (REG_DWORD).

Re-upload the Win32 app or push a Supersedence so the new install command propagates.
Step 2. Create the `assert/` Intune Remediation (SYSTEM)

Devices → Scripts and remediations → Remediations → Create script package.
  1. Name: e.g. “AI Watch Enforce — Assert Hooks”.
  2. Detection script: upload assert/detect.ps1.
  3. Remediation script: upload assert/remediate.ps1.
  4. Run this script using the logged-on credentials: No. Required — the scripts write SYSTEM-scoped paths under Program Files / ProgramData and refuse user context with exit 2.
  5. Run script in 64-bit PowerShell host: Yes.
  6. Enforce script signature check: Yes for CI-built releases, No for local unsigned builds.
  7. Schedule: every 1 hour (Intune minimum). Both scripts are idempotent.
  8. Assign to the same device group as the Win32 app.
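The detection half of the pair has to honour three rules this page sets out: refuse anything but SYSTEM context with exit 2, short-circuit silently when no AIWATCH_ENROLLMENT_KEY is in the registry, and otherwise follow the Intune Remediations convention (exit 0 = compliant, exit 1 = run the remediation script). The script below is an added illustration of that contract, not the assert/detect.ps1 shipped in the package; it assumes the aiwatch.exe install path and registry value names documented on this page, and treats any non-zero result from `setup hooks check --mdm` as "not current" without distinguishing the reasons the shipped scripts report.

```powershell
# Illustrative Intune detection script (NOT the shipped assert/detect.ps1).
# Shows the SYSTEM-only / silent-when-unenrolled / 0-or-1 exit contract.
# Assumptions: install path and registry names are taken from this page.

$RegPath = 'HKLM:\Software\Runlayer\AIWatch'
$Exe     = 'C:\Program Files\Runlayer\AIWatch\aiwatch.exe'

# 1. Refuse to run outside SYSTEM context (the page's "exit 2" behaviour).
#    S-1-5-18 is the well-known SID of the LocalSystem account.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
if ($sid -ne 'S-1-5-18') {
    Write-Output 'assert: must run as SYSTEM (set "Run using logged-on credentials" to No)'
    exit 2
}

# 2. Scan-only fleets: no enrollment key in the registry, so exit compliant
#    without any output (zero hourly noise in the Remediations report).
$props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
if ($null -eq $props -or [string]::IsNullOrWhiteSpace($props.EnrollmentKey)) {
    exit 0
}

# 3. The agent is the source of truth for whether enterprise hook configs
#    under ProgramData / Program Files are current.
if (-not (Test-Path -Path $Exe)) {
    Write-Output "assert: $Exe not found; Win32 app has not installed yet"
    exit 1
}
& $Exe setup hooks check --mdm | Out-Null
$rc = $LASTEXITCODE
if ($rc -eq 0) {
    Write-Output 'assert: enterprise hook configs current'
    exit 0
}

# Any other result (including "no console-user credential yet", which the page
# says persists until bootstrap --user has run once) asks Intune to remediate.
Write-Output "assert: hook configs not current (aiwatch exit $rc); requesting remediation"
exit 1
```

The matching remediation script follows the same SYSTEM and enrollment-key guards and then runs `setup hooks install --mdm`, propagating that command's exit code so the Device status column reflects the real outcome. Keeping the detection output free of key material matters because Intune surfaces script output in the admin center.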
Step 3. Wire `scripts/bootstrap.ps1` into a per-user logon trigger

The assert/ pair will loop with exit 1 (no console-user credential) until the console user has run aiwatch.exe bootstrap --user at least once. Pick a user-context trigger so first-login users self-enroll automatically:
Stage scripts/bootstrap.ps1 somewhere reachable (e.g. copied during MSI install). Then in Intune:
  • Devices → Scripts and remediations → Platform scripts → Add → Windows 10 and later.
  • Upload scripts/bootstrap.ps1.
  • Run this script using the logged on credentials: Yes.
  • Run script in 64-bit PowerShell host: Yes.
  • Assign to a user group covering everyone in the fleet.
bootstrap.ps1 refuses SYSTEM context with exit 2 — keep it off the Remediations pair, which must stay SYSTEM-only.

Verification

On a test device after Intune sync, then a user logon:
```powershell
# 1. MSI landed; registry has Host + OrgApiKey + EnrollmentKey (and optional Enforcement)?
Get-ItemProperty "HKLM:\Software\Runlayer\AIWatch"

# 2. Per-user enroll fired (bootstrap.ps1) — credential exists?
& "C:\Program Files\Runlayer\AIWatch\aiwatch.exe" bootstrap --check --user
# Expect exit 0.

# 3. SYSTEM-side enterprise hook configs current?
#    Run elevated (psexec -s, or via a temporary SYSTEM scheduled task):
& "C:\Program Files\Runlayer\AIWatch\aiwatch.exe" setup hooks check --mdm
# Expect exit 0.

# 4. Hook configs on disk?
Get-Content "C:\ProgramData\Cursor\hooks.json"
Get-Content "C:\Program Files\ClaudeCode\managed-settings.json"
```
In the Intune admin center, Devices → Remediations → AI Watch Enforce — Assert Hooks → Device status should report 100% compliant once every device has had at least one user logon (so bootstrap.ps1 has fired).

Rotating the Enrollment Key

Push a new Win32 app install command with the updated AIWATCH_ENROLLMENT_KEY (or a small Remediation that overwrites the registry value). The next bootstrap.ps1 run + next assert/ tick on each device picks up the new key. No .msi reinstall required if you only rewrite the registry.
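The "small Remediation that overwrites the registry value" route can be a single script uploaded twice, once as the detection script and once as the remediation script, differing only in the `$Mode` line. The script below is an added example, not part of the Intune package; it assumes the registry path and EnrollmentKey value name documented on this page, and the key value in it is a placeholder to replace before upload. Run it as SYSTEM (HKLM write) in the 64-bit host, with the same settings as the assert pair.

```powershell
# Illustrative Intune Remediation for rotating AIWATCH_ENROLLMENT_KEY in place.
# Upload once with $Mode = 'detect' and once with $Mode = 'remediate'.
# Assumptions: registry path/value name are from this page; $NewKey is a placeholder.

$Mode    = 'detect'                                  # 'detect' or 'remediate'
$RegPath = 'HKLM:\Software\Runlayer\AIWatch'
$NewKey  = 'rl_enroll_PLACEHOLDER_ROTATED_KEY'       # paste the real rotated key here

function Get-CurrentEnrollmentKey {
    # Returns $null when the Runlayer key is absent (Win32 app not installed).
    $props = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.EnrollmentKey
}

$current = Get-CurrentEnrollmentKey
if ($null -eq $current) {
    # Nothing to rotate on a device the MSI has not reached; the assert pair
    # and Win32 app status cover install problems, so report compliant here.
    Write-Output 'rotate: HKLM\Software\Runlayer\AIWatch missing; nothing to rotate'
    exit 0
}

# Case-sensitive compare: enrollment keys are opaque tokens.
if ($current -ceq $NewKey) {
    Write-Output 'rotate: EnrollmentKey already current'
    exit 0
}

if ($Mode -eq 'detect') {
    # Never echo the key itself; Intune shows script output in the admin center.
    Write-Output 'rotate: EnrollmentKey stale; remediation required'
    exit 1
}

# Remediate: rewrite the REG_SZ value. No .msi reinstall is needed; the next
# bootstrap.ps1 run and the next assert/ tick pick the new key up.
Set-ItemProperty -Path $RegPath -Name 'EnrollmentKey' -Value $NewKey -Type String
if ((Get-CurrentEnrollmentKey) -ceq $NewKey) {
    Write-Output 'rotate: EnrollmentKey rewritten'
    exit 0
}
Write-Output 'rotate: registry write did not take effect'
exit 1
```

Because the new key sits in the script body, it is stored by Intune exactly as the install command is; scope the remediation to the same device group as the Win32 app and retire it once the Win32 install command has been updated so the two sources do not drift.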

Troubleshooting

  • No user has run aiwatch.exe bootstrap --user (or scripts/bootstrap.ps1) yet. Confirm the per-user logon trigger is in place — Intune user-context script, GPO logon, or SCCM. Once one user enrolls, the assert pair flips compliant on the next tick.
  • "Run this script using the logged-on credentials" is set to Yes. The assert pair writes SYSTEM-scoped Program Files / ProgramData paths and must stay SYSTEM-only. Flip the toggle to No on the assert remediation (the scan + per-user logon scripts use Yes — opposite setting).
  • The logon script ran in SYSTEM/device context. Move it to a user-context trigger (Intune user-context Platform Script, GPO User Configuration logon script, or SCCM user collection). The SYSTEM half is the assert/ pair, which handles enterprise hook configs.
  • The install command is missing one of the required properties. AIWATCH_HOST and AIWATCH_ORG_API_KEY are mandatory — the MSI’s Launch conditions refuse a half-configured registry write. Re-run with both set.
  • aiwatch-hook fell back to self-enrolling because the user credential was missing when an AI client fired the hook. Self-healing — the device is fully provisioned after the first hook fire — but a non-zero rate means bootstrap.ps1 isn’t running reliably. Check the user-context logon trigger for that user / device.