Intune Windows Runbook

Use this runbook to deploy thoth governance to employee Windows endpoints managed by Intune.

1. Prepare onboarding values

Use onboarding values provided by thoth:

• tenant_id
• apex_domain

2. Deploy config file to endpoints

Deploy:

C:\ProgramData\Thoth\thoth-config.json

Deployment options:

• Intune Win32 app that writes the file
• or custom OMA-URI profile that delivers equivalent content

3. Deploy Windows setup script

Upload and assign your PowerShell setup script (for example: deploy/intune/windows/setup-claude-mcp.ps1) to your Windows device groups.

Recommended Intune script settings:

• Run this script using the logged on credentials: No
• Enforce script signature check: Your organization standard
• Run script in 64-bit PowerShell host: Yes

Expected behavior:

• detect logged-in employee
• wrap Claude config at $env:APPDATA\Claude\claude_desktop_config.json
• restart Claude Desktop process cleanly

4. Assignment order

Use this sequence:

1. Baseline dependencies assignment (thoth, node, npx)
2. Config assignment (C:\ProgramData\Thoth\thoth-config.json)
3. Setup script assignment

Scope to test, then pilot, then full production groups.

5. Execution policy note

If your environment blocks script execution:

• configure Intune script policies to allow signed enterprise scripts
• or deploy script via Win32 packaging flow where execution context is controlled centrally

Do not ask employees to override local execution policy manually.

6. Validate on pilot endpoint

thoth health --json
thoth status

Verify file placement:

Test-Path "C:\ProgramData\Thoth\thoth-config.json"
Test-Path "$env:APPDATA\Claude\claude_desktop_config.json"

Review local setup logging:

Get-Content "C:\ProgramData\Thoth\setup.log" -Tail 100

Troubleshooting