
Deploy Cisco AnyConnect via Intune | Win32 Guide

Published 17 March 2026 · 8 min read

Cisco AnyConnect (now Cisco Secure Client) is one of the most widely deployed enterprise VPN clients. It installs from a predeploy MSI designed for silent enterprise deployment, and VPN server configuration is handled via a separate XML profile file deployed alongside the installer. This guide covers both the 4.x AnyConnect and 5.x Secure Client deployment approaches.

Contents
  1. AnyConnect vs Cisco Secure Client
  2. Download the predeploy MSI
  3. Wrap with the Content Prep Tool
  4. Add the app in Intune
  5. Install and uninstall commands
  6. Deploying the VPN profile
  7. Detection rule
  8. Known gotchas

AnyConnect vs Cisco Secure Client

Cisco rebranded AnyConnect as Cisco Secure Client in 2023. If you are setting up a new deployment, use Cisco Secure Client 5.x. If you are managing an existing AnyConnect 4.x deployment, the packaging process is identical - the MSI filenames and switches are the same.

Cisco Secure Client replaces AnyConnect
New deployments should use Cisco Secure Client. However, AnyConnect 4.x remains widely deployed and supported. This guide covers both - the only difference is the MSI filename and install path.

Download the predeploy MSI

Download from Cisco Software Downloads (requires a Cisco account with a support contract):

software.cisco.com/download → Security → VPN and Endpoint Security Clients → Cisco AnyConnect Secure Mobility Client

Download the Windows predeploy package - the filename will include predeploy-k9. This is the enterprise installer designed for silent deployment. Do not use the web deploy package as it requires a live ASA connection to install.

Wrap with the Content Prep Tool

IntuneWinAppUtil.exe -c "C:\AppSource\AnyConnect" -s "anyconnect-win-4.10.x-core-vpn-predeploy-k9.msi" -o "C:\IntunePackages"
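
Before wrapping, confirm the MSI is the file Cisco published. The PowerShell below is an added example, not part of the original guide: it checks the Authenticode signature and a checksum, and only then calls IntuneWinAppUtil.exe with the same arguments as above. The checksum value is a placeholder, and the SHA512 algorithm, the signer match string and IntuneWinAppUtil.exe being on PATH are assumptions.

```powershell
# Added example: verify the predeploy MSI before packaging it.
$source  = 'C:\AppSource\AnyConnect'
$msiName = 'anyconnect-win-4.10.x-core-vpn-predeploy-k9.msi'
$output  = 'C:\IntunePackages'
$msiPath = Join-Path $source $msiName

# Placeholder: paste the checksum Cisco lists for this exact file.
# Assumption: the published checksum is SHA512; change -Algorithm if not.
$expectedHash   = '<CHECKSUM-FROM-CISCO-DOWNLOAD-PAGE>'
# Assumption: the signing certificate subject names Cisco Systems.
$expectedSigner = 'Cisco Systems'

if (-not (Test-Path -LiteralPath $msiPath -PathType Leaf)) {
    throw "MSI not found: $msiPath"
}

# 1. The file must carry a valid Authenticode signature from the expected signer.
$sig = Get-AuthenticodeSignature -FilePath $msiPath
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
}
if ($sig.SignerCertificate.Subject -notmatch [regex]::Escape($expectedSigner)) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 2. The file must match the published checksum (comparison is case-insensitive).
$actualHash = (Get-FileHash -LiteralPath $msiPath -Algorithm SHA512).Hash
if ($actualHash -ne $expectedHash) {
    throw "Checksum mismatch. Expected $expectedHash, got $actualHash"
}

# Only a file that passed both checks is packaged.
& IntuneWinAppUtil.exe -c $source -s $msiName -o $output
```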

Add the app in Intune

Intune Admin Centre → Apps → Windows → + Add → Windows app (Win32)
  1. Upload the .intunewin file
  2. Name: Cisco AnyConnect VPN
  3. Publisher: Cisco Systems, Inc.

Install and uninstall commands

Program settings

Install command: msiexec /i "anyconnect-win-4.10.x-core-vpn-predeploy-k9.msi" /quiet /norestart
Uninstall command: msiexec /x "anyconnect-win-4.10.x-core-vpn-predeploy-k9.msi" /quiet /norestart
Install behaviour: System
Device restart behaviour: No specific action

Deploying the VPN profile

AnyConnect reads its server configuration from an XML profile file. Deploy this as a separate Intune PowerShell script or include it in your package as a wrapper:

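# Deploy AnyConnect profile XML
# Run after AnyConnect installs
# Cisco Secure Client 5.x reads profiles from
# C:\ProgramData\Cisco\Cisco Secure Client\VPN\Profile instead

$profileDir = "C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile"
New-Item -ItemType Directory -Force -Path $profileDir | Out-Null

# Named $profileXml because $profile is a PowerShell automatic variable
$profileXml = @"
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>vpn.yourdomain.com</HostName>
      <HostAddress>vpn.yourdomain.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
"@

# Write as UTF-8 to match the encoding declared in the XML header
Set-Content -Path "$profileDir\YourOrgVPN.xml" -Value $profileXml -Encoding UTF8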

Detection rule

File detection rule

Rule type: File
Path: C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client (32-bit app - always x86 path)
File or folder name: vpnui.exe
Detection method: File or folder exists
Test your detection rule first
Before deploying to users, install the app manually on a test device and verify the detection rule matches. Check the file path or registry key exists before assigning to a group.
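
A file-exists rule is satisfied by any build of vpnui.exe, including an outdated one. The script below is an added example, not part of the original guide, of an Intune custom detection script that also requires a minimum file version and a valid signature. The version floor is an assumption to replace with the build you packaged.

```powershell
# Added example: Intune custom detection script for AnyConnect.
# Intune treats the app as detected only when the script exits 0
# and writes something to STDOUT.
$exe = 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe'

# Assumption: lowest build you accept. Set it to the version you packaged
# so that older installs are reported as "not detected" and get upgraded.
$minimumVersion = [version]'4.10.0.0'

# Not installed at all.
if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { exit 1 }

# Build the version from the numeric parts; the string form of FileVersion
# can contain commas or leading zeros that [version] will not parse.
$info = (Get-Item -LiteralPath $exe).VersionInfo
$installed = [version]::new(
    $info.FileMajorPart, $info.FileMinorPart,
    $info.FileBuildPart, $info.FilePrivatePart)

# Installed, but older than the accepted floor.
if ($installed -lt $minimumVersion) { exit 1 }

# Installed binary must still carry a valid Authenticode signature.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') { exit 1 }

Write-Output "Detected vpnui.exe $installed"
exit 0
```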

Known gotchas

VPN automatically connecting at startup

If your AnyConnect profile includes an AutoConnectOnStart setting, AnyConnect will attempt to connect to the VPN as soon as the user logs in. This is useful for always-on VPN scenarios but may surprise users on first login after deployment.
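
The profile directory decides which gateway users connect to and whether the client connects at logon, so it is worth auditing on managed devices. The script below is an added example, not part of the original guide, covering both the profile deployment section and the AutoConnectOnStart gotcha: it reports any profile that names an unexpected gateway or enables AutoConnectOnStart. The allow-list, the `$allowAutoConnect` switch and the function name are assumptions for illustration.

```powershell
# Added example: audit deployed AnyConnect profiles.
$profileDir       = 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile'
$allowedHosts     = @('vpn.yourdomain.com')   # assumption: gateways you publish
$allowAutoConnect = $false                    # assumption: always-on VPN not intended

function Get-AnyConnectProfileFinding {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedHosts,
        [bool]$AllowAutoConnect
    )
    try {
        $xml = [xml](Get-Content -LiteralPath $Path -Raw -ErrorAction Stop)
    } catch {
        return "$Path : not well-formed XML"
    }

    # local-name() keeps the query independent of the profile's XML namespace.
    $query = "//*[local-name()='HostEntry']/*[local-name()='HostAddress']"
    $addresses = @($xml.SelectNodes($query) | ForEach-Object { $_.InnerText.Trim() })

    if ($addresses.Count -eq 0) { "$Path : no HostAddress entries" }
    foreach ($address in $addresses) {
        # -notcontains compares case-insensitively, as hostnames should be.
        if ($AllowedHosts -notcontains $address) {
            "$Path : unexpected gateway '$address'"
        }
    }

    $auto = $xml.SelectSingleNode("//*[local-name()='AutoConnectOnStart']")
    if ($auto -and $auto.InnerText.Trim() -eq 'true' -and -not $AllowAutoConnect) {
        "$Path : AutoConnectOnStart is enabled"
    }
}

# Every *.xml in the directory is checked, not only the file you deployed.
$findings = @(
    Get-ChildItem -LiteralPath $profileDir -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-AnyConnectProfileFinding -Path $_.FullName `
                -AllowedHosts $allowedHosts -AllowAutoConnect $allowAutoConnect
        }
)

if ($findings.Count -gt 0) { $findings | Write-Output; exit 1 }
Write-Output 'All AnyConnect profiles match the expected configuration'
exit 0
```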

Frequently Asked Questions

Q: How do I deploy Cisco AnyConnect silently via Intune?

Use: msiexec /i "anyconnect-win-4.10.x-core-vpn-predeploy-k9.msi" /quiet /norestart. Download the MSI from Cisco Software Downloads. The predeploy MSI is designed for silent enterprise deployment without requiring the web installer.

Q: What is the difference between Cisco AnyConnect and Cisco Secure Client?

Cisco rebranded AnyConnect as Cisco Secure Client in 2023. AnyConnect 4.x is still widely deployed. New deployments should use Cisco Secure Client 5.x which uses the same MSI deployment method. Both support the same silent install switches.

Q: How do I pre-configure the VPN server address for AnyConnect?

Deploy an AnyConnect profile XML file to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile\ alongside the MSI. The profile sets the VPN server address and authentication settings automatically.

Q: How do I detect Cisco AnyConnect in Intune?

Use a file detection rule: check for vpnui.exe in C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client. AnyConnect is a 32-bit app and always installs to the x86 path.

Installer type: MSI (predeploy package)
Install path: C:\Program Files (x86) - 32-bit app
Profile config: Separate XML file deployed via script
Silent install: Yes - /quiet /norestart
Reboot required: No