Home/Insights/Networking

Troubleshooting Zscaler ZCC VDI Intune Win32 App Command-Line Limit Failures

Use this when Zscaler Client Connector VDI deployments fail as Intune Win32 apps and the install command may be too long, malformed, or unstable under IME system context.

Quick Read

  • Symptom: Use this when Zscaler Client Connector VDI deployments fail as Intune Win32 apps and the install command may be too long, malformed, or unstable under IME system context.
  • Check first: Compare the exact Intune install command, uninstall command, and detection rule against the vendor packaging notes.
  • Risk: Review before running

Symptoms

Zscaler Client Connector packages for persistent or non-persistent VDI often carry long MSI properties, tenant cloud names, transform paths, enrollment switches, and detection logic. In Intune Win32 deployments, long or heavily quoted install commands can be truncated, parsed incorrectly, or wrapped poorly, which makes deployment status look like a generic install failure instead of a packaging problem.

Environment

Microsoft Intune, Intune Management Extension, Windows VDI images, and Zscaler Client Connector Win32 app packaging.

Most Likely Causes

The failure is usually caused by command-line length, nested quoting, installer property order, detection-rule mismatch, or a packaging wrapper that works interactively but is not stable when the Intune Management Extension runs it as system.

What to Check First

  1. Compare the exact Intune install command, uninstall command, and detection rule against the vendor packaging notes.
  2. Measure the command string length and look for nested quotes, escaped paths, transforms, and copied portal text.
  3. Review IME logs around the app id and install attempt before changing the package.
  4. Confirm whether the app is assigned to physical endpoints, persistent VDI, non-persistent VDI, or all three.

Fix Steps

  1. Measure the configured install command before editing the Intune app.

    Copy the install command from Intune into a local variable, preserve every quote, and record its length for the change ticket.

    Example pattern only. Adjust for your environment before running.

    $InstallCommand = 'msiexec /i Zscaler-windows.msi /qn CLOUDNAME=example MODE=VDI'
$InstallCommand.Length
$InstallCommand
  2. Collect the Intune Management Extension evidence for the failed app install.

    Search the IME logs for the app name, app id, command line, installer exit code, and detection-rule result.

    Example pattern only. Adjust for your environment before running.

    $LogPath = 'C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log'
Select-String -Path $LogPath -Pattern 'Zscaler','ZCC','exit code','Detection','command line' -Context 2,3
  3. Split packaging problems from installer problems.

    If the logged command differs from the intended command, treat the issue as Intune packaging. If the command is intact and the installer returns a documented code, troubleshoot the Zscaler installer and VDI mode next.

  4. Rebuild the package around a short wrapper script when the command is too long.

    Move long MSI properties into a signed wrapper script or configuration file, keep the Intune install command short, and test on a pilot VDI assignment before broad deployment.

  5. Validate detection separately from installation.

    Confirm the detection rule proves the installed ZCC version and VDI mode you expect; do not use a broad file-exists rule that hides failed upgrades.

    Safe to run: read-only

    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Zscaler*' } | Select-Object DisplayName, DisplayVersion, Publisher

Validation

  • A pilot VDI device installs the app from Intune without command truncation or quoting errors in the IME log.
  • The detection rule reports installed only after the expected Zscaler Client Connector version is present.
  • The package behaves the same under system context as it does during a manual administrator test.
  • The original failing assignment is not broadened until the pilot group succeeds.

Logs to Check

  • C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
  • C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\AgentExecutor.log
  • Zscaler Client Connector installer logs if the wrapper writes an MSI log with /L*v

Rollback and Escalation

  • Keep the previous Intune Win32 app package and assignment available until the pilot succeeds.
  • If the wrapper package fails, stop the rollout by removing the pilot assignment or reverting to the previous app revision.
  • Record the old install command, detection rule, and assignment groups before editing them.

Escalate When

  • Escalate to the Intune owner if the command line in IME logs does not match the configured app command.
  • Escalate to the Zscaler owner or vendor if the intact installer command returns undocumented exit codes.
  • Escalate before production rollout if the fix requires changing VDI mode, tunnel behavior, or tenant enrollment properties.

Edge Cases

  • Non-persistent VDI images may need a different assignment and detection strategy than persistent VDI.
  • Copying commands from portals can introduce smart quotes or hidden whitespace that only fail under IME.
  • A successful manual install does not prove the Intune system-context command is valid.

Notes from the Field

  • Treat this as a packaging evidence problem first. The useful artifact is the exact command as IME ran it, not only the portal text.
  • Keep the Intune install command boring and short; put complexity in a version-controlled wrapper that can be reviewed.
  • Do not replace a command-line failure with a broad detection rule just to make the deployment look green.