Deploying shortcuts with Intune sounds trivial. In reality, it is one of those topics where many small details decide whether it works reliably or not.
Ideally, we would still have a simple file copy function like we had with Group Policy Preferences. Unfortunately, that is not an option with Intune. So we have to work with the tools we have.
In this post, I walk through the realistic options to deploy shortcuts with Intune, based on what I use in customer environments. I focus on file shortcuts, Start Menu links, and the trade-offs between platform scripts, remediations, and Win32 apps.
Table of Contents
- What do we actually mean by shortcuts
- Option 1: Platform scripts
- Option 2: Proactive Remediation
- Option 3: Win32 app
- My recommendation
- Final thoughts
What do we actually mean by shortcuts
Before talking about deployment methods, it is important to be precise.
There are two common shortcut types in Intune scenarios.
File shortcuts
These are classic .lnk files.
Typical use cases are:
- Desktop shortcuts to applications or file shares
- Start Menu entries pointing to executables
- Shortcuts to UNC paths like file servers
Start Menu pins
When I talk about Start Menu links in Intune, I actually mean Start Menu pins.
A Start Menu pin is not a shortcut by itself. It always references an existing application or file shortcut.
You can pin:
- Applications
- Executables
- File/Folder Shortcuts
Important limitation from the field.
If you want to pin a UNC path or a file system location, you must first create a .lnk file that points to this path. The Start Menu pin will then reference that shortcut.
This means the file shortcut is always the first step. The pin is only a visual layer on top of it.
The real challenge is not pinning. The challenge is deploying the underlying shortcut reliably with Intune.
Option 1: Platform scripts
Platform scripts are often the first choice. They are quick and flexible.
How it works
I use a PowerShell script that:
- Creates the shortcut
- Sets target path, arguments, and icon
- Places it on Desktop or Start Menu
This usually runs in SYSTEM context. You can also deploy shortcuts in user context, but then the user can delete the shortcut.
Here are some sample scripts to start with:
Script 1: Simple shortcut
This is the baseline. It is perfect for local targets.
$ShortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Application.lnk"
$TargetPath = "C:\Program\My Application.exe"
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($ShortcutPath)
$Shortcut.TargetPath = $TargetPath
$Shortcut.Save()
Script 2: Shortcut with a custom icon (Base64)
I use this when I do not want to store an icon file on a share or package it as a separate asset.
I embed the icon as Base64 and write it to disk during execution.
# Variables
$ShortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\My Application.lnk"
$TargetPath = "C:\Program\My Application.exe"
$Base64Icon = "iVBORw0KGgoAAAANSUhEUgAAADIAAAAyCAMAAAAp4XiDAAAAqFBMVEUAAAD////////////6+vr+/v78/Pz+/v739/f////9/f36+vr8/Pz+/v7+/v75+fn+/v7+/v79/f39/f36+vr9/f38/Pz6+vr+/v7+/v7+/v7+/v79/f39/f39/f39/f39/f38/Pz7+/v6+vr+/v79/f39/f38/Pz7+/v7+/v////9/f39/f39/f39/f38/Pz+/v79/f38/Pz7+/v6+vr9/f37+/v///+jDSucAAAAN3RSTlMA/e3qMN4c+gZoliB44dgM9PeGWxB9SRjTzb+7tatzbmBCKxXmmWlPNSbwn5KOZTnFslY7JHk/jkR60wAAAhtJREFUSMe1ltmWojAQQKtADI0jKIgbKu772vZM/v/PpgfKbMI5mYe+b6mcGyqhUgCC1vw07CA3wZzmYyzHH0Ac4pAhr8A7QMFgyDXFv3rIK8ELlFyZpvTOXV6Duy+NaMxVJdpgnYFTv1T6HU1JGa+js6PMp6gqC5fXMo5KZe9yRYkeWGuwK5RcUCqUJQ2dtqfSzgZ0wlm74DsWJgCByHKYN1pNjRWU+M3WP4rZCFajl3FfghVyY84CLNl1SXn4loYshBhs2b6U/P+VmbWSvJSNtbI48pJh01b58kjB2PbI/Imo2rhl6eSy4rzpJiA2O5p+BsE5TRqRllnIJUjwTl9clG+YO56pKfxG/s6Elr05r8XCWU8oq/G7wxKaPKOMTWTd3rw3ZURlf2irWQ9vwumbLQlnZtLkKM8xcvO+6DaOjKUecj+D1MOKfjdn5h63IDnMsjXDEtHvMgoomxxodXDob38VJD6dZV4M01MoJPYJdrREB8YTWOJvUB6/Jcs2KeuG9WOmpFDx2RBTZt3Pn1QCFJ8PS3r3V1N92ipJl5TQ9rYvQnH3fOg1NKgzaeF9/7JG5VrMXUdlTkp6lLGj8kewXgJ80FDPtEmJmGAAQjHa/xarFW8pFKOAeuOab/ocDAVP+nfKpJv6pnJcqD8GJujmPgjF6HdPp8JgGS2oKiyR9aSD6GQJNZfivbglzn1AJzyiEMXdcJL+kX38L5HQzx19r4jUAAAAAElFTkSuQmCC" # https://codebeautify.org/png-to-base64-converter
# Write icon to disk next to the shortcut
$IconPath = [System.IO.Path]::ChangeExtension($ShortcutPath, ".ico")
[System.IO.File]::WriteAllBytes($IconPath, [Convert]::FromBase64String($Base64Icon))
# Create shortcut
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($ShortcutPath)
$Shortcut.TargetPath = $TargetPath
$Shortcut.IconLocation = "$IconPath,0"
$Shortcut.Save()
Script 3: UNC shortcut that works in SYSTEM context (with logging)
UNC paths are where many shortcuts break. The target is often not reachable during deployment. This is common in SYSTEM context.
In this case, I create a shortcut that launches Explorer and passes the UNC path as an argument. I also add a transcript for troubleshooting.
$ScriptName = "Windows_Script_ShortCut-DEMO"
Start-Transcript -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\$ScriptName.log" -Force
# Variables
$ShortcutPath = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DEMO.lnk"
$TargetUNC = "\\file.sclouod.es\DEMO"
$Base64Icon = "iVBORw0KGgoAAAANSUhEUgAAADIAAAAyCAMAAAAp4XiDAAAAqFBMVEUAAAD////////////6+vr+/v78/Pz+/v739/f////9/f36+vr8/Pz+/v7+/v75+fn+/v7+/v79/f39/f36+vr9/f38/Pz6+vr+/v7+/v7+/v7+/v79/f39/f39/f39/f39/f38/Pz7+/v6+vr+/v79/f39/f38/Pz7+/v7+/v////9/f39/f39/f39/f38/Pz+/v79/f38/Pz7+/v6+vr9/f37+/v///+jDSucAAAAN3RSTlMA/e3qMN4c+gZoliB44dgM9PeGWxB9SRjTzb+7tatzbmBCKxXmmWlPNSbwn5KOZTnFslY7JHk/jkR60wAAAhtJREFUSMe1ltmWojAQQKtADI0jKIgbKu772vZM/v/PpgfKbMI5mYe+b6mcGyqhUgCC1vw07CA3wZzmYyzHH0Ac4pAhr8A7QMFgyDXFv3rIK8ELlFyZpvTOXV6Duy+NaMxVJdpgnYFTv1T6HU1JGa+js6PMp6gqC5fXMo5KZe9yRYkeWGuwK5RcUCqUJQ2dtqfSzgZ0wlm74DsWJgCByHKYN1pNjRWU+M3WP4rZCFajl3FfghVyY84CLNl1SXn4loYshBhs2b6U/P+VmbWSvJSNtbI48pJh01b58kjB2PbI/Imo2rhl6eSy4rzpJiA2O5p+BsE5TRqRllnIJUjwTl9clG+YO56pKfxG/s6Elr05r8XCWU8oq/G7wxKaPKOMTWTd3rw3ZURlf2irWQ9vwumbLQlnZtLkKM8xcvO+6DaOjKUecj+D1MOKfjdn5h63IDnMsjXDEtHvMgoomxxodXDob38VJD6dZV4M01MoJPYJdrREB8YTWOJvUB6/Jcs2KeuG9WOmpFDx2RBTZt3Pn1QCFJ8PS3r3V1N92ipJl5TQ9rYvQnH3fOg1NKgzaeF9/7JG5VrMXUdlTkp6lLGj8kewXgJ80FDPtEmJmGAAQjHa/xarFW8pFKOAeuOab/ocDAVP+nfKpJv6pnJcqD8GJujmPgjF6HdPp8JgGS2oKiyR9aSD6GQJNZfivbglzn1AJzyiEMXdcJL+kX38L5HQzx19r4jUAAAAAElFTkSuQmCC" # https://codebeautify.org/png-to-base64-converter
# Ensure Start Menu folder exists
$ShortcutDir = Split-Path -Path $ShortcutPath -Parent
if (-not (Test-Path $ShortcutDir)) {
    New-Item -Path $ShortcutDir -ItemType Directory -Force | Out-Null
}
# Write icon to disk next to the shortcut
$IconPath = [System.IO.Path]::ChangeExtension($ShortcutPath, ".ico")
[System.IO.File]::WriteAllBytes($IconPath, [Convert]::FromBase64String($Base64Icon))
# Create shortcut
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut($ShortcutPath)
# Always use Explorer as target, UNC as argument
$Shortcut.TargetPath = "$env:WINDIR\explorer.exe"
$Shortcut.Arguments = "`"$TargetUNC`""
$Shortcut.WorkingDirectory = $env:WINDIR
$Shortcut.WindowStyle = 1
$Shortcut.Description = "Schulungsunterlagen"
$Shortcut.IconLocation = "$IconPath,0"
$Shortcut.Save()
Stop-Transcript
Pros and cons
| Pro | Con |
|---|---|
| Fast to implement | No native detection |
| Very flexible | No versioning |
| No packaging required | Runs once, if deleted it won’t come back. |
Note about Base64 icons
To generate the Base64 value, I convert a small PNG to Base64 using https://codebeautify.org/png-to-base64-converter.
Keep the icon file small. Around 1 KB works well. Otherwise the Base64 string gets huge and the script becomes too big.
Option 2: Proactive Remediation
Proactive Remediations are my preferred option for user-facing shortcuts (in user context).
How it works
I use a detection script that checks whether the shortcut exists. If detection fails, the remediation script creates or fixes the shortcut. The remediation script is the same as the platform script above.
Detection example
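# Intune runs the remediation only when detection exits with code 1
if (Test-Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Company Share.lnk") { exit 0 } else { exit 1 }
Pros and cons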
| Pro | Con |
|---|---|
| Self-healing | Requires Proactive Remediations licensing |
| Clean detection logic | Slightly more setup effort |
| Automatic re-creation | |
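The detection example above only checks that the file exists. The following detection script is an added example, not the author's own: it also compares the shortcut's target and arguments, so a shortcut that was repointed is treated as non-compliant and gets rewritten. The expected values are assumptions taken from Script 3.

```powershell
# Detection script for an Intune Remediation (added example).
# Expected values are assumptions: keep them in sync with the remediation script.
$ShortcutPath   = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DEMO.lnk"
$ExpectedTarget = "$env:WINDIR\explorer.exe"
$ExpectedArgs   = '"\\file.sclouod.es\DEMO"'

if (-not (Test-Path -LiteralPath $ShortcutPath -PathType Leaf)) {
    Write-Output "Missing: $ShortcutPath"
    exit 1   # exit code 1 tells Intune to run the remediation script
}

try {
    # CreateShortcut() loads the existing .lnk when the file is already present
    $WshShell = New-Object -ComObject WScript.Shell
    $Shortcut = $WshShell.CreateShortcut($ShortcutPath)
}
catch {
    Write-Output "Cannot read shortcut: $($_.Exception.Message)"
    exit 1
}

# Collect every property that differs from the expected value
# (-ne on strings is case-insensitive, which suits Windows paths)
$Drift = @()
if ($Shortcut.TargetPath -ne $ExpectedTarget) {
    $Drift += "TargetPath is '$($Shortcut.TargetPath)'"
}
if ($Shortcut.Arguments -ne $ExpectedArgs) {
    $Drift += "Arguments are '$($Shortcut.Arguments)'"
}

if ($Drift.Count -gt 0) {
    Write-Output ("Drift: " + ($Drift -join "; "))
    exit 1
}

Write-Output "Compliant"
exit 0
```

The text written with Write-Output shows up as the detection output in the Intune remediation report, which makes it easy to see which devices had a modified shortcut.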
Option 3: Win32 app
Win32 apps give you the most structure and control. They are ideal when lifecycle management matters.
There are two valid patterns here.
Win32 Option A: Script-based Win32 app
This approach uses the same PowerShell logic as platform scripts, but wrapped inside a Win32 app. If you don't have Enterprise licenses to use Remediations, this can be a good alternative.
# Paste the platform script from above here
# Detection / versioning registry key
$Path = "HKCU:\Software\scloud\Shortcut-Company Share"
$Key = "Version"
$KeyFormat = "dword"
$Value = "1.0"
# Create the key if it does not exist yet
if (!(Test-Path $Path)) { New-Item -Path $Path -Force }
# Write the version value that the Win32 app detection rule checks
if (!$Key) {
    Set-Item -Path $Path -Value $Value
} else {
    Set-ItemProperty -Path $Path -Name $Key -Value $Value -Type $KeyFormat
}
Pros and cons
| Pro | Con |
|---|---|
| Detection and versioning | Packaging overhead |
| Install and uninstall support | Slightly more complexity |
| Predictable lifecycle | |
Win32 Option B: Deploy the actual shortcut files
This option is often underestimated. Sometimes the simplest approach is the best one.
Here, I create the .lnk files in advance, package them, and copy them to the correct location during installation.
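A possible install script for this pattern, as an added example rather than the author's own package. It assumes a folder named Shortcuts next to the script that holds the prebuilt .lnk files, and a hypothetical -Uninstall switch for the uninstall command.

```powershell
# install.ps1 (added example). Assumed package layout: a "Shortcuts" folder
# next to this script that contains the prebuilt .lnk files.
param([switch]$Uninstall)

$Source      = Join-Path $PSScriptRoot "Shortcuts"
$Destination = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"

$Links = Get-ChildItem -LiteralPath $Source -Filter *.lnk -File
if (-not $Links) {
    Write-Error "No .lnk files found in $Source"
    exit 1
}

foreach ($Link in $Links) {
    $TargetFile = Join-Path $Destination $Link.Name

    if ($Uninstall) {
        # Remove only the shortcuts this package ships, nothing else
        Remove-Item -LiteralPath $TargetFile -Force -ErrorAction SilentlyContinue
        continue
    }

    Copy-Item -LiteralPath $Link.FullName -Destination $TargetFile -Force

    # Verify the copy so a failed or partial write does not report success
    $SrcHash = (Get-FileHash -LiteralPath $Link.FullName -Algorithm SHA256).Hash
    $DstHash = (Get-FileHash -LiteralPath $TargetFile -Algorithm SHA256).Hash
    if ($SrcHash -ne $DstHash) {
        Write-Error "Hash mismatch after copy: $TargetFile"
        exit 1
    }
}

exit 0
```

Run it with `powershell.exe -ExecutionPolicy Bypass -File install.ps1` as the install command and add `-Uninstall` for the uninstall command; a file-exists detection rule on one of the copied shortcuts completes the app.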
Pros and cons
| Pro | Con |
|---|---|
| Extremely simple | Not dynamic |
| No runtime scripting | Changes require repackaging |
| Very stable | |
My recommendation
If I had to simplify it:
- One-time shortcut: Platform script
- User shortcut: Proactive Remediation
- Managed lifecycle or collections: Win32 app
This approach scales well and stays maintainable.
Final thoughts
Deploying shortcuts with Intune is not difficult. It just requires choosing the right function.
It would be nice to have a native file copy mechanism like we had with Group Policy Preferences. Since that is not available, we use the tools Intune gives us and design accordingly.
Most problems I see are not caused by Intune itself. They are caused by small design mistakes:
- Using user context when SYSTEM is required
- Referencing network paths for icons
- Missing detection logic
- Mixing Desktop and Start Menu paths
Once you understand these pitfalls and the trade-offs of each option, shortcut deployments become boring again. And boring is good.