In today’s post, let’s discuss Intune Application Deployment using MSI EXE IntuneWin Formats. One year back, I worked for a customer to deploy Windows 10 with modern management tools like Intune.
We faced a major limitation of Intune Win32 App Deployment (Intune Management Extension). Intune supported only a single Msi file. Because of this limitation, we could not deploy applications with EXE, multiple MSIs, MST, batch files, etc.
[Related Post– Intune Win32 app Troubleshooting]
***Updated on 17th April 2019 NOTE! – These application deployment limitations are no longer valid. Intune currently supports deploying applications with EXE, multiple MSIs, MST, batch files, etc.
What is Intune Win32 App Deployment or Intune Application Deployment
Win32 application deployment is for 32-bit and 64-bit application deployments. Using Intune Win32 App deployment, you can deploy x86 and x64 bit applications.
Windows 10 MDM channel has limitations in deploying complex Windows applications.
To overcome Windows 10 MDM channel limitation, Intune and the Windows team came up with an agent-based (Intune Management Extension) solution to deploy complex Windows applications (EXE, multiple MSIs, MST, batch files, etc.).
So now, Windows 10 (client-side) is ready to deploy complex Windows apps via the Win32 app deployment agent. Intune (Server-side) has implemented a solution called “Intune Win32 App Deployment” to deploy complex Windows applications via Intune portal.
Pre-requisites of Intune Win32 App deployment / Intune Management Extension
Let’s look into the pre-requisites of Intune Win32 App deployment or Intune Management Extension.
- Windows 10 Ent/Edu (1607 version and above)
- Joined to Azure Active Directory (AAD) or Hybrid Azure Active Directory
- Enrolled into Intune MDM
Limitations of Win32 App Deployment / Intune Management Extension
Now check the limits of Win32 App Deployment or Intune Management Extension.
- User context app installation is not available.
- No dependency and supersedence support.
- The application size limit is 8 GB.
Download the Win32 App Packaging Tool?
Download the Win32 to app “packaging” tool from GitHub. Is that a packaging tool? Do we need packaging skills to convert complex Windows apps? IntuneWin format?
The .intunewin file is created by Microsoft Win32 Content Prep Tool that converts application installation files into the .intunewin format.
IntuneWin Extension Packaging Tool (Intune Management Extension) – https://www.anoopcnair.com/intune-application-model-intunewin-packages/
Download the IntuneWinAppUtil.exe.
I don’t think you need any packaging skills to repackage existing Windows apps like MSI, EXE, or IntuneWin Extention. This Intune win32 app packaging is similar to zipping a folder using Winzip or 7 zip.
[Intune Win32 App Deployment Troubleshooting post – Intune Win32 app Troubleshooting]
How to Prepare Win32 App Installation Source for Intune
Intune allows single package files wrapped using intune prep tool for win32 app (Intune Management Extension) deployment.
We will see a step-by-step configuration to use the tool. Intune Win32 App Deployment; more details are available in the following section.
- Download the Intune prep tool (intuneWinAppUtil.exe).
- As shown below, make sure you copy all the installation files inside the source folder (example here: Adobe)
- And Keep the tool(intuneWinAppUtil.exe) outside of the installation source folder.
It is recommended to use cmd or batch files to trigger the installation. This approach will provide better control and sequence. I would suggest creating a “cmd” file for installation and uninstall.
- Execute the Intune prep tool (intuneWinAppUtil.exe). As shown below, specify the source folder and output folder as the same path. This tool will create the wrapped file. you can see the file with the extension “Intunewin” created
- Provide the setup file name. This filename is just for reference. In this example, you will be using the cmd file to trigger the installation.
- The Intunewin file is compressed and encrypted with a SHA256 hash
(Intune Win32 App Deployment more details are available in the following section)
You can use tools like 7-zip to extract the Intunewin file and see what’s inside. You can see Detection.xml and the install source files. The Detection.xml file is created based on the setup file metadata. Detection.xml file includes encryption key details.
How to Create and deploy Win32 App in Intune
Sign in to the Microsoft Endpoint Manager admin center https://endpoint.microsoft.com/.
Select Apps > All apps > Add, or you can navigate to Apps > Windows > Windows Apps.
On the Select app type pane, under the Other app types, select Windows app (Win32) and click Select.
On the Add app pane, click Select app package file. Select the browse button. Then, Select the previously created intunewin file using intune prep tool. The app details appear.
When you’re finished, select OK on the App package file pane.
Update the app information such as Name, Description, Publisher, Category, Logo, etc.
(Intune Win32 App Deployment more details are available in the following section)
On the Program page, configure the app installation and removal commands for the app.
- Install command: Add the complete installation command line to install the windows update. For Example, Install.cmd (Contains the installation command for adobe)
- Uninstall command: Add the complete command line to uninstall the windows update KBs. For Example, Uninstall.cmd (Contains the uninstallation command for adobe file)
- Install behavior: Set the install behavior to System.
You can also specify the Device restart behavior and Post-installation behavior. Click Next to continue.
You can configure the application pre-requirements. On the Requirements page, specify the mandatory requirements that devices must meet before installing the update and click Next.
- Operating system architecture: Choose the architectures needed to install the windows update.
- Minimum operating system: Select the minimum operating system needed to install the windows update.
There are some built-in and custom requirements rules you can choose from when creating your Win32 application. Explore Intune Win32 App Requirement Rules.
Configure the app detection rule and select “manually configure detection rule.”
You can select any one of the below detection rule types:
- MSI
- File
- Registry
(Intune Win32 App Deployment more details are available in the following section)
I will use the MSI product code as a detection rule in this example.
Based on your requirement, update the return code and post-installation behavior.
After completion, the app is uploaded to Intune.
You can see the upload status by selecting the notification tab.
I will deploy this application as “available “for all users for testing.
(Intune Win32 App Deployment more details are available in the following section)
In the next post, 2, we will Deep dive into intune Client-side events during Intune Win32 app deployment.
[Intune Win32 App Deployment Troubleshooting post – Intune Win32 app Troubleshooting]
Resources:
Intune Troubleshooting – https://www.anoopcnair.com/configuration-profile-settings-view/
Author
Vimal has more than ten years of experience in SCCM device management solutions. His main focus is on Device Management technologies like Microsoft Intune, ConfigMgr (SCCM), OS Deployment, and Patch Management. He writes about the technologies like SCCM, Windows 10, Microsoft Intune, and MDT.
what is the MSI product key and where can i find it?
I dint got your question completely..
Are you referring MSI product key configured in Intune console for detection logic ? Intune console will automatically detect MSI key if you select the MSI file for detection logic.
If MSI is installed successfully in the system then you can verify registry – HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
Hi Anoop,
I need to deploy a application as win32 app to Windows Autopilot devices, the app has a has a prerequisite of .net 3.5, do you know how how I could use a batch file to install .net 3.5 first and then install the app?
Thanks
Steve
Currently intune cannot natively handle application dependency.Many users voted for this feature as mentioned in the below URL.
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/8307447-priority-based-application-deployment
In batch file , we may have to handle it manually. Like Calling .net 3.5 installation first , add some pause and then call remaining apps.
Steve – It’s under development. You will soon see Win32 app deployment (sidecar) with dependency feature https://docs.microsoft.com/en-us/intune/in-development#enable-win32-app-dependencies-
Hello Anoop,
I am trying to deploy win 32 application as ‘available’, but I am not able to see the application in company portal, but when I deploy the windows store applications as available, I can see those windows store applications in Company portal. Also, I can deploy the application as required and it is installing perfectly fine, the problem is only with the win 32 apps deployed as “Available”
Hello Harsha,
Did you tried deploying application as “Available” for User Azure AD group or Device group ?
I tried from my side and its showing up for me.
Is that apps showing in Company portal web URL ? .. https://portal.manage.microsoft.com/
Hello Vimal,
Sorry for the late reply, I have deployed it to user Azure AD group itself. It doesnt show in the company portal app or the portal web url. we are using intune standalone and all the devices are win 10 1709. Also, wanted to let you know, Intune management extension is not getting installed, I figured that will get installed if the win32 app is deployed without any hiccup, if im not wrong.
Yes Harsha, if win32 app is deployed then only Intune management extension gets installed
So, can you please help me out with this.. is there anything that I need to do ?
Harsha – Can you please explain what are the steps you followed to troubleshoot Intune Win32 App agent installation issues? or Sidecar agent installation issues? I would recommend to start with Windows 10 MDM troubleshooting from event logs. The other step which I advice is to unenroll and enroll back to Intune. Once that is done, please deploy the Intune Win32 packaged application. This should initiate the Win32 app client installation….
Hello Anoop,
I have removed the enrollment and added it back and tried, still the same, but now I am getting the “ADALUseWindowsAuthenticationTenant failed,” and “Automatic registration failed at join phase” (event IDs : 305, 304), when I checked the event log and dsregcmd /status shows Azureadjoined = no
Is this only with one Windows 10 device? What is the version of Windows 10? I would try with another machine if you have not already tried this option. Also, what is the error showing in Intune troubleshooting tab? Pending for Install?
You reference using an install and uninstall script, how exactly did you write that? My familiarity with batch scripts is limited but would it just be msiexec /i software.exe /s or /quiet /QUIET /S /Silent (what is required)?
Normally i test the application install/uninstall commandline manually. If its sucess , Then i copy the same commandline to batch file and deploy using Intune. Commandline is based on the file type you are using.Please Test commandline manually before trying with Intune.
Another point is Intune automtically detect the Installation commandline if you specify the MSI file while Preparing Intunewin file format.You can open the Detection.xml and verify.
Hello!
What is the content of the install.cmd and unistall.cmd scripts?
What is the difference between creating the cmd file or adding the commands manually to the Intune portal in “specify the commands …”?
Technically there is no difference ..you can directly mention command line and it will work
But in real production scenario , Packaging team always follow a standard process like using install and uninstall script
Hi – is anyone else having trouble selecting the ‘user’ context for Install Behavior on the ‘Program’ pane? For me it’s greyed out, which means my app won’t be installed with admin privileges…
Hey Joe,
Could you figure this out? I too am facing the same problem with one of my deployments. I do see this option as enabled for other packages, but I have no clue why it is greyed out for just one specific package that I am trying to deploy.
Thanks,
Kris.
https://superuser.com/questions/1484434/microsoft-intune-install-behavior-disabled
Hello Anoop,
Is there a way to deploy the app in 64-bit mode? regkey imports are added in the WOW6432Node registry. I can’t find a way to add them in the native hive.
Please check below link for more details on 32-bit or 64-bit process behavior in Intunewin32 apps
you need lauch the cmd in 64 bit context
https://www.anoopcnair.com/intune-win32-app-deploy-system32-vs-syswow64/
Hello,
Thank you for your reponse. I have solved my problem.
Best regards
Wietse
Please check below link for more details on 32-bit or 64-bit process behavior in Intunewin32 apps deployment
https://www.anoopcnair.com/intune-win32-app-deploy-system32-vs-syswow64/
Hi – Can this tool be used to package applications with out silent switches.
intuneWinAppUtil.exe is just a prep tool to wrap the apps so that intune can deploy. This tool is not for app packaging.
Yeah you can so that with Microsoft Intune Application model using IntuneWin https://howtomanagedevices.com/intune/1092/intune-application-model-guide/
@Wietse – How did you solve your problem of:
“Is there a way to deploy the app in 64-bit mode? regkey imports are added in the WOW6432Node registry. I can’t find a way to add them in the native hive.”
We are experiencing the exact same issue.
Well, in my case what i did:
Created a Windows app (win32) App type:
I had a reg file that needed to be imported. I used “reg import ….” and changed the command to:
reg IMPORT run.reg /reg:64
Now the keys are added to the native hive, simple but it worked.
If you only need to deploy some keys, maybe you can also use Powershell scripting, this one has the option “Run script in 64 bit PowerShell Host”.
Greetings
Thank you! Will give this a try
Hii All,
I get some error during creation of .Intunewin File “Entries more than 4Gb are not supported in update mode”
Please help me on the same.
Regrads
Kamal
May be this is a known issue or a feature. Did you raise a ticket to fix this or check with please
Please check if you are using the latest version of Intune Win32-Content-Prep-Tool.
Also noticed similar issue reported –
https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool/issues/6
I think you have an error in how the Packaging tool. You point to acrordr.exe instead of the full path for the installer application c:\software\adobe\acrordr.exe. According to the documentation and testing you need to put the full path to the installer. Also in the latest version of the pacakge intunewin file, when you go to extract it, you cannot access the installer files directly (I.E. cannot see what is packaged).
Hi Anoop/Vimal,
I have created a package using PowerShell Deployment Tool with some steps for Pre-Installation and Post-Installation. The Application is getting installed successfully, but the pre and post installations are not working. Can you please hep me on this?
Hi Anoop,
I am struggling with Visual Studio 2019 installation via Intune. I have tried to prepare offline installation files but when downloaded, they take cca 40 GB. I know there is a cap of 8 GB per package in Intune. If I run the vs_enterprise.exe –quiet, in Company portal it hangs in “Installing” status for a while, and then fails.
Thank you
Hello,
I am installing adobe reader using the prep tool. The endpoint downloads the bin file in incoming folder but fails after that. Its not moving to Staging folder, please advise
Thanks,
Have you checked the log file? as mentioned in the https://www.anoopcnair.com/intune-win32-app-troubleshooting/
Hello Anoop,
Can you provide the text content of your Install and Uninstall bat files?
Hello Andre – This is install/uninstall the basic commands.
Hi Anoop
Is it possible to package a BIOS update app to be deployed using InTune? It would be likely using a BIN file with Setup Information file.
I think you can deploy all the apps that you can deploy from SCCM using the Win32 app model or the InutneWin model.
I have WinEXE application in C#, .NET Framework 4.6
Whenever a user is trying to it deploy through Intune, a command prompt is shown.
The same exe works fine with other bulk deployment tools like SCCM.
How do I suppress all prompts or make complete silent installation through Intune?
I think you are mentioning a command prompt popup and it goes away quickly? What is the command line that you mentioned while creating Win32 app?
IntuneWinAppUtil.exe does not work on Windows 11! Typical Microsoft….
Well, I have tested this with Windows 11 build and it worked fine https://www.anoopcnair.com/intunewinapputil-exe-windows-11-compatibility/. Am I missing something here, sir?
Hi Anoop,
I am a beginner in intune, we have all windows 10 devices on prem AD joined managed by sccm. there is a requirement to manage some of these devices through intune as they are mostly off the network and require company resources and applications/email access. what is the best method to enroll and manage them through intune? is it mandatory to configure co-management to enroll the domain joined windows pc. can I just HAADJ and manually or auto enroll the devices? (irrespective of sccm client on them)
Hi Anoop,
We have ConnectWise Manage Client 64-bit imported as a Windows MSI line-of-business app and not Win32.
Now I have to automate removing and installing the new version of ConnectWise Manage Client Windows MSI line-of-business app.
Do you know if this is possible with .msi I can’t find any docs for it .
Regards
Tim
Hello,
I have been struggling with deploying applications within User context through Intune. I noticed you had mentioned this in your post above.
Limitations of Win32 App Deployment / Intune Management Extension
Now check the limits of Win32 App Deployment or Intune Management Extension.
User context app installation is not available.
Is User context app install limited? There is an option even in the screenshots you provided that show the option for Install behavior to be set to either System or User. Does this not control the context by which the application is installed? If I package the .msi as .intunewin, upload to Intune and deploy, even with an ALLUSERS=”” set, the application installs under C:\Program Files.