Since Microsoft released support for Win32 application deployment using Intune back in March 2019, Intune has been able to deploy any application. Although there is the option of using line-of-business (LOB) applications, the Win32 deployment method offers more granular control over application deployment.
Let’s delve into what you can do with the Win32 deployment method.
What is a Win32 App?
It’s much easier to define what a Win32 app isn’t. Win32 apps form the majority of applications you use on Windows. They are all apps that are not Metro apps/UWP apps.
The Win32 deployment method on Intune supports wrapping an EXE or any other file into an INTUNEWIN file.
Win32 Applications contain:
1. A folder containing any installation binaries/scripts.
2. A install command set in the MEM portal which triggers a script or directly triggers an installation binary.
Note how you can trigger scripts and include any files you want in an INTUNEWIN file. This means that you can use the Win32 application deployment method to run almost anything! You can run standalone PowerShell scripts, run complex installation methods that uninstall an application before installing another app, install missing dependencies before installing… the possibilities are endless and only limited by your PowerShell abilities.
Creating a Win32 App
If you’re new to installing applications via CLI, the process below might look daunting. But don’t be scared away – go through the process step by step and you’ll be comfortable in no time.
Prepare the Installation Command
This guide assumes that you have basic knowledge of how installers function via CLI.
A bit of trial and error is required – there’s no other way, especially if the file is an EXE and it is undocumented.
You need to find a silent install command which installs the program unattended. Examples of install commands are:
msiexec.exe /i ".RingCentral-installer.msi" ALLUSERS=1 /quiet /q
.HFLS.exe /VERYSILENT /SP- /NORESTART
Start by launching the installer file with a /? or /help flag.
Almost all MSI files have /qn for unattended install.
Some EXE files are MSI files inside and act like MSI files, for these you can use /qn.
For popular applications, check the “Files” section on the application’s Chocolatey page. Someone else has done the hard work to find the correct flags so you don’t have to reinvent the wheel.
Convert Install files to INTUNEWIN format
Once you have the install command, you need to “wrap” the install files into an INTUNEWIN file.
Create a folder called <Application Name> e.g. RingCentral and put the install file within it.
Download the Win32-Content-Prep-Tool and Unzip.
Open a terminal by pressing Shift + Right click in the Prep tool folder above. (Does not require admin rights!! Bad practice to always use admin elevation when not required )
3. Run IntuneWinAppUtil.exe
4. Specify <Application Name> folder as the “Source Folder”
5. Specify the name fo the Setup File within the Source Folder.
6. Specify the output folder. This will create an INTUNEWIN app in that folder with the name of the Setup File. It cannot be the source folder.
7. Answer no to catalog folder
8. You shoudl see a .INTUNEWIN file in the output folder.
Uploading the Application to Intune
On the Endpoint Manager Portal go to Apps > Windows
Add > Windows App (Win32) > Select
Upload the Intunewin file you created
Enter a Publisher at the bare minimum. You can fill out other details as required.
MSI files auto-fill the Install and Uninstall commands. Otherwise, you need to use the install and uninstall commands you discovered before.
Default settings for other parts should be mostly fine.
In the Requirements tab select 64 bit and 1809 as the minimum system architecture.
This is what Intune checks to see if an application is installed. The best detection rules check for registry keys and MSI product codes.
An decent alternative is to detect a file or folder created by the install. In this case, with an MSI this is pre-filled.
Skip past dependencies for now.
There are 3 groups here:
Required: Application is automatically installed on devices.
Available for Enrolled devices: Application is available for download, but not necessarily automatically installed.
Uninstall: Application is uninstalled from the assigned groups.
Note: You need to understand the difference between user and device object targeting.
Once you’ve assigned which users/devices the app should be deployed to, complete the upload.