Deploy customized Win32 apps via Microsoft Intune

Last week Microsoft announced the ability to deploy Win32 apps via Microsoft Intune during Microsoft Ignite. That takes away one of the biggest challenges when looking at modern management and Microsoft Intune. I know that I’m not the first to blog about this subject, but I do think that this subject demands a spot on my blog. Besides that, I’ll show in this post that the configuration looks a lot like deploying apps via ConfigMgr. Not just from the perspective of the configuration options, but also from the perspective of the configuration challenges when the installation contains multiple files. In this post I’ll show the configuration steps, followed by the end-user experience, when deploying a customized Adobe Reader DC app (including the latest patch).

Pre-process Win32 app

The first step in deploying Win32 apps via Microsoft Intune is using the Microsoft Intune Win32 App Packaging Tool to pre-process Win32 apps. Wrap the Win32 app. The packaging tool wraps the application installation files into the .intunewin format. Also, the packaging tool detects the parameters required by Intune to determine the application installation state.  After using this tool on apps, it will be possible to upload and assign the apps in the Microsoft Intune console. The following six steps walk through wrapping the Adobe Reader DC app, including some customizations and the latest patch.

1 Download the Microsoft Intune Win32 App Packaging Tool. In my example C:\Temp;
2 Create a folder that contains the Adobe Reader DC installation files (including the latest MSP and the MST that contains the customizations). In my example C:\Temp\AdobeReader;
3 Create an installation file that contains the complete installation command and place that file in the directory with the installation files. In my example I created an Install.cmd in C:\Temp\AdobeReader that contains msiexec /i “%~dp0AcroRead.msi” TRANSFORMS=”%~dp0AcroRead.mst” /Update “%~dp0AcroRdrDCUpd1801120063.msp” /qn /L*v c:\InstallReader.log ;
MSI-Win32-Explorer
Note: This method is similar to an easy method in the ConfigMgr world to make sure that the installation process would look at the right location for the additional files.
4 Open a Command Prompt as Administrator and navigate to the location of IntuneWinAppUtil.exe. In my example that means cd \Temp;
5 Run IntuneWinAppUtil.exe and provide the following information, when requested

  • Please specify the source folder: C:\Temp\AdobeReader;
  • Please specify the setup file: AcroRead.msi;
  • Please specify the output folder: C:\Temp
MSI-IWAU-start
Note: Even though I will use a command file to trigger the installation, it’s important to specify the MSI as setup file. That will make sure that, during the configuration in Microsoft Intune, the information will be preconfigured based on the information of the MSI.
6 Once the wrapping is done. The message Done!!! will be shown. In my example a file named AcroRead.intunewin will be created in C:\Temp.
MSI-IWAU-end

Note: It’s possible to use something like 7-Zip to open the created AcroRead.intunewin file. Besides content, that file contains a Detection.xml file that shows the detected information of the installation file.

Configure Win32 app

Now let’s continue by looking at the actual configuration steps, within Microsoft Intune, to configure the Win32 app. The following 17 steps walk through all the steps to configure the Win32 app, by using the .intunewin file. After configuring the app, make sure to assign the app to a user group.

1 Open the Azure portal and navigate to Intune > Client apps > Apps to open the Client apps – Apps blade;
2 On the Client apps – Apps blade, click Add to open the Add app blade;
3 On the Add app blade, select Windows app (Win32) – preview to show the configuration options and select App package file to open the App package file blade.
4 MSI-Win32-AppPackageFileOn the App package file blade, select the created AcroRead.intunewin as App package file and click OK to return to the Add app blade;
5 Back on the Add app blade, select App information to open the App information blade;
6

MSI-Win32-AppInformationOn the App information blade, provide at least the following information and click OK to return to the Add app blade;

  • Name: Adobe Acrobat Reader DC is pre-provisioned as name of the app;
  • Description: Provide a description of the app;
  • Publisher: Provide the publisher of the app;

Note: The remaining information regarding the Information URL, the Privacy URL, the Developer, the Owner, the Notes and the Logo is optional.

7 Back on the Add app blade, select Program to open the Program blade;
8 MSI-Win32-ProgramOn the Program blade, change the Install command to “Install.cmd”, verify the Uninstall command and click OK to return to the Add app blade;
9 Back on the Add app blade, select Requirements to open the Requirements blade;
10

MSI-Win32-RequirementsOn the Requirements blade, provide at least the following information and click OK to return to the Add app blade;

  • Operating system architecture: Select the applicable platforms;
  • Minimum operating system: Select a minimum operating system version;
11 Back on the Add app blade, select Detection rules to open the Detection rules blade;
12 On the Detection rules blade, select Manually configure detection rules and click Add to open the Detection rule blade.
13 MSI-Win32-DetectionRuleOn the Detection rule blade, select MSI as Rule type, verify the pre-provisioned MSI product code and click OK to return to the Detection rules blade;
14 Back on the Detection rules blade, click OK to return to the Add app blade;
15 Back on the Add app blade, select Return codes to open the Return codes blade;
16 MSI-Win32-ReturnCodesOn the Return codes blade, verify the preconfigured return codes and click OK to return to the Add app blade;
17 Back on the Add app blade, click Add to actually add app.

Note: The Intune Management Extension will be used for installing the Win32 app. That also means that the process regarding detection, download and installation, of the Win32 app, can be followed in the IntuneManagementExtension.log file.

End-user experience

Let’s end this post by looking at the end-user experience. The user will receive a notification that changes are required, followed by a notification that a download is in progress, followed by a notification about a successful installation. All three stages are shown below. After the last message, the Start Screen shows the newly installed Adobe Reader DC app. Also, in this case, the Desktop doesn’t show the default desktop icon, which I removed using the customization file (MST).

MSI-AAR-Desktop

More information

For more information about the Microsoft Intune Win32 App Packaging Tool, please refer to the GitHub location here.

39 thoughts on “Deploy customized Win32 apps via Microsoft Intune”

  1. I was very happy when this was announced last week.
    When do you expect it is available in all tenant.

  2. Do you have any information about how to enable this preview feature on an Intune tenant?
    I for the love of me can’t find the option to turn on preview features or opt-in.

  3. Hi Peter i miss the limitations of the current win32 app deploy. Maybe worth to add them?
    No user context app installation
    No system context installation without user logged on
    No dependency support
    No supersedence

  4. Hi RKast,
    The idea of the post is really only about showing the possibilities and not really about pros and cons. Having said that, You’ve now posted some of the current limitations 🙂
    Regards, Peter

  5. Hej Peter, Very nice post indeed. I have tryed packaging JRE 8 ver. 181.exe with the tool and deployed it with intune. Works as a charm! Thanks for a very good post. : -)

  6. Yes good post and as with any first release (in preview as well) it will be limited. Looking forward to new revisions as this is an excellent start.

  7. Thank you Peter. What are those revisions?
    Other question, is there any documentation or best practice how to update an already deployed win32 app

  8. Hi Peter,

    In step #3 you reference MST and MSP files for your Install.cmd. Is the Intune Win32App Packaging tool actually wrapping those file into the .intunewin file? If so, is there a way to tell if they are being included? If not, are you including/referencing the MST and MSP files during the install?

  9. Thank you, that is what I took away from your article and the GitHub post. However, I do not think my install.cmd is working when wrapped in this manner. Running the script directly from the CMD either in or outside of the install.cmd file works fine. So I am not sure if I am missing a step. Here is the content of my install.cmd.

    msiexec.exe /i TeamViewer_Full.msi /qn importregfile=1 & TIMEOUT 30 & “C:\Program Files (x86)\TeamViewer\TeamViewer.exe” assign –api-token “APITOKEN” –group “TEST” –grant-easy-access –alias %COMPUTERNAME%

    Again, running this as is or complied inside the install.cmd from the command prompt work fine, just not when I try to deploy it from Intune via Win32. I do get the Intune Management Extension alerts but the app never installs.

    Please advise,
    Niles

  10. Hi Peter,

    Thank for getting back to me. I have since resolved this issue but was away over the weekend so I was not able to confirm. Are good friend Whitespace was to blame. 🙂

  11. Hi Peter,

    Win32 Apps do not appear to run elevated. I have a script that needs to import a reg file during installation and it fails to import. The behavior is the same (as expected) when I run in manually, “Access denied”, as the local user. However, the application does install successfully.

    Thoughts?

  12. Hi Peter,

    That option is greyed out? In your screenshot for this section, I noticed quotes around “install.cmd”. Is that required? If so, the option for System vs User is still greyed out.

    Please advise.

  13. Hi Peter, great article, thanks for taking the time.

    My MSI pulls info from a config file during installation. The config file doesn’t need to specified as part of the installation command, the MSI just requires that the config file is located in the same directory as the MSI at the time of installation.

    So for step 8 I will simply have “msiexec /i /qn” which works fine when installing via the command line (providing the .conf file is in the same directory as the MSI as mentioned above).

    Will the steps in this article still work for me? Will it include my .conf file in the intunewin file as part of the pre-processing step 5? I hoped to see it mentioned in either the output (pre-processing step 6 above) or in the .xml file output. Unfortunately I can’t see it mentioned in either.

    I would test this myself but I won’t get access to intune for several weeks and would really appreciation knowing sooner.

    Thank you in advance.

  14. Hi Peter,

    My file is also an MSI. The files contained in the folder are as follows,

    install.cmd
    teamviewer.msi
    teamviewer_settings.reg

    This is the command that I am running,

    IntuneWinAppUtil -c “C:\Temp\TeamViewer\Help Desk” -s TeamViewer_Full.msi -o “C:\Temp\TeamViewer\Temp\Help Desk” -q

    I just tried removing the *.reg file but no change on the “Install behavior” slider.

    Thoughts?

  15. Hi Peter,

    Adding the %~dp0 variable, if I did not right, did not make any changes.

    INSIDE INSTALL.CMD:
    msiexec.exe /i “%~dp0\TeamViewer_Full.msi” /qn importregfile=1

    or should it be set here,

    IntuneWinAppUtil:
    IntuneWinAppUtil -c “C:\Temp\TeamViewer\Help Desk” -s “%~dp0\TeamViewer_Full.msi” -o “C:\Temp\TeamViewer\Temp\Help Desk” -q

  16. Hi Peter,
    Some strange thing is happening or i just plain dont understand 🙂
    I create a folder Adobe with all files in it, the setup and the cmd script etc.
    When i run IntuneWinAppUtil and enter the source folder, setup msi file and output the intunewin file get’s created OK.
    When i open the intunewin file with 7zip and look into the Content folder i only see the Adobe MSI file but the CMD file and rest are missing, is this expected behaviour ?

  17. Hi Peter,

    I’ve been able to successfully package and deploy various applications. Although recently I have found that for a particular office the applications have not consistently deployed. I suspect that it might be connectivity to some Intune endpoints.

    What would you recommend to check? I’ve seen the Microsoft Connectivity Analyzer tool, would that help?

    Cheers

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.