Zehadi Alam
Introduction
Microsoft Intune offers powerful features for deploying and managing applications across Windows devices. To deploy non-Microsoft-Store Windows applications, an Intune app package must first be created. This is accomplished by using the Microsoft Win32 Content Prep Tool, which is a command-line utility available on Microsoft's GitHub repository at https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool. The tool is used to wrap application installation files into the .intunewin file format. After the application has been processed with this tool, administrators can upload and deploy the application from Intune.
Tip: Administrators who seek a more thorough understanding of the backend procedures involved in Intune Win32 app deployment are encouraged to refer to the following Microsoft documentation: https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/develop-deliver-working-win32-app-via-intune
Tip: Ensure that you consistently utilize the most up-to-date version of the Win32 Content Prep Tool. It is advisable to regularly monitor Microsoft's GitHub repository for updates to the tool.
Packaging the app for uploading to Intune
We will demonstrate the process of deploying the application CrystalDiskInfo through Intune.
1. Obtain the latest installer for CrystalDiskInfo
2. Place the installer into a folder. This step is required for the Content Prep Tool to work. The folder name can be anything, but avoid using special characters.
3. Download the Microsoft Win32 Content Prep Tool from GitHub, extract the contents, and navigate to the folder containing the IntuneWinAppUtil.exe file. Right-click on the file and select Copy as path.
4. Open a command prompt windows (either standard or administrative), Ctrl+V the clipboard contents, and press Enter.
5. Specify the source folder, setup file, and output folder when prompted. Use the Copy as path context menu for each component to retrieve the paths without any potential errors. Specify N for the question Do you want to specify catalog folder (Y/N)?
If all steps have been executed accurately, the following status will be indicated within the command prompt window and the .intunewin file will be generated in the designated output directory.
Uploading the app to Intune
6. Navigate to Apps Windows
7. Select Add
8. Select Windows app (Win32) for the App type
Tip: It is recommended to always select the Win32 app type option, even for MSI-based installers that can be deployed as line-of-business (LOB) apps. According to Microsoft, "Win32 apps offer more control within Intune than a Windows LOB app.": https://learn.microsoft.com/en-us/microsoft-365/solutions/apps-type-lob?view=o365-worldwide. Additionally, using a combination of Win32 and LOB apps can lead to complications in Autopilot deployments. As Microsoft says, "Both LOB (MSI) and Win32 installers use TrustedInstaller, which doesn't allow simultaneous installations.": https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-status
9. Click the Select app package file option and upload the .intunewin file
App information
10. Fill in app details. Although the Name text field can be edited directly, editing the description requires selecting the Edit Description link. An entry for the publisher is also required. The remaining fields are optional, but can be useful to fill in, especially if the app will be made available in the Company Portal.
App Installation details
11. Fill in installation options
Install command: The executable name is the first part of the install command followed by additional command line switches to achieve the desired result (e.g. silent installation)
To achieve automated and silent installs, additional flags must be provided. This must be independently determined based on the specific software. The following are some strategies for determining this information:
Example: The install command for CrystalDiskInfo is
CrystalDiskInfo9_2_1.exe /VERYSILENT /NORESTART /MERGETASKS=!desktopicon64
Note: /MERGETASKS=!desktopicon64 prevents the creation of a desktop icon.
Tip: To determine if this option is applicable to an executable installer, carry out a manual install of the program. If the installation wizard presents the option to include or exclude a desktop icon, then the command-line switch may be accepted.
Uninstall command: Most software programs are equipped with uninstallers that can be found in the Program Files or Program Files (x86) directory. The uninstaller can be called directly in the uninstall command (specify the full path), followed by command line switches for a silent uninstall.
Example: The uninstall command for CrystalDiskInfo is
C:\Program Files\CrystalDiskInfo\unins000.exe /VERYSILENT /NORESTART
Install behavior: The installation can be performed in either system or user context. When the system account is utilized for software installation, the program will be installed regardless of whether an administrator is logged in or not. This option is generally best for most programs. However, in certain instances, it may be necessary to specify a user-based installation (e.g., if the nature of an application is such that it installs to a user's AppData folder.). Performing a manual installation of the program and making note of the process is usually the best way to determine these details.
Device restart behavior: The setting for device restart behavior determines what will occur after the program has successfully installed. To ensure a smooth experience for end-users, it is advisable to set this option to No specific option.
Return codes: Unless there is a specific reason to modify the return codes, it is advisable to leave them as they are presented.
App requirements
12. Fill in app requirements
The app requirements section provides a granular level of control for specifying the prerequisites that must be met for the installation of an app on a target device. These must be independently determined based on program requirements. In most situations, configuring only the operating system architecture and the minimum operating system version is adequate. If the native options do not meet your needs, you can also choose to specify a custom script to enforce additional requirements. The way to accomplish this is covered in the following article: Advanced Windows Software Deployment Strategies
Detection rules
13. Configure detection rules
Detection rules serve as conditions that indicate whether an app is installed. If Intune reports an app installation failure, but you confirm that the app is installed, it is likely that the detection rule is misconfigured. Intune offers the option of manually configuring detection rules or using a custom detection script. The former will be covered here and the latter is covered in a dedicated article.
For our CrystalDiskInfo example, we will select Manually configure detection rules and click on the +Add option. This will provide the following rule types for app detection:
MSI - This rule type can be used if the installer is a .msi file. It will use the MSI product code as the detection rule. This will be populated automatically.
File - The rule type checks various properties of a file that is specified (e.g., the existence of the file, its size, version number, etc.).
Registry - This rule type checks various properties of a registry value that is specified (e.g., the existence of the value or the content of the value).
Tip: It is advisable to prefer the file or registry rule types even for MSI-based installers. In certain cases, the MSI product code may differ for newer versions of the software. This will cause Intune to mistakenly identify the software as "not installed", prompting the installation of the older version on Intune and downgrading the software.
For our example, we will select File and specify the following:
Path: C:\Program Files\CrystalDiskInfo
File or folder: DiskInfo64.exe
Detection method: File or folder exists
Associated with a 32-bit app on 64-bit clients: No
Tip: It is advisable to specify a file instead of a folder when identifying a program. This is because uninstallers do not completely remove all traces of a program, sometimes resulting in the program's folder being left in Program Files. In such cases, if the detection rule relies on the existence of this folder, Intune may inaccurately report the program's installation status. A file that corresponds to the program itself will almost certainly be removed during program's uninstallation.
In certain cases, alternative detection methods may be more suitable for a program. For instance, utilizing the String (version) option enables you to determine the presence of a program based on its version number. This can be advantageous in scenarios where it is not just the presence of the app that needs to be enforced, but specifically if it meets a certain version requirement.
After creating a detection rule, you have the option to create additional rules by selecting the +Add option. This will ensure that all of the rules must be met in order to consider an app as installed.
Dependencies
(Optional) Add dependencies
Intune provides the ability to add software dependencies for programs that require them during the installation process. In the majority of cases, no additional dependencies will be needed. However, in cases where they are necessary, the dependencies you include will be installed prior to the program. The dependency must be uploaded as a separate app using the procedures outlined in this article.
As an example, the program ArcGIS Pro requires the installation of .NET Desktop Runtime, so it is included as a dependency for that program.
Supersedence
(Optional) Configure supersedence
The Supersedence section of the deployment wizard allows you to add an application that will either update or replace another application. To do so, the application must already be uploaded to Intune. For instance, if you wish to deploy a newer version of Dell Command Update, you can include the older version in the supersedence section. It is generally recommended to choose Yes for the Uninstall previous version option, as overwriting an existing installation with a newer version may not always be reliable.
An instance where you may consider replacing a program is when transitioning to an alternative antivirus program or backup solution. In such cases, you have the option to add your previous antivirus or backup program, enabling the new application to automatically uninstall them and take their place.
Tip: Utilizing supersedence as a method of updating applications may not be ideal, as it will result in multiple versions of the program being uploaded to Intune, which could create a cluttered appearance.
Scope Tags
Add any scope tags as needed. One of the scope tags you have permission to use will already be included.
Assignments
Assign the application to device or user groups. If assigned to user groups, the application will be installed on all devices where the user is listed as the primary user of the device. The listing of the primary user may not always be accurate, so it can be more reliable to target device groups.
The application can be deployed as a required or available application. If deployed as the former, the app will be installed automatically on all targeted devices. If deployed as the latter, the app will be shown in the Company Portal app, allowing users to decide whether or not to install it.
The assignments section also provides the ability to specify groups for which the application should be uninstalled. When utilizing this feature, verify the accuracy of the uninstall command provided earlier in the deployment wizard, as it will be used to execute the uninstallation process.
Additional assignment options can be specified as follows. For a smooth end-user experience, it is recommended to hide toast notifications for required apps. The remaining settings must be determined on a case-by-case basis.
Review and create
Carefully review the app deployment details before finalizing its creation.