Create and publish Windows apps to your Intune endpoints
See Github to download, for a list of pre-packaged apps, and for details: https://github.com/ITAutomator/IntuneApp
Overview
Use this to easily publish an application to Intune.
Features
Apps are packaged in portable folders designed for
- One-time installs (e.g. via \Downloads folder)
- Bulk installs (by copying many App folders and launching a single installer)
- Intune installs (using the native Intune system and endpoint agent service)
Apps are added to the Company Portal so people can self-install without admin rights.
Apps can be made mandatory or optional but always controlled by Group membership.
Apps can be created easily using
- Both Winget or Chocolatey catalogs
- MSI installers
- Custom .ps1 scripts
Quick Start
Download IntuneApps
Go here and click Code (the green button) > Download Zip
Extract Zip into C:\IntuneAppMain (or anywhere)
Test a pre-packaged installer
This will test a package on your machine.
Open C:\IntuneAppMain \7zip
Double click intune_command.cmd
Choose (D)etect – Look for the last line of info – it should say whether you already have 7zip.
Choose (I)nstall – This will install 7zip
Note: (D)etect, (R)equirements, (I)nstall, (U)ninstall are the four core Intune actions for Windows packages. Here, you are able to run them manually to see what Intune does behind the scenes.
Test installing a few apps at once
Open C:\IntuneAppMain and run AppsMenu_Launcher.cmd
Choose (I)nstall apps
On the list of apps that pops up, ctrl – click (select) one or more apps.
Choose (I)nstall
The installers should run for all the apps
Publish Prep
This will prep your org for publishing
Choose (P) to begin publishing
Choose (O) Prep a new Org for publishing apps
Enter your org’s primary domain name.
Modules: There are modules that need to be on the publishing machine: Microsoft.Graph and IntuneWin32App
These will be checked during the process, but you may need to install these before proceeding.
Follow the prompts to install the publishing app in Entra.
Publish Apps
This will publish / update apps to your org
Choose (P) to begin publishing
Choose your org from the list of prepped orgs (see above)
On the list of apps that pops up, ctrl – click (select) one or more apps.
After publishing the apps, look in Intune for the Apps themselves.
Look in Entra for assignment groups starting with IntuneApp
Push (Assign) Apps to Users
This will push apps to endpoint machines
Published apps are assigned by Entra Groups.
IntuneApp Windows Users
This group is where mandatory apps get published. Put all your Windows users in this group. It can be dynamic.
IntuneApp Windows Users Excluded
This group excludes people from any publishing
IntuneApp [Appname]
Each app will have a group where you can add people that are supposed to get the app.
Manually install an App for a User
This is how you can manually install an app (as a user).
Published apps are available to users in the Company Portal app and can be installed from there (no admin rights are required).
Check the C:\IntuneApps folder on the endpoint for logging etc.
Admins looking to manually install can copy the individual app folders to the endpoint and run intune_command.cmd (see above).
Main Menu
Run [Apps]\Packaged\AppsMenu_Launcher.cmd to load the main menu.
Do not run as admin.
List / Create Apps (L)
CreateApp.ps1
Shows the current packaged apps.
Creates an app package (if it exists in winget)
App creation is beyond the scope of this document.
However, WinGet apps are fairly easy to create if you follow the prompts.
Each app’s settings are controlled by a .CSV file within the app folder.
Install / Uninstall apps (I)
AppsInstall.ps1
install app on the current machine.
Do not run as local administrator, it will be take care of during the installation.
The AppGroup entries are based on a .CSV which bundles apps together for convenience.
Copy apps (to a USB key) (C)
AppsCopy.ps1
Copies apps to a portable folder for later install.
Publish / Unpublish apps (P)
AppsPublish.ps1
To publish your apps to an org. Do not run as local administrator.
Check local apps prior to publication (C)
This makes sure the hash values for the current apps (in the local folder) are up to date. The hashes are important because they are checked against the online hash to see if any package changes have been made.
- The check process is run automatically prior to publishing
- Unmatched hashes will signal that an update is required.
Publish apps (P)
Use this to select an org and publish apps.
- Publishing means uploading packaged apps to Intune.
- Depending on Group memberships, this might also mean the immediate push of the apps to client devices.
- Prior to publishing
- Make sure you use the Prep option (O) menu below
- Powershell Modules. To publish from a particular machine, you must install the required modules. Use the Install module (M) menu first.
- Admin Credentials
- When publishing, you will need enter admin credentials to Endpoint Manager.
- If your org specifies a target group to publish, you will need to enter AZad admin credentials also.
- successive runs will not ask for creds.
- When ready, choose the apps to publish from the list. The list will show which apps already exist in the org and whether an update is needed.
- Groups
- Each published app will auto-create an Entra group which is tied to the app.
- Each published app may also be a member of the general Entra group for Windows users (depending on the PublishToOrgGroup setting within the app CSV).
- The Entra group memberships controls who gets the app
Prep a new Org for publishing apps (O)
Creates an entry in AppsPublish_Orgs.csv
- Creates the 2 groups mentioned in the Org Setup steps (above)
- Creates the IntuneApp Publisher Entra App
Install / upgrade modules (M)
AppModules.ps1
This will make sure your machine has up to date module versions installed.
- If in doubt, it is best to use the Check feature to make sure each module is up to date.
- While modules can be installed as the user (non admin), it’s better to install them as admin so they all users of the machine will see the correct version.
- The basic steps are
- Check (as user) – it will let you know if there’s a user-level or an admin-level module installed.
- If update is required: Press R – Relaunch as Admin then U – Uninstall then I – Install
- Do this for each module. But Intune publishing only needs IntuneWin32App and Microsoft.Graph modules.
Other Intune Apps (Non IntuneApp Apps)
This section covers apps that would not be installed with the IntuneApp system.
These apps are easily (and better) installed natively by Intune.
They are mentioned here because they are commonly needed.
Microsoft Store App: Company Portal
Overview
Company Portal is a Windows app that
- Shows users all available apps and what has been installed
- Allows users to install apps at a time convenient to them
- Allows the installation to happen in system context or user context (as packaged) without the user needing admin rights.
Here’s how to add the company portal app to everyone.
Steps
Go to the Windows App List link
Add > Microsoft Store app (new) > Select
Search for Company Portal (UWP)
Leave all defaults
Upload icon (logo) from here: CompanyPortalIcon.png link or from the store link
Assign to: Required > Add All users
Microsoft 365 Apps (MS Office)
Overview
Outlook, Excel, Word, PowerPoint, Teams, etc do not require packaging. There is a built-in Endpoint Manager App for Microsoft 365 Apps
Steps
Intune Admin > Apps > Windows (link)
> Add > Microsoft 365 Apps > Windows 10 and later
Choose all defaults except:
Company Portal featured app: Yes > Next
Default file format: Office Open XML Format (.docx/.xlsx/.pptx)
Update Channel: Monthly Enterprise
Shared Computer Activation: No
(Yes means it won’t count against your 5, but it will require more frequent check-ins via password)
Install background service for Microsoft Search in Bing: No
(Yes means it installs a background service that helps determine whether a Microsoft Search in Bing extension for Google Chrome is installed on the device)
Languages: EN-US
> Next
Install as Required: for all Users (Note: this is safe to do) (or same user groups as above)
Technical Details
Log Files
Look in C:\IntuneApp for debug files
Look in \Utils for tools
Internal dependencies
This script publishes a Win32 App (intunewin) link
Uses Microsoft Graph modules (and others) that are auto loaded at runtime
This script auto-loads this github module (IntuneWin32App link) by NickolajA
Which auto-loads this Microsoft module (Microsoft Win32 Content Prep Tool link)
Intune Tracing
CMTrace.exe
Use the Configuration Manager Trace Log Tool to view log files.
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs
AgentExecutor.log
IntuneManagementExtension.log
IntuneApp files
| Package File | Description | Notes |
| intune_settings.csv | App Name and version | Later versions will automatically supersede (uninstall) prior versions |
| intune_install.ps1 | Silent installation script | 0,1707=Success 3010=Soft Reboot 1641=Hard Reboot 1618=Retry |
| intune_uninstall.ps1 | Silent uninstall script | |
| intune_requirements.ps1 | Reports if your app applies to this user/system. Apps that fail the requirement rule will display as Device Status: Not Applicable in Endpoint Manager (and will not be installed) | Script must output string “OK” for requirements to pass. Run this script using the logged on credentials: Yes, No Look for this integer eq 0 See link. No access to other package files. Must be a standalone script. |
| intune_detection.ps1 | Detects if your app is installed. Only Apps that are ‘not detected’ will be installed. Will run as the machine or User depending on the package type. | When the script exit code is 0 and STDOUT contains any data, the app is detected. See link No access to other package files. Must be a standalone script. |
| intune_icon.png | Icon that’s displayed in Endpoint Manager and Company Portal |
[end of post]