These are my notes from learning how Microsoft Intune installs software through the Company Portal. I didn’t have access to a lab environment, so I wasn’t able to look into detection rules, but maybe one day I’ll revisit this.
Last updated October 2nd, 2025
Application packaging
Source (Microsoft.com) | Source (Archive.org)
Microsoft Win32 Content Prep Tool is used to create Intune-compatible packages. Packaged files are compressed and encrypted with AES-256 (CBC) and integrity is kept via HMAC-SHA256.
| Parameter | Description | Notes |
|---|---|---|
| -c | Target an entire directory | |
| -s | Target a single file | |
| -o | intunewin output directory | |
| -a | Catalog output directory | Catalog refers to a collection of file hashes |
| -q | Quiet / silent mode | For packaging, unrelated to silent installation |
| Really quiet / silent mode | -q but no warnings or error prompts in console | |
For example, the following command will package all files within the C:\app folder (-c) and specifies the setup.ps1 to be executed after being unpacked (-s). The output intunewin file will be placed in the C:\app\output directory (-o), and nothing will be output to the console unless there is an error or warning (-q). |
IntuneWinAppUtil -c C:\app -s C:\app\setup.ps1 -o C:\app\output -qThe IntuneWinAppUtil can also point to a Batch script. In most cases, however, an MSI file will be used for silent installation. GUI installers will not work with Intune if they do not have silent installation parameters.
A basic installation script is as follows:
powershell -ExecutionPolicy Bypass -File .\setup.ps1or,
msiexec /i setup.msi /quiet /norestartDetection rules are configured within Intune to determine if the application installed successfully. It usually checks if a specific file, directory, or registry key exists.
Application installation
After clicking “install” in the Company Portal, all files will be managed under the C:\Program Files (x86)\Microsoft Intune Management Extension directory.
Source (Microsoft.com) | Source (Archive.org)
If the application has a silent-install capable MSI, the following will occur:
- PowerShell script and several config files populate into
\DetectionScripts - The
intunewinfile is downloaded to\Incomingwith a.binextension - The Company Portal will likely not notify the user that the installation completed
If the application does not have a silent installation process, the following will occur:
- PowerShell script and several config files populate into
\DetectionScripts - The
intunewinfile is downloaded to\Incomingwith a.binextension- The file will be named after the GUID of the
intunewin, which is generated by Intune
- The file will be named after the GUID of the
- A directory will be created in
\Stagingwith the same name as theintunewinfile - The target file will be executed (ex. a PowerShell script or MSI file)
- The Company Portal will send a Windows notification stating the application finished installing
- The
\Incoming,\Staging, and any other temporary directories are cleaned up
Additional Details
-
The service responsible for
intunewininstallations:Microsoft.Management.Services.IntuneWindowsAgent.exe
-
intunewinfiles can be easily unpacked: -
Directories of interest:
- C:\Windows\Microsoft Intune Management Extension
- C:\Windows\IMECache
Sources
Prepare Win32 app content for upload https://learn.microsoft.com/en-us/intune/intune-service/apps/apps-win32-prepare
Support Tip - Understanding the flow behind deployment, delivery, and processing of a Win32 application through Intune https://learn.microsoft.com/en-us/troubleshoot/mem/intune/app-management/develop-deliver-working-win32-app-via-intune
Microsoft Win32 Content Prep Tool https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool
IntuneWinAppUtilDecoder by Oliver Kieselbach https://github.com/okieselbach/Intune/tree/master/IntuneWinAppUtilDecoder