Understand application deployment options in Microsoft Intune
Microsoft Intune provides multiple ways to deploy applications to your managed devices. The specific options available depend on the application type, how you want to assign it and what level of control you need over the installation and update process. Understanding these deployment options helps you select the right approach for each application and audience.
What are application deployment options?
Application deployment options in Intune refer to the different methods and configurations available when distributing apps to devices. These options encompass the types of applications you can manage, how you assign them to users and devices and how Intune handles installation, updates and removal.
When you deploy an app in Intune, you're making several decisions: which app type to use (Win32, Windows Package Manager, Microsoft Store, Microsoft 365, or line-of-business), how to assign it (required, Available for enrolled devices, or uninstall), who receives it (users or devices), and how to target that audience (Entra ID groups or dynamic filters). Each choice affects how the app installs, when updates occur, and how users interact with the deployment.
Why deployment options matter
The deployment options you choose directly impact user experience and your IT team's management burden. With required assignments, Intune automatically installs the app and keeps it installed, ensuring all devices have critical software. With available assignments, users can choose to install apps from the Company Portal, giving them flexibility while you maintain control over approved software. This flexibility reduces support calls and allows users to install apps they need for their work.
Different app types offer different capabilities. Win32 applications give you granular control over installation with detection rules and return codes, making them ideal for complex enterprise software. Windows Package Manager apps use the WinGet client to install common apps from the Windows Package Manager catalog without requiring a custom .intunewin package. Microsoft Store apps integrate directly with the Store, handling updates automatically. Microsoft 365 apps are optimized for Office deployments with built-in update controls. Understanding these differences helps you eliminate manual installations and ensure compliance with your security and update policies.
Application types and deployment capabilities
Intune supports several application types, each with distinct deployment characteristics:
| Application Type | Deployment Method | Update Behavior | Installation Control |
|---|---|---|---|
| Win32 apps | .intunewin packaging | Controlled by admin | High (detection rules, return codes) |
| Microsoft Store apps | Direct Store integration | Automatic or scheduled | Medium (Store-based controls) |
| Microsoft 365 apps | Click-to-Run or dedicated deployment | Managed by Office update service | Medium (channel-based) |
| Windows Package Manager (WinGet) | Direct download and install via Winget | Automatic | Medium (like Store-based) |
| Line-of-business apps | MSI or Platform-specific packaging | Limited, often manual | Low to medium |
| Web link | Browser-based URL | N/A (links to web app) | Low (no installation) |
Use Windows Package Manager apps when the software already exists in the WinGet catalog. This option works well for common apps such as browsers, runtimes, and developer tools because you can search the catalog in the Intune admin center and assign the app without creating a .intunewin package. Use traditional Win32 packaging when the app is custom, proprietary, unavailable in the catalog, or requires precise detection rules, dependencies, return code handling, or installation logic. Microsoft Store apps and WinGet apps both use WinGet infrastructure, but they use different sources: Store apps source from the Microsoft Store catalog, while WinGet apps source from the broader Windows Package Manager community repository. Unit 4 covers Microsoft Store app deployment in detail; WinGet apps follow a similar add-and-assign workflow in the Intune admin center.
Win32 apps are packaged using Intune's packaging tool (.intunewin format) and give you the most control. You define detection rules to verify whether an app is installed, set return codes to determine success and configure dependencies on other software. This level of control makes Win32 the preferred option for complex enterprise applications.
Windows Package Manager, Microsoft Store, and Microsoft 365 apps integrate with Microsoft-managed app services. WinGet apps install through the WinGet client from the Windows Package Manager catalog. Store apps pull from the Microsoft Store catalog and handle updates automatically. Microsoft 365 apps use Click-to-Run technology and respect administrator-configured update channels, allowing you to stage deployments and test updates before rolling them to all devices.
Assignment types and installation behavior
How you assign an app determines what happens on the device when the assignment is processed. Intune provides three assignment types, each with different installation behavior:
Required assignments make apps mandatory. When a device receives a required assignment, Intune automatically installs the application and keeps it installed. Users cannot uninstall required apps without administrator intervention. This ensures critical applications like antimalware or security patches are always present. The system attempts installation on first check-in and if installation fails, Intune continues to retry regularly.
Available for enrolled devices assignments make apps optional. Apps with available assignments appear in the Company Portal and users can choose to install them. This option is ideal for productivity tools, optional utilities, or department-specific software. Users control whether to install and when, reducing friction while maintaining your approved app catalog. Intune doesn't force installation with available uninstallation.
Uninstall assignments remove apps from devices. When you assign an app with the intent to uninstall, Intune removes that application during the next device sync. This is useful for retiring old software or removing apps from temporary group assignments.
Targeting your deployments
After you choose an assignment type, you specify who receives the application. Intune offers flexible targeting using Entra ID groups and dynamic filters:
Entra ID group assignments are the primary targeting method. You assign apps to security groups or dynamic groups. When you add a user or device to a group, they automatically receive any apps assigned to that group. For example, you might assign Microsoft 365 apps to an "All Employees" group and a specialized engineering tool to an "Engineering Team" group.
Dynamic filters refine targeting beyond group membership. Filters evaluate device properties like operating system version, device manufacturer, or compliance status. You can use filters to target devices running Windows 11 or exclude devices not meeting your standards. This approach reduces the number of groups you must create and maintain.
Installation context further controls how apps behave. Apps can install in the user context, making them available only to that specific user or in the system context, making them available to all users on the device. System context installation is common for enterprise applications, while user context is typical for Microsoft Store apps and user-specific tools.
Win32 app deployment specifics
Win32 applications require additional configuration that other app types don't need. When you deploy a Win32 app, you package it using Intune's Win32 Content Prep Tool, which creates a .intunewin file containing your installer and all needed files.
Detection rules are critical for Win32 deployments. They tell Intune whether an app is installed so Intune can determine if installation was successful. You can create detection rules based on file existence or version, registry keys, or custom scripts. For example, you might detect whether your enterprise accounting software is installed by checking for a specific version of a DLL file in the Program Files directory.
Dependencies and supersedence control how Win32 apps relate to each other. If App B requires App A, you configure App A as a dependency. Intune installs dependencies first. Supersedence models are useful when deploying newer versions of software. You configure the new version to supersede the old one and Intune removes the old version and installs the new one.
Application updates and monitoring
Update behavior varies by app type and deployment method. Microsoft Store apps update automatically, Windows Package Manager apps update through WinGet, and Microsoft 365 apps update based on the update channel you configure. Win32 app updates require new deployments. You upload a new package with a higher version number and Intune replaces the older version on devices by using the supersedence settings.
After you deploy an app, monitoring shows installation status across your device population. In the Intune admin center, you can see how many devices received the app, how many installed it successfully, and which devices encountered errors. This monitoring gives you visibility into deployment success and helps you identify devices that need attention or users who need support.
Putting it together: A deployment scenario
Imagine Contoso needs to deploy their internal expense reporting application to their sales team. The application runs on Windows 10 and later, requires a specific .NET framework and must be installed in the system context so all users can access it.
The IT team packages the expense app as a Win32 application, creates a detection rule checking for the app's registry key and adds the .NET framework as a dependency. They create a dynamic Entra ID group called "Sales Team," which automatically includes users in the sales department whose devices run Windows 10 or later.
They assign the expense app as required to this group, set the installation context to system. Users receive the app within hours. The system automatically installs the .NET dependency first, then the expense app, and Intune ensures all devices in the group keep the app installed. The IT team monitors deployment status in Intune and can quickly see if any devices in the sales group failed installation.