Deploy Win32 apps using Microsoft Intune
Win32 applications are traditional enterprise software designed for Windows computers. These apps like Microsoft Office or custom line-of-business applications require a different deployment approach in Microsoft Intune compared to Store apps or web-based applications. Understanding how to package, configure and deploy Win32 apps ensures your organization can manage legacy and modern software alongside newer application types.
Understand Win32 application packaging
Win32 apps use executable installers (.exe or .msi files) that require specific installation sequences and system compatibility checks. Unlike Store-based applications that install predictably, Win32 apps can have complex dependencies, custom installation parameters and various system requirements.
Intune doesn't directly process standard .exe or .msi files. Instead, you use the Intune Win32 Content Prep Tool to package your Win32 application into an .intunewin package. This packaging process compresses your installer and creates a deployment-ready file that Intune can manage.
The Win32 Content Prep Tool converts your installer files into a format that Intune can deliver reliably. You specify the installer filename, setup script and other configuration details. The tool validates your package to ensure it meets Intune requirements before you deploy it.
Package Win32 applications
To prepare a Win32 application for Intune deployment, you'll use the Win32 Content Prep Tool to create your .intunewin package. This tool is available as a standalone utility that you download directly from GitHub.
Note
Start by gathering your installer files and documentation. You need the main installer executable or .msi file and any supporting files your installer requires. Organize these files in a dedicated folder on your computer.
Run the Win32 Content Prep Tool and specify the source folder containing your installer. The tool asks for the installer filename. For example, setup.exe or application.msi. Enter any command-line parameters that your installer requires, such as silent install switches or configuration options.
Once processing completes, the tool creates an .intunewin file in your specified output folder. This file you will need in the process of create the App in Intune.
Configure installation and detection settings
When you add your packaged Win32 app to Intune, you configure how the app installs and how Intune detects whether installation succeeded.
For installation context, specify whether the app requires system context or user context installation. System context apps install in the context of the system with all the rights. User context apps install in the user's context within the rights of the user but enforced by the system.
Enter your install and uninstall command lines. Most installers support /S or /quiet switches for silent installation without user prompts. For uninstall, use the command line that removes the app cleanly without requiring user interaction. Test these command lines in your environment before deploying to production.
Configure detection rules so Intune can verify whether installation succeeded on each device. Detection rules check for evidence that your app is installed without relying solely on the return code from the installer.
Use requirement rules to control which devices are eligible to install the app. Architecture is one supported requirement condition, so you can target Win32 apps to x64, x86 or ARM64 devices. For organizations with ARM64 devices, such as Copilot+ PCs or ARM-based Surface models, package the app for the correct architecture when a native installer is available. If you use an x64 package on ARM64 devices, test the app through x64 emulation before broad deployment. Devices that don't meet the selected architecture requirement show the app as not applicable instead of attempting an incompatible installation.
You can create detection rules based on file presence/version, registry entries or MSI product codes. A file detection rule checks for a specific file in a known location, like C:\Program Files\YourApp\Application.exe. A registry detection rule checks for a registry key or value that your app creates during installation. For MSI-based installs, an MSI product code detection rule checks for the specific MSI product code, which is the most reliable method for MSI-packaged applications.
Define return codes and handle restart scenarios
Return codes tell Intune whether an installation attempt succeeded, partially succeeded or failed. By default, Intune interprets a return code of 0 as success and any other code as failure. However, many applications return specific codes with meaning.
Configure custom return codes to match your installer's behavior. You can designate codes as successful installs, soft failures (installation completed but requires restart) or hard failures (installation failed completely). If your installer returns 3010 to indicate successful installation with a required restart, configure that code as a soft failure so Intune attempts no further action on that device.
When your app requires a device restart to complete installation, configure Intune to handle the restart appropriately. For soft failures, Intune marks the installation as successful and the device schedules a restart. This approach prevents repeated installation attempts and respects the device user's work schedule.
Set up dependencies and supersedence
Many Win32 apps depend on other software being present first. You can configure app dependencies to ensure prerequisites install before your target application.
For example, if your Win32 app requires the .NET Framework, add the .NET installer as a dependency. Intune then installs the dependency on all devices before attempting to install your app. This prevents installation failures due to missing prerequisites.
Supersedence lets you manage app version updates. When you deploy a newer version of an app, configure the older version as "superseded." Intune automatically uninstalls the old version before installing the new version. This ensures devices have only one version installed and simplifies version management across your organization.
You can chain dependencies and supersedence together. For example, AppVersion1 can be superseded by AppVersion2, which depends on .NET Framework. Intune orchestrates the entire sequence automatically.
Note
There is a limit for the chain of dependencies and supersedence. You can chain max 10 nodes in a supersedence relationship. This includes the app itself. For dependencies there is a maximum of 100 dependencies, which include the dependencies of any included dependencies, as well as the app itself.
Assign Win32 apps to devices and users
Assign your packaged Win32 app to users or devices using Intune assignment rules. Select Required assignment to install the app automatically on all targeted devices. Select Available to make the app available in the Company Portal but let users choose whether to install it.
Use Intune filters to refine your assignment based on device properties, device ownership, operating system version or other criteria. For example, create a filter for "Finance Department Devices" and assign your accounting app exclusively to those devices.
Assignments respect device compliance policies. If you have configured conditional access policies, Intune evaluates those during assignment. A device that does not meet compliance requirements might not receive the app installation.
Monitor and troubleshoot Win32 app deployments
After deploying Win32 apps, monitor installation status from the Microsoft Intune admin center. Select your app and review the deployment status for each assigned device. Status indicators show pending, installed, failed or restart required.
For devices showing installation failures, check the IntuneManagementExtension log on the affected device. This log file details why installation failed, whether due to detection rule failures, return code issues or command line problems.
Common troubleshooting steps include verifying your command-line syntax matches your installer's requirements, confirming detection rules accurately identify successful installation and testing your installer in your target device environment. If devices require restart but remain in "restart pending" status, manual restart or restart deadline policies can help complete the installation.
Use Intune reports to identify patterns in deployment failures across multiple devices. These insights help you refine command lines, detection rules or assignment targeting before deploying to additional users or devices.