Win32 app deployment is how you push .exe and .msi installers to managed Windows devices via Intune. It requires wrapping your installer in a .intunewin file, but once set up it gives you full control over installation, detection, and dependency management.
Prerequisites
Before you start, make sure you have:
- The installer file for the app (.exe or .msi)
- The Win32 Content Prep Tool downloaded from Microsoft - search "Microsoft Win32 Content Prep Tool GitHub" and download IntuneWinAppUtil.exe
- An Intune Administrator or Global Administrator account
- Target devices enrolled in Intune and running the Intune Management Extension (IME)
Wrap the installer with the Win32 Content Prep Tool
Intune cannot deploy .exe or .msi files directly. You first need to wrap the installer in a .intunewin package using Microsoft's free Content Prep Tool.
- Create a source folder (e.g. C:\AppSource\7zip) and put your installer inside it
- Create an output folder (e.g. C:\IntunePackages)
- Open a command prompt and run:
IntuneWinAppUtil.exe -c "C:\AppSource\7zip" -s "7z2301-x64.msi" -o "C:\IntunePackages"
- -c is the source folder containing the installer
- -s is the installer file name
- -o is the output folder for the .intunewin file
The tool generates a .intunewin file in your output folder. This is what you upload to Intune.
Add the app in Intune
- Go to Apps → Windows → + Add
- Under App type, select Windows app (Win32) and click Select
- Click Select app package file and upload your .intunewin file
- Fill in the app information:
- Name - the name shown in the Company Portal
- Description - what the app does
- Publisher - the software vendor
- Click Next
Program settings
This is where you define the install and uninstall commands. Intune runs these commands as SYSTEM by default.
Requirements
Requirements define the minimum conditions a device must meet before Intune attempts to install the app. This prevents installation attempts on incompatible devices.
Detection rules
Detection rules tell Intune how to confirm the app is actually installed. If the detection rule does not match after installation, Intune reports the app as failed even if the installer ran successfully.
For MSI installers, use the MSI product code detection method - Intune handles this automatically. For EXE installers, use one of:
- File detection - check for a specific file or folder that exists after installation (e.g. C:\Program Files\AppName\app.exe)
- Registry detection - check for a registry key written during installation
- PowerShell script - run a script that exits 0 if installed, 1 if not
Assign and monitor
On the Assignments tab, add your target group under Required (mandatory install) or Available for enrolled devices (user-initiated from Company Portal).
After deployment, monitor progress under Apps → Windows → [App name] → Device install status. Check the IME log on a device for detail:
Get-Content "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log" -Tail 100
Troubleshooting
App shows as Failed in Intune
Check the IME log on the device. The log shows the exact exit code from the installer. Exit code 0 = success, anything else is an error. Common causes: the installer requires a reboot mid-install, a prerequisite is missing, or the detection rule does not match.
App stuck in Pending install
The device has not checked in recently. Force an Intune sync and check that the IME service is running: Get-Service -Name IntuneManagementExtension.
Detection rule not met after successful install
The app installed but Intune cannot confirm it. Check the file path or registry key in your detection rule against what is actually on the device. File paths are case-sensitive in the detection rule.
I set up Intune for UK small businesses at a fixed price - compliance policies, app deployment, Conditional Access, and full documentation handed over at the end.