Intune App Packaging

Deploy Wireshark via Intune | Win32 App Packaging

Published 17 March 2026 · 7 min read

Wireshark is the most widely used network packet analyser in IT and security environments. It ships as an NSIS EXE installer that bundles the Npcap capture driver. The key things to handle in an Intune deployment are the silent NSIS switches, suppressing shortcut creation, and the Npcap driver installation that happens as part of the Wireshark install.

Contents
  1. Download the installer
  2. Wrap with the Content Prep Tool
  3. Add the app in Intune
  4. Install and uninstall commands
  5. Detection rule
  6. Npcap and capture permissions
  7. Known gotchas

Download the installer

Download the Wireshark installer from the official site:

https://www.wireshark.org/download.html

Download the Windows x64 Installer. The filename will be Wireshark-x64-4.x.x.exe. Wireshark does not provide an MSI - the EXE is the only official installer.

Wrap with the Content Prep Tool

IntuneWinAppUtil.exe -c "C:\AppSource\Wireshark" -s "Wireshark-x64-4.4.2.exe" -o "C:\IntunePackages"

Add the app in Intune

Intune Admin Centre → Apps → Windows → + Add → Windows app (Win32)
  1. Upload the .intunewin file
  2. Name: Wireshark
  3. Publisher: The Wireshark developer community

Install and uninstall commands

⚙️
Program settings
NSIS silent install with Npcap flags
Install command/S = NSIS silent, /ncap_installation_silent = silent Npcap driver install
Wireshark-x64-4.4.2.exe /S /desktopicon=no /quicklaunchicon=no /ncap_installation_silent
Uninstall commandNSIS uninstaller in the Wireshark install directory
C:\Program Files\Wireshark\uninstall.exe /S
Install behaviourRequired - Npcap driver install needs admin/system context
System
Device restart behaviourNpcap can occasionally need a reboot - set to Determine behaviour based on return codes
No specific action
💡
The /ncap_installation_silent flag
Without this flag, the Npcap installer will show a UI during deployment even with /S on the Wireshark installer. Always include /ncap_installation_silent to ensure the full install is truly silent.

Detection rule

🔍
File detection rule
[]
Rule type
File
Path
C:\Program Files\Wireshark
File or folder name
Wireshark.exe
Detection method
File or folder exists
💡
Test your detection rule first
Before deploying to users, install the app manually on a test device and verify the detection rule matches. Run the detection script or check the file path exists before assigning to a group.

Npcap and capture permissions

Wireshark uses Npcap to capture network packets. By default, only members of the Wireshark Users local group (created during install) and administrators can capture packets without UAC elevation.

To automatically add users to the Wireshark Users group after deployment, deploy a PowerShell script via Intune:

# Add all interactive users to Wireshark Users group
# Run as a device configuration script in Intune

$group = "Wireshark Users"
$localGroup = Get-LocalGroup -Name $group -ErrorAction SilentlyContinue

if ($localGroup) {
    # Add Domain Users or a specific security group
    Add-LocalGroupMember -Group $group -Member "Domain Users" -ErrorAction SilentlyContinue
    Write-Output "Added Domain Users to $group"
} else {
    Write-Output "Wireshark Users group not found - Wireshark may not be installed"
    exit 1
}

Known gotchas

Npcap version conflicts

If a device has an older version of Npcap (or WinPcap) installed from a previous Wireshark install or another tool, the Npcap bundled with Wireshark may conflict with it. Add a pre-script to remove existing Npcap/WinPcap installations before deploying.

Wireshark asking to install Npcap on launch

If users see a prompt to install Npcap when they open Wireshark, it means the Npcap installation during the Intune deployment failed silently. Check your install command includes /ncap_installation_silent and that the deployment ran in System context.

Frequently Asked Questions

Q: How do I deploy Wireshark silently via Intune?

Use: Wireshark-x64-4.x.x.exe /S /desktopicon=no /quicklaunchicon=no. Wireshark uses NSIS so /S is the silent switch. The additional flags suppress shortcut creation.

Q: Does Wireshark install WinPcap or Npcap automatically?

Yes. Wireshark bundles Npcap (the modern replacement for WinPcap) and installs it automatically as part of the Wireshark install. You can suppress the Npcap installer prompt with /ncap_installation_silent during silent deployment.

Q: How do I detect Wireshark in Intune?

Use a file detection rule: check for Wireshark.exe in C:\Program Files\Wireshark. This path is consistent across versions.

Q: Can I deploy Wireshark to standard users or does it require admin rights?

Wireshark requires admin rights to install because it installs the Npcap driver. Deploy it in System context via Intune. Standard users can run Wireshark after installation but may need to be added to the Wireshark Users group to capture without UAC prompts.

More App Packaging Guides
Deploy 7-Zip via Intune Deploy Notepad++ via Intune Deploy VS Code via Intune
Installer typeEXE (NSIS)
Silent installYes - /S /ncap_installation_silent
Npcap driverBundled and installed automatically
Capture permissionsWireshark Users group - add via PS script
Reboot requiredOccasionally (Npcap driver)
// need intune set up properly?
Fixed-price Intune setup for UK businesses

I set up Intune for UK small businesses at a fixed price - app deployment, compliance policies, Conditional Access, and full documentation handed over at the end.

View Packages
#intune #app-packaging #win32