Updates to Windows App Management in Intune with Winget

Steps for how to import and publish apps into Intune, without hunting down the packages — including EXEs and MSIs, how to self-install apps from the Company Portal, and best practices to smooth your transition if you’re using the Windows Store for Business.

As part of our series on Windows Management, Jason Githens, from the Intune engineering team, joins Jeremy Chapman to give a deep dive on the updates for easily adding apps into Intune, powered by winget, the new Windows Package Manager.

Intune can now instruct managed PCs to install apps from ISV locations using winget. See how Windows Package Manager works with Intune and get started.

Check out Microsoft Intune updates.

See how to make the transition.

00:00 — Introduction

02:13 — Windows Package Manager

03:59 — Company Portal

06:27 — Windows Store for Business

07:36 — Wrap up

Optimize your transition from the Store for Business to Intune at https://aka.ms/StoreTransition

As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Jeremy Chapman (00:02):
Coming up as part of our series on Windows Management, we’ll dive deep on the updates for easily adding apps into Intune, powered by WinGet, the new Windows Package Manager, which is the foundation of our new store. Now we’ll show you the experience for how admins can import and publish apps, including EXEs and MSIs, how this also applies to self-service app installs from the Company Portal. And if you’re using the Microsoft Store for Business now, we’ll show you best practices to smooth your transition. And joining us today to go deeper on the new experience is Jason Githens from the Intune team. Welcome back.

Jason Githens (00:35):
Thanks. It’s great to be back.

Jeremy Chapman (00:36):
And thanks for joining us today. And this is actually management part four for our Windows Management series. So far we’ve covered cloud-based management, including update management and most recently new device provisioning by enrolling them into Intune using Windows Autopilot, Azure AD, and the Company Portal. But today, we’re actually focused on app curation and provisioning, because device enrollment does a great job in terms of getting policies and apps on devices, but the challenge is actually before that getting apps into the Intune portal itself.

Jason Githens (01:04):
You know, that’s right. And with this update, we really want to make the experience a lot easier. As an admin, you can easily find the latest versions of the apps you need to make sure that they are easy to install in your Windows managed devices. We’re tapping into the Windows Package Manager, or WinGet, and at the same time expanding the package types you can use to add support for EXEs and MSI packages right from WinGet. This is in addition to APPX and MSIX packages, which you can also use. If you’re not familiar with WinGet, it’s a command line tool to find and configure apps. I happen to be running this in Windows Terminal, but it also works in PowerShell and the command prompt, so it’s fully automatable. I’ll run a help command, and you’ll see all of the different app operations it can perform like installing, searching, upgrading, and more. I’ll run a simple command to search for Adobe using “-s msstore” to filter on only the ones in the store. And you can see it finds several packages, a few of the XP prefix indicating that these are Win-32 packages. And to look at the details, I’ll run a show command using its ID to view information for Adobe Acrobat Reader DC. And here under installer you’ll see the app as an EXE file type. So it’s really easy to find app packages and perform standard app operations against them.

Jeremy Chapman (02:11):
Right, and the good news here is that this Windows Package Manager already has a lot of great ISV support and you’re going to find a lot of useful apps in there. So how does it work together with Intune?

Jason Githens (02:21):
So to get to apps, we’ve connected Windows Package Manager framework backend to the Intune apps service and created a workflow to make these experiences work seamlessly together. Apps and their packages are maintained centrally by the ISV publisher of the app package. And as an Intune admin, you have complete control to curate the experiences and what your users can install. Let me show you the experience in the Intune admin center. Starting from the All apps blade, I’ll add an app. For app type, we’ve added a new type for the Microsoft Store, and this is different compared to the previous options for the store because it enables you to find apps using built in search, which I’ll show in a second. Now I’ll hit select, then I’ll search for the app I want, Citrix. In my case, I want to use the Citrix workspace with its new Windows 365 integration.

So I’ll choose that. You’ll see the name, description, publisher, package ID, and privacy URL are automatically pre-populated so you don’t need to cut and paste anything. I’ll select a category that will be used later when this is made available in the Company Portal. And then choose productivity. I’ll keep the rest of the defaults blank here to save time. Next, here I can assign this app to users. I can require it for some or all users and devices, but in my case I’ll make this available to enroll devices for all users and confirm create. Importantly, this app package remains where it is and isn’t getting imported into your Intune storage. When this app is later installed on a device, Intune is instructing that device to install directly from its defined Microsoft Store location. So it’s not moving into your Intune storage allocation.

Jeremy Chapman (03:50):
And for Windows apps, this is probably the easiest way to get those packages into the Intune portal and I love to see that we’ve got this package flexibility in place. So does this then work with the Company Portal? Say, for example, if a user wants to self-install some apps that weren’t set up as required on their device?

Jason Githens (04:06):
Yeah, it works great with Company Portal. In fact, I want to start with the admin experience and along the way I’ll highlight a few notable improvements. From the Intune all apps view, I can see my apps and many of them are only available in the Company Portal intended for self-install. So they aren’t required. All of these where the type column indicates Microsoft Store were added using the process I just showed. I’ll click into this app, Blender, which is an open-source 3D creation suite. Then I’ll look at its properties and you’ll see that it has a logo image added. And below that, again, it’s not a required app. Instead, it’s set to available for enrolled devices for all users. So Jeremy, now that we’ve seen the available apps from the store and have targeted your account with a few available apps, why don’t you show us the end user experience to self-install an application?

Jeremy Chapman (04:49):
Okay, sounds good. So you can see here I’ve got the Company Portal open and it looks like many of my apps are available to me that we just saw from your Intune portal. Notice that in addition to the line-of-business apps, there are also third party apps here with Blender as we saw before and a few others from Adobe and Citrix. Now what’s different here again, is that with the exception of these line-of-business apps, all of these third-party apps are coming directly from the ISV and approved for use by my organization.

Jason Githens (05:18):
And as you saw, to make this experience possible as an Intune admin, I didn’t need to download these apps or repackage and up re-upload them into my Intune environment to provide this experience to you as an end user. The global sourcing means users can get the latest versions of the app too.

Jeremy Chapman (05:32):
And it’s important. It also means that they’re going to have the latest security and quality fixes applied to them. But now let me go back into my Company Portal here and if I go ahead and install the Blender app, as you would expect, the app starts the process of using Intune’s app installation service on my device directly installing from Blender. Now this is going to download the app in the background. It’s almost a 300 megabyte package, so we’ll speed things up just a little bit to save time. Now if I go back into Windows 11, open my start menu, there’s Blender marked as a recently added app. So I’ll go ahead and launch that. And there it is. It’s installed, and it’s ready to go.

Jason Githens (06:06):
And of course this works for standard user accounts as well, even if the app requires admin-level permissions to install.

Jeremy Chapman (06:12):
And this experience is pretty similar to what you might do when you authorize apps for mobile stores all within the Intune admin center. But in this case it’s for Windows.

Jason Githens (06:20):
Exactly. And this new direction has several advantages, especially in the area of app curation flow, as we mentioned, there’s already a ton of ISV support. That said, as we announced in July 2021, we’ll be retiring the Microsoft Store for Business and Store for Education next year. So the integration work we built between Intune and the Microsoft Store is designed to lay the path to help you as you transition. If you’re using the Store for Business now, this means that you’ll be able to bring your apps into the Intune admin center like I showed, either as required apps assigned to users or devices or available apps for self-install experiences. And you’ll use the Company Portal to enable that. And as you saw in our example, when I was enumerating using WinGet search and also in Intune, when I added the new app to my app portfolio, each of these were coming from the Microsoft Store.

That means for the most part, the apps you’re using with the Store for Business today will be available via that process. Plus, it is also expanding to Win-32 based applications, such as in the MSI and EXE packages. And for your apps that are not in the store, you can easily import your LOB app packages into Intune. Of course, with the built-in user and group assignment in Intune, you can leverage role-based access controls to scope exactly which user or device will get those apps. And you can find even more guidance for optimizing your transition from the Store for Business to Intune at aka.ms/StoreTransition.

Jeremy Chapman (07:35):
And this WinGet integration along with the Store really simplifies the process for adding apps to Intune. So do we need to configure anything in order to get all of this integration to light up within the Intune admin center?

Jason Githens (07:45):
Well actually, we do the integration out of the box and we’re rolling this out now. Once you see the new Microsoft Store app type appear in your tenant, you can follow the steps I demonstrated to start adding your apps to Intune.

Jeremy Chapman (07:57):
Great stuff. Thanks so much, Jason for joining us today and also sharing the new experience for getting Windows apps into the Intune admin portal. Of course, keep checking back to Microsoft Mechanics for all latest updates. Subscribe to our channel if you haven’t already. And as always, thank you for watching.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store