A script to simplify Intune Win32 package creation

Hello, my name is Greg Nottage and I am a Senior Consultant in the Secure Infrastructure team, based in the UK. This is the first in a series of posts on this topic. I will update this page with links to the other posts, just as soon as I get them published, thanks.

I regularly work with Intune and Windows Autopilot these days, and a natural part of this work involves frequently creating Win32 (.IntuneWin) packages and uploading them to Intune. If you’ve ever done this, you know there are quite a few steps involved. I wanted to produce something that made this process easier and more repeatable – hence this post about a script I’ve posted to my GitHub page.

The Upload-IntuneWin.ps1 PowerShell script has been coded to simplify the creation and upload of Intune Win32 Client packages.  It supports MSI, EXE or PS1 packages and has been designed to take input from an XML answer (config) file, making it repeatable and extensible.

This post serves to highlight how to use the script and accompanying files.

The script requires the AzureADPreview PowerShell module to be installed from the PowerShell Gallery (using the Install-Module -Name AzureADPreview command).  Failure to install this module may result in failed operation of the script.

You also need to obtain a copy of the IntuneWinAppUtil.exe which is now also hosted on GitHub.

For devices that are running in a restricted mode, using AppLocker – the AppLocker policy must include an EXE publisher rule for the IntuneWinAppUtil.exe utility.  I normally specify a local path of C:\Scripts (and put the IntuneWinAppUtil.exe in there). You also need to ensure script are allowed to run from this location.

The graphic details the process flow for using the script:

Quick-Start

For those who are familiar with application packaging and also with preparing Intune Win32 (.IntuneWin) packages, the following can be used as a quick-start guide.  More in-depth walkthroughs are available in some accompanying posts, for those who are less familiar with this process (or just want a step-by-step guide).

  • Download the Upload-IntuneWin.ps1 script and copy it to a local folder. For the purposes of this guide – I will use the C:\Scripts path as the working folder (you can use a different path – just make a note of where this is on your computer).
  • Download the IntuneWinAppUtil.exe file and copy it to the same folder as you put the Upload-IntuneWin.ps1 script in (so the C:\Scripts working folder path in our example).
  • Download the CopyMeAsStartingPointForNewPackages folder (making sure it contains the Config.xml file and a Source subfolder that are available in my GitHub repo) and copy it to your working folder (I copied it to C:\Scripts).
  • Rename it to an appropriate name for the content you intend to upload to Intune (I will be using the Install-OoBUpdates as the name for this content subfolder).

An example of the file and folder structure is shown below –

Example

Root Folder

  • C:\Scripts

SubFolders

  • C:\Scripts\Install-OoBUpdates
  • C:\Scripts\Install-OoBUpdates\Source
NameLocation
IntuneWinAppUtil.exeC:\Scripts
Upload-IntuneWin.ps1C:\Scripts
Config.xmlC:\Scripts\ Install-OoBUpdates
MSLogo.pngC:\Scripts\ Install-OoBUpdates
Install-OoBUpdates.ps1C:\Scripts\ Install-OoBUpdates\Source
OutOfBandOSUpdatesRebootTaskTrigger.xmlC:\Scripts\ Install-OoBUpdates\Source
Update-OS.ps1C:\Scripts\ Install-OoBUpdates\Source
  • Next edit the Config.xml file in the content subfolder C:\Scripts\Install-OoBUpdates and notice the entries that should be modified – the items to pay particular attention to are:
    • Username – this must be edited to suit your environment (or removed if you want the script to prompt for this at run-time) – ensure you use an account that has enough rights to create Win32 Client App packages in Intune (such as the Intune Service Administrator role, with active PIM if you use PIM in your environment)
    • AppType – can be MSI, EXE or PS1 – but in the Install-OoBUpdates example is PS1
    • installCmdLine – only used for MSI or EXE installs. For MSI only add custom switches as MSIEXEC /q is already added by the script.  For EXE add the executable name and any install commands
    • uninstallCmdLine – as per installCmdLine – only required for MSI or EXE
    • InstallExperience – User or System, depending on how the package should be installed on the client device – the Install-OoBUpdates example uses System
    • PackageName – this must match the name of the object in the source folder, without any file extension – so the name of the MSI/EXE/PS1 file but without the extension
    • displayName – this is the name that will appear in the Intune console and Company Portal
    • Description – this is the description that will appear in the Intune console and Company Portal
    • Category – this is not currently implemented in the script, so you can ignore this for now (but you must leave the element populated in the Config.xml file or the script will fail)
    • Publisher – this is the publisher that will appear in the Intune console and Company Portal
    • LogoFile (ensure you put the logo.png format file in the same folder as the Config.xml file)
    • AADGroupName – the script uses the name specified here and automatically creates 3 AAD groups – with Required, Available and Uninstall.  It then configures the associated targeting for the object in Intune.  If an object is added (or nested) to the Uninstall group, it is automatically excluded from the Required and Available groups.
  • Open a PowerShell console and change to the C:\Scripts folder
  • Run the script with .\Upload-IntuneWin.ps1 and it will prompt for
    • packagepath (which should be supplied as the full path to the package to be uploaded – like C:\Scripts\Install-OoBUpdates)
    • intuneWinAppUtilPath (which is the full path to the IntuneWinAppUtil.exe file – like C:\Scripts\IntuneWinAppUtil.exe)
  • Hit return and the process will run the upload.

If you need to re-upload anything – make sure to manually delete the AAD groups and the Intune Win32 object that also gets created, as this is not yet handled by the script.

I will post some additional follow-ups that cover the in-depth steps for each package type that is supported by the Upload-IntuneWin.ps1 script (so EXE, MSI and PS1) – but here’s a little example of what the Config.xml should look like for the Install-OoBUpdates example I described above. Hopefully this helps illustrate what your Config.xml should look like:

I hope you find this useful. Thanks for reading.

Authors