There is a new integration available between Microsoft Intune and the Microsoft Store for managing app installations from the cloud. This allows admins to easily browse, deploy and monitor applications. The new feature is powered by WinGet, the new Windows Package Manager. I will explore this new feature in this blog post.
Intune has for a long time been great at getting policies and apps onto devices. The challenge has been to get new applications ready for provisioning in Intune. With this new feature, Independent Software Vendors (ISVs) can publish and maintain their packages directly in this solution. This will ease the process and the burden of application management.
With direct access to the apps in Intune, they can quickly and easily be made available for user self-service through the Company Portal. This is perfect for locked-down environments where users have no local admin rights on their computers.
The feature is rolling out these days, and I have tested it on one of the tenants in my demo environment.
As mentioned, this new feature is built on the WinGet tool. This means that I can use WinGet to query the backend for applications. One example could be the following query for Adobe products:
This will return available packages with “adobe” as part of the name. The Microsoft Store supports UWP apps, desktop apps packaged in .msix, and now Win32 apps packaged in .exe or .msi installers. An ID in the search result starting with “XP” indicates a Win32 package.
I can get even more information about the package by running a query for the Id I am interested in. This gives me information about the publisher and the installer for the application:
There are a lot of examples available on how the WinGet tool can be used. What is new is that we can now do these things directly from within Intune. When adding a new app inside Intune, I now have the option to use “Microsoft Store app (new)”.
On the next page of the wizard, I can search the Microsoft Store for applications. A search for Adobe gives me the same result as WinGet gave me, and I can easily select Adobe Acrobat Reader DC:
Out of curiosity, I can also show a search for the rather unusual app “Region to Share”, which I mentioned in an earlier blog post on hacking my DQHD superwide monitor. This is also available directly from the ISV inside Microsoft Intune!
When selecting the app, I get prepopulated information about the app. The rest of the distribution routine follows the standard Intune procedures we all know regarding assignments etc.
Please note you have to add the icon manually. This repository is a great source for most application icons needed: aaronparker/icons on GitHub (icons/icons at main).
This app will now be made available, and I see it in the Intune portal among the rest of my applications.
There is, however, one important differentiator: this app will not be uploaded to my Intune storage like other LOB or Win32 apps. This kind of application refers to its location in the store! When devices later request this application from the Company Portal, Intune will direct the client to the original Microsoft Store location to get the latest available version.
Things to avoid
If you are running an environment with Group Policies applied, please be aware that some of these might affect app deployments from the Microsoft Store. The following table is taken from “Add Microsoft Store apps to Microsoft Intune” on Microsoft Learn and provides details about how app deployment can be affected:
|Store Group Policies|Desired setting|
|---|---|
|Store – Disable all apps from the Microsoft Store|Not configured or Disabled. Set to Disabled if you wish to prevent end users from blocking the scenario.|
|Store – Turn off Automatic Download and Install of updates|Not configured or Disabled. Set to Disabled if you need to prevent end users from blocking the scenario.|
|Desktop App Installer – Enable App Installer Microsoft Store Source|Not configured or Enabled. Set to Enabled if you wish to prevent end users from blocking the scenario.|
|Desktop App Installer – Enable App Installer|Not configured or Enabled. Set to Enabled if you wish to prevent end users from blocking the scenario.|
|Store – Turn off the Store application|Not configured or Disabled. Set to Disabled if you need to prevent end users from blocking the scenario.|
As the Microsoft Learn article clarifies, it is possible to block the Microsoft Store from installing arbitrary applications. With Store – Only display the private store within the Microsoft Store set to Enabled, the system will still allow applications assigned through Intune and the Windows Package Manager store integration.
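To check a device against the table above, the following added example (not from the original post or from Microsoft) reads the machine-scope policy registry values and flags any setting that would block the deployment. The registry paths and value names are my mapping of the listed policies and should be verified against your ADMX templates; `Test-StorePolicy` is a hypothetical helper name.

```powershell
# Added example: audit Group Policy values that can block Intune
# "Microsoft Store app (new)" deployments on the local device.
# Assumption: value names below are the registry backing of the policies
# in the table; confirm against the Store and Desktop App Installer ADMX.
# Only machine-scope (HKLM) policy is inspected.
$storeKey        = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore'
$appInstallerKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'

# Blocking = the value that contradicts the "Desired setting" column.
$checks = @(
    @{ Policy = 'Store - Disable all apps from the Microsoft Store'
       Key = $storeKey; Name = 'DisableStoreApps'; Blocking = 1 }
    @{ Policy = 'Store - Turn off Automatic Download and Install of updates'
       Key = $storeKey; Name = 'AutoDownload'; Blocking = 2 }
    @{ Policy = 'Store - Turn off the Store application'
       Key = $storeKey; Name = 'RemoveWindowsStore'; Blocking = 1 }
    @{ Policy = 'Desktop App Installer - Enable App Installer'
       Key = $appInstallerKey; Name = 'EnableAppInstaller'; Blocking = 0 }
    @{ Policy = 'Desktop App Installer - Enable App Installer Microsoft Store Source'
       Key = $appInstallerKey; Name = 'EnableMicrosoftStoreSource'; Blocking = 0 }
)

function Test-StorePolicy {
    param([hashtable]$Check)

    # A missing key or value means the policy is "Not configured".
    $item  = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.($Check.Name) } else { $null }

    $state = if ($null -eq $value) { 'Not configured' }
             elseif ($value -eq $Check.Blocking) { 'BLOCKS deployment' }
             else { 'OK' }

    [pscustomobject]@{
        Policy = $Check.Policy
        Value  = $value
        State  = $state
    }
}

$results = $checks | ForEach-Object { Test-StorePolicy -Check $_ }
$results | Format-Table -AutoSize -Wrap
```

Any row reporting `BLOCKS deployment` points to a GPO that needs to be changed to the desired setting before store apps assigned from Intune will install.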
This will add new flexibility and opportunities to application administration. The technology is being rolled out now, and it will be exciting to see how this develops further.
There are still some unsupported functionalities, which you can read more about in the official documentation from Microsoft on this topic. Documentation is available here: