As technology progresses, the idea is that our time as administrators is freed up so we can focus on other aspects of IT, such as cyber security.

I’ve mentioned in my other posts how the days of imaging machines is pretty much over, so now that our endpoint setup is handled over the internet, how do we keep the builds as lean as possible?

We utilise self-service tools like Company Portal.

What is Company Portal?

Company Portal is a desktop app that you can push to your endpoints via Intune. The focus in this post is to demonstrate the application deployment features so you can be better informed before configuring for your organisation.

Company Portal is very similar to Software Center which you may have deployed using SCCM.

The big idea

User machines should broadly have a baseline set of applications that everyone needs. Your current new machine deployment process might be totally manual, totally zero-touch, or somewhere in between.

When utilising the Microsoft 365 Business Premium license, we are able to take once Enterprise considered features into the SMB and Windows Pro market with Company Portal.

The applications that everyone might need include:

  • Microsoft Office 365 suite
  • 7-Zip
  • Adobe Reader (although arguably Edge does an adequate “read only” job now)
  • etc.

Deploying Company Portal

As of some fairly recent Intune changes, this bit is really easy.

Deploy a Microsoft Store app (new) … app

Search for Company Portal and make it a ‘required’ app for all devices.

How do you deliver the additional apps people need to do their jobs?

The short answer is by wrapping and making everything available via Intune as a .intunewin application.

Let’s walk through how we get to that point.

In this example, we’ll use KeePass XC.

I have downloaded the 64bit .MSI installer for KeePass XC and saved it in a unique folder

While you could upload this directly to Intune and deploy, it is not recommended to mix app types, so as a general rule, I wrap everything as a .intunewin file using the Microsoft Content Prep Tool .

I specify the folder I just created along with the full name of the MSI file. I also want the output to appear in the same folder. My options are shown below.

What is the .intunewin extension?

Think of it as a packaged container with all the bits you need to install your software; you can call upon items inside that container using the Install Command field in the deployment options section on the Intune portal, and if your .intunewin contains PowerShell, you can run that too.

I then upload the resulting .intunewin file to Intune

For a more detailed guide on this process, check out Dean’s video

I am also quite fussy about having high-quality logos for the Store image

I go back to the KeePass XC website and grab the SVG which I later convert into a PNG

Because the source file was MSI, all of the details are pre-populated

You can set the minimum OS details as shown

And again, the MSI detection rules auto-populate if you select MSI

The crucial step for Company Portal freedom is to make the app ‘available’ instead of ‘required’ to your users or groups

When you complete the wizard and create the app, it shall begin to upload. Within 30 minutes or so it will be available for your users to install for themselves.


What if my app doesn’t install with an MSI file?

You will still end up with a .intunewin file, but you have to do some work before you get there.

If you only have an exe file, you’ll need to search for or figure out the silent installation commands/switches. I do this using PowerShell on a VM.

For example, Notepad++ comes as a .exe, but I managed to get it to install (and uninstall) using the following commands:

Using the content prep tool, I wrap only the .exe file and upload it as a .intunewin app.

How about multi-part installers that have dependencies?

The short rule is, if you can figure it out with PowerShell, it can be deployed as an .intunewin package.

When you’re done experimenting and have success locally, wrap it up in a single folder and call your PowerShell in the install command box like this:

powershell.exe -executionpolicy bypass -file InstallMyApp.ps1

Of course, you’ll also need to figure out a detection rule too. You can rely on the registry locations if you know where it’ll install, or for more complex installers, write a PowerShell detection script.

Beyond applications

Intune is my tool of choice over RMM products. If I have a problem I’m trying to solve, I think about how it can be achieved using what I have at my disposal. There are some fantastic community articles out there that are solving repetitive tasks using .intunewin packages.

For our smaller customers, I’ve started pushing out printers by following this guide on MSEndpointMgr.

You can also use them to uninstall bloatware, I’m looking at you McAfee Antivirus…

Think of this as a more intelligent scripting method to use instead of the PowerShell blade in Intune.

To summarise

  • Deploy Company Portal
  • Wrap your Apps
  • Make your apps available
  • Train your users
  • Have more time back