This blog explains how to download the original IntuneWin Win32 app package from Intune when you no longer have the original source files. If you find yourself in a situation where you need the actual IntuneWin package for a Win32 app, maybe because you took over an Intune environment or need to troubleshoot an existing app deployment, this guide covers the details. I’ll break down how the IME process works behind the scenes and show you the steps to download the package directly.
Introduction
Taking over an Intune environment can be a lot of fun, especially if you are missing documentation or the previous admin is no longer available. It is common to encounter a situation where you need to troubleshoot or update an existing Win32 app, but nobody knows where the original installer, scripts, or detection rules are stored. All you see in the Intune portal is a published app, and that’s it!

At first look, it feels like the original IntuneWinApp content is gone for good. Fortunately, with the right approach, there are ways to get back the original App Content from Intune itself.
Understanding Intune App Packaging
Microsoft Intune supports different types of application deployments. For simple MSI installations, you can upload a line of business app directly. However, many organizations use Win32 app packaging for more advanced scenarios. This method allows you to wrap executable installers, include custom scripts, and configure detection logic, making it much more flexible than a standard MSI deployment.
To prepare a Win32 app, you must use the IntuneWinAppUtil tool. This utility combines your installer files and PowerShell scripts into a single encrypted .intunewin package, which is then uploaded to Intune. Once uploaded, getting the files back from Intune is difficult. Why? Because Microsoft doesn’t have an official solution to do so. This could lead to headaches if you ever need them later.
The Real Problem: Losing Access to the Original Package
Even with the great automation we provide, there will be times when you need to get back the original Win32App content. Perhaps you join a new company, inherit an environment, or take over IT responsibilities from someone else. You can spot the Win32App in Intune, but the original installer and scripts are gone. The Intune portal shows the app and its assignments, but does not allow you to download the IntuneWin App package you once uploaded.
Community Solutions to download the IntuneWin File.
Several community tools exist today to help recover application content under certain circumstances. One well-known approach uses verbose IME logging to extract details (Encryption Info) about installed Win32 apps. If you recently installed the app on a test device and still have the IME logs, you can use tools like those by Oliver Kieselbach to recover the original .intunewin file.
The catch is that this only works if the app was triggered for download and you have access to the AppWorkload logs, which must be in Verbose Mode.
There’s also a more unconventional method: instead of relying on logs, you could temporarily alter the install command of the app to copy the source files somewhere else, for example:
xcopy .\ C:\Backup\ /E /H /K /O /X
With the install command changed, you can click Install in the Company Portal and have the app’s content extracted to the folder you specified. The actual installation will fail, but that’s fine, because the goal here is to capture the files before the Intune Management Extension cleans them up. Still, this is far from an ideal solution at scale, as you’d need to modify and redeploy each app individually just to extract its content.
And that brings us to the next part: what actually happens in the background when you click Install in the Company Portal? Understanding that process is the key to knowing where (and how) the .intunewin file is retrieved in the first place.
What happens when you click on Install in the Company Portal
To understand how to get back the IntuneWin file from Intune, it helps to know what the Intune Management Extension does in the background. When a user clicks install for a Win32 app in the Company Portal, the extension does several things.
Before diving in, let me show you an overview of this process first.
When you click on install, the IME will start locating the Intune device certificate in the local machine certificate store. From there on, it extracts the device identity by searching for a specific OID.
Next, it authenticates with the Intune Discovery service to find the SideCar Gateway URI for your tenant. The IME extension builds a secure authentication token using the certificate and requests a bearer token.
With that bearer token, it queries the SideCar Gateway Service to determine which Win32 apps are assigned to the device or user (GetAssignedApps), then downloads the relevant .intunewin file from Azure Blob storage, using the contentinfo/metadata and keys provided by the service gateway.
From there on it deciphers the EncryptionKey Info from the metadata and uses it to decrypt the encrypted application content and unzips it to the IMECache folder.
Well, with the overview clear, let’s zoom into each step in that process.
Mimicking the Intune Management Extension: Download the IntuneWin App Package Yourself
Knowing the flow above, and having spent some time in the IME code with the DotPeek tool, we were under the impression that we could do the same.
For everyone who missed that episode: please watch it!
With the knowledge and access to the Intune Management Extension’s code, we used PowerShell to replicate the same steps to retrieve the .intunewin package.
Please Note: This approach works as long as the app is still assigned to your device or user.
Here is how you can do it yourself
Step 1: Find the Intune MDM Device Certificate and Device ID
Open the local machine certificate store and search for the Intune certificate. You will find the device GUID in the certificate subject, which is required for later steps.
Step 2: Identify the AppId
Each Win32 app has a unique AppId in Intune. You can find this value in the Intune portal or by using the Web Version of the Company Portal. If the app does NOT show up here, the script will not work!
If the app doesn’t show up, check whether you selected the proper device in the Web Version of the Company Portal and whether the app has been assigned properly (configured as Available is preferred).
Step 3: Request a Bearer Token to download the IntuneWin file.
Build a JSON Web Token signed with your device certificate and use it to request an Azure Active Directory access token for Intune APIs.
Step 4: Discover the SideCar Gateway URI
Using the device certificate, connect to the Intune Discovery endpoint to get the SideCar Gateway address for your tenant. (Each Azure Scale Unit has its own unique SideCar URL)
Step 5: Query the SideCar Gateway for Assigned Apps
Make a request to the SideCar Gateway using your bearer token and device details. This will return a list of assigned apps along with metadata and download links.
Step 6: Download the ContentInfo
From there on, the IME will send a PUT command to that URL to get the contentinfo (which contains the encryption key info and IV)
Step 7: Download the Intunewin File
Use the download URL from the app metadata to retrieve the encrypted .intunewin package.
Step 8: Decrypt the IntuneWin Package
The downloaded contentinfo contains the encryption key info and IV. You can use that to decrypt the intunewin file and extract its contents to a specified folder.
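Step 8 as an added PowerShell example (not the script linked from this post): it checks the package's integrity before decrypting it. It assumes the commonly documented .intunewin layout of a 32-byte HMAC-SHA256, a 16-byte IV, then AES-CBC ciphertext, and that the encryption key and MAC key arrive as Base64 strings; the function and parameter names are hypothetical.

```powershell
# Added example. Assumed layout (not stated on this page):
#   bytes 0..31  HMAC-SHA256 over everything that follows
#   bytes 32..47 AES IV
#   bytes 48..   AES-CBC ciphertext of the original zip content
function Unprotect-IntuneWinContent {
    param(
        [Parameter(Mandatory)][string]$EncryptedPath,     # downloaded encrypted file
        [Parameter(Mandatory)][string]$OutputZipPath,     # full path for the decrypted zip
        [Parameter(Mandatory)][string]$EncryptionKeyB64,  # AES key from the content info
        [Parameter(Mandatory)][string]$MacKeyB64          # HMAC key from the content info
    )

    # Resolve first: .NET file APIs do not follow PowerShell's current location.
    $source = (Resolve-Path -LiteralPath $EncryptedPath).Path
    # Whole file is read into memory; very large packages need a streaming variant.
    [byte[]]$bytes = [System.IO.File]::ReadAllBytes($source)
    if ($bytes.Length -le 48) {
        throw "File is too short to contain an HMAC, an IV and ciphertext."
    }

    # Verify the HMAC before touching the ciphertext.
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($MacKeyB64))
    try {
        $computed = $hmac.ComputeHash($bytes, 32, $bytes.Length - 32)
    } finally {
        $hmac.Dispose()
    }
    $stored = [byte[]]$bytes[0..31]
    if ([Convert]::ToBase64String($computed) -ne [Convert]::ToBase64String($stored)) {
        throw "HMAC mismatch: wrong key material or a modified file. Not decrypting."
    }

    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $aes.Key     = [Convert]::FromBase64String($EncryptionKeyB64)
        $aes.IV      = [byte[]]$bytes[32..47]
        $plain = $aes.CreateDecryptor().TransformFinalBlock($bytes, 48, $bytes.Length - 48)
        [System.IO.File]::WriteAllBytes($OutputZipPath, $plain)
    } finally {
        $aes.Dispose()
    }

    # Return the SHA256 of the recovered zip so it can be recorded with the package.
    Get-FileHash -LiteralPath $OutputZipPath -Algorithm SHA256
}
```

The output is a plain zip, so Expand-Archive can extract it to the folder of your choice.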
The PowerShell script to download the IntuneWin File.
Well… this is the script that does just that!
Download the full script here: (Rename the TXT extension to ps1).
Please ensure you are executing this script from a managed device as admin (as trust relies on the Intune Device certificate and the bearer token). From there on, change the APP ID to one that corresponds with the App you want to download.
Once you execute the script with the adjusted AppID, the IntuneWin file will be downloaded to c:\temp. After it finishes downloading, it will decrypt the file and extract the zip file.
Please watch the YouTube video below. It will show you some additional details:
Patch Me If you can
Download IntuneWin File: Important Limitations
No Valid SideCarGatewayService URL could be discovered
If you encounter the error below, please check how your device is enrolled.
This script only works on devices on which the Entra enrollment is anchored with the Intune Enrollment, AKA Enrolled with Autopilot. If the device was enrolled into Intune after being joined to Entra, you may encounter the error mentioned above. How to check this? Read this blog to determine the enrollmenttype. If the enrollmenttype is zero, the Intune and Entra enrollments are not anchored properly.
Assignments
This method only works if the app is still assigned to your device or user. If the app has been deleted from Intune or your device is not targeted, you will not be able to download anything. The package you retrieve is still encrypted, so you may need to use additional tools or keys to extract the installer files.
The Remote Server Returned an Error 403
If you are running into the 403 forbidden error, as shown below, first check the web version of the Company Portal to see if the app is visible. If no apps are visible, ensure you have selected the correct device in the Company Portal’s web version.
Conclusion
Getting back your original IntuneWin App and its content from Intune is possible if you understand how the backend works. By mimicking the steps the Intune Management Extension performs, you can access the same .intunewin package that is delivered during app installation. For admins who inherit environments or need to troubleshoot missing content, this approach is invaluable. Using Patch My PC can make your life even easier, as all packaging and updates are handled automatically, but it is good to know that even without the original files, you are not completely out of options.