This article will break down the two critical options regarding application types for Windows endpoints managed via Intune and why you may want to consider one type of application over another to limit potential issues you may run into in the future. Enter the arena, Line-of-business app (LOB) vs. Windows app (Win32).
So, you want to create an application in Microsoft Intune. You think: “I’ve been doing this for years with good old Microsoft Configuration Manager (SCCM/MECM/MCM); how hard can it be?” You quickly log into your Intune portal and enter the ‘All apps’ area. Next, you notice the seemingly harmless ‘+add’ button towards the top of the page and dive in.
Stunned, you mutter, “What is this stuff?” Moving to the “Windows” platform section, your choices become clearer. This article helps you determine the best selection and simplifies creating applications in Intune.
What is a Line-of-Business App (LOB)?
Before the application types square off, it is essential to understand every kind of application and its strengths and weaknesses. In one corner are the Line-of-Business apps, which are commonly referred to as LOB apps. LOB apps are a staple of Intune and date back to its earliest days. LOB apps only require the creator to provide an installation file for the created application. The supported installation file types include MSI, MSIX, MSIXBUNDLE, APPX, and APPXBUNDLE. It sounds simple enough; every application has an MSI-based installer, right? When new to creating applications in Microsoft Intune, administrators tend to lean towards LOB apps for one primary reason: convenience. After you have selected and uploaded your installation file, much of what remains is minimal, including entering any custom installation parameters that the provided file might support.
Creating a LOB App
From the Windows Apps Section, select the option to add an app, and select ‘Line-of-Business App’ from the app type menu:
The list of supported file types for a Windows LOB app is displayed:
Select the file for your app package (selection of an MSI for 7-Zip shown below):
Some required fields may be populated if an MSI file type has been selected, but others will still need to be manually populated. Populate all required fields, additional parameters, and other desired application information, such as an icon file for the application:
Assignments to Azure Active Directory (AAD) groups can be added during the initial creation process. LOB apps assigned as available will be displayed in the Company Portal for end-users. A required assignment is shown below:
The last section will show a summation of what has been configured before the selection of the ‘Create’ button to publish the application:
After the application is created, you can review and change the properties shown below:
LOB App Pros:
Native MDM App Model
Does not Rely on the Intune Management Extension (IME)
Ease of Creation
Quick to Update(?)
Easy to Maintain(?)
Support for a Wider Range of Operating Systems (not just Windows)
No Scripting/Packaging Required
LOB App Cons:
Limited Installation File Type Support
Only Supports a Single Installation File
File Size Limitations
No Support for Complex Installers
Cannot Support Applications That Require More than One Installation File
Not as Versatile
Limited Customization
What is a Windows app (Win32)?
In the other corner are Windows apps, or what they are commonly referred to as: Win32 apps. A Win32 app is just that, designed for Windows that supports 32-bit and 64-bit operating systems. This is one of the largest misconceptions around Win32 apps as, at a glance, the name suggests that they are not compatible with a 64-bit Windows operating system; however, they very much are as the “32” in Win32 is a reference to the Windows API used for programming which supports 32-bit and 64-bit operating systems.
All of the programming talk aside, a Win32 app is another application type choice within Intune that most closely resembles the “application model” from Microsoft Configuration Manager, with which many admins are familiar. Win32 apps allow for greater control and flexibility when creating a managed application. With more flexibility, Win32 apps give the creator more options regarding the actual deployment of their content. The support for multiple files, detection methods, supersedence chains, and install/uninstall commands are just a few examples of how a Win32 app can give more control to the creator to have the application perform as designed.
As a result, Win32 apps must be packaged, a word that sometimes scares away many admins. Due to their nature, flexibility, and support for multiple files (and the .EXE file type), Win32 apps must be compiled within the IntuneWin wrapper with the Microsoft Win32 Content Prep Tool. If you find yourself saying, “This is all getting a little blurry; give me something that can automate that process for me,” fear not! There will be more on that later.
Creating a Win32 App
Before creating a Win32 app, the application content must be packaged with the Win32 Content Prep Tool. The tool will bundle and wrap all the application content within a .intunewin file. The created .intunewin file will be used when creating the application within Intune.
Download and unpack the Win32 Content Prep Tool from the following GitHub repository:
When utilizing the Win32 Content Prep Tool, always using the latest version is essential. A warning stating that the app content was packaged with an older version will be displayed if you are not using the latest version. The extracted contents of the tool are shown below, with the critical file being the ‘IntuneWinAppUtil’ executable:
Prepare the content for the application that is being created. The installation file and all associated files (remember Winn32 apps can support multiple files) should be stored in the same directory (7-Zip MSI shown below):
Launch the Win32 App Content Prep tool by executing the ‘IntuneWinAppUtil’ executable.
When the utility loads, you will need to specify the following information:
Source Folder – the directory where you are storing the app content
Setup File – the main install file for the application install (7-Zip shown below)
Output Folder – where you want the compiled .intunewin file saved
When the utility finishes you should see the compiled file saved in the directory specified when running the content prep tool. You can think of the created .intunewin file as a ZIP file. It will be the file that is downloaded and subsequently automatically unpacked on Windows endpoints when they are processing and installing the content. It is also the required file needed when creating Win32 apps within Intune manually:
Adding the Win32App to Intune
Time to create the application. From the Windows Apps Section select the option to add an app, and then select the ‘Windows app (Win32)’ from the app type menu:
Dialog is displayed, indicating that a .intunewin file is required (hey, we just made that!):
Select the option to choose an app package file, then browse to and select the created .intunewin file created from the Win32 Content Prep Tool:
After selecting the file, additional parameters and information can be added to the application. Some fields will be pre-populated depending on the installation file type. Other required fields will be marked as such and must be completed before advancing. This is a good time to upload an icon image file to be displayed in the Company Portal if you are planning to make the application available for installation for end-users:
The ‘Program’ tab is where you will start to see the benefits and flexibility allowed with Win32 apps. As before, some fields are required and will be auto-populated for you. However, you also have the flexibility to customize the install and uninstall commands (default populated commands for 7-Zip ver. 23.01 shown below).
Device restart Behavior
Device restart behavior options can be beneficial, allowing you to control post-install behavior for the operating system. Suppose the option to determine the behavior based on return codes is chosen (shown below). In that case, you have even more granular control over what will occur when specific return codes are received following an application running the configured install command line.
You can even add and remove return codes and alter what a particular return code type is for the application:
Configuring the Requirements
The ‘Requirements’ tab is where you can specify conditions that the endpoints must meet to process the application assignment. This is another example of the granular control options that accompany Win32 apps. Being able to specify a minimum level of the endpoint operating system is a simple way to allow particular applications on particular versions of Windows:
Configuring the Detection Rules
In the ‘Detection Rules’ tab, you must specify the settings to determine whether the application is installed. Detection rules are required for Win32 apps, much like applications created within Microsoft Configuration Manager. Detection methods are another way to curate and verify that the application is installed to your specifications.
When defining the rules for detection for a Win32 app, there are two main options: manually configuring the detection rule (shown below) and the ability to use a custom PowerShell script.
For this example we will utilize the option to manually configure the detection rule and select a rule type of ‘MSI’ where the MSI product code will be automatically populated:
Configuring the Dependencies
In the ‘Dependencies’ tab you can specify additional Win32 apps that must be installed before installing the current application. This is another powerful option when there is a need for specific applications to have other specific, required applications installed to be installed successfully:
Configuring Supersedence
In the ‘Supersedence’ tab, you can control whether or not you want the Win32 app being created to be installed in the place of another already-assigned version. This feature can make it easy to automatically offer the latest version of an application to end-users within the Company Portal:
Configuring the assignments
Assignments to Entra groups can also be added during the initial creation process. Win32 apps assigned as “available” will be displayed in the Company Portal for end-users. A required assignment is shown below:
A summation page is displayed for review before selecting the option to create the application:
After the application is created the properties and assignments can be modified as shown below:
Win 32 App Pros:
Natively Supports the Intune Management Extension (IME)
Support for a Wider Range of File Types (EXEs)
Support for Multiple Files Within an Installer (Complex Installs)
Support for Larger Install Files
More Robust and Flexible Option Set
Support for Detection Methods
Dependencies
Supersedence
Win32 App Cons:
Relies on the Intune Management Extension (IME)
Requires Packaging with Content Prep Tool (must be .intunewin format)
Manual Creation Can be Time-Consuming
Conflicts
According to the gospel of Microsoft themselves, conflicts can occur, primarily during Autopilot device provisioning, if a mixture of LOB apps and Win32 apps are targeted to an endpoint.
Troubleshoot Win32 apps in Microsoft Intune | Microsoft Learn
The short version and critical takeaway is that if you elect to use any Win32 applications in your environment, use them exclusively to make your life easier. The primary reason behind this is that LOB apps and Win32 apps both use the trusted installer service within Windows; however, only Win32 apps utilize the Intune Management Extension (IME) as well. The IME is the entity that keeps Win32 apps in line. Whereas Win32 applications will line up in a single file line and wait their turn for processing through the IME, LOB apps do not use the IME. This can lead to anarchy issues where LOB apps and Win32 apps being processed at the same time will fight over the trusted installer service and can lock one another out of it, subsequently causing application install failure chaos. Please keep it simple; don’t cross the streams.
The Showdown: LOB vs. Win32
That is all a lot to unpack. Hopefully, the winner of this showdown will be readily apparent through the details of how to create each type of application alone. While they can be more complex to develop, the robustness and flexibility accompanying all of the options of Win32 apps make them the clear choice in the eyes of most administrators.
Typically, administrators needing to manage applications in their environment need many options to make their lives easier in the long run, as well as drive up the compliance and install success rate of the applications in their environment. If you need options and more control over the customization and installation logic of the managed applications in your environment, look for nothing other than Win32 applications. Before you go, I know what you’re thinking: “I want to use Win32 applications, but they take too long to manage.” Enter the arena, Patch My PC.
Patch My PC
So, where does Patch My PC fit into all of this? Patch My PC can completely automate the creation of Win32 application content packaging for you. Gone is the need to manually download and gather installation files, package and bundle everything using the Win32 Content Prep Tool, and determine your install and uninstall commands and detection logic. With the Patch My PC Publisher, you select the applications you need to create from our ever-growing list of supported products, set your basic customizations through our intuitive customizations menu, and boom! Win32 applications will automatically be created and maintained for you going forward without running through any of the creation steps detailed in this blog. You can even manage the assignment of the created Win32 applications within the user interface and have those assignments carry forward to subsequent versions created for you on a schedule you define.
Automatically Create and Deploy Applications in Microsoft Intune (patchmypc.com)
If you’d like to see more, schedule a Patch My PC live demo with an engineer.
Additional Resources
Overview of app types available for managed environments | Microsoft Learn
Understand line-of-business apps for your managed environment | Microsoft Learn
Win32 app management in Microsoft Intune | Microsoft Learn
Troubleshoot Win32 apps in Microsoft Intune | Microsoft Learn