Does it sound familiar if I say that you have created a Win32 app in the past but you didn’t save the configuration files, which now means that you can’t modify this particular Win32 app? Don’t worry, at least we both dealt with this scenario. In this blog I will explain how to unpack and decrypt* a published Win32 app (.intunewin-file, we will call this the Intunefile) so you can extract Win32 apps.

* Decrypting is only needed when the .intunewin-file is downloaded directly from the tenant.

How to extract a Win32 app?

To get an overview of the configuration files which were used to package the Win32 app, follow the instructions below to download and extract the Intunefile.

First I would like to give my kudos to Oliver Kieselbach for making this script and executable available. The PowerShell script that we are using will read the most recent Intune Management Log file, which is saved under the location C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log. Within this log file, we have all the necessary information to download and decrypt the Intunefile. This log file contains the URL that lets us download the Intunefile as a .bin file. Keep in mind that after downloading this file you still need to follow the steps below to extract Win32 apps. This script doesn’t have to be run if you already have the Intunefile stored on your client.


How to extract your Win32 apps?

If you don’t have the Intunefile available on your client anymore, make sure to have a compliant and enrolled device available where the Win32 app that you are trying to extract is installed. This is a requirement to download the Win32 app directly from your tenant. The steps for downloading the app are explained in steps 1 through 4. If you already have the Intunefile available, proceed to step 5.

Step 1: Download the most recent version of the PowerShell script that gathers all the information for our Intunefile. The script can be downloaded from here.

Step 2: As soon as you have downloaded the script, start PowerShell as an administrator and browse to the location where the PowerShell script is stored. In my case it is stored under “C:\Script\Decoder”.

Step 3: Execute the PowerShell script to get an overview of the installed apps on the client. Make sure that the app is deployed on the client to get the Win32 app available in this overview.

PS C:\Script\Decoder> .\Get-DecryptInfoFromSideCarLogFiles.ps1
Above screenshot demonstrates the output when running the above command.

Step 4: Copy the yellow marked URL to your browser session and download the .bin extension file.

If you don’t know which of the URLs contains your application, I suggest downloading all the files and extracting them locally.

Step 5: Now that we have the Intunefile, we need to extract it. This can be done with the program IntuneWinAppUtilDecoder.

Step 6: Paste the downloaded IntuneWinAppUtilDecoder.exe file into the same location where the PowerShell script was saved. In my case, this is “C:\Script\Decoder” again.

Step 7: Depending on whether your Intunefile was just downloaded or you already had it available, run one of the three commands below to extract the Win32 app. If you just downloaded your Intunefile from your tenant, remove the .bin extension and run the command labelled “With Keys”. The keys can be found in the output that you received after running Step 3. If you already had your Intunefile, you can use the “Interactive” or “Silent” command to extract your file.
If you don’t decrypt a freshly downloaded Intunefile with the key and iv, you will receive the error “Can not open file (filename) as archive”.

Interactive: IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin"
Silent:      IntuneWinAppUtilDecoder.exe "C:\Temp\MyWin32Package.intunewin" /s
With Keys:   IntuneWinAppUtilDecoder.exe "C:\Temp\EncryptedMyWin32Package.intunewin" /key:AbC= /iv:XyZ==

In my case I wanted to extract an Intunefile that I just downloaded directly from my tenant, so I ran the following command:

PS C:\Script\Decoder> .\IntuneWinAppUtilDecoder.exe .\12033f08-b323-4e57-96ad-8c0b022f3ac6.intunewin /key:+9jy....Y= /iv:eu/1o....A==

This gave me a new output file with the .decoded extension. Now you can use 7-Zip to open the file.
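
Steps 5 to 7 for a file downloaded from the tenant, as an added PowerShell example (not part of the original post or of Oliver Kieselbach's tooling). The function name Expand-IntuneWinFile, the timestamp-based lookup of the .decoded file and the check for the ZIP "PK" signature are assumptions; only the /key: and /iv: switches and the default decoder path come from the text above.

```powershell
# Added example: wraps the "With Keys" command from step 7 and verifies the result.
function Expand-IntuneWinFile {
    param(
        [Parameter(Mandatory)] [string] $Path,   # the .bin file from step 4
        [Parameter(Mandatory)] [string] $Key,    # base64 key from the step 3 output
        [Parameter(Mandatory)] [string] $IV,     # base64 iv from the step 3 output
        [string] $Decoder = 'C:\Script\Decoder\IntuneWinAppUtilDecoder.exe'
    )
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if (-not (Test-Path -LiteralPath $Decoder)) { throw "Decoder not found: $Decoder" }

    # Catch values that were truncated while copying them from the console.
    # The values themselves are deliberately not echoed in the error message.
    foreach ($value in $Key, $IV) {
        try { [void][Convert]::FromBase64String($value) }
        catch { throw 'Key or IV is not valid base64; copy it again from step 3.' }
    }

    # Step 7: remove the .bin extension before decoding.
    if ($file.Extension -eq '.bin') {
        $file = Rename-Item -LiteralPath $file.FullName -NewName $file.BaseName -PassThru
    }

    $started = Get-Date
    & $Decoder $file.FullName "/key:$Key" "/iv:$IV"

    # The post reports a new file with the .decoded extension. Locate it by
    # timestamp instead of assuming its exact name (assumption).
    $out = Get-ChildItem -LiteralPath $file.DirectoryName -Filter '*.decoded' |
        Where-Object LastWriteTime -ge $started |
        Select-Object -First 1
    if (-not $out) { throw 'No .decoded file was produced.' }

    # Assumption: a correctly decrypted package is a ZIP archive, so it starts
    # with "PK" (0x50 0x4B). Anything else means the key/iv belong to another file.
    $head = New-Object byte[] 2
    $stream = [IO.File]::OpenRead($out.FullName)
    try { [void]$stream.Read($head, 0, 2) } finally { $stream.Dispose() }
    if ($head[0] -ne 0x50 -or $head[1] -ne 0x4B) {
        throw "$($out.Name) is not a ZIP archive; key and iv probably do not match."
    }
    $out   # FileInfo of the archive to open in 7-Zip
}

# Usage (placeholders, not real values):
# Expand-IntuneWinFile -Path 'C:\Script\Decoder\<guid>.intunewin.bin' -Key '<key>' -IV '<iv>'
```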


I hope my blog helps you to have fun with extracting your Win32 apps.

Did you already have the chance to read my previous blog about the feature Azure AD Staged Rollout?
