Listen to this Post
Introduction
Managing Win32 applications in Microsoft Intune can be challenging, especially when the original installation files are lost or need updating. Fortunately, Intune retains the encrypted source files, which can be retrieved and decrypted using the same method as the Intune Management Extension. This guide walks you through the process of recovering these files for troubleshooting or updates.
Learning Objectives
- Understand how Intune stores and encrypts Win32 app files.
- Learn how to extract and decrypt Win32 app packages directly from Intune.
- Apply this technique to recover lost installers or update existing applications.
You Should Know
1. Locating the Encrypted Win32 App in Intune
Intune stores Win32 app packages in an encrypted format. To retrieve them:
1. Access the Intune Admin Center:
- Navigate to Apps > All Apps and select the Win32 app in question.
2. Obtain the App ID:
- Note the App ID from the URL (e.g., `https://endpoint.microsoft.com/blade/Microsoft_Intune_Apps/AppManagementMenuBlade/Overview/appId/[APP-ID]`).
2. Downloading the Encrypted .intunewin File
Use Microsoft Graph API to fetch the encrypted package:
Authenticate to Graph API
$token = (Get-MsalToken -ClientId "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" -Scopes "DeviceManagementApps.ReadWrite.All").AccessToken
Download the encrypted app
Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps/[APP-ID]/contentVersions" -Headers @{Authorization = "Bearer $token"}
This returns the encrypted download URL, which can be fetched using:
Invoke-WebRequest -Uri $downloadUrl -OutFile "encrypted.intunewin"
3. Decrypting the .intunewin File
Intune uses AES-CBC encryption. To decrypt:
Extract the encryption key from Intune (stored in registry) $key = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps" | Select-Object -ExpandProperty EncryptionKey Decrypt using OpenSSL (Linux/WSL) openssl enc -d -aes-256-cbc -in encrypted.intunewin -out decrypted.intunewin -K $key -iv 0
4. Repackaging the Decrypted App
Once decrypted, the `.intunewin` file can be repackaged:
1. Use the Microsoft Win32 Content Prep Tool:
IntuneWinAppUtil.exe -c C:\extracted -s setup.exe -o C:\output
2. Reupload to Intune for deployment.
5. Automating the Process with PowerShell
For bulk extraction, automate with:
Fetch all Win32 apps
$apps = Invoke-RestMethod -Uri "https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?`$filter=isof('microsoft.graph.win32LobApp')" -Headers @{Authorization = "Bearer $token"}
Download and decrypt each
$apps.value | ForEach-Object {
$appId = $_.id
Download and decrypt logic here
}
What Undercode Say
- Key Takeaway 1: Intune’s encrypted Win32 app storage ensures security but allows recovery if you know the process.
- Key Takeaway 2: This method is invaluable for IT admins managing legacy apps or troubleshooting deployments.
Analysis:
While Microsoft doesn’t officially document this method, it leverages the same mechanisms used by the Intune Management Extension. Organizations should use this technique responsibly—such as for recovery—rather than circumventing compliance. Future Intune updates may enforce stricter encryption or access controls, so automating backups of original `.intunewin` files is recommended.
Prediction
As cloud-based app management grows, expect Microsoft to enhance Intune’s app lifecycle features, including native versioning and recovery options. However, until then, this decryption approach remains a critical tool for enterprise IT teams.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Https: – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
