Company App: Unchained

In this blog, I will give you my opinion on how I prefer apps to be deployed.

When deploying a zero-trust modern workplace, you need to make sure your users are not members of the local admin group. Take a look at my blogs if you want to make sure a user is never a local admin. Once your users are no longer local admins, you can implement an AppLocker policy to make sure your devices are secure.

But here comes trouble… Many of your users are used to just installing the app(s) they need, and now they don’t have this option anymore.

Each company has its own business apps, which are used by almost everyone. You will need to make sure these apps are deployed to all devices. But there are also some third-party apps that not everyone uses. Just to mention a few: Java, Chrome, Firefox, FileZilla, 7-Zip, Citrix Workspace, Silverlight, VLC, Zoom, etc.

Of course, you can push all these apps to your endpoints when they are being enrolled, but why would you? In my opinion, the users have to choose for themselves which additional apps they need and when they need them.

I am going to divide this blog into four parts:

  1. Configuring the Business store and the Company portal
  2. Configuring Applications as available
  3. Creating Categories for the Apps
  4. Creating a Win32 app and making it interactive with the user’s context

1. Configuring the Business store and the Company portal

But how are you going to facilitate this approach? Make sure you have enabled the “Microsoft store for business”.

When the Microsoft Business Store is connected, you will need to make sure the company portal is installed on all devices. Just add/configure the company portal app.

Don’t forget to apply some governance. I guess you don’t want the user to remove their enrolled device from Intune?

2. Configuring Applications as available

When the company app is installed you’ll have some benefits.

One of them is the possibility to let end-users install apps even if they don’t have the permissions to do so. The only thing you need to do is configure the app assignments. Take a look below: I changed the app to be available for enrolled devices instead of setting it to required.

When the app is available for enrolled devices it will show up in the company portal on the devices. The user only has to click on it to begin the installation. The Intune management extension (sidecar agent) will take care of the installation and will install the app in the machine/system context.

*Source: Intune Win32 App Troubleshooting Client Side Deep Dive (

As you can see in the picture above, I configured the apps to be installed with Chocolatey. Chocolatey is a great tool for patching your third-party apps. It’s best practice to set Chocolatey as a required app within the ESP to be sure users can instantly install apps at their first login.

Of course, it can be a lot of work to create all these apps manually each time you onboard a new customer. But why not automate it as I did? You can create your own baseline with all third-party apps and deploy it through PowerShell within minutes, and each time a customer asks for an application that is not yet available, you can add it to your baseline.

  1. Push all the apps to Intune
  2. Assign the apps as available for all users
  3. Add the logo. It really looks a lot nicer with a logo.
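
Step 2 of that list, scripted against Microsoft Graph. This is an added example, not the script the baseline above uses; it assumes the Microsoft.Graph.Authentication module, an account that may grant the DeviceManagementApps.ReadWrite.All scope, and placeholder app names in `$Baseline`.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example. $Baseline holds placeholder display names of apps that already exist in Intune.
$Baseline = @('7-Zip', 'VLC media player', 'FileZilla')
$Apps     = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps'

Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

# intent "available" + allLicensedUsers target = "Available for enrolled devices", all users.
$body = @{
    mobileAppAssignments = @(
        @{
            '@odata.type' = '#microsoft.graph.mobileAppAssignment'
            intent        = 'available'
            target        = @{ '@odata.type' = '#microsoft.graph.allLicensedUsersAssignmentTarget' }
        }
    )
} | ConvertTo-Json -Depth 5

foreach ($name in $Baseline) {
    $filter = [uri]::EscapeDataString("displayName eq '$name'")
    $found  = @((Invoke-MgGraphRequest -Method GET -Uri ('{0}?$filter={1}' -f $Apps, $filter)).value)
    if ($found.Count -ne 1) {
        Write-Warning "${name}: expected exactly one app, found $($found.Count); skipped."
        continue
    }

    $id       = $found[0].id
    $existing = @((Invoke-MgGraphRequest -Method GET -Uri "$Apps/$id/assignments").value)

    # The assign action sets the app's complete assignment list, so leave apps
    # that already carry assignments (for example "required" groups) untouched.
    if ($existing.Count -gt 0) {
        Write-Warning "${name}: already has $($existing.Count) assignment(s); review manually."
        continue
    }

    Invoke-MgGraphRequest -Method POST -Uri "$Apps/$id/assign" -Body $body -ContentType 'application/json'
    Write-Output "${name}: available to all users in the Company Portal."
}
```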

3. Creating Categories for the Apps

Now you may be wondering: how can we get a better overview of all the apps we have? That’s easy! You only need to create some categories first. Let’s open Intune, open the Apps pane, and click on App-Categories.

And click on “add” and create all the categories you want!

Now that we have created all the categories, let’s add them to the apps. You can do so by simply opening the app and editing it. Select the proper category and press save.

Isn’t that nice? Now you can sort by category in the company portal!

4. Creating a Win32 app and making it interactive with the user’s context

Do you remember I told you the app will be installed in the system context? With the use of ServiceUI.exe and the PowerShell App Deployment Toolkit, you can make an installation that runs in the system context interactive for the user. That’s maybe the best part of publishing apps to the company portal. It’s perfect for software that needs user interaction, like Brother software, which requires the user to connect the USB scanner…

Short summary of what I did to get this working:

  • Downloaded ServiceUI.exe (Microsoft Deployment Toolkit) and copied it to c:\packages\brother
  • Downloaded the PowerShell App Deployment Toolkit and unzipped it to c:\packages\brother
  • Downloaded the Brother software and extracted the files to c:\packages\brother\files
  • Changed Deploy-Application.ps1 (the application variables and the installation task: Execute-Process -Path "$dirFiles\InstUI.exe")
  • Created an intunewin package (Install file: Deploy-Application.exe, folder: c:\packages\brother)
  • Created the Intune Win32 App (Install command: .\ServiceUI.exe -Process:explorer.exe Deploy-Application.exe)
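
Everything in c:\packages\brother ends up running in the system context on every device that installs the app, so it is worth checking the downloaded binaries before building the .intunewin. The following pre-packaging check is an added example, not part of the original steps; the signer names, the reviewed-hash list and the manifest file name are assumptions to adapt.

```powershell
# Added example. $PackageRoot is the folder from the steps above; the signer
# names and the reviewed-hash list are placeholders to fill in for your sources.
$PackageRoot       = 'C:\packages\brother'
$AllowedPublishers = @('Microsoft Corporation', '<vendor signer name>')
$ReviewedHashes    = @()   # SHA-256 of unsigned files you inspected and accept

function Test-PackageBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) {
        $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    }
    $hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        File    = $Path.Substring($PackageRoot.Length).TrimStart('\')
        Status  = $sig.Status
        Signer  = $signer
        SHA256  = $hash
        # Trusted: valid signature from an expected publisher, or a hash you reviewed.
        Trusted = (($sig.Status -eq 'Valid') -and ($signer -in $AllowedPublishers)) -or
                  ($hash -in $ReviewedHashes)
    }
}

$report = Get-ChildItem -Path $PackageRoot -Recurse -File -Include *.exe, *.dll, *.msi |
    ForEach-Object { Test-PackageBinary -Path $_.FullName }

$report | Sort-Object Trusted, File | Format-Table File, Status, Signer, Trusted -AutoSize

# Keep the hashes outside the package so a later rebuild can be compared against them.
$manifest = Join-Path (Split-Path $PackageRoot -Parent) 'brother-binary-manifest.csv'
$report | Export-Csv -Path $manifest -NoTypeInformation

$untrusted = @($report | Where-Object { -not $_.Trusted })
if ($untrusted.Count -gt 0) {
    throw "$($untrusted.Count) file(s) failed the signature check; do not build the .intunewin yet."
}
```

Files that fail the check can be inspected and, once accepted, pinned by adding their SHA-256 to `$ReviewedHashes`.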


Giving some “freedom” to your end-users on a zero-trust secured device to install apps on their own behalf is the best thing you can do. Also, with the help of serviceui.exe, you can create a great user experience.

Also, take a look at my blog about how to let end-users install printers on their own. Combining the possibilities to let end-users install apps and printers on their own could not be better.
