The new Intune Win32 app management is a great way to deploy Win32 apps with Microsoft Intune. Imagine you have a kind of source share for all the .intunewin files you have created. At some point you would like to modify a package, but you do not have the source files at hand, only the .intunewin package. Wouldn’t it be nice to convert the .intunewin package back to an unencrypted package? Additionally, what if you lost your complete sources: can we get them back directly from the Intune tenant?
As a quick reminder, the packaging workflow is like this:
- Compressing the source folder of the Win32 app and its files into a sub folder ‘Contents’, with the new extension .intunewin
- Encrypting the compressed file
- Computing a SHA256 hash
- Generating a detection.xml file in a sub folder ‘Metadata’
- Compressing the complete working folder and creating an .intunewin file again

As described in my previous post “Part 3, Deep dive Microsoft Intune Management Extension – Win32 apps”, the portal and the Intune service get all necessary information from the detection.xml file to deal with the Win32 app. The EncryptionInfo from the detection.xml file is stored in your Intune tenant and is what grants access to the uploaded encrypted .intunewin package. The encrypted .intunewin (located in the Contents folder) can be distributed safely by Microsoft to the Intune back-end services responsible for content distribution without being exposed to others: only the tenant who uploaded the file has the EncryptionInfo and can decrypt the file. The clients also get this information when they request Win32 apps for installation via policy.
If we try to open the inner encrypted .intunewin file with 7-Zip, it is expected to fail. We will see the following error message:

I’m using the fact that the encryption information is stored along with the package before uploading. As long as this information is available we can make use of it. I wrote a small .NET tool, “IntuneWinAppUtilDecoder”, which extracts the .intunewin file content, reads the EncryptionInfo from the detection.xml file to get the encryption key and initialization vector, and decrypts the inner .intunewin package from the Contents folder back to an unencrypted .intunewin package. Et voilà – we have an unencrypted .intunewin.decoded file, which we can open with our favorite archiver like 7-Zip.
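The packaging steps listed above and the decoder’s job, as an added Go model that is not the IntuneWinAppUtilDecoder’s own code: it assumes AES-256-CBC with PKCS#7 padding and the EncryptionInfo element names used in the struct, and it leaves out the extra header and MAC data a real inner .intunewin carries, so it will not open real packages. What it does show is that whoever holds the outer .intunewin also holds the key and IV, and that the digest should be verified after decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// EncryptionInfo models the block the packager writes to Metadata/Detection.xml (element names assumed here).
type EncryptionInfo struct {
	EncryptionKey        string `xml:"EncryptionKey"`        // base64 AES-256 key
	InitializationVector string `xml:"InitializationVector"` // base64 16-byte IV
	FileDigest           string `xml:"FileDigest"`           // base64 SHA-256 of the plaintext
}

// BuildPackage mimics the packaging steps: hash the compressed sources, encrypt them with AES-256-CBC
// (PKCS#7 padding) and emit the EncryptionInfo metadata that travels inside the outer .intunewin.
func BuildPackage(plain, key, iv []byte) (meta, enc []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, nil, err }
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	enc = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(enc, padded)
	sum, b64 := sha256.Sum256(plain), base64.StdEncoding.EncodeToString
	meta, err = xml.Marshal(EncryptionInfo{b64(key), b64(iv), b64(sum[:])})
	return meta, enc, err
}

// DecodePackage is the decoder side: read key and IV from the metadata, decrypt the inner file
// and verify the digest before trusting the recovered sources.
func DecodePackage(meta, enc []byte) ([]byte, error) {
	var info EncryptionInfo
	if err := xml.Unmarshal(meta, &info); err != nil { return nil, err }
	key, e1 := base64.StdEncoding.DecodeString(info.EncryptionKey)
	iv, e2 := base64.StdEncoding.DecodeString(info.InitializationVector)
	want, e3 := base64.StdEncoding.DecodeString(info.FileDigest)
	block, e4 := aes.NewCipher(key)
	if e1 != nil || e2 != nil || e3 != nil || e4 != nil || len(iv) != aes.BlockSize || len(enc) == 0 || len(enc)%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or ciphertext length")
	}
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, enc)
	pad := int(plain[len(plain)-1]) // PKCS#7 length byte; garbage here usually means wrong key or IV
	if pad == 0 || pad > aes.BlockSize || pad > len(plain) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or IV?")
	}
	if sum := sha256.Sum256(plain[:len(plain)-pad]); !bytes.Equal(sum[:], want) {
		return nil, errors.New("FileDigest mismatch: content corrupt or tampered")
	}
	return plain[:len(plain)-pad], nil
}
```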
The IntuneWinAppUtilDecoder is available on my GitHub account here:
https://github.com/okieselbach/Intune/tree/master/IntuneWinAppUtilDecoder
The direct download link to the zipped binary file is here.
Let’s have a look at how the tool looks when running. The command line utility is pretty simple to use: just point it to the path of the .intunewin file and optionally run it in silent mode to suppress output. If you already have the encrypted .intunewin, the encryption key and the initialization vector, you can provide this information on the command line as well:
IntuneWinAppUtilDecoder.exe <FullPathToIntunewinFile> [/s | /silent]
[/key:base64encodedKey /iv:base64encodedIV]
In the following example I’m decrypting an Adobe Acrobat Reader DC package:

As you can see, the tool asks before overwriting an existing file and before cleaning up the extracted files. Sometimes it is useful to keep the extracted content for further inspection. To simply proceed, just hit Enter and let the tool clean up the extracted .intunewin content. After successful decryption we now have an additional .intunewin.decoded file in the same directory as the original .intunewin file:

This .decoded file can be opened with 7-Zip and easily extracted, and here we have the original sources back:

When running the tool in silent mode (/silent) it will not ask about overwriting or cleanup: in silent mode an existing .decoded file is always overwritten and the extracted files are always cleaned up.

How to get the sources back from the Intune tenant directly?
UPDATE: The following is not true anymore! Microsoft changed the log entries and the relevant decryption information is currently not available in the log files. I’ll see what I can do to get it elsewhere…
I finally found a way and have a blog post about it here: IME debugging and Intune Win32 Apps decoding – Part 2
I discovered that all relevant download and decryption information needed to get the sources back from your tenant is in the regular log file of the Intune Management Agent, here:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log
So, I wrote a small PowerShell script to parse the log file and extract all relevant information about the already installed .intunewin files (otherwise we would not have the log file entry :-)). This is an example of such a log file entry:
<![LOG[Get content info from service,ret = {
"odata.metadata":"https://fef.msub03.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/$metadata#SideCarGatewaySessions/@Element","odata.id":...
LOG]!>
Basically, I’m searching for this particular log entry, which I then decode with the certificates on the device, as it includes the decryption information of the installed .intunewin file. The installed .intunewin file is encrypted and can only be decrypted by your device with the right certificate. The log entry also includes the download location. It would be possible to write a tool that requests the file from Intune directly to get to this information, but then I would be rewriting large parts of the agent myself: getting tokens for requests, dealing with discovery, decryption, etc. So, I decided not to do that, to let the agent do its job, and to grab the necessary information from the log files afterwards. In case of missing entries, you can simply enroll a device and install all software on it via Company Portal to produce the log entries, and then parse this info for further usage.
So, in the log entry we have everything we need. If we run the script provided below on an Azure AD joined device with Intune enrollment, we can successfully decrypt the encryption information that we get from the Intune GatewayService, and use it to download and decrypt the encrypted .intunewin file. The agent itself does nothing else during a normal install: it requests a policy which includes the package info, content info and decryption info. I decode this as well and provide it as plain text to you, or we can simply pass it to the IntuneWinAppUtilDecoder as parameters for instant decryption.
The script can also be found on my GitHub account here: https://github.com/okieselbach/Intune/blob/master/Get-DecryptInfoFromSideCarLogFiles.ps1
Here is the script in action, downloading an app discovered in the log entry (the download URL is highlighted in yellow, the encryption info in cyan) and finally decoding it:

I hope this small utility and script are as useful for you as they are for me; I deal with a lot of test deployments in my lab and from time to time I miss my source files. With the IntuneWinAppUtilDecoder and the script I’m now able to simply extract my source files again in any case.
Have fun at decrypting 🙂 your .intunewin files!
First of all, best wishes for 2019 and keep up the blogging!
Very nice tool and very handy.
Do you know a way to download an intunewin or msi package from Intune? Let’s say we uploaded an msi or intunewin but do not have the sources anymore?
Thx Rkast,
there is a way to get the content from where the agent is downloading it: look at the log files, there you find an entry [Win32App DO] start creating a new download job, FileId=… and there is a download URL for the file, but this is only the encrypted .intunewin. So you don’t have the encryption information then to decrypt the file. The encryption info is somewhere in the transferred policy, but I didn’t research this to get to this information. It should be possible, as the agent itself needs this information, so there is for sure a way to get to this information also.
best,
Oliver
Hi Rkast,
I did an update to my solution to cover your ask now :-). I parse the Intune Management Agent log file for the original download URL and decryption information of the intunewin package (which are included in an encrypted form), decrypt the decryption info via the device certificate and decode the downloaded encrypted .intunewin file. I used the log file info so I do not have to deal with talking to the Intune gateway service myself. I let the IME do that and grab the info from the log file after that.
best,
Oliver
Thanks Oliver! That’s really helpful. This way we can download older packages and reuse them. Good find and thanks for updating and sharing.
If you build a Win32 app, for example SnagIt, and it has an update but users can’t install the update because they are not admins, what is the best way to get that app updated?
Hi,
most of the time an update is a new version of the complete product like SnagIt 2019.11. Then it depends on the installer of the product; some of them recognize older versions and upgrade them (msi installers do this often). Other installers are not that clever and we must take care of uninstalling the old version and installing the new version. As you see it is always different, but a good way is to just package the new version and in the install script uninstall the old version and install the new version. For SnagIt it might be that the installer takes care of uninstall or upgrade itself; test it out in a VM and then create a new SnagIt package and assign it.
best,
Oliver
Hello Oliver,
first of all, thanks for your investigations.
I’m trying to create a script to transfer Win32 apps between different tenants. If possible I don’t want to cache any files locally.
With this API it’s possible to get the Azure Storage URI of a certain app for the export: https://docs.microsoft.com/en-us/graph/api/intune-apps-mobileappcontentfile-get?view=graph-rest-1.0
The problem is that this is the encoded intunewin file. The reason for this is that during the upload of the app via API (https://docs.microsoft.com/en-us/graph/api/intune-apps-mobileappcontentfile-create?view=graph-rest-1.0), you have to provide the encoded intunewin and commit the encryption information separately (https://docs.microsoft.com/en-us/graph/api/intune-apps-mobileappcontentfile-commit?view=graph-rest-beta).
Do you know if there is a way to export the encryption information from the Intune tenant besides your method with the log files? e.g. some API calls I didn’t find yet 🙂
Hey Ricardo,
I didn’t find a way to get the info separately. The info comes down with the regular policy in which the app install intent is provided. With that in mind, MS does not even have the need to provide this as a separate API call. They just build a policy for an app installation intent for the client which includes the encryption info and send it to the client. Why would you transfer from one tenant to another tenant without sources? Do you plan a migration tool without access to the original files? Just curious 🙂
best,
Oliver
Hello Oliver,
thanks for your quick reply and your insights!
Yes, since we have multiple tenants (testing, productive) we plan to create a migration tool to automate some parts of the application release management processes. So I was just investigating how this could best be implemented and curious whether it would be possible to migrate an entire app to another tenant without using locally stored files. But if it’s not possible it’s no serious problem, because storing the files locally makes sense anyway (e.g. for documentation reasons) and implementing the migration tool using local files also wouldn’t be that hard.
Best regards,
Ricardo
Hi Oliver,
I am currently getting an error “Invalid Bundle ID” when deploying the Adobe Reader macOS app. I was wondering if it is possible to open the .intunemac archive, edit the detection.xml to set the correct bundle ID (which I can see doesn’t match the Info.plist of the installed app) and then rearchive it somehow. Maybe using the Intuneapputil program…
Hey Gavin,
that’s a good question, I didn’t look into this until now. Probably there is a way, as the .intunemac is using the same approach, but I can’t give you exact advice here as I didn’t look into it. If I find some time I will look into it, but I can’t promise when this will happen.
best,
Oliver
Oliver, thank you for your contribution. It’s exactly what I’m looking for. I created an intunewin. I now need to modify a script within it and update it. Unfortunately, and highly uncharacteristic of me, I have misplaced the source. Looking at your script in action above, I see you are running a POSH script. Could you possibly share that source? I’m not sure how I can pass it as a parameter for instant decryption and download.
Much Appreciated
Hey Oscar,
I’m running this script here: https://github.com/okieselbach/Intune/blob/master/Get-DecryptInfoFromSideCarLogFiles.ps1, the one shown in the blog post. I uncommented the line below # optional call: to directly call my small program and run the decode. But this is not necessary. You can simply run the script and get the URL for download, the Key and the IV. This info can be passed to my program just by calling IntuneWinAppUtilDecoder URL /key: /iv:
best,
Oliver
Thank you so much for the quick reply. Much appreciated. I will re-look at the blog I think I may have missed that part.
Oscar
Hi Oliver,
I managed to get the URL and managed to download the *.intunewin.bin file. However, when I’m trying to decode (without the /silent parameter) it gives me this message: “End of Central Directory record could not be found.”… I can decode other .intunewin files though that I recently created on my device.
Thanks in advance.
Hi Oliver,
Is the script “Get-DecryptInfoFromSideCarLogFiles.ps1” still working? I’m not able to decode at all or I am missing something :).
Regards
Hey NickOff,
It is working for me. Are you sure you have entries in the log file regarding downloads and installs? Did you install some apps right before the script execution to produce the log entries?
Best,
Oliver
Hey Oliver,
Yes, there are entries in the logs and I am able to download the file as well, but the problem is I can’t decode it.
URL: http://swdb02.manage.microsoft.com/3737e19c-7772-4a43-8279-c46e40334e9f/0f011e1c-0733-4140-bc53-a118d058c681/17c1ac20-db69-4475-9333-241ed1248feb.intunewin.bin
Key: p5ZzPOOTTuUH6sK0p8sg1vfje0fa15XagjMbRutp9aM=
IV: jaZVfrVnrb3zW/Vf3tm0NA==
Regards
hi,
I get this error when I run the script.
Expand-7Zip : Invalid archive: open/read error! Is it encrypted and a wrong password was provided?
If your archive is an exotic one, it is possible that SevenZipSharp has no signature for its format and thus decided it is TAR by mistake.
At C:\Temp\Source\DownloadinstalledApps.ps1:42 char:9
+ Expand-7Zip -ArchiveFileName $destinationFile -TargetPath “$o …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (SevenZip4PowerS…ip+ExpandWorker:ExpandWorker) [Expand-7Zip], SevenZipArchiveException
+ FullyQualifiedErrorId : err01,SevenZip4PowerShell.Expand7Zip
Any help would be appreciated.
Hey Engin,
I’m sorry, but if you look at my script (https://github.com/okieselbach/Intune/blob/master/Get-DecryptInfoFromSideCarLogFiles.ps1) it doesn’t have any Expand-7Zip function in it. I think you may have modified it yourself or have a modified version from someone. It is not my script :-). So, I’m not aware what your script is doing and why it actually fails.
best,
Oliver
Thank you so much!! Works like a charm. One small note: Windows renames the log file you mentioned after a while, in my case to IntuneManagementExtension-20210629-155749.log, so IntuneManagementExtension.log does not have the information at that point. Remove the app, restart the Microsoft Intune Management Extension service, the app will be pushed again (if applicable), then IntuneManagementExtension.log can be used again.
The Decrypt function seems to be broken in Windows 10 21H1. The machine is joined to AAD and logged into with an AzureAd account, installing applications from the Company Store correctly, but when I run the script I get the following:
###——————-###
Exception calling “Decode” with “1” argument(s): “ASN1 unexpected end of data.
”
At C:\Temp\Company Portal\Get-DecryptInfoFromSideCarLogFiles.ps1:20 char:5
+ $envelopedCms.Decode($content)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : CryptographicException
Exception calling “Decrypt” with “1” argument(s): “Exception of type ‘System.InvalidOperationException’ was thrown.”
At C:\Temp\Company Portal\Get-DecryptInfoFromSideCarLogFiles.ps1:21 char:5
+ $envelopedCms.Decrypt($certCollection)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : InvalidOperationException
###——————-###
###——————-###
$envelopedCms
Version : 0
ContentInfo : System.Security.Cryptography.Pkcs.ContentInfo
ContentEncryptionAlgorithm : System.Security.Cryptography.Pkcs.AlgorithmIdentifier
Certificates : {}
UnprotectedAttributes : {}
RecipientInfos : {}
###——————-###
It looks like the script can’t find the certificate on your device. I tested it on my device and it is still working. Are you running the script from an elevated command prompt? Did you try to run it from admin and user context for verification?
Yeah, it’s definitely elevated, and running under the context of the AzureAd user. It’s a strange one!
Same error as arejaytee for me as well.
Are you running the script from an AADJ device? It needs to be a device joined to the same Intune tenant. Otherwise you will not have access to the required certificates on the device to do the decryption.
It seems that the format in the log file changed completely.
In the past it worked for us but now it’s not working anymore.
As defined in the script, the payload information is not present in the log line, and before that the line itself changed.
In the script the line is getting a { and } but it’s not recognized as JSON format.
Is there an update, or did Microsoft change the whole way?
Hi MKrone,
I did some research and MS changed the content which is logged. The relevant information is not in the logs anymore. I’ll do some research on whether I can get it somehow elsewhere, but this needs way more work to achieve.
best,
Oliver