How to decode Intune Win32 App Packages

The new Intune Win32 app management is a great way to deploy Win32 apps with Microsoft Intune. Imagine you have a kind of source share for all the .intunewin files you have created. At some point in time you like to modify a package but you do not have the source files right now, only the .intunwin package. Wouldn’t it be nice to convert the .intunewin package back to an unencrypted package? Additionally what is if you lost your complete sources, can we get them back directly from the Intune tenant?

As a quick reminder, the packaging workflow is like this:

  1. Compressing the source folder of the Win32 app and its files into a sub folder ‘Contents’ with the new extension .intunewin
  2. Encrypting the compressed file
  3. Computing a SHA256 hash
  4. Generating a detection.xml file in a sub folder ‘Metadata’
  5. Compressing the complete working folder and creating again an .intunewin file

[Figure: .intunewin compressed file – internal folder structure]

As described in my previous post “Part 3, Deep dive Microsoft Intune Management Extension – Win32 apps”, the portal and the Intune service get all necessary information from the detection.xml file to deal with the Win32 app. The EncryptionInfo from the detection.xml file is stored with your Intune tenant to gain access to the uploaded encrypted .intunewin package. The encrypted .intunewin (located in the Contents folder) can be distributed safely by Microsoft to the Intune back-end services responsible for content distribution without being exposed to others; only the tenant who uploaded the file has the EncryptionInfo and can decrypt the file. The clients also get this information when they request Win32 apps for installation via policy.

If we try to open the inner encrypted .intunewin file with 7-Zip, it is expected not to work. We will see the following error message:

I’m using the fact that the encryption information is stored along with the package before uploading. As long as this information is available we can make use of it. I wrote a small .NET tool “IntuneWinAppUtilDecoder” to extract the .intunewin file content, read the EncryptionInfo from the detection.xml file to get the encryption key and initialization vector, and decrypt the inner .intunewin package from the Contents folder back to an unencrypted .intunewin package. Et voilà – we have an unencrypted .intunewin.decoded file, which we can open with our favorite archiver like 7-Zip.

The IntuneWinAppUtilDecoder is available on my GitHub account here:

https://github.com/okieselbach/Intune/tree/master/IntuneWinAppUtilDecoder

The direct download link to the zipped binary file is here.

Let’s have a look at how the tool looks when running. The command line utility is pretty simple to use: just point it to the path of the .intunewin file, and optionally run it in silent mode to suppress output. If you already have the encrypted .intunewin, the encryption key and the initialization vector, you can provide this information on the command line as well:

IntuneWinAppUtilDecoder.exe <FullPathToIntunewinFile> [/s | /silent]
[/key:base64encodedKey /iv:base64encodedIV]
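As an added example (not the IntuneWinAppUtilDecoder source and not the post’s own script), the following PowerShell snippet performs the decrypt step described above: it reads the key and IV from the EncryptionInfo in detection.xml and decrypts the inner .intunewin from the Contents folder. It assumes the layout of the encrypted file (a 32-byte HMAC-SHA256, then the 16-byte IV, then AES-CBC ciphertext with PKCS7 padding) and the MacKey/Mac element names, none of which the post itself states; the parameter names are my own.

```powershell
# Added example: decrypt an inner .intunewin with the key/IV from detection.xml.
# Assumed (not stated in the post): file = [32-byte HMAC-SHA256][16-byte IV][AES-CBC data],
# detection.xml carries EncryptionKey, MacKey, InitializationVector and Mac as base64.
param(
    [Parameter(Mandatory)] [string]$DetectionXmlPath,   # ...\Metadata\detection.xml
    [Parameter(Mandatory)] [string]$EncryptedPath,      # ...\Contents\<name>.intunewin
    [Parameter(Mandatory)] [string]$DecodedPath         # output, e.g. <name>.intunewin.decoded
)

[xml]$detection = Get-Content -Path $DetectionXmlPath -Raw
$info   = $detection.ApplicationInfo.EncryptionInfo
$key    = [Convert]::FromBase64String($info.EncryptionKey)
$iv     = [Convert]::FromBase64String($info.InitializationVector)
$macKey = [Convert]::FromBase64String($info.MacKey)

$bytes = [System.IO.File]::ReadAllBytes($EncryptedPath)
if ($bytes.Length -lt 48) { throw "File too short to contain the MAC + IV header" }

# Integrity check before decrypting: recompute the HMAC over everything after
# the stored 32-byte MAC (IV + ciphertext) and compare with the stored value.
$hmac        = [System.Security.Cryptography.HMACSHA256]::new($macKey)
$computedMac = $hmac.ComputeHash($bytes, 32, $bytes.Length - 32)
$storedMac   = [byte[]]$bytes[0..31]
if ([BitConverter]::ToString($computedMac) -ne [BitConverter]::ToString($storedMac)) {
    throw "HMAC mismatch: wrong MacKey or the package was modified"
}

# The IV embedded in the file should be the same one detection.xml carries.
$fileIv = [byte[]]$bytes[32..47]
if ([BitConverter]::ToString($fileIv) -ne [BitConverter]::ToString($iv)) {
    Write-Warning "IV in file differs from detection.xml; using the detection.xml value"
}

# AES-CBC decryption of the payload that follows the 48-byte header.
$aes         = [System.Security.Cryptography.Aes]::Create()
$aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
$aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
$aes.Key     = $key
$aes.IV      = $iv
$decryptor   = $aes.CreateDecryptor()
$plain       = $decryptor.TransformFinalBlock($bytes, 48, $bytes.Length - 48)

[System.IO.File]::WriteAllBytes($DecodedPath, $plain)
Write-Host "Decrypted $($plain.Length) bytes to $DecodedPath (open it with 7-Zip)"
```

Run it against the folder you get after extracting the outer .intunewin with 7-Zip; if the HMAC check fails, the key material does not belong to that package and nothing is written.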

In my following example I’m decrypting an Adobe Acrobat Reader DC package:

As you can see, the tool asks whether to overwrite an existing .decoded file and whether to clean up the extracted files before proceeding. Sometimes it is useful to keep the extracted content for further inspection. To simply proceed, just hit enter and let the tool clean up the extracted .intunewin content. After successful decryption we now have an additional .intunewin.decoded file in the same directory as the original .intunewin file:

This .decoded file can be opened with 7-Zip and easily extracted, and here we have the original sources back:

When running the tool in silent mode (/s or /silent) it will not ask about overwrite or cleanup: an existing .decoded file is always overwritten and the extracted files are always cleaned up.

How to get the sources back from the Intune tenant directly?

I discovered that all relevant download and decryption information needed to get the sources back from your tenant is in the regular log files of the Intune Management Agent here:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log

So I wrote a small PowerShell script to parse the log file and extract all relevant information for the already installed .intunewin files (otherwise we would not have the log file entry :-)). This is an example of such a log file entry:

<![LOG[Get content info from service,ret = {
"odata.metadata":"https://fef.msub03.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/$metadata#SideCarGatewaySessions/@Element","odata.id":...
LOG]!>

Basically I’m searching for this particular log entry, which I then decrypt with the certificates on the device, as it includes the decryption information of the installed .intunewin file. The installed .intunewin file is encrypted and can only be decrypted by your device with the right certificate. The log entry also includes the download location. It would be possible to write a tool that requests the file from Intune directly to get this information, but then I would be rewriting large parts of the agent myself: getting tokens for requests, dealing with discovery, decryption, etc. So I decided not to do that and instead let the agent do its job and grab the necessary information from the log files. In case of missing entries you can simply enroll a device, install all software on it via Company Portal to get all log entries, and then parse this info for further usage.

So in the log entry we have everything we need. If we run the script provided below on an Azure AD joined device with Intune enrollment, we can successfully decrypt the encryption information received from the Intune GatewayService and use it to download and decrypt the encrypted .intunewin file. The agent itself does nothing else during a normal install: it requests a policy which includes the package info, content info and decryption info. The script decodes this as well and provides it as plain text, or we can simply pass it to the IntuneWinAppUtilDecoder as parameters for instant decryption.

The script can also be found on my GitHub account here: https://github.com/okieselbach/Intune/blob/master/Get-DecryptInfoFromSideCarLogFiles.ps1

Here is the script in action, downloading an app discovered in the log entry (the download URL is highlighted in yellow, the encryption info in cyan) and decoding it in the end:

I hope this small utility and script are as useful for you as they are for me, as I deal with a lot of test deployments in my lab and from time to time miss my source files. With the IntuneWinAppUtilDecoder and the script I’m now able to simply extract my source files again in any case.

Have fun at decrypting 🙂 your .intunewin files!

4 thoughts on “How to decode Intune Win32 App Packages”

  1. First of all, best wishes for 2019 and keep up the blogging!

    Very nice tool and very handy.
    Do you know a way to download an intunewin or msi package from Intune? Let's say we uploaded an msi or intunewin but do not have the sources anymore?

    1. Thx Rkast,

      there is a way to get the content where the agent is downloading the content, look at the log files there you find an entry [Win32App DO] start creating a new download job, FileId=… and there is a download URL for the file but this is the encrypted only .intunewin. So you don’t have the encryption information then to decrypt the file. The encryption info is somewhere in the transferred policy but I didn’t research this to get to this information but it should be possible as the agent itself needs this information so there is for sure a way to get to this information also.

      best,
      Oliver

    2. Hi Rkast,

      I did an update to my solution to cover your ask now :-). I parse the Intune Management Agent log file for the original download URL and decryption information of the intunewin package (which are included in an encrypted form), decrypt the decryption info via device certificate and decode the downloaded encrypted .intunewin file. I used the log file info so I do not have to deal with talking to the Intune gateway service myself. I let the IME do that and grab the info after that from the log file.

      best,
      Oliver

  2. Thanks Oliver! That's really helpful. This way we can download older packages and reuse them. Good find and thanks for updating and sharing.
