Deploying Line-of-Business (LoB) Apps via Microsoft Intune to Windows Devices
Managed Windows devices may be missing required enterprise applications when no LoB app deployment policy has been configured in Microsoft Intune. Administrators can resolve this by packaging the application as an MSI or .intunewin file, uploading it to the Intune Admin Center, and assigning it to the appropriate Azure AD device or user groups. This guide covers the end-to-end process of packaging, uploading, configuring, and monitoring LoB app deployments at scale.
Indicators
- Managed Windows devices are missing required enterprise applications such as Google Chrome
- Users must manually install applications that should be centrally deployed and managed
- No automated app deployment mechanism is in place for Intune-enrolled devices
- Newly enrolled devices complete provisioning without expected applications present
- IT team lacks a scalable, policy-driven method to push applications to Windows endpoints
Likely causes
- No LoB or Win32 app deployment policy configured in Microsoft Intune
- App package not uploaded to Intune or incorrectly packaged (wrong format)
- Device or user group assignment missing from the app deployment policy
- App installer not in the required .msi or .intunewin format for Intune ingestion
- Intune enrollment completed but app assignment not targeted to the correct Azure AD group
Diagnostic steps
-
Sign in to the Microsoft Intune Admin Center at https://intune.microsoft.com and navigate to Apps > Windows to review existing app assignments and identify any gaps.
-
Download the target application's enterprise installer (e.g., Google Chrome standalone 64-bit MSI from https://chromeenterprise.google/browser/download/). Prefer MSI format where available to simplify Intune ingestion.
-
If the installer is not in .msi format, convert it to .intunewin using the Microsoft Win32 Content Prep Tool: IntuneWinAppUtil.exe -c <source_folder> -s <setup_file> -o <output_folder>. Verify the output .intunewin file is generated without errors.
-
In the Intune Admin Center under Apps > Windows, click '+ Add'. Select 'Line-of-business app' for MSI packages or 'Windows app (Win32)' for .intunewin packages, then upload the prepared installer.
-
Complete the App Information fields: Name, Description, Publisher, App version, and any applicable Category. Click Next to proceed.
-
For Win32 app type, configure the Install command (e.g., msiexec /i GoogleChromeStandaloneEnterprise64.msi /quiet /norestart) and Uninstall command. Set detection rules to verify successful installation (e.g., file or registry key presence).
-
Under Assignments, assign the app to the appropriate Azure AD device or user group. Set assignment type to 'Required' for mandatory deployment or 'Available for enrolled devices' for self-service installation.
-
Review all settings and click Create to publish the app policy. Monitor deployment status under Apps > Monitor > App install status, filtering by the app name to identify successful and failed device deployments.
Resolution path
- Identify the required enterprise application and download the appropriate installer package (MSI preferred for simplicity)
- If the installer is not MSI, convert it to .intunewin format using the Microsoft Win32 Content Prep Tool
- Log into the Microsoft Intune Admin Center (https://intune.microsoft.com) and navigate to Apps > Windows > + Add
- Select the correct app type — 'Line-of-business app' for MSI or 'Windows app (Win32)' for .intunewin — and upload the package
- Complete all required app metadata fields (Name, Description, Publisher, Version)
- For Win32 apps, configure install/uninstall command lines and detection rules to confirm successful deployment
- Under Assignments, target the app to the relevant Azure AD device or user group with intent set to 'Required' or 'Available'
- Review, save, and publish the app policy
- Monitor deployment progress and failed installations via Apps > Monitor > App install status in the Intune Admin Center
Prevention
- Maintain a documented inventory of all required enterprise applications and their current Intune deployment and version status
- Use Azure AD dynamic device groups to automatically include newly enrolled devices in relevant app assignment groups
- Standardize all LoB app deployments on MSI or properly wrapped Win32 (.intunewin) packages to ensure consistent Intune compatibility
- Establish a process to update app packages in Intune whenever new application versions are released
- Test all new app deployments against a scoped pilot group before rolling out organisation-wide
- Enable Intune reporting and configure alerts to proactively detect and respond to deployment failures
- Document and store install, uninstall, and detection rule parameters for every managed application in the IT knowledge base
Tools
- Microsoft Intune Admin Center (https://intune.microsoft.com)
- Microsoft Win32 Content Prep Tool (IntuneWinAppUtil.exe — https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool)
- Google Chrome Enterprise MSI Installer (https://chromeenterprise.google/browser/download/)
- Azure Active Directory (for device and user group targeting)
- PowerShell (for advanced packaging validation or scripted detection rules)
- Microsoft Endpoint Configuration Manager (optional, for co-managed environments)
References
- How to Install Chrome or Any Line of Business App on Intune Enrolled Windows Devices — wintips.org
- Microsoft Intune Documentation — Add a Windows line-of-business app
- Microsoft Intune Documentation — Add and assign Win32 apps
- Microsoft Win32 Content Prep Tool — GitHub
- Google Chrome Enterprise Browser Download