Blog Post

Core Infrastructure and Security Blog
4 MIN READ

Installing Offline Microsoft Store Apps with Intune for Intune Government Customers

ChrisVetter's avatar
ChrisVetter
Icon for Microsoft rankMicrosoft
Nov 27, 2024

Updating the built-in store applications on windows has always been more of a challenge for government environments. This blog will help you accomplish the task with Microsoft Intune

Hey everyone, Chris Vetter Sr. Cloud Solution Architect at Microsoft. 

As organizations strive to enhance their digital workplace, the need for seamless app deployment and management becomes more critical. For government entities using an Intune Government Subscription, installing Offline Microsoft Store Apps can present unique challenges and opportunities. This blog post aims to provide a step-by-step guide to help you navigate this process efficiently.

Why Choose Offline Microsoft Store Apps?

Offline Microsoft Store Apps offer several benefits, especially for government entities that require stringent security and compliance measures:

  • Enhanced Security: Offline apps are not dependent on an internet connection, significantly reducing the risk of external threats.
  • Controlled Deployment: Admins have full control over the app versions being deployed, ensuring that all devices are running the same, tested software.
  • Compliance: Many government organizations have policies that restrict internet access, making offline apps a viable solution.
Prerequisites

Before you begin, make sure you have the following prerequisites:

  • An active Microsoft Intune subscription
  • Administrative access to Microsoft Intune
  • Access to the download offline apps with Windows Package Manager (Winget)

Step-by-Step Guide

  1. Acquiring Offline Apps

The Microsoft Store for Business/Education was officially retired on August 15th, 2024, and can no longer be accessed for downloading the offline app packages and their dependencies. The current method to obtain the files is with Windows Package Manager (Winget tool). I am not covering this process in this blog as there are other helpful articles on this which I will link at the bottom of this blog.

  1. Downloading the App Package and License

Download the app package (in .APPX or .MSIX format) and the corresponding license file. Make sure to store these files in a secure location, as they are required during the Intune deployment process. As of this writing Intune does not have any built-in method to deploy the license so your targeted endpoints will need to be able to reach out to the Microsoft license server to retrieve the license. For this article, I will be using “Company Portal” as the LOB App. Below is a sample of my Winget to download the files and what the downloaded files should look like after a successful download.

"Winget download --name "Company Portal" --architecture x64 --accept-package-agreements --accept-source-agreements --authentication-account <Account with Proper Role Assigned>"

 

 

 

As for this writing I know version 11.2.900.0 is the latest version for Windows 11 so that is the one I will be selecting.

  1. Uploading the App to Intune

Now, log in to the Microsoft Intune admin portal. Navigate to Apps > Windows > Add. Select the option to add a Line-of-business app, as this is the category for offline Microsoft Store apps.

 

 

 

 

 

 

  1. Configuring the App Information

Select the “.AppXBundle” from the downloaded content. You will see a list of dependencies that will need to be uploaded as well. These will be in the dependencies folder in the downloaded content. I specified x64 when I downloaded the content so those are the only dependencies I will have to upload.

 

 

 

Fill in the necessary details such as the app name, publisher, and version. You can also add a description and logo to make the app easily identifiable for end users (*HINT: If you use the –show parameter with Winget it will provide most of the info just like from the store application).

 

 

 

  1. Assigning the App to Devices

Next, assign the proper scope tag (scope tags are necessary for applying RBAC efficiently). Navigate to Assignments and choose the user or device groups that should receive the app. You can configure the deployment to install the app automatically.

 

 

  1. Monitoring the Deployment

After assigning the app, monitor the deployment status in the Microsoft Endpoint Manager admin center. Navigate to Apps > Monitor to check the installation progress and troubleshoot any issues that may arise.

 

 

Best Practices

To ensure smooth deployment, here are some best practices:

  • Test Before Deployment: Always test the app on a few devices before rolling it out organization wide.
  • Regular Updates: Keep track of app updates and new versions to ensure your devices are running the most secure and efficient version.
  • Documentation: Maintain detailed documentation of the deployment process and any issues encountered for future reference.
  • Monitor for new version releases as you will have to repeat this process to update the application
Conclusion

Installing Offline Microsoft Store Apps with Intune for Intune Government customers can streamline app management and enhance security. By following the steps outlined in this guide, you can ensure a smooth and efficient deployment process. Stay proactive in monitoring and updating your apps to maintain a secure and productive digital environment.

Thank you for reading, and happy deploying!

 

Disclaimer

The sample scripts are not supported by any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

 

All screenshots and folder paths are from a non-production lab environment and can/will vary per environment. All processes and directions are of my own opinion and not of Microsoft and are from my years of experience with the Intune product in multiple customer environments.

 

References

Distribute LOB apps to enterprises - Windows apps | Microsoft Learn

Downloading Microsoft Store apps using Windows Package Manager - Microsoft Community Hub

Windows Package Manager | Microsoft Learn

Updated Nov 27, 2024
Version 2.0
ChrisVetter
No CommentsBe the first to comment