Intune: Deploy Apps with PowerShell

Key insights

• New PowerShell installer — Intune now lets you upload a separate PowerShell script as the Win32 app installer instead of embedding the script inside the .intunewin package.
  You still upload the .intunewin for static content, but the .ps1 runs from app metadata at install time.
• No repackaging — Edit and reupload the script without rebuilding the entire IntuneWin package to fix or tune installs.
  This cuts packaging time and removes a common source of deployment friction.
• How to add — In the Intune admin center go to Apps > Windows > Add > Windows app (Win32), upload the .intunewin, then choose the PowerShell script option in the Program section and upload or edit the .ps1.
  Define detection rules, uninstall commands, and assignments as you normally would.
• Execution behavior — The Intune Management Extension downloads app metadata, writes the script to disk, and runs it in the chosen context (system or user).
  Intune treats the script result by return code, runs silently, enforces a timeout (about 30 minutes), and retries on IME check-ins if needed.
• Script requirements — Scripts must run silently, return appropriate exit codes, and stay within the portal size limit (commonly cited as 50 KB; some reports mention higher limits, so confirm current limits in your tenant).
  Design scripts for both system and user contexts and avoid interactive prompts.
• Use cases and notes — Use the feature for complex installs like Chrome with registry tweaks, prerequisite checks, conditional logic, and post-install validation without repackaging.
  Detection, assignments, and uninstall behavior remain the same, and features like Multi-Admin Approval may affect when you can attach scripts.

Quick summary

Dean Ellerby [MVP] published a concise YouTube walkthrough that highlights a small but meaningful change in Microsoft Intune: you can now deploy Win32 apps using a separate PowerShell script uploaded directly in the Intune console. This change means administrators no longer must bundle their installer script inside the IntuneWin package and rewrap the entire payload each time a script tweak is needed. Instead, Intune stores the script as part of the app configuration and executes it via the Intune Management Extension during installation. Consequently, routine script updates become faster and less error-prone.

What changed and why it matters

Previously, any change to an install script required repackaging the entire Win32 payload, which cost time and created friction in testing and iteration. Now, administrators can upload or edit a PowerShell script in the app creation flow and keep static content untouched, allowing fast script-only updates without rebuilding the IntuneWin file. This separation reduces packaging overhead and simplifies complex deployments that rely on conditional logic or frequent updates. Moreover, the workflow preserves the existing detection, assignment, and reporting mechanisms administrators already rely on in the console.

How it works in practice

When you add a Windows app (Win32) in Intune, the new option lets you select a PowerShell script as the installer in the Program section, while still uploading the .intunewin content as usual. The Intune Management Extension downloads the package, extracts metadata, writes the script to disk, and runs it under the chosen context (system or user) with standard execution handling and return-code-based reporting. Detection rules, uninstall commands, assignments, and timeout behaviors remain part of the app configuration so existing deployment controls continue to apply. Administrators will notice that the script becomes visible and editable in the portal, removing the need to touch the binary payload for script changes.

Real-world example and practical steps

In his video, Ellerby demonstrates installing Chrome while applying a registry customization via an uploaded script, which shows the feature’s practical value for real deployments. To replicate that approach, you upload the .intunewin file, choose the PowerShell installer option, and then add a silent script that performs prerequisite checks, executes the installer, and writes detection keys or values. The portal enforces script size and execution constraints, so keep scripts concise, avoid interactive prompts, and exit with standard return codes to indicate success or failure. This pattern supports advanced flows like prechecks, conditional branch logic, and post-install validation without repackaging the full application every time.

Tradeoffs and operational challenges

Although this feature reduces repackaging work, it introduces new tradeoffs that teams must manage. For example, there are script size limits and execution timeouts that can constrain very large installers or long-running sequences, so teams may still need to bundle heavy payloads in the .intunewin and use the script only for orchestration. Additionally, separating scripts from payloads means tighter governance is required: scripts are easier to change, which can speed mistakes to production unless change-control and testing are enforced. Security reviewers will want to validate scripts and, when Multi-Admin Approval is enabled, ensure scripts are added or updated in line with approval policies.

Best practices and recommendations

Administrators should treat the uploaded script as a controlled artifact and adopt source control, testing, and staged rollout processes to limit risk. For reliability, include clear detection rules that match the installed state and build retry logic or idempotent behavior into scripts so repeated runs are safe. Where heavy installers are needed, continue packaging content into the IntuneWin file and use the script primarily for orchestration, configuration, or validation. Finally, monitor installation telemetry and test across contexts (system vs. user) and device states to uncover edge cases early.

Conclusion

Dean Ellerby’s video frames the update as a small UI change with an outsized impact on daily packaging work, which is accurate: removing the need to rewrap every script tweak streamlines maintenance and speeds iteration. However, teams should balance agility with governance, watch for script limits and timeouts, and keep robust testing and detection in place to avoid operational regressions. Overall, the enhancement tightens the gap between packaging and scripting, and it offers a practical way to reduce friction in complex Win32 deployments while retaining familiar Intune controls.

Keywords

New Intune feature, Deploy app with PowerShell, Intune PowerShell deployment, Microsoft Intune PowerShell, Intune app deployment script, Win32 app Intune PowerShell, Automate Intune app deployment, Intune management PowerShell