There is currently a lot going on in the app deployment of Windows management with Intune. The new Microsoft Store came up, together with an integration to Intune. Simultaneously the Windows Packager Manager (winget) starts to find more establishment with these topics.

This is a write-up to my experience and some advice I can give, yet. If you have any inputs, please let me know.

Summarized notes

  • Microsoft Store for Business is deprecated by Q1 2023
  • The new Microsoft Store is the successor that is a general store experience for consumer and enterprises
  • With this topic the integration with winget came up, but these are generally separate topics
  • The new Store experience in Intune leverages winget to install apps on endpoints
  • Winget is the client interface to the Windows Package Manager service based on command line
  • Winget can install apps from multiple sources, including the public repository the new Microsoft Store, private app repositories are also possible
  • This is the public repository from winget where vendors and publishers as well as the community can sumbit packages and manifests
  • End-users may install winget apps through the command line on their own when the app comes through the Microsoft Store or is installed in the user profile only (essentially when it wouldn't trigger an UAC admin prompt)
  • This is the official docs on Store group policies > you should only set the Store to private (to prevent end user installations from the store), but not block it completely, as this would also stop app updates from the store
  • If you only want to disable the winget package source, you should try to disable the EnableDefaultSource setting thorugh OMA-URI - this will also have an impact on the agentexecutor.exe which is leveraged by Intune
    -> The better way to get app execution under control, is to consider AppLocker
  • Limitations: (Micorsoft is already working on it)
    • New Store apps in Intune can't be installed during the enrollment status page (ESP)
    • UWP apps are not supported in the device provisioning (context)
    • Scope tags do not work on the new Store apps (from my experience)
  • App updating is not covered when adding an app through the new Store integration
  • Winget command line tool is supported on Win 10 1709 or later - the first run comes up with a terms of use
  • Here you can also find all winget packages


Here are some basics with winget to understand its essential functionality.


Command Use
winget Show all commands
winget -v Show current installed winget version
winget source Show all sources for winget
-winget / public repo
-msstore / new Microsoft Store
winget settings Reference to the settings - default settings:


Install, upgrade and uninstall app

Command Use More
winget search app name Find an app from the sources
winget list List all installed apps on the local system Supports search for a package: winget list app name
winget install app identifier Install an app
winget upgrade app identifier Lookup for a new version of the app and upgrade to the new version Can upgrade all at once with: winget upgrade --all
winget uninstall app identifier Uninstall an app


App types

In a modern world we encounter the following app types in Intune and Windows:

  • Win32 - custom uploaded apps to Intune (with Content Prep Tool)
  • Microsoft Store app (new) -> in the background winget is always used
    • Universal Windows Platform (UWP) - Store apps
    • Win32 (currently in preview), third party vendors and publishers and the community that add their apps to the Microsoft Store


Log files are created by default when executing commands under:



Add new Store apps

Adding new Store apps to Intune is straightforward:

  1. Go to Intune>Apps>Add

  2. Search for the app by name

If you can't find the app by name, you can search for the packageIdentifier. For this, visit the Microsoft Store Online and search for your app. In the URL you can find the ID, that you can then use to also search apps in Intune.


This equals to the app in Intune:


Hint: here you can find a repository full of app icons.

Transition in Intune

You may ask now, how to make a transition to the new Store and removing the old Store for Business apps from Intune. You need to know:

  • The new Store is the future for app deployment, but at this time there might be some bugs or features are not fully developed
  • Package quality and reliability from third parties is unkown
  • Updating is not covered, when you only add the app (Proactive remediation could regularly run "winget upgrade --all")

My fellow mate Nicola Suter provided some Graph commands to create an assignment report including the app packageIdentifier. (They do not change anything)

Connect to Graph with the right permission scopes. (Verify that the Microsoft.Graph module is installed before)

Connect-Mggraph -Scopes "DeviceManagementApps.Read.All"

Get all assigned Microsoft Store for Business apps.

$apps = Get-MgDeviceAppMgtMobileApp -Filter "isOf('microsoft.graph.microsoftStoreForBusinessApp')" -ExpandProperty "assignments" -All | Where-Object {$_.Assignments.Count -gt 0}

Extract the packageIdentifier (which is used to uniquely identify an app).

$apps | ForEach-Object { "$($_.displayname) `t" + $_.AdditionalProperties["productKey"].Split("/")[0]}

Now take a look at the variable.


This should look like: (left side = app name, right side = packageIdentifier)


This post was written in December 2022 and contents may change as there is development in the background happening and we are still gaining experience.

Other sources

Endpoint Management with Microsoft Intune
Ever wanted a full tutorial how to deal with Microsoft Autopilot Intune Technology? Well here it is!
You’ve successfully subscribed to Oceanleaf
Welcome back! You’ve successfully signed in.
Great! You’ve successfully signed up.
Your link has expired
Success! Check your email for magic link to sign-in.