The new Intune Win32 app management is a great way to deploy Win32 apps with Microsoft Intune. Imagine you have a kind of source share for all the .intunewin files you have created. At some point in time you like to modify a package but you do not have the source files right now, only the .intunwin package. Wouldn’t it be nice to convert the .intunewin package back to an unencrypted package? Additionally what is if you lost your complete sources, can we get them back directly from the Intune tenant?

As a quick reminder, the packaging workflow is like this:

  1. Compressing the source folder of the Win32 apps and its files to a sub folder ‘Contents’ with the new extension .intunewin
  2. Encrypting the compressed file
  3. Computing a SHA265 hash
  4. Generating a detection.xml file in a sub folder ‘Metadata’
  5. Compressing complete working folder and create again an .intunewin file

As described in a post here “Part 3, Deep dive Microsoft Intune Management Extension – Win32 apps” the portal and the Intune service gets all necessary information from the detection.xml file to deal with the Win32 app. The EncryptionInfo in the detection.xml file is stored with your Intune tenant to gain access to the uploaded encrypted .intunewin package. The encrypted .intunewin (located in the contents folder) can be distributed safely by Microsoft to the Intune back-end services responsible for content distribution without getting exposed to others, only the tenant who uploaded the file has the EncryptionInfo and can decrypt the file. The clients will get this information also when they are requesting Win32 apps for installation via policy.

If we try to open the inner encrypted .intunewin file with 7-Zip, it is expected to be not working. We will see the following error message:

I’m using the fact that the encryption information is stored along with the package before uploading. As long as this information is available we can make use of it. I wrote a small .net tool “IntuneWinAppUtilDecoder” to extract the .intunewin file content, read the EncryptionInfo from the detection.xml file to get the encryption key and initialization vector and decrypt the inner .intunewin package from the contents folder back to an unencrypted .intunewin package. Et voila – we have an unencrypted .intunewin.decoded file, which we can open with our favorite archiver like 7-Zip.

The IntuneWinAppUtilDecoder is available on my GitHub account here:

https://github.com/okieselbach/Intune/tree/master/IntuneWinAppUtilDecoder

The direct download link to the zipped binary file is here.

Let’s have a look how the tool looks like when running. The command line utility is pretty simple to use, just point to the path of the .intunewin file and optionally you can run it in silent mode to prevent output. If you already have the encrypted .intunewin, and the encryption key, and the Initialization Vector you can provide these information on the command line as well:

IntuneWinAppUtilDecoder.exe <FullPathToIntunewinFile> [/s | /silent]
[/key:base64encodedKey /iv:base64encodedIV]

In my following example I’m decrypting an Adobe Acrobat Reader DC package:

As you can see the tool will ask for any overwrite and cleanup of extracted files before proceeding. Sometimes it is useful to keep the extracted content for further inspection. For easy proceeding just hit enter and let the tool do the cleanup of the extracted .intunewin content. After successful decryption we have now an additional .intunewin.decoded file in the same directory as the original .intunewin file:

This .decoded file can be opened with 7-Zip and easily extracted and here we have back the original sources:

When running the tool in silent mode /silent it will not ask for overwrite or cleanup, the overwrite of existing .decoded file and the cleanup of the extracted files is always done in silent mode.

How to get the sources back from the Intune tenant directly?

I discovered that all relevant download and decryption information to get the sources back from your tenant are in the regular log files of the Intune Management Agent here:
C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log.

So I wrote a small PowerShell script to parse the logfile and extract all relevant information of the already installed .intunewin files (otherwise we would not have the log file entry :-)). This is an example of that log file entry:

<![LOG[Get content info from service,ret = {
"odata.metadata":"https://fef.msub03.manage.microsoft.com/SideCar/StatelessSideCarGatewayService/$metadata#SideCarGatewaySessions/@Element","odata.id":...
LOG]!>

Basically I’m searching for this particular log entry which I then decode with the certificates on the device as they include decryption information of the installed .intunewin file. The installed .intunewin file is encrypted and can only be decrypted by your device with the right certificate. The log entry does include the download location also. It would be possible to write a tool to request the file from Intune directly to get to this information but in fact then I would write lots of the parts of the agent my self again. Getting tokens for requests, dealing with discovery, decryption, etc. So I decided to not do that and let the agent to its job and grab the necessary information from the log files. In case of missing entries you can simply enroll a device and install all software via Company Portal on it to get all log entries and then parse this info for further usage.

So in the log entry we have everything we need. If we run the script provided below on an Azure AD joined device with Intune enrollment you can successfully decrypt the encryption information which you get from the Intune GatewayService to decrypt and download the encrypted .intunewin file. The agent itself does nothing else during a normal install. It requests a policy which includes the package info, content info and decryption info. I decode this as well and provide it as plain text to you, or we can simply pass this to the IntuneWinUtilDecoder as parameters for instant decryption.

The script can also be found on my GitHub account here:

https://github.com/okieselbach/Intune/blob/master/Get-DecryptInfoFromSideCarLogFiles.ps1

Here the script in action, downloading an app discovered in the log entry (yellow is the download URL, cyan is the encryption info highlighted) and in the end decoding it:

I hope this small utility and script is as useful for you as for me as I deal with a lot of test deployments in my lab and miss from time to time my source files. With the IntuneWinAppUtilDecoder and the script I’m now able to simply extract my source files again in any case.

Have fun at decrypting 🙂 your .intunewin files!

(1631)

There are no comments.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.