
Publish store command

Deploy an app from the Microsoft Store to Intune

Publish store command by ID
wintuner publish store --id {packageId}


Publish store command sample
wintuner publish store --search {packageId}

App Parameter

Use one of these methods to specify the correct package. Either look up the ID up front and use that, or use the search feature, which picks the first result.

--id {storeId} | Store ID | Deploy the app with this ID
--search {query} | Search string | Search the store for a package and deploy the first one found.

Find the ID with WinGet (Windows Only)
winget search "{query}" --source MsStore


--tenant {tenantId} | Tenant ID | Use this tenant to connect to Intune.
--username {username} | Username | Use this username to connect to Intune.
--token {token} | Token | Use this token to connect to Intune.
--category {category} | Category | Add this app to a pre-existing category in Intune, see category
--available {id} | Available to | Assign this app to a group, see assignments
--required {id} | Required for | Assign this app to a group, see assignments
--uninstall {id} | Uninstall for | Assign this app to a group, see assignments
--verbose | Verbose logging | Super verbose logging, might help figuring out problems.
--json | Json logging | Outputs all logging as Json, separated by platform line ending \r\n on Windows and \n on unix.


To deploy a package to Intune, this app has to authenticate with the correct permissions. You have these options:

  1. Interactive authentication using the built-in native authentication method (default).
  2. Using a token you got from another source, with --token {token}.
  3. Using managed identities is on the roadmap.

Single sign on

If you set the --username {username} parameter, you're asked to log in once. After that the tokens are saved locally and can be used for several days without you having to log in again.

Using SSO with home tenant
wintuner publish store ... --username "{user}@{domain}" 

Using just the --username parameter will connect to Intune using your home tenant. You can connect to a different tenant by specifying it with --tenant {tenant} (if you have guest access and the correct permissions, of course).

Do not elevate PowerShell as admin

There is absolutely no need to run this app as an administrator, and it might even cause problems. So please run this command in a normal PowerShell window. Running as admin will cause the authentication window to not show up. The interactive authentication prompt will let you pick an account, and there you can pick or enter your admin account.


In Intune you can organize applications in categories. These are created automatically, and the portal doesn't support creating additional ones.

With the --category "{categoryName}" parameter you can make sure the application is added to that category. This parameter can be specified multiple times for more categories.

Add app to category
wintuner publish store ... --category "Productivity" 


You can assign the application immediately after publishing. This is useful for automation, or if you know up front which groups an app has to be assigned to.

You can use these parameters:

  • --available {id} To make an app available to a group
  • --required {id} To make an app required for a group
  • --uninstall {id} To have a group uninstall an app

The {id} can either be a Guid of a group in Entra ID or allusers to use the special group All Users or alldevices to use the special group All Devices.

Quotes around ID

Guids are not recognized correctly, so you have to put double quotes around them.

Assign app to groupId
wintuner publish store ... --available "784d7b63-82db-4779-a1d8-1bce1ca5bd90" 

You can use all these parameters in the same command and multiple times.
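
For automation, an added example (not from the WinTuner documentation or code base): a POSIX shell wrapper that checks every assignment {id} against the forms listed above before combining --category and several assignments in one call. The function names, the WINTUNER and PUBLISH_TOKEN variables and the store ID used with it are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not WinTuner's own code: validate assignment targets, then
# run one `wintuner publish store` call that combines the options above.

# True if $1 is an {id} the page allows: a group Guid, allusers or alldevices.
is_assignment_target() {
  case $1 in
    allusers|alldevices) return 0 ;;
    *[!0-9A-Fa-f-]*) return 1 ;;   # anything but hex digits and hyphens
  esac
  printf '%s\n' "$1" |
    grep -Eq '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$'
}

# Usage: publish_store STORE_ID CATEGORY [available|required|uninstall ID]...
# WINTUNER (binary to run) and PUBLISH_TOKEN are this script's own variable
# names (assumptions); the token is passed with the documented --token option.
publish_store() {
  [ $# -ge 2 ] || { echo "usage: publish_store STORE_ID CATEGORY [INTENT ID]..." >&2; return 2; }
  store_id=$1 category=$2
  shift 2
  pairs=$#
  [ $((pairs % 2)) -eq 0 ] || { echo "intent without a target" >&2; return 2; }
  # Append the fixed arguments behind the pairs, then rotate each checked
  # pair to the end so "$@" finishes as the complete argument list.
  set -- "$@" publish store --id "$store_id" --category "$category"
  while [ "$pairs" -gt 0 ]; do
    intent=$1 target=$2
    shift 2
    pairs=$((pairs - 2))
    case $intent in
      available|required|uninstall) ;;
      *) echo "unknown intent: $intent" >&2; return 2 ;;
    esac
    is_assignment_target "$target" ||
      { echo "not a Guid, allusers or alldevices: $target" >&2; return 2; }
    set -- "$@" "--$intent" "$target"
  done
  # Nothing is executed unless every target passed the check above.
  [ -z "${PUBLISH_TOKEN:-}" ] || set -- "$@" --token "$PUBLISH_TOKEN"
  "${WINTUNER:-wintuner}" "$@"
}
```

Called as publish_store "{storeId}" "Productivity" available allusers required "{groupGuid}", it refuses to start wintuner when any target is malformed, so a typo in a group ID fails before anything is sent to Intune.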

Technical description

  1. Lookup details
  2. Download logo
  3. Requests token (interactively, or through silent refresh)
  4. Creates the store app in Intune (with the logo set)
  5. (optionally) Adds the categories and assignments to the app.

See PublishStoreCommand.cs on GitHub.

Works on Linux

This command should work on any platform.