Skip to main content

Publish command

Deploy a packaged app to Intune

Publish command sample
wintuner publish {packageId} --package-folder {root-package-folder}


Publish Oh My Posh to Intune
wintuner publish JanDeDobbeleer.OhMyPosh --package-folder C:\Packages


{packageId}Package idWhat is the package id?
--package-folder {folder}Root folderRoot folder where the desirect folder structure should be created.
-v {version} / --version {version}Package versionWhich version should be used? Exact version, or latest when empty.
--tenant {tenantId}Tenant IDUse this tenant to connect to Intune.
--username {username}UsernameUse this username to connect to Intune.
--token {token}TokenUse this token to connect to Intune.
--category {category}CategoryAdd this app to a pre-existing category in Intune, see category
--available {id}Available toAssign this app to a group, see assignments
--required {id}Required forAssign this app to a group, see assignments
--uninstall {id}Uninstall forAssign this app to a group, see assignments
--verboseVerbose loggingSuper verbose logging, might help figuring out problems.
--jsonJson loggingOutputs all logging as Json, separated by platform line ending \r\n on Windows and \n on unix.
Package folder

This command expects the following folder structure {package-folder}\{package-id}\{version}, so make sure you use the same package folder as you did for packaging.


To deploy a package to Intune this app has to authenticate with the correct permissions. You have these options:

  1. Interactive authentication using the built-in native authentication method default.
  2. Using a token you got from another source --token {token}.
  3. Using managed identities is on the roadmap.
Single sign on

If you set the --username {username} parameter you're asked to login once, after that the tokens are saved locally and can be used for several days without you having to login again.

Using sso with home tenant
wintuner publish ... --username "{user}@{domain}" 

Using just the --username parameter will connect to Intune using your home tenant. You can connect to a different tenant by specifying it --tenant {tenant} (if you have guest access and the correct permissions, off course).

Do not elevate PowerShell as admin

There is absolutely no need to run this app as an administrator, and it might even cause problems. So please run this command in a normal PowerShell window. Running as admin will cause the authentication window to not show up. The interactive authentication prompt will let you pick an account, and there you can pick or enter your admin account.


In Intune you can organize applications in categories, these are created automatically. And the portal doesn't support creating additional once.

With the --category "{categoryName}" parameter you can make sure the application is added to that category. This parameter can be specified multiple times for more categories.

Add app to category
wintuner publish ... --category "Productivity" 


You can assign the application immediatly after publishing. This is useful for automation or if you know to which groups an app has to be assign up front.

You can use these parameters:

  • --available {id} To make an app available to a group
  • --required {id} To make an app required for a group
  • --uninstall {id} To make have a group uninstall an app

The {id} can either be a Guid of a group in Entra ID or allusers to use the special group All Users or alldevices to use the special group All Devices.

Quotes around ID

Guids are not be recognized correctly, so you have to put double quotes around them.

Assign app to groupId
wintuner publish ... --available "784d7b63-82db-4779-a1d8-1bce1ca5bd90" 

You can use all these paramters in the same command and multiple times.

Auto package

Instead of packaging and then publishing, you can also combine these steps into a single command by adding --auto-package. This also means you can set the following parameters.

Publish Oh My Posh to Intune with auto package
wintuner publish JanDeDobbeleer.OhMyPosh --package-folder C:\Packages --auto-package
--architecture {arg}Specify architectureArm64 or X64 (default) or X86
--installer-context {ctx}Specify installer contextSystem or User (default)
--use-wingetUse WingetUse Winget instead of the open-source index (windows only)

Technical description

  1. Discover latest version of package when no version is specified using the open-source index
  2. Packages the app (if --auto-package is added).
  3. Load data from app.json in version specific folder.
  4. Requests token (interactively, or through silent refresh)
  5. Creates the app in Intune
  6. Creates a content version, and a file reference.
  7. Uploads the file to provided Azure Storage link, with ChunkedFileUpload.
  8. "Commits" the uploaded file (the HMAC and encryption keys are send to Intune and validated by Micrososft, to prevent tempering).
  9. Updates the app with the just created content version.
  10. (optionally) Adds the categories and assignments to the app.

See PublishCommand.cs on GitHub.

Works on Linux

This command should work on any platform, except when you use the --use-winget option.