π§ͺ Test your Intune Win32 app deployment packages locally using Windows Sandbox before deploying to production.
A PowerShell module that enables you to pack and test Win32 Content Prep Tool packages (.intunewin) in an isolated Windows Sandbox environmentβno need to deploy to actual devices during development.
- One-click packaging β Right-click any folder to create
.intunewinpackages - Isolated testing β Run packages in Windows Sandbox without affecting your system
- SYSTEM context execution β Scripts run as SYSTEM user, mimicking real Intune deployments
- PSADT support β Automatic detection of PowerShell App Deployment Toolkit (v3 & v4) packages
- Exit code capture β Retrieve
$LASTEXITCODEfrom script execution for validation - Toast notifications β Visual progress feedback inside the Sandbox
- Windows 10/11 Pro, Enterprise, or Education
- PowerShell 5.1 or later
- Administrator privileges
- Windows Sandbox feature (will be enabled automatically if not already)
Install-Module -Name Intune-App-SandboxRun the setup wizard to configure context menu integration:
Add-SandboxShellThis will:
- Enable the Windows Sandbox feature (if needed)
- Create the operating folder at
C:\SandboxEnvironment - Download the latest
IntuneWinAppUtil.exefrom Microsoft - Add right-click context menu options
You can choose which context menu items to install:
| Option | Description |
|---|---|
| Run test in Sandbox | Test .intunewin files in Windows Sandbox |
| Pack with IntunewinUtil | Package folders into .intunewin format |
| Both | Install both options (recommended) |
Update-Module -Name Intune-App-Sandbox
Update-SandboxShell-
Create a folder with the same name as your install script:
π Install-VSCode/ π Install-VSCode.ps1 π VSCodeSetup.exe π config.json -
Right-click the folder β Pack with IntunewinUtil
-
The
.intunewinfile is created in the same folder
-
Right-click the
.intunewinfile β Run test in Sandbox -
Windows Sandbox launches and executes your script as SYSTEM
-
Review the results in the Sandbox environment
The module automatically detects PowerShell App Deployment Toolkit packages:
| Package Type | Detection | Setup File |
|---|---|---|
| PSADT v3 | Folder name contains PSADT |
Deploy-Application.exe |
| PSADT v4 | Folder name contains PSADTv4 |
Invoke-AppDeployToolkit.exe |
| Standard | Any other folder | <FolderName>.ps1 |
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β HOST MACHINE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Right-click .intunewin β
β β β
β βΌ β
β βββββββββββββββββββ ββββββββββββββββββββββββββββββββββββ β
β β Invoke-Test.ps1 βββββΆβ Generate .wsb configuration file β β
β βββββββββββββββββββ ββββββββββββββββββββββββββββββββββββ β
β β β
β ββββββββββββββββββββββββββββ β
β βΌ β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β WINDOWS SANDBOX ββ
β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ
β β β 1. Decode .intunewin using IntuneWinAppUtilDecoder β ββ
β β β 2. Extract package contents to C:\Temp β ββ
β β β 3. Create scheduled task running as SYSTEM β ββ
β β β 4. Execute install script β ββ
β β β 5. Capture $LASTEXITCODE to file β ββ
β β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββ ββ
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
A .wsb file is dynamically generated with:
<Configuration>
<VGpu>Enable</VGpu>
<Networking>Enable</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Path\To\Your\Package</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
<MappedFolder>
<HostFolder>C:\SandboxEnvironment\bin</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>powershell.exe -WindowStyle Hidden -noprofile -executionpolicy bypass -Command ...</Command>
</LogonCommand>
</Configuration>The module uses a scheduled task to run scripts as the SYSTEM userβthe same context Intune uses for Win32 app deployments:
# Nested PowerShell captures exit code
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
-Argument '-ex bypass "powershell {& C:\Temp\Install.ps1};New-Item C:\Temp\$Lastexitcode.code -force"'This nested approach ensures $LASTEXITCODE is captured correctly and saved to a file for verification.
C:\SandboxEnvironment\
βββ bin\
βββ IntuneWinAppUtil.exe # Microsoft Win32 Content Prep Tool
βββ IntuneWinAppUtilDecoder.exe # Package decoder for Sandbox
βββ Invoke-IntunewinUtil.ps1 # Packing script
βββ Invoke-Test.ps1 # Test orchestration script
βββ New-WSBConfig.ps1 # Sandbox config generator
βββ New-LogonScriptContent.ps1 # Logon script generator
βββ New-ToastNotification.ps1 # Toast notification helper
βββ toast.xml # Toast notification template
| Issue | Solution |
|---|---|
| Context menu not appearing | Run Add-SandboxShell as Administrator |
| Sandbox won't start | Ensure Windows Sandbox feature is enabled |
| Package fails to decode | Verify the .intunewin file is not corrupted |
| Script not executing | Check that folder name matches script name |
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.
Maciej Horbacz (@UniverseCitiz3n)
β If this project helps you, consider giving it a star!
