HomeKb › Intune system vs user context
Knowledge base · Windows

It installs when I run it, but fails from Intune: SYSTEM vs user context

You double-click the installer on a test machine and it works first time. You package it as a Win32 app, deploy it from Intune, and it fails — often with no useful error in the portal. The most common root cause is not the package. It is the security context the installer runs in: Intune runs Win32 installs as SYSTEM by default, while your manual test ran as a logged-on user. Those are two very different worlds, and this article maps the differences and how to test for them before you deploy.

The problem

The symptom is maddeningly consistent: an installer that succeeds every time when run interactively fails when delivered as an Intune Win32 app. Typical signatures include:

This is one of the most frequently asked Win32-app questions on Microsoft Q&A, and the accepted diagnosis there is blunt: \"A frequent root cause is context mismatch: Intune runs installs under SYSTEM by default, while manual testing likely runs under user context\" — installers that expect HKCU, %APPDATA%, mapped drives, or a visible UI \"may install to the wrong profile or fail entirely\". If you tested as a user and deployed as SYSTEM, you tested a different scenario from the one you shipped.

Why it happens

When you set a Win32 app's Install behavior to System (the common default choice), the Intune Management Extension runs your install command as NT AUTHORITY\\SYSTEM in session 0. That account can do almost anything to the machine — but it perceives the machine very differently from a logged-on user:

ResourceLogged-on user contextSYSTEM context
HKCUThe user's own hiveSYSTEM's hive (HKEY_USERS\\S-1-5-18). Writes intended for the user land in a profile no human ever loads.
%APPDATA%, %LOCALAPPDATA%, %USERPROFILE%C:\\Users\\<name>\\...C:\\Windows\\System32\\config\\systemprofile\\...
Mapped drivesVisible (they belong to the user's logon session)Invisible. Drive letters are per-logon-session; SYSTEM has none of yours. UNC paths may also fail because access is evaluated against the computer account.
Interactive UIDialogs appear and can be clickedSession 0 is non-interactive. Any prompt, EULA screen or message box hangs invisibly until the install times out.

Three follow-on traps compound this:

The fix

The theme is simple: test in the same context you deploy in, and match the install behaviour to what the installer actually is.

1. Classify the installer: per-machine or per-user?

2. Rehearse the deployment in a real SYSTEM shell

Before anything goes near Intune, reproduce the exact conditions with Sysinternals PsExec from an elevated prompt:

3. Make it genuinely silent

SYSTEM cannot click anything. Verify the silent switches (/qn, /S, /verysilent /suppressmsgboxes, or the vendor's documented equivalent) suppress every dialog, including EULA and reboot prompts — in the SYSTEM shell, not just in your user session.

4. Getting HKCU settings onto machines from SYSTEM

When you must deliver per-user registry settings or files via a SYSTEM deployment, use a pattern built for it rather than hoping:

5. Remove dependencies SYSTEM cannot satisfy

Never reference mapped drive letters in an install command. Package all content inside the .intunewin file, or use UNC paths that grant read access to Domain Computers / the device identity, not just users.

6. When it still fails, read the real logs

On the device, open %ProgramData%\\Microsoft\\IntuneManagementExtension\\Logs\\ and read IntuneManagementExtension.log and AppWorkload.log (CMTrace makes them legible). The actual installer exit code and command line are recorded there, which beats guessing from a portal hex code.

How Decolla handles it

Decolla is a zero-touch Windows provisioning service (from The Cloud Platform Ltd) that runs over your own Intune/Autopilot tenant. The context-mismatch problem is exactly the class of failure its library exists to remove: every app, policy, script and fix in the curated catalogue — 260+ items across 21 sections — is pre-built and industry-tested, and the library records the verified install context and delivery method for each item. Before anything runs, you approve a written, itemised plan that states the delivery method and reversibility class per item, so a per-user installer never silently ships as a SYSTEM deployment, and anything Decolla changes can be rolled back per item (Decolla's own changes, that is — it does not undo third-party state it never created).

To be clear about the boundary: Decolla does not repackage or context-test your bespoke line-of-business installers. For anything outside the catalogue, the PsExec-as-SYSTEM rehearsal above remains the right discipline — Decolla simply means the standard estate-building layer arrives already tested, so your context debugging is confined to the apps only you own. Decolla is pre-launch; there is a waitlist at decolla.app.

Sources

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access