During our Microsoft Intune trainings this year, one of the most frequently asked questions has been on how to force a reinstall / rerun / redeploy – whatever you like to call it – of an application deployed to Windows 10 or Windows 11 PCs. Well first of all, the correct Intune term is not deployed, it is assigned, since apparently using the same terminology across different systems management platforms developed by the same vendor is not on the table. Shorthand: Deployments in ConfigMgr are called Assignments in Intune.
Scenario
The reasons for wanting to force an application reinstall, or rerunning a script can be many, but it is indeed quite useful during testing, especially larger scale testing of required assignments, or when trying out different detection rules for an app in Intune (the equivalent of detection methods in ConfigMgr).
Win32 Apps – Background Info
Most organizations I've worked with are configuring their Win32 apps install behavior to system, since it doesn't require the user to be an administrator during the installation of the application. In this example you will learn how to force the reinstall of a required application assignment to a device.
When a Win32 app is installed via Intune, it's installed via the Microsoft Intune Management Extension (IME) agent. IME keeps track of deployments in the following registry key:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps
Under the Win32Apps key, you find one sub key for each user, where the key name is the same as the user object id in Azure Ad. If you want to force a reinstall of all apps deployed, you can simply delete the user id key. But if you want to force a reinstall of a single app, you need to delete the app id as well as it's corresponding GRS (Global Retry Schedule key). Both located under the user key. Here is an example:
In the preceding images, the red rectangle is the user key, and the blue rectangle is one of the deployed apps. Based on this info, if I wanted to reinstall all apps, I could run this PowerShell script which deletes all app IDs as well as the GRS keys:
# Delete all apps for a user
$Path = "HKLM:SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
Get-Item -Path $Path\$UserObjectID | Remove-Item -Recurse -ForceIf I wanted to reinstall a single app, I would first delete the single application id instead, and then I would have to locate the right GRS key and delete that one. The GRS key is found by parsing the IME log file, and Andrew (@AndrewZtrhgf) has a great function for getting that.
function for getting Intune Win32App GRS hash from Intune log file · GitHub
# Sample to delete a single app
# Note: Don't got forget to delete any files/installs that the detection method uses on your machine
# Deleting specific application based on its object id
$Path = "HKLM:SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
$AppID = "8ea44431-bb08-460c-b881-52bdff6a7128"
# _getAppGRSHash function from Andrew (@AndrewZtrhgf): https://gist.github.com/ztrhgf/18f1c32220764f79af3da52d9f47d266
function _getAppGRSHash {
param (
[Parameter(Mandatory = $true)]
[string] $appId
)
$intuneLogList = Get-ChildItem -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs" -Filter "IntuneManagementExtension*.log" -File | sort LastWriteTime -Descending | select -ExpandProperty FullName
if (!$intuneLogList) {
Write-Error "Unable to find any Intune log files. Redeploy will probably not work as expected."
return
}
foreach ($intuneLog in $intuneLogList) {
$appMatch = Select-String -Path $intuneLog -Pattern "\[Win32App\] ExecManager: processing targeted app .+ id='$appId'" -Context 0, 2
if ($appMatch) {
foreach ($match in $appMatch) {
$hash = ([regex]"\d+:Hash = ([^]]+)\]").Matches($match).captures.groups[1].value
if ($hash) {
return $hash
}
}
}
}
Write-Error "Unable to find App '$appId' GRS hash in any of the Intune log files. Redeploy will probably not work as expected"
}
(Get-ChildItem -Path $Path\$UserObjectID) -match $AppID | Remove-Item -Recurse -Force
$GRSHash = _getAppGRSHash -appId $AppID
(Get-ChildItem -Path $Path\$UserObjectID\GRS) -match $GRSHash | Remove-Item -Recurse -Force
# Restart the IME Service
Get-Service -DisplayName "Microsoft Intune Management Extension" | Restart-Service Credit: Thank you Lucas for pointing out the GRS key info missing in the post, and thank you Andrew for the function that parses the IME log.
Note #1: Make sure you also uninstall the existing application or remove whatever the application detection rule is configured to look for. Sometimes an Intune policy sync is also required.
Note #2: When deleting a single application, you have to use a wildcard match, since the registry key actually contains the revision of the app as well.
As for finding the application id, you can see it in the browser address bar when viewing the application in Intune, or you can use the below PowerShell script. Just remove the trailing _1 from the app registry key when searching for a matching guid:
# Connect to Microsoft Graph
# Requires the Microsoft.Graph.Intune module to be installed
Connect-MSGraph -ForceInteractive
# Get all Apps and their id
$Apps = Get-DeviceAppManagement_MobileApps
$Apps | select displayName, id
# Get Apps, their size in MB, and their id. Filter on App Name
$Apps = Get-DeviceAppManagement_MobileApps -Filter "contains(displayName, '100 MB Single File')"
$Apps | select displayName, @{Label="Size in MB";Expression={[math]::Round(($_.size/1MB),2)}}, id 
Awesome job, this is a great resource. One thing to add for anyone who stumbles on this is that I found log messages may have changed since this was last written. So the regex pattern for extracting the hash did not quite work for me and I would receive the "Unable to find app" error message. In my experience the hash could be extracted by looking for a log message with the following format [GRS Manager] Saved GRS Value: [timestamp] to path: $UserObjectId\GRS\$GRSHash\$AppId… Something like the following regex pattern should be able to extract the GRS hash "\\[GRS Manager\\] Saved… Read more »
Pardon my ignorance on this, but does this also apply to mobile devices? We have deployed Company Portal / Intune on our company cell phones and quite often we have to uninstall / reinstall Microsoft Teams / Office and it's a nightmare. Any suggestions / steps to make this process more seamless and palatable?
Hi Ross – this method would be Windows only, unfortunately. The only method I'm aware of for mobile devices is what you've already stated – you can assign an uninstall then assign an install.
Thank you. I'm hoping the future is brighter for mobile devices with Intune and that Microsoft improves this process, since that's the direction we're headed with business operations. Thanks again.
Thanks Julius,
Could you explain a bit how the detection works for available deployments and how that could be triggered?
Lets say you have a scenario where you want to run detection checks on "available" deployments. Is there any way to force check of only "available" type deployments instead of just required?
Sorry, don't know about that
Not really adding anything useful here – thanks for the useful post as ever Johan – but it is wholly unacceptable that we have to go to such lengths to do this. I wish MS could just put a button in Intune 🙁
Is the GRS hash unique to each machine or is it unique to the app/appid?
I don't for sure, but on the machines I checked they are all different, even for the same user and app. Looks like they are generated as unique keys.
Hi !
Thank you for this post. Did you have any idea why in my case it doesn't reinstall ? I removed the registry key as you said and did sync but nothing happening (since yesterday).
Lucas
Hi Lucas,
Make sure whatever detection method the application have has been reset as well. Also, sometimes it takes a good while for the process to kick in.
Hi ! I found the problem, it was caused by the Registry key GRS. I just removed it and it's done. Thank you. Maybe you should add it in your article.
Hi Lucas,
Thanks for the update, I have added that info to the post.
Do you know how to find out how to see What app is connected to the registry Keys?
I've updated the blog post with a PowerShell script that lists the applications and their object id in Intune.
/ Johan
How do you get the app id that correlates to the app you want to reinstall? Cannot find anything in Intune that indicates that
I have updated the post with a PowerShell example on how to get the app id.
/ Johan
Hi,
What about the Detection rules? You don't need to take them in considerations? Won't the package think it's still installed if you only delete the registry key mentioned in above?
Br
Johan
Hi Johan,
Sorry for the very late reply, but yes, you'll have to remove the app or whatever the detection rule is looking for. Sometimes also forcing a policy sync is required. I've added a note in the post for this. Thank you.
But what about the detection rule. Does the detection rule mark the application as installed before the installer is started ?
Hi Manuel,
Yes, you need to take care of that as well. I have updated the post with that information.
It can be done using PowerShell like https://doitpsway.com/force-redeploy-of-intune-applications-using-powershell
Hi Andrew,
Thanks for sharing the link, it's a great solution.