Force Application Reinstall in Microsoft Intune (Win32 Apps)

During our Microsoft Intune trainings this year, one of the most frequently asked questions has been how to force a reinstall / rerun / redeploy – whatever you like to call it – of an application deployed to Windows 10 or Windows 11 PCs. Well, first of all, the correct Intune term is not deployed, it is assigned, since apparently using the same terminology across different systems management platforms developed by the same vendor is not on the table. Shorthand: Deployments in ConfigMgr are called Assignments in Intune.

Scenario

The reasons for wanting to force an application reinstall, or to rerun a script, can be many, but it is indeed quite useful during testing, especially larger scale testing of required assignments, or when trying out different detection rules for an app in Intune (the equivalent of detection methods in ConfigMgr).

Win32 Apps – Background Info

Most organizations I've worked with are configuring their Win32 apps install behavior to system, since it doesn't require the user to be an administrator during the installation of the application. In this example you will learn how to force the reinstall of a required application assignment to a device.

Win32 App Install behavior in Intune

When a Win32 app is installed via Intune, it's installed via the Microsoft Intune Management Extension (IME) agent. IME keeps track of deployments in the following registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps

Under the Win32Apps key, you find one subkey for each user, where the key name is the same as the user object ID in Azure AD. If you want to force a reinstall of all apps deployed, you can simply delete the user ID key. But if you want to force a reinstall of a single app, you need to delete the app ID key as well as its corresponding GRS (Global Retry Schedule) key. Both are located under the user key. Here is an example:

Win32Apps registry key sample from a machine enrolled into Microsoft Intune.
GRS Key

In the preceding images, the red rectangle is the user key, and the blue rectangle is one of the deployed apps. Based on this info, if I wanted to reinstall all apps, I could run this PowerShell script which deletes all app IDs as well as the GRS keys:

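# Delete all apps for a user
# HKLM:\ (with the backslash) anchors the path at the root of the hive, regardless of the current location
$Path = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
Get-Item -Path "$Path\$UserObjectID" | Remove-Item -Recurse -Force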

If I wanted to reinstall a single app, I would first delete the single application id instead, and then I would have to locate the right GRS key and delete that one. The GRS key is found by parsing the IME log file, and Andrew (@AndrewZtrhgf) has a great function for getting that.

function for getting Intune Win32App GRS hash from Intune log file · GitHub

# Sample to delete a single app
# Note: Don't forget to delete any files/installs that the detection method uses on your machine
# Deleting specific application based on its object id
$Path = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
$AppID = "8ea44431-bb08-460c-b881-52bdff6a7128"

# _getAppGRSHash function from Andrew (@AndrewZtrhgf): https://gist.github.com/ztrhgf/18f1c32220764f79af3da52d9f47d266
function _getAppGRSHash {
    param (
        [Parameter(Mandatory = $true)]
        [string] $appId
    )

    $intuneLogList = Get-ChildItem -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs" -Filter "IntuneManagementExtension*.log" -File | sort LastWriteTime -Descending | select -ExpandProperty FullName

    if (!$intuneLogList) {
        Write-Error "Unable to find any Intune log files. Redeploy will probably not work as expected."
        return
    }

    foreach ($intuneLog in $intuneLogList) {
        $appMatch = Select-String -Path $intuneLog -Pattern "\[Win32App\] ExecManager: processing targeted app .+ id='$appId'" -Context 0, 2
        if ($appMatch) {
            foreach ($match in $appMatch) {
                $hash = ([regex]"\d+:Hash = ([^]]+)\]").Matches($match).captures.groups[1].value
                if ($hash) {
                    return $hash
                }
            }
        }
    }

    Write-Error "Unable to find App '$appId' GRS hash in any of the Intune log files. Redeploy will probably not work as expected"
}

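# Match on the app id, since the key name also carries the app revision
(Get-ChildItem -Path "$Path\$UserObjectID") -match $AppID | Remove-Item -Recurse -Force

# Only touch GRS when a hash was found: an empty pattern would match, and delete, every GRS key.
# The hash is escaped because it can contain regex metacharacters such as '+'.
$GRSHash = _getAppGRSHash -appId $AppID
if ($GRSHash) {
    (Get-ChildItem -Path "$Path\$UserObjectID\GRS") -match ([regex]::Escape($GRSHash)) | Remove-Item -Recurse -Force
}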

# Restart the IME Service
Get-Service -DisplayName "Microsoft Intune Management Extension" | Restart-Service 

Credit: Thank you Lucas for pointing out the GRS key info missing in the post, and thank you Andrew for the function that parses the IME log.

Note #1: Make sure you also uninstall the existing application or remove whatever the application detection rule is configured to look for. Sometimes an Intune policy sync is also required.

Note #2: When deleting a single application, you have to use a wildcard match, since the registry key actually contains the revision of the app as well.

As for finding the application ID, you can see it in the browser address bar when viewing the application in Intune, or you can use the PowerShell script below. Just remove the trailing _1 from the app registry key when searching for a matching GUID:

# Connect to Microsoft Graph 
# Requires the Microsoft.Graph.Intune module to be installed
Connect-MSGraph -ForceInteractive

# Get all Apps and their id
$Apps = Get-DeviceAppManagement_MobileApps 
$Apps | select displayName, id

# Get Apps, their size in MB, and their id. Filter on App Name
$Apps = Get-DeviceAppManagement_MobileApps -Filter "contains(displayName, '100 MB Single File')"
$Apps | select displayName, @{Label="Size in MB";Expression={[math]::Round(($_.size/1MB),2)}}, id 
Showing details for a specific application.
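
The registry key names can also be matched to app names without trimming the revision suffix by hand. The following is an added example, not part of the original post: Get-Win32AppRegistryInventory is a hypothetical helper that only reads the registry. It assumes that user keys are GUID-named and that app keys follow the <app id>_<revision> naming described in Note #2.

```powershell
# Added example: read-only inventory of the IME Win32Apps key (nothing is deleted).
# Get-Win32AppRegistryInventory is a hypothetical helper name, not an Intune cmdlet.
function Get-Win32AppRegistryInventory {
    [CmdletBinding()]
    param (
        # Optional: objects with 'id' and 'displayName', e.g. the $Apps collection from the Graph script
        [object[]] $AppCatalog = @(),
        [string] $Path = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
    )

    $guid = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

    # Build an id -> displayName lookup from the catalog, if one was supplied
    $names = @{}
    foreach ($app in $AppCatalog) { $names["$($app.id)".ToLower()] = $app.displayName }

    # Assumption: only GUID-named subkeys are user keys; anything else under Win32Apps is skipped
    $userKeys = Get-ChildItem -Path $Path -ErrorAction Stop |
        Where-Object { $_.PSChildName -match "^$guid$" }

    foreach ($userKey in $userKeys) {
        foreach ($sub in Get-ChildItem -Path $userKey.PSPath) {
            # App keys are named <app id>_<revision>; GRS and other subkeys do not match
            if ($sub.PSChildName -match "^(?<id>$guid)_(?<rev>\d+)$") {
                [pscustomobject]@{
                    UserObjectID = $userKey.PSChildName
                    AppID        = $Matches['id']
                    Revision     = [int] $Matches['rev']
                    DisplayName  = $names[$Matches['id'].ToLower()]
                    KeyPath      = $sub.Name
                }
            }
        }
    }
}

# Usage: local registry only
Get-Win32AppRegistryInventory | Format-Table UserObjectID, AppID, Revision

# Usage: resolve app names with the $Apps collection returned by Get-DeviceAppManagement_MobileApps
# Get-Win32AppRegistryInventory -AppCatalog $Apps | Sort-Object DisplayName
```

Run it from an elevated PowerShell session on the enrolled device, and review the output before deleting any of the listed keys.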
About the author

Johan Arwidmark

16 Comments
Julius
3 months ago

Is the GRS hash unique to each machine or is it unique to the app/appid?

Lucas
10 months ago

Hi!
Thank you for this post. Do you have any idea why in my case it doesn't reinstall? I removed the registry key as you said and did a sync, but nothing is happening (since yesterday).

Lucas

Lucas
10 months ago

Hi! I found the problem, it was caused by the registry key GRS. I just removed it and it's done. Thank you. Maybe you should add it to your article.

Bj ch
1 year ago

Do you know how to find out how to see what app is connected to the registry keys?

Femi
1 year ago

How do you get the app id that correlates to the app you want to reinstall? Cannot find anything in Intune that indicates that.

Johan
1 year ago

Hi,

What about the detection rules? You don't need to take them into consideration? Won't the package think it's still installed if you only delete the registry key mentioned above?
Br
Johan

Manuel
1 year ago

But what about the detection rule? Does the detection rule mark the application as installed before the installer is started?
