Force Application Reinstall in Microsoft Intune (Win32 Apps)

During our Microsoft Intune trainings this year, one of the most frequently asked questions has been on how to force a reinstall / rerun / redeploy – whatever you like to call it – of an application deployed to Windows 10 or Windows 11 PCs. Well first of all, the correct Intune term is not deployed, it is assigned, since apparently using the same terminology across different systems management platforms developed by the same vendor is not on the table. Shorthand: Deployments in ConfigMgr are called Assignments in Intune.

Scenario

The reasons for wanting to force an application reinstall, or rerunning a script can be many, but it is indeed quite useful during testing, especially larger scale testing of required assignments, or when trying out different detection rules for an app in Intune (the equivalent of detection methods in ConfigMgr).

Win32 Apps – Background Info

Most organizations I've worked with are configuring their Win32 apps install behavior to system, since it doesn't require the user to be an administrator during the installation of the application. In this example you will learn how to force the reinstall of a required application assignment to a device.

Win32 App Install behavior in Intune

When a Win32 app is installed via Intune, it's installed via the Microsoft Intune Management Extension (IME) agent. IME keeps track of deployments in the following registry key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps

Under the Win32Apps key, you find one sub key for each user, where the key name is the same as the user object id in Azure Ad. If you want to force a reinstall of all apps deployed, you can simply delete the user id key. But if you want to force a reinstall of a single app, you need to delete the app id as well as it's corresponding GRS (Global Retry Schedule key). Both located under the user key. Here is an example:

Win32Apps registry key sample from a machine enrolled into Microsoft Intune.
GRS Key

In the preceding images, the red rectangle is the user key, and the blue rectangle is one of the deployed apps. Based on this info, if I wanted to reinstall all apps, I could run this PowerShell script which deletes all app IDs as well as the GRS keys:

# Delete all apps for a user
$Path = "HKLM:SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
Get-Item  -Path $Path\$UserObjectID | Remove-Item -Recurse -Force

If I wanted to reinstall a single app, I would first delete the single application id instead, and then I would have to locate the right GRS key and delete that one. The GRS key is found by parsing the IME log file, and Andrew (@AndrewZtrhgf) has a great function for getting that.

function for getting Intune Win32App GRS hash from Intune log file · GitHub

# Sample to delete a single app
# Note: Don't got forget to delete any files/installs that the detection method uses on your machine
# Deleting specific application based on its object id
$Path = "HKLM:SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps"
$UserObjectID = "18ba2977-ea61-4547-8e8b-e9cbbced8719"
$AppID = "8ea44431-bb08-460c-b881-52bdff6a7128"

# _getAppGRSHash function from Andrew (@AndrewZtrhgf): https://gist.github.com/ztrhgf/18f1c32220764f79af3da52d9f47d266
function _getAppGRSHash {
    param (
        [Parameter(Mandatory = $true)]
        [string] $appId
    )

    $intuneLogList = Get-ChildItem -Path "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs" -Filter "IntuneManagementExtension*.log" -File | sort LastWriteTime -Descending | select -ExpandProperty FullName

    if (!$intuneLogList) {
        Write-Error "Unable to find any Intune log files. Redeploy will probably not work as expected."
        return
    }

    foreach ($intuneLog in $intuneLogList) {
        $appMatch = Select-String -Path $intuneLog -Pattern "\[Win32App\] ExecManager: processing targeted app .+ id='$appId'" -Context 0, 2
        if ($appMatch) {
            foreach ($match in $appMatch) {
                $hash = ([regex]"\d+:Hash = ([^]]+)\]").Matches($match).captures.groups[1].value
                if ($hash) {
                    return $hash
                }
            }
        }
    }

    Write-Error "Unable to find App '$appId' GRS hash in any of the Intune log files. Redeploy will probably not work as expected"
}

(Get-ChildItem -Path $Path\$UserObjectID) -match $AppID | Remove-Item -Recurse -Force
$GRSHash = _getAppGRSHash -appId $AppID
(Get-ChildItem -Path $Path\$UserObjectID\GRS) -match $GRSHash | Remove-Item -Recurse -Force

# Restart the IME Service
Get-Service -DisplayName "Microsoft Intune Management Extension" | Restart-Service 

Credit: Thank you Lucas for pointing out the GRS key info missing in the post, and thank you Andrew for the function that parses the IME log.

Note #1: Make sure you also uninstall the existing application or remove whatever the application detection rule is configured to look for. Sometimes an Intune policy sync is also required.

Note #2: When deleting a single application, you have to use a wildcard match, since the registry key actually contains the revision of the app as well.

As for finding the application id, you can see it in the browser address bar when viewing the application in Intune, or you can use the below PowerShell script. Just remove the trailing _1 from the app registry key when searching for a matching guid:

# Connect to Microsoft Graph 
# Requires the Microsoft.Graph.Intune module to be installed
Connect-MSGraph -ForceInteractive

# Get all Apps and their id
$Apps = Get-DeviceAppManagement_MobileApps 
$Apps | select displayName, id

# Get Apps, their size in MB, and their id. Filter on App Name
$Apps = Get-DeviceAppManagement_MobileApps -Filter "contains(displayName, '100 MB Single File')"
$Apps | select displayName, @{Label="Size in MB";Expression={[math]::Round(($_.size/1MB),2)}}, id 
Showing details for a specific application.
About the author

Johan Arwidmark

5 2 votes
Article Rating
Subscribe
Notify of
guest
24 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Peter Breeze
Peter Breeze
2 months ago

Great article and very useful

Last edited 2 months ago by Peter Breeze
Aleks
Aleks
5 months ago

Awesome job, this is a great resource. One thing to add for anyone who stumbles on this is that I found log messages may have changed since this was last written. So the regex pattern for extracting the hash did not quite work for me and I would receive the "Unable to find app" error message. In my experience the hash could be extracted by looking for a log message with the following format [GRS Manager] Saved GRS Value: [timestamp] to path: $UserObjectId\GRS\$GRSHash\$AppId… Something like the following regex pattern should be able to extract the GRS hash "\\[GRS Manager\\] Saved… Read more »

Last edited 5 months ago by Aleks
Ross
Ross
7 months ago

Pardon my ignorance on this, but does this also apply to mobile devices? We have deployed Company Portal / Intune on our company cell phones and quite often we have to uninstall / reinstall Microsoft Teams / Office and it's a nightmare. Any suggestions / steps to make this process more seamless and palatable?

Andrew Johnson
Editor
7 months ago
Reply to  Ross

Hi Ross – this method would be Windows only, unfortunately. The only method I'm aware of for mobile devices is what you've already stated – you can assign an uninstall then assign an install.

Ross
Ross
6 months ago
Reply to  Andrew Johnson

Thank you. I'm hoping the future is brighter for mobile devices with Intune and that Microsoft improves this process, since that's the direction we're headed with business operations. Thanks again.

Søren
Søren
7 months ago

Thanks Julius,
Could you explain a bit how the detection works for available deployments and how that could be triggered?

Lets say you have a scenario where you want to run detection checks on "available" deployments. Is there any way to force check of only "available" type deployments instead of just required?

Chris
Chris
8 months ago

Not really adding anything useful here – thanks for the useful post as ever Johan – but it is wholly unacceptable that we have to go to such lengths to do this. I wish MS could just put a button in Intune 🙁

Julius
1 year ago

Is the GRS hash unique to each machine or is it unique to the app/appid?

Lucas
Lucas
1 year ago

Hi !
Thank you for this post. Did you have any idea why in my case it doesn't reinstall ? I removed the registry key as you said and did sync but nothing happening (since yesterday).

Lucas

Lucas
Lucas
1 year ago

Hi ! I found the problem, it was caused by the Registry key GRS. I just removed it and it's done. Thank you. Maybe you should add it in your article.

Capture.PNG
Bj ch
Bj ch
1 year ago

Do you know how to find out how to see What app is connected to the registry Keys?

Femi
Femi
1 year ago

How do you get the app id that correlates to the app you want to reinstall? Cannot find anything in Intune that indicates that

Johan
Johan
1 year ago

Hi,

What about the Detection rules? You don't need to take them in considerations? Won't the package think it's still installed if you only delete the registry key mentioned in above?
Br
Johan

Manuel
Manuel
1 year ago

But what about the detection rule. Does the detection rule mark the application as installed before the installer is started ?

Andrew
Andrew
1 year ago

>