How to update win32 applications with Microsoft Intune

Today a short blog about updating applications for Windows devices with Microsoft Endpoint Manager (Intune). It's not about updating apps we deployed as required apps, but about apps we made available to our users and which are not installed on all our devices.

If we deploy Win32 apps as required to all our Windows devices, or a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices. The currently installed version will be updated to the latest version and that's it.

But what about applications we made available and are not deployed as required apps? How to make sure the application is updated on the devices on which the application is installed via the Company Portal by the user? We cannot just assign the new version to all devices, as this will also install the application on devices where the application was not installed before.

A solution for this is using an application requirement. In the requirements by default we set the OS architecture and minimum operating system version, but we also have custom requirement options. In such a custom requirement rule we can use the same controls as we have in the manual detection rules. We can for example use the presence of a file or registry key. We can expand this for example by checking the version of a file to determine if an (old) application version is installed on a device.

By using such a requirement rule, we can target the (new version of the) application to all Windows devices. Devices which do not have the old version of the application installed will be marked as not applicable and the application won't be installed on those devices. On devices on which the old application is installed, the new version will be installed.
A downside of this approach is that you actually need to create two deployments (at least temporarily): one deployment to update all existing installations and a second to make the new version available to the users.

Let's see where this requirement rule needs to be added to the app deployment.

Add the requirement rule to the app deployment

In my example I have Adobe Reader made available for my users, which is installed on a couple of Windows devices. Adobe made a new version available, which needs to be installed as soon as possible on the devices where the old version is installed.

I create an application with the latest installation files in it and target this to all my Windows devices so the old version is replaced as soon as possible with the new version.

In my Win32 app deployment I create an application requirement rule which checks if the AcroRd32.exe file is present on the device and I also check the version of this file.

The file version I use is 20.6.20042, which I got by running this PowerShell command:
(Get-Command "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe").FileVersionInfo.FileVersion

Now switch over to the Endpoint Manager Admin center (Intune), upload your .intunewin file, fill in the required information and browse to the Requirements tab.
Click Add under No requirements are specified.

Choose a Requirement Type of your choice. I choose File.
Here you can create your requirement rule with the settings which fit your needs.
As described, with my example I check if the file AcroRd32.exe is present under %ProgramFiles(x86)%\Adobe\Acrobat Reader DC\Reader. Besides that, I also check the file version with the Property String (version).

Finish the application deployment and assign it to the group of choice or all devices as required.
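
The same "only where an older version is present" check can also be written as a custom requirement script (Requirement type Script). This is an added example, not part of the original post; the function name Get-UpdateState, the output strings, the $NewVersion placeholder and the rule settings in the comments are assumptions.

```powershell
# Added example: requirement script for an "update only" Win32 app deployment.
# Assumed rule settings in Intune: Requirement type Script, output data type
# String, operator Equals, value Upgrade.

# Placeholder: four-part file version of the AcroRd32.exe in the NEW package.
# With 0.0.0.0 the script never reports Upgrade, so nothing installs by mistake.
$NewVersion = [version]'0.0.0.0'
$ExePath = Join-Path ${env:ProgramFiles(x86)} 'Adobe\Acrobat Reader DC\Reader\AcroRd32.exe'

function Get-UpdateState {
    param([string]$Path, [version]$Target)

    # App was never installed from the Company Portal: requirement not met.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return 'NotInstalled'
    }

    # Build the version from its numeric parts. The FileVersion string can
    # contain extra text that [version]::Parse() rejects.
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    $installed = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)

    if ($installed -lt $Target) { return 'Upgrade' }
    return 'Current'
}

# Why compare [version] objects and not strings (values below are constructed):
#   '20.6.20042' -lt '20.12.20041'                     -> False (text compare, '6' > '1')
#   [version]'20.6.20042' -lt [version]'20.12.20041'   -> True  (6 < 12)
# A three-part [version] also sorts below the same version with a trailing .0
# (the missing revision is -1), so give $NewVersion all four parts.

# Intune compares whatever the script writes to standard output with the rule value.
Write-Output (Get-UpdateState -Path $ExePath -Target $NewVersion)
exit 0
```

Devices where the script returns NotInstalled or Current fail the requirement and are reported as not applicable, so only outdated installations receive the new package.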

The client side

Let's have a look at the client side to see what happens.
The Win32 application installation is handled by the Intune Management Extension. The Intune Management Extension log file can be found on the local Windows 10 device at %programdata%\Microsoft\IntuneManagementExtension\Logs and is named IntuneManagementExtension.log. The file can be opened by using a text editor or CMTrace.
In the log file we see the AcroRd32.exe file is checked and version comparison is done. The actualVersion is checked with the compareVersion. In this case applicationDetected is true, so the application will be installed.

If we take a look at the log file on a device where Adobe Reader isn't installed, we see the same check is done, but of course the application isn't detected and the installation of Adobe Reader isn't started.

In the Endpoint Manager admin center the device status is shown as Not applicable for a device where Adobe Reader isn't installed. And the status details show (in my example) fileSystemRequirementNotMet.
And of course on the other device Adobe Reader is installed.

That's it for this short post. I hope you found it informative.

I'd really like to hear your thoughts on this approach of updating applications with Endpoint Manager (Intune) and if you have another (maybe better!) approach, please leave a comment.


  1. Hi,
    Do I need to change the detection rule also when updating the package when using a required setting?

    If we deploy Win32 apps as required to all our Windows devices, or a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices as required. The current installed version will be updated with the latest version and that's it.

    • You should create a new intunewin package with the new version and upload that as new win32 deployment. Assign it to the same group as the old version.
      In the new deployment make sure the detection rule is updated compared to the old version.

  2. And for updating a Win32 app (non required), can I use the same application over again when there is a new version, or do I need to add a new app instance in Intune every time there is a new version and delete the old one?


    • You should create a new deployment every time you have a new version.
      And probably you need two deployments temporarily. One with the requirement rule to update the installed apps which are installed using the available assignment.
      And create the second deployment to make the new version available.
      Not ideal, but at this moment the only way to work around the limitations of app deployments in Intune.

  3. I hate that we have to come up with these crazy workarounds to what should be included as basic functionality. Sometimes I miss Configuration Manager. :0)

    I suppose you could do a version check and say if installed version is less than new version. Does anyone know how the logic works for non-integers? Example: is >

    • I use a simple custom detection script for this
      $version = (Get-Item 'c:\Program Files\VideoLAN\VLC\vlc.exe').VersionInfo
      if ([version]::Parse($version.FileVersion) -lt [version]::Parse('3.0.16'))
      { Write-Host "true" }
      else
      { Write-Host "false" }
      Still searching for solution in the scenario:
      1. a software is installed from Intune
      2. software update with version detection is deployed from Intune and software is updated
      3. client reinstalls software with older version
      4. detection script won’t check installed version – this is something I don’t know how to overcome. How to force Intune to check periodically if the software matches the version in the detection script and, if not, take an action to update it.

  4. I have deployed an application as a Win32 app as available. After waiting an hour, the app is not available in my Company Portal. Request you to please suggest troubleshooting steps or refer any website or URL where I can find the troubleshooting steps for the same.
    I want to deploy the same application, which I deployed to other devices two days back, to another device or device collection. Is there any option to add multiple devices or device collections in a single Win32 application?
    Thanks in advance

    • Don't know a location or log file to troubleshoot why your app is not shown in the Company Portal app. I suggest checking the assignment. Have seen in the past that the assignment was accidentally assigned as excluded instead of included. And make sure you assign available apps to user groups, not device groups.

      You can assign a WIN32 application to multiple security groups.

  5. I feel like this statement could be an over-simplification:

    “If we deploy Win32 apps as required to all our Windows devices, or a group of Windows 10 devices, we can just update our application package and deploy it as required to the same group of devices as required. The current installed version will be updated with the latest version and that's it.”

    However, I’m new to software deployment. How sure are you that on average, applications can be uninstalled then have new version installed, and everything to the user remains OK? Like, I assume some applications do better than others as far as keeping users’ settings intact through such a process?

    I like apps that update themselves, because ideally, that would be happening, and then when we do as you describe here, and update the Win32 app in Intune, as well as the detection rule (to detect a higher version than previously), Intune management extension should hopefully find the already-updated app to be OK (i.e. already up-to-date).

    I’m just not sure about when apps aren’t self-updating, if simply uninstall current version, then install new version is going to be graceful. Hopefully this makes sense. Any advice in this area?

    Thanks very much.

  6. Thanks for this suggestion. I’ve deployed it in our tenant successfully.

    I have few comments.

    As to creating new apps when new version is released: I’ve just made two apps “App” and “App Update”. I do not recreate the applications when new version is released, I just update the payload as appropriate and the requirement and detection rules.

    I’m now thinking of trying to use a dependency in the “App Update” to get away from having to upload the payload twice. I’m going to use a dummy .cmd file as the “App Update” payload, and set up a dependency on the “App”. I’m thinking that it should get the “App” installed to satisfy the dependency and update the app in the process, which would then satisfy the detection rule in the “App Update”.

  7. Good writeup, thanks for that! One question though, when you define the requirements to install the update, should it not look for the AcroRd32.exe version LESS THAN the one you try to deploy? In your screenshot you choose ‘Greater than or equal to’, which IMO would lead to the update not being installed. Or am I getting this wrong?

  8. Hello,
    I am trying to do this on our tenant. The scenario is we have Dell machines so we have DCU 4.0.0 installed and would like Intune to update the machines to 4.1.0. So far it has failed each time.

  9. I’m a bit lost with 32-bit apps on 64-bit client in Intune. When you set switch ‘Associated with 32-bit app …’ to Yes, you should use %ProgramFiles% not %ProgramFiles(x86)%.

    At least in MECM it works like this, I expect same in Intune. Why even there would be that ‘Associate with 32-bit app’ switch then, when you avoid it by using %ProgramFiles(x86)%?

  10. If I’m to upload a new version of a required Win32 app (in this case Google Drive Filestream v 58), will I need to delete the previous Win32 App Version (v 49) entry from my Intune App list or remove it from the required install groups?

  11. I came here from the Windows Tech community forum post.

    I’ve tried your method, but I think this causes issues.
    With the added Requirement rule, it prevents apps from being installed initially.
    So if a user deletes the app or a new user is signing in for the first time, this Win32 app will never install.
    It seems that because the requirement can’t find the app, so can’t see the version, it never installs.

    How have you solved this?
    For new users, I created a Power Automate Flow. When a new user is added, they get added to a group. This group has apps assigned to it, but these Win32 app deployments do not have the additional requirement for versioning.
    After a few days, they are removed from the group and placed into a group with all other existing users. This other group has Win32 apps assigned with the requirement rule.

    This is really only a partial solution. If a user signs into a different machine or accidentally deletes a required app, the apps will never install.

  12. I need to do the reverse of this, we have two versions of Citrix VDA – CU2 and CU3. CU3 needs to go out to all new builds only and CU2 is going to be superseded in phases. How can I create a CU3 app to only target machines which do not have CU2 installed?
