This blog post explains how you can overcome the GRS restriction which limits IME to wait for 24 hours before it can further process a Win32 App deployment after 3 consecutive failed attempts.
Background
Intune Management Extension (IME) a.k.a Intune Sidecar is instrumental in deploying Win32 apps and PowerShell scripts on the managed Windows 10 endpoints.
While processing a Win32 app deployment, the IME agent on the endpoint is hardcoded to do 3 execution retries separated by a time gap of 5 mins, to get the app deployed on the endpoint.
As such, while validating IME logs, you would see IME enters the Execution phase with a marked retry count.
It is during the execution phase that IME creates the installer process to perform the app install using the install command with which the app was configured. If the app install succeeds in the subsequent attempt, it’s good.
However, if the app fails to install in all the 3 attempts, GRS (Global Reevaluation Scheme) kicks in which makes IME to ignore the app for further retries, for the next 24 hours since the last failed attempt.
Even if you make any changes to the app in the Intune portal (like consider making a delta change to force Intune to redeploy, or, changing the detection/install/uninstall parameters) to try to fix the deployment issue, IME will continue to ignore the app for further execution till it is in GRS and will again process the app (again 3 execution attempts) only once GRS expires.
You can well understand that when you are actively working on app packages to test deployment success, waiting for 24 hours is not an ideal scenario. Thus if you find yourself in such a position…
What will you do to override the IME GRS restriction?
Override GRS: Trigger IME to retry failed Win32 App deployment
- From the IME log, note the app ID that is currently being skipped due to GRS and head straight to Windows Registry (Regedit).\
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps\{SID}\{App GUID} where the App GUID matches with what is noted in the previous step.
Note: Successful deployment will always show an ExitCode 0.
- Delete the subkey which corresponds to the app ID.
- Restart the IME service
Initiating a Sync from the Company Portal app also triggers an IME sync. Or, you can also use simple run command to trigger an IME sync as explained by Oliver Kieselbach in his blog post here.
This resets the IME retry attempt counter and GRS limitations for the particular app and you would see that IME would again start processing the app.
The End
Well, that was all for today. Wish you all a happy time working with Intune Win32 app deployments with IME.
If you are interested to know more about how IME works and processes a win32 app deployment on the endpoint, do check my deep-dive post on Intune Management Extension which covers the Win32 app processing phases and troubleshooting tips. I also shared this in brief in my other blog post troubleshooting Intune app deployments using data retrieved from endpoints.
Starting 1st Jan 2021, I have started my own blog site. You can find all my latest posts here at joymalyabasuroy.com
Seems like MS changed it since this blogpost was written as I don’t see a “ExitCode” regkey but thanks to your beautiful post I was able to find the new GRS markers.
Now there’s a new subkey under \Win32Apps\{SID}\ called “GRS” inside you’ll find different subkeys (not sure what the subkey names refer too) one of them had the app ID that I wanted to reset, I deleted the subkey that had the app ID.
Hello ,I Havel problem auth error 0x80070001
Any idea,palese?