Deploying a Microsoft Store app through Intune should be the easy part of your day. You search the catalogue, click assign, and walk away. Then a device reports "failed" — even though the app is clearly installed — and you're back in the logs trying to work out what the Intune Management Extension actually did. This is the full picture: how Store app deployment works today, what lands on the device (registry, logs, services), how to read it, and the error codes that trip everyone up. Every device detail below was pulled read-only from a real Intune-managed Windows 11 machine.
What "Microsoft Store app (new)" actually is
"Microsoft Store app (new)" is an Intune app type backed by winget (the Windows Package Manager, winget.exe). Instead of packaging an .intunewin file, you search the Store catalogue inside Intune, pick the app, and assign it like anything else. Three things make it nicer than the old experience:
- One catalogue, three formats. It covers UWP apps, MSIX-packaged desktop apps, and now Win32 apps (.exe/.msi) published to the Store.
- Auto-populated metadata. When you search and select the app, Intune fills in the name, publisher, description and package identifier for you.
- Auto-updates. Intune keeps the app current as new versions land in the Store — no repackaging.
On the device, the work is done by the Intune Management Extension (IME) — the same agent that runs your Win32 apps, PowerShell scripts and remediations. The IME calls winget to do the install. That single fact explains everything you'll see on the device.
The package identifier — Package ID vs PFN
Two identifiers get confused constantly, so let's be precise:
| Identifier | What it is & where you use it |
|---|---|
| winget Package ID | The Store/winget catalogue ID (e.g. 9WZDNCRFJBBJ for the Store app, or Microsoft.PowerToys). Intune fills this in automatically when you pick the app. It's how winget finds and installs the package. |
| PackageFamilyName (PFN) | The unique name of an installed Appx/MSIX package — Name_PublisherId. This is what you use in detection and in PowerShell to confirm the app is really there. |
You rarely type the Package ID — Intune handles it. The PFN is the one you'll reach for when troubleshooting. Find it with PowerShell:
Get-AppxPackage -Name Microsoft.CompanyPortal | Select Name,PackageFamilyName
Name PackageFamilyName
---- -----------------
Microsoft.CompanyPortal Microsoft.CompanyPortal_8wekyb3d8bbwe
# a few more, for reference
Microsoft.Paint Microsoft.Paint_8wekyb3d8bbwe
Microsoft.WindowsNotepad Microsoft.WindowsNotepad_8wekyb3d8bbweThe deployment flow — portal to device
In the portal it's four clicks:
- Apps › All apps › Create, choose Microsoft Store app (new).
- Search the catalogue and select the app (metadata auto-populates).
- Assign to user or device groups (Required or Available).
- Intune syncs; the device installs and reports back.
On the device, the sequence is: the IME receives the app policy → downloads the encrypted content to its staging area → calls winget to install (as SYSTEM by default for device-targeted apps) → runs the detection check → reports the result to Intune. Hold onto that "SYSTEM by default" — it's behind a surprising number of failures.
What changes on the device — the real evidence
1. The IME tracks every app in the registry
The IME records its view of each deployment under HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Win32Apps. There's a sub-key per context — the device (00000000-0000-0000-0000-000000000000) and one per user (named by the user's Entra object ID) — and under each, one sub-key per app ID, plus a GRS (retry schedule) key. On the test machine:
00000000-0000-0000-0000-000000000000\ # device context — 19 apps
<app-id>\
<app-id>\
GRS\ # Global Retry Schedule
<user-object-id>\ # user context — 107 apps
<app-id>\
GRS\Each app's last reported state shows up in the IME logs as a ReportingState JSON. This is the single most useful blob on the device — here's a real one (app ID redacted), lightly trimmed:
{
"ApplicationId": "<app-id>",
"DesiredState": 2, # what Intune wants (e.g. installed)
"DetectionState": 1, # did detection find it
"DetectionErrorCode": null,
"ApplicabilityState": 0, # did the app apply to this device
"EnforcementState": 1000, # install outcome
"EnforcementErrorCode": 0, # 0 = no error
"InstallContext": 1, # 1 = user, 2 = system
"Intent": 3 # required / available / uninstall
}You don't need to memorise the enum numbers. The field names tell the story: did it apply, did it install (and with what error code), did detection find it, and in which context. When the portal and the device disagree, this is where the IME's "opinion" lives.
2. Where the bits actually land
| Path | What's there |
|---|---|
…\Microsoft Intune Management Extension\Content\Incoming\ | Encrypted content as it downloads |
C:\Windows\IMECache\ | Decrypted/staged package before the installer runs |
IntuneManagementExtension service | The agent doing all of the above (must be Running) |
Content folder and C:\Windows\IMECache — AV locking files mid-stage is a classic cause of vague install failures.The logs — and what to look for
| Log | What it contains |
|---|---|
AppWorkload.log | The one that matters. App check-ins, applicability, install attempts, exit codes, detection results. |
IntuneManagementExtension.log | Overall agent activity, policy processing, check-in timing. |
AppActionProcessor.log | Detection and applicability detail. |
winget DiagOutputDir | winget's own diagnostics — %LOCALAPPDATA%\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalState\DiagOutputDir |
Event log AppXDeployment-Server | The OS view of MSIX/Appx (de)registration — gold for the 0x80073… codes. |
All the IME logs live in C:\ProgramData\Microsoft\IntuneManagementExtension\Logs. The workflow that never fails you: grab the app's GUID from the Intune portal URL, open AppWorkload.log in CMTrace, search that GUID, and read the lifecycle in order — download → applicability → install command → exit code → detection.
The error codes everyone hits
| Code | What it really means |
|---|---|
0x87D1041C | Installed, but not detected. The install worked; your detection rule didn't confirm it. The #1 false failure. Fix the detection rule (check the PFN). Note: in the Available flow the IME won't auto-retry this. |
0x80073CF3 | Appx/MSIX package validation failed — a missing dependency, a conflict, or wrong architecture (x86 vs x64). |
0x80073D02 | Package couldn't be (un)installed because resources are in use — the app or a shared dependency is running. (Cross-check against the MS Learn error-code list for your build.) |
0x87D10A1B | An IME install attempt didn't complete as expected (interrupted / content or execution didn't finish). (Confirm against the MS Learn error-code list — it's not a universally documented string.) |
0x80070005 | Access denied. Usually a SYSTEM-context permission problem — the install can't write/register where it expects. |
0x87D1041C is the trap. The app is on the device, the user is happy, and Intune is screaming "failed". You don't fix the install — you fix the detection rule. Use the PFN (Get-AppxPackage) as the source of truth for what to detect.PowerShell that earns its place
Confirm what's actually installed (the real device state, vs what the IME believes):
# Is the package actually present? (per-user and provisioned)
Get-AppxPackage -Name "Microsoft.PowerToys" | Select Name,PackageFamilyName,Version
Get-AppxProvisionedPackage -Online | Where DisplayName -like "*PowerToys*"
# Reproduce the install the way Intune does (winget)
winget search "PowerToys"
winget install --id Microsoft.PowerToys --source msstore --accept-package-agreementspsexec -s -i cmd before blaming the package.And the fix everyone eventually needs — force the IME to retry a stuck app. This changes the device, so it's not in the read-only script below; do it deliberately:
…\Win32Apps\<userSID>, delete the failing app-ID key and its matching GRS key, then restart the IntuneManagementExtension service. The IME re-evaluates that app on the next check-in. Test it before using it broadly.See your own device in one readout
Rather than open three log files and a registry hive by hand, I wrapped the read-only checks into one script — Get-IntuneStoreAppStatus.ps1. It shows the winget engine, the IME service, every app the IME is tracking (with failures flagged), recent install errors, and your installed Store packages with their PFNs. It changes nothing.
[ Engine and agent ]
winget (App Installer) : 1.28.240.0
IME service : Running
Incoming / IMECache : present
[ Apps tracked by IME (Win32Apps registry) ]
Device context: 19 app(s) tracked, 0 with issues
User a1b2c3d4…: 107 app(s) tracked, 0 with issues
[ Recent AppWorkload.log errors ]
No recent install errors found. (clean)
[ Installed Store packages — use the PFN for detection ]
Microsoft.CompanyPortal Microsoft.CompanyPortal_8wekyb3d8bbwe
Microsoft.Paint Microsoft.Paint_8wekyb3d8bbweBest practices & a quick checklist
- Pilot first. Assign to a small ring before the fleet.
- Trust the PFN for detection. Wrong detection logic causes most "failed-but-installed" noise.
- Test in SYSTEM context (
psexec -s -i) before assuming a package is broken. - Keep winget healthy. The App Installer package must be present and current for Store apps to deploy.
- Watch the right report. Intune › Apps › the app › Device/User install status.
AppWorkload.log searched for the app GUID? · Detection rule matches the real PFN?Store app deployment in Intune is winget wearing a portal. Once you know the IME does the work, that the device's opinion lives in the Win32Apps registry and AppWorkload.log, and that the PFN is your detection source of truth, most "mystery" failures stop being mysteries.
References & further reading
Microsoft Learn / official
- Add Microsoft Store apps to Microsoft Intune
- Troubleshoot Win32 app issues
- App installation error codes for Microsoft Intune
- Use WinGet to install and manage applications
Community & credit
- Inspired by a community infographic on Store app deployment & troubleshooting by Shankar Kumar Sony.
- Companion script: github.com/Imran76Awan/Intune-Store-Apps