Update and retire applications in Microsoft Intune
Intune supports app updates, but the update method depends on the app type. Some apps update automatically through their platform or vendor, while others need an administrator to package a newer version or create a replacement workflow. Because of that, updating apps in Intune is not a single process for every platform. A successful update strategy starts with understanding how each app type is serviced.
Update Microsoft Store Apps
On Windows, the update process depends on the app type. Apps deployed with Microsoft Store app (new) are generally kept up to date automatically. For UWP apps, automatic updates continue through the Microsoft Store unless the policy that turns off automatic download and installation of updates is enabled. Microsoft Store Win32 apps that are assigned in Intune are also kept up to date by Intune. For apps assigned as Available, Intune begins managing updates after the user installs the app from Company Portal.
Update line-of-business and Win32 apps
For Win32 apps, Intune supports supersedence. Supersedence allows a newer Win32 app to update or replace an older Win32 app. This makes it useful when a new version of the same application is released or when one Win32 app is being replaced by another.
For line-of-business apps, updates are package-based. When a new package is uploaded, Intune extracts the version from the package and compares it with the version already stored for the app. If the versions are the same, Intune rejects the update. That means administrators must upload a genuinely newer package when they want Intune to treat it as an updated app.
Update apps from the Enterprise App Catalog
For Windows apps, another update path is the Enterprise App Catalog. This capability is part of Microsoft Intune Enterprise Application Management, which helps administrators discover, deploy, and keep catalog apps current. The catalog contains prepared Win32 apps hosted by Microsoft, and Intune prepopulates many of the installation, detection, and requirement settings for those apps.
This feature requires Microsoft Intune Enterprise Application Management, which is available either as a standalone SKU or as part of Microsoft Intune Suite.
Updates from the Enterprise App Catalog are not applied automatically just because a newer version appears in the catalog. Instead, admins review updates under Apps > Enterprise App Catalog apps with updates, create a new app, and then use a supersedence relationship to move devices from the older version to the newer one. Some catalog apps are self-updating, in which case the vendor’s own mechanism installs the update while Intune checks that the installed version still meets the required minimum version.
Update iOS/iPadOS and Android apps
On iOS/iPadOS, update behavior depends on how the app was obtained and how the assignment is configured. For Apple volume-purchased apps, automatic updating is controlled at the assignment level by the Prevent automatic app updates setting, which works only when the token-level Automatic app updates setting is enabled. When automatic updates are allowed, updates can still take up to 24 hours to reach the device, and the device must be unlocked and available to install the update. There is also an important assignment detail: if a VPP app that was previously assigned as Required is later changed to Available, copies that are already installed stop updating automatically until the user installs the app again manually.
On Android Enterprise, Intune uses Managed Google Play as the enterprise app source. For managed and unmanaged Android devices, Managed Google Play apps are updated automatically by Google Play, when the app publisher releases a new version.
For Android Enterprise devices, administrators can also control app update behavior instead of relying only on the default Google Play update process. By default, Managed Google Play apps update only when default conditions are met, such as the device being connected to Wi-Fi, charging, not actively used, and the app not running in the foreground. For dedicated, fully managed, corporate-owned work profile, and personally owned work profile devices, admins can choose an app update mode when assigning a Managed Google Play app to groups.
The available app update modes are Default, High Priority, and Postponed. Default uses the normal Managed Google Play update behavior. High Priority installs the update as soon as possible after a new version is released, even if this bypasses the usual default conditions. This is useful for urgent security or stability updates. Postponed delays the update for 90 days, which gives administrators time to validate a new app version before broader rollout. The 90-day postponement window is not configurable; to end it early, admins change the update mode back to Default or High Priority.
Administrators can also use Android Enterprise device restriction settings to control general app auto-update behavior at the work-profile or device level, such as allowing updates only on Wi-Fi, always allowing updates, preventing updates, or leaving the behavior to user choice where supported.
For iOS/iPadOS and Android line-of-business apps assigned as Required, Intune delivers the update automatically when a newer package is uploaded and the app version requirements are met. For apps assigned as Available, users can install or update the app through the Company Portal app.
An admin can update a line-of-business app by uploading and publishing a newer app package in Intune.
Retire and remove applications
Retirement is the point in the lifecycle where an app is removed because it is outdated, replaced, or no longer needed. Intune treats removal as the final stage of the app lifecycle, and it includes built-in ways to uninstall apps when that point is reached.
At the assignment level, Uninstall is the standard way to remove an app from targeted users or devices. Intune resolves uninstall behavior through assignment intent, and in some conflict scenarios an uninstall intent can remove an app that was previously installed.
On iOS/iPadOS, app retirement can also be controlled with Uninstall on device removal. This setting determines what happens to managed apps when the device is unenrolled or the management profile is removed.
On unmanaged Android devices, retirement behaves differently. When the work account is removed, apps installed from the Play Store remain installed on the device and do not uninstall automatically. That means retirement in Android MAM scenarios often removes access to work resources without removing the app binary itself.
Selective wipe, device retirement, and temporary removal
In BYOD and app-protection scenarios, the organization often needs to remove corporate data rather than uninstall the whole app. App selective wipe creates wipe requests for protected apps and removes managed work data from the app context. This is useful when a user leaves the organization or no longer needs access on a personal device.
This is different from the Retire device action. Retire removes company data, managed settings, profiles, and many Intune-delivered apps while leaving personal data in place. On iOS, Retire also triggers a selective wipe for apps protected by app protection policies. On Windows, company apps installed by Intune are removed, although Intune management extension-installed Win32 apps are not uninstalled on unenrolled devices.