Enable the “Allow available uninstall” Feature for all Win32 Apps in Intune with PowerShell and Graph API

Recently Microsoft announced the “new” Intune feature allowing end-users to uninstall Apps from the Company Portal: https://www.youtube.com/watch?v=rLJU9ERO81Y

I’ve written “new” in quotes because SCCM has had this feature in the Software Center for ages, and quite frankly it makes sense to be able to uninstall an application if you installed it yourself in the first place (not talking about push apps).

This feature is activated for all new Win32 apps created in the tenant, but what about the old ones?

In order to activate it, you need to enable it in Intune, on the application program settings:

Since I have many client tenants, and I usually automate anything I have to do more than twice, I wrote a quick PowerShell script to do the trick for all apps in the tenant.

Prerequisites:

You need an Enterprise App in Azure with the application permission DeviceManagementApps.ReadWrite.All.

Secondly you need to create a certificate for authentication.

You can use an official certificate provider or, like in this demo, create a self-signed one.

The process is documented here: Create a self-signed public certificate to authenticate your application – Microsoft Entra | Microsoft Learn

$certname = "<REPLACE WITH CERTIFICATE NAME>"
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256

Export-Certificate -Cert $cert -FilePath "C:\tmp\Test\Certificates\$certname.cer"   ## Specify your preferred location

Once you have created the self-signed certificate, import it in your app registration and you’re ready to go:

Here is the script, which gets all Win32 Applications from your Intune Tenant and enables the “Allow Available Uninstall” feature, if it was not already enabled:

Intune-Allow-available-uninstall.ps1

Disclaimer: The script is provided AS IS without warranty of any kind. For the detailed disclaimer, see the script.

Just add the correct parameters for TenantId, ApplicationId and CertificateThumbprint, like this:

.\Intune-Enable-Uninstall-on-Demand.ps1 -TenantId "12345678-90ab-cdef-1234-567890abcdef" -ApplicationId "00000000-0000-0000-0000-000000000000" -CertificateThumbprint "1234567890abcdef1234567890abcdef12345678"

Once you execute the script, it gets all Win32 apps from your Intune tenant and, for each app where the feature is disabled, enables it via the Graph API:
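The flow described above, as an added sketch that is not the linked script itself. It assumes the Microsoft.Graph.Authentication module, the Graph beta `mobileApps` endpoint and the `allowAvailableUninstall` property of `win32LobApp`; run it with `-WhatIf` first to list the apps that would be changed without writing anything to the tenant.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$ApplicationId,
    [Parameter(Mandatory)][string]$CertificateThumbprint
)

# App-only sign-in with the certificate imported into the app registration.
Connect-MgGraph -TenantId $TenantId -ClientId $ApplicationId `
    -CertificateThumbprint $CertificateThumbprint

# Assumption: beta endpoint, filtered to Win32 apps only.
$base = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'
$uri  = $base + '?$filter=isof(''microsoft.graph.win32LobApp'')'

# Collect every Win32 app, following @odata.nextLink paging.
$apps = while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $page.value
    $uri = $page.'@odata.nextLink'
}

foreach ($app in $apps) {
    # Skip apps that already allow uninstall from the Company Portal.
    if ($app.allowAvailableUninstall) { continue }

    # ShouldProcess makes -WhatIf / -Confirm work, so a dry run changes nothing.
    if ($PSCmdlet.ShouldProcess($app.displayName, 'Enable allowAvailableUninstall')) {
        $body = @{
            '@odata.type'           = '#microsoft.graph.win32LobApp'
            allowAvailableUninstall = $true
        } | ConvertTo-Json

        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($app.id)" `
            -Body $body -ContentType 'application/json'

        # One line per change, so the run leaves a reviewable record.
        Write-Output "Enabled: $($app.displayName) ($($app.id))"
    }
}

Disconnect-MgGraph | Out-Null
```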

Happy Scripting 🙂
