VPP Apps on DEP iPadOS Devices Do Not Automatically Update Error code: 0x87D13B9F

Brass Contributor

We're in the process of migrating to Intune and we're starting with DEP devices.  However we've noticed that as applications are updated in the App Store, the device itself is not updating the applications automatically but requires human intervention.  Today we checked one of the devices and saw that the update failed with error 0x87D13B9F:



Application attempted to install
9/30/2021 6:43:12 AM
App installation failed
9/30/2021 4:13:53 AM
Hide details
Error code: 0x87D13B9F
An app update is available. Available apps can be updated using Company Portal and required apps will auto-update on device sync.
Suggested remediation
This code is returned when a VPP app is installed but there is a newer version available.



Our Apple VPP token is configured for automatic updates:



The Microsoft documentation confirms that:


  • Automatic app updates - Choose from Yes or No to enable automatic updates. When enabled, Intune detects the VPP app updates inside the app store and automatically pushes them to the device when the device checks in.

    Note: Automatic app updates for Apple VPP apps will automatically update for both Required and Available install intents. For apps deployed with Available install intent, the automatic update generates a status message for the IT admin informing that a new version of the app is available. This status message is viewable by selecting the app, selecting Device Install Status, and checking the Status Details.


All this to say that this configuration should be working as the application in question is required



But it's not happening automatically



Did we miss something somewhere?

Any advice is greatly appreciated.



Troubleshoot app installation issues - Intune | Microsoft Docs

App installation error codes - Intune | Microsoft Docs

Manage Apple volume-purchased apps - Microsoft Intune | Microsoft Docs

0x87D13B9F App Install Error - Microsoft Tech Community




11 Replies

I have been reading the docs.. and it looks like a lot of people are experiencing this issue... and most of them also made the app available so users could update them manually.. but that's indeed not what you want. Just wondering... but what happens when you don't specify a filter?
Thanks for taking the time to read and reply. The reason for the filter is to ensure we're targeting the right devices for the required deployment. Taking it off would mean that too many devices/the incorrect devices would receive the deployment which would not be good. But I hear you. We have other devices with required app deployments so I'll have to take a look to see if any of those apps have been updated recently and what the disposition is.
Hi, Please share the outcome as I am really curious if filtering could conflict with it
I definitely can't remove that filter for those devices as it would then incorrectly apply the software to devices that should not receive it. I'm thinking I'm going to have to open a case with Microsoft for this one as it's not really jumping out at any of us.
What if you create another required assignment and target an AzureAD group with just a few devices in it? If those get updated automatically, then it's probably the filter.
We're seeing a similar thing. Been working fine for months. Now all of a sudden, Apps, that would usually update automatically, are not.

These are pushed as required apps, with no filters on the assignments.

Only happening on a handful of apps, not all. All apps are deployed via VPP and Devices enrolled via DEP.

We only noticed this a couple of days ago.

Interested to see if you get any success.

@GaryHerbstman Check your Apple VPP Token in Endpoint manager.


Even though ours was showing as active, when we drilled in to it, the token state was showing as 'Inactive' 


Turns out our issue was that for some reason, we were using the same VPP token in 2 MDM Solutions, so had to create a secondary token so we had one for each MDM.

As soon as we did that, the apps started to update.


Might not be the same for you, but this solved our issue.

@Julius Perkins 


I came across that same issue last week. Somebody already mentioned it here, but it really was the case that the token (under Home > Tenant admin > Connectors and tokens) would show as active, but when you would click on it (Home > Tenant admin > Connectors and tokens > "TokenName")  the state of the token would say invalid even though the expiration date was not due yet. The only thing that helped was logging in to ABM downloading the VPP token and uploading it again. After a few minutes it would show the state as valid again and the apps would update on the devices affected by this.


Hope this helps.

@MattisJanos Thanks for following up on this and I appeciate the super hot tip.  I did a quick check and everything seems to check out:



Although this it is a pretty standard operation, I'm going to submit a request for change (RFC) to re-import the token & see how that goes.  


Question: We're transitioning from one MDM solution to Intune and I'm wondering if, since some apps were delivered using the other MDM solution, do need to set 'Take control of token from another MDM' to yes?

@Julius Perkins, your token looks fine, so that shouldn't be the issue here, you're right.


Regarding your question; This is what MS Documentation says;

"Take control of token from another MDM - Setting this option to yes allows the token to be reassigned to Intune from another MDM solution."


Not sure if I'd set this to yes, since you'll have to create a new MDM Server for Intune as a new solution in ABM anyways, so you'd also get a new token different from the one being used so far. I probably would leave it to no, since that what I also did when we had a migration project. It was from Intune to Intune, but the ABM tenant were two different ones and the users unenrolled their devices from the old Intune tenant before. Not sure if this information helps.