It’s no secret that Intune is dominating the market as the leading cloud solution for endpoint management. Even though its initial focus was mobile device management (MDM), its capabilities were quickly expanded to include Windows and macOS devices as well.
Today, more and more large organizations use Microsoft Intune to manage their estates. As it integrates with Entra ID, it can keep a tight handle on device configuration, user access, and data protection. To keep up with today’s fast-moving world, Intune features and functionality are being added at a crazy pace. If you don’t believe me, just check out Microsoft’s release history.
This momentum is great! Well, until you want to keep track of all these changes without your head exploding. Of course, here is where tech blogs come to our aid with their much-needed reviews and deep dives into Intune’s newly added features. But some things are bound to slip through the cracks. One such example is the Intune Discovered Apps, this unsung hero of the Intune dominion.
Even though it has been around for a few years, there is little to no information available about Discovered Apps, and most of what is out there is out of date. This blog post will hopefully shed some light on Discovered Apps and address some of the most common questions about this great feature.
Is There an Intune Software Inventory?
This might seem like a silly question, right? At least until you check the Intune portal and find nothing by that name. But don’t worry, a software inventory does exist: Intune just calls it Discovered Apps. This name makes sense because Intune uses detection rules to “discover” the applications installed on your devices, regardless of whether those applications are managed or unmanaged. (Note: this refers to the applications only; Microsoft Intune has no control over unmanaged devices.)
How Do I Access Discovered Apps?
The process depends on what you’re after. Discovered Apps are visible per individual device or as an aggregate count across your tenant. Here is where you can find each.
They say an image is worth a thousand words, so by my calculation, two images must be worth two thousand. Cha-ching!
How Is the Software Inventory Collected?
It’s simple: with IME magic. The Intune Management Extension uses a specific WMI class – the Win32_InstalledWin32Program one, to be more precise – to query installed software, then writes that application information into the registry. The key it uses to store this data is the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\Inventories
The application information collected will be referenced during the delta inventory that runs on the next scan. This is also the information that started being randomly deleted by the IME in July, causing all kinds of confusion. What exactly happened, you ask?
The Great Intune Inventory Bug of July 2023
At the beginning of July, a Microsoft Intune bug caused the Discovered Apps to return no entries for Win32 apps. This coincided with the release of IME version 1.68.105.0.
On the bright side, this prompted a fantastic PMPC engineer, Ben Whitmore, to take a deep dive into the underbelly of Intune Inventory and resurface with some excellent findings. His investigation not only cracked the case but also gave us a better understanding of how the Intune inventory is run.
On the not-so-bright side, poor Win32 apps went unnoticed for a few weeks, until IME version 1.68.204.0 rode in on its white horse and saved the day.
How to Use the Software Inventory Data Stored in the Registry
In addition to the app information IME stores in the “Inventories” key, it also saves your inventory settings in the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IntuneManagementExtension\InventorySetting
LastFullSyncTimeUtc
This registry value will let you know the time of the most recent full sync. You can use this information in conjunction with the Discovered Apps data to create a more accurate picture.
FirstTimeSwitch
If you don’t want to wait until the next sync and have no trouble being sneaky, you can delete this value to force a full sync.
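If you want to sanity-check the inventory on a device without touching anything, here is a read-only PowerShell script I’ve added to this post (it is not IME code, and not something Microsoft ships). It reads LastFullSyncTimeUtc and FirstTimeSwitch from the InventorySetting key, flags a device whose last full sync is older than the seven-day cycle, and compares the number of programs WMI reports locally with whatever IME has recorded under Inventories. Assumptions: LastFullSyncTimeUtc is stored as a parseable date/time string, and the layout of the Inventories key is treated as opaque (values are only counted, never interpreted).

```powershell
# Added example, not from the post or from Microsoft. Run elevated.
$settingKey   = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\InventorySetting'
$inventoryKey = 'HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\Inventories'
$maxAgeDays   = 7   # a full inventory is expected at least every seven days

function Get-ImeInventoryStatus {
    # Reports when the last full sync ran and whether it is overdue.
    $settings = Get-ItemProperty -Path $settingKey -ErrorAction SilentlyContinue
    $lastSync = $null
    if ($settings -and $settings.LastFullSyncTimeUtc) {
        # Assumption: the value is a date/time string; adjust if your tenant stores it differently.
        try   { $lastSync = [datetime]::Parse([string]$settings.LastFullSyncTimeUtc, [cultureinfo]::InvariantCulture) }
        catch { Write-Warning "Could not parse LastFullSyncTimeUtc: $($settings.LastFullSyncTimeUtc)" }
    }
    $ageDays = if ($lastSync) { ((Get-Date).ToUniversalTime() - $lastSync.ToUniversalTime()).TotalDays } else { $null }
    [pscustomobject]@{
        LastFullSyncUtc        = $lastSync
        AgeDays                = if ($null -ne $ageDays) { [math]::Round($ageDays, 1) } else { $null }
        FullSyncOverdue        = ($null -eq $lastSync) -or ($ageDays -gt $maxAgeDays)
        # The post notes that deleting FirstTimeSwitch forces a full sync; here we only report whether it exists.
        FirstTimeSwitchPresent = [bool]($settings -and ($settings.PSObject.Properties.Name -contains 'FirstTimeSwitch'))
    }
}

function Compare-LocalWin32Inventory {
    # Heuristic check for the "no Win32 entries" symptom: WMI sees installed
    # programs, but IME has recorded nothing at all under the Inventories key.
    $localPrograms = @(Get-CimInstance -ClassName Win32_InstalledWin32Program -ErrorAction Stop)
    $recordedValues = 0
    if (Test-Path -Path $inventoryKey) {
        $keys = @(Get-Item -Path $inventoryKey) + @(Get-ChildItem -Path $inventoryKey -Recurse -ErrorAction SilentlyContinue)
        $recordedValues = ($keys | Measure-Object -Property ValueCount -Sum).Sum
    }
    [pscustomobject]@{
        LocalWin32Programs  = $localPrograms.Count
        RecordedValues      = [int]$recordedValues
        InventoryLooksEmpty = ($localPrograms.Count -gt 0) -and ([int]$recordedValues -eq 0)
    }
}

Get-ImeInventoryStatus      | Format-List
Compare-LocalWin32Inventory | Format-List
```

A device that shows FullSyncOverdue or InventoryLooksEmpty as True is worth a closer look before you trust what the portal reports for it.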
Discovered Apps and Device Types
If you’re wondering which types of devices in the Intune portal return information about which of their installed apps, Microsoft offers a comprehensive list here. In rough translation, that means there are certain criteria that devices must meet for their installed apps to be detected by Intune.
Windows Device Requirements for Discovered Apps
To be eligible for the Intune Software Inventory, the following requirements must be met by Windows devices:
They must be Intune-enrolled devices.
They must have the IME agent installed.
They must be corporate devices.
If all of the above conditions are met and the OS version is Windows 10 or 11, Intune should be able to detect managed applications, as well as manually installed ones. For older Windows versions, only managed apps are detected.
Discovered Apps on Non-Windows Devices
As a general rule, macOS, iOS, and Android devices fall into two categories when it comes to app detection:
Personal devices – because of privacy concerns, only managed apps are inventoried.
Corporate devices – all apps installed on the device are detected.
What About Co-managed Devices?
Co-managed devices will only collect app inventory through Intune if the client apps workload in Configuration Manager is switched to Intune. This will prompt the Intune Management Extension to be installed on the devices so it can get the necessary data.
How Often Does the Software Inventory Run?
Discovered Apps refresh cycles are different depending on the OS and app types.
1. Non-Windows Devices Refresh Cycle
For macOS, Android, or iOS devices, as well as devices without the IME installed, the inventory will run every seven days from device enrollment.
2. Windows Devices Refresh Cycle
For Windows devices with the Intune Management Extension installed, the following will happen:
Win32 Apps
A delta inventory will be performed every 24 hours and when the IME service starts.
A full inventory will be taken when the IME is installed and every seven days after that.
Modern Microsoft Store Apps will be inventoried every seven days.
It’s important to note that the seven-day refresh cycle concerns every device individually and does not apply to the entire Intune tenant.
Can I Export the Intune Software Inventory Report?
Yes, you can. Both the individual and the aggregate Discovered Apps report can be exported as a CSV file.
For the tenant-wide discovered apps, you have a few choices:
Export the Discovered Apps Aggregate Data Set
This report gives you less detail in fewer columns, but it provides the total number of devices each app is installed on.
Export the Discovered Apps Raw Data Set
This report will not provide you with the aggregate numbers, but it will contain details about each individual device a certain app is installed on, such as the device name and the user ID.
A More Elegant Solution: Discover Apps with PowerShell and Graph
If you’re not a big fan of CSV files and you like PowerShell, my colleague Vincent has got you covered. He wrote a great script you can use to get the Discovered Apps information from Intune via Microsoft Graph.
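To show what that looks like in practice, here is a short Graph example I’ve added for this post. It is not Vincent’s script; it uses the Microsoft.Graph.Authentication module (Connect-MgGraph and Invoke-MgGraphRequest) against the v1.0 deviceManagement/detectedApps endpoint to pull the tenant-wide aggregate view (app, version, device count), then drills into the per-device list for one app, mirroring the aggregate and raw CSV exports above. Assumptions: the module is installed, the signed-in account has DeviceManagementManagedDevices.Read.All, and the “7-Zip” name filter is just a constructed example.

```powershell
# Added example, not Vincent's script. Requires Microsoft.Graph.Authentication.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

function Get-GraphPages {
    # Follows @odata.nextLink so every page of a collection is returned.
    param([Parameter(Mandatory)][string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

# Aggregate view: what the portal's "aggregate data set" export gives you.
$apps = Get-GraphPages -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$top=999' |
    ForEach-Object {
        [pscustomobject]@{
            Id          = $_.id
            DisplayName = $_.displayName
            Version     = $_.version
            DeviceCount = $_.deviceCount
        }
    }

# Raw view: one row per device, like the "raw data set" export, for a chosen app.
$nameFilter = '7-Zip'   # constructed example; swap in the app you want to audit
$rows = foreach ($app in ($apps | Where-Object DisplayName -like "*$nameFilter*")) {
    $deviceUri = "https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/$($app.Id)/managedDevices"
    foreach ($device in Get-GraphPages -Uri $deviceUri) {
        [pscustomobject]@{
            App         = $app.DisplayName
            Version     = $app.Version
            DeviceName  = $device.deviceName
            User        = $device.userPrincipalName
            LastSyncUtc = $device.lastSyncDateTime
        }
    }
}

$apps | Sort-Object DeviceCount -Descending | Select-Object -First 20 | Format-Table -AutoSize
$rows | Export-Csv -Path '.\discovered-apps-raw.csv' -NoTypeInformation
```

Because each detected app entry is per name and version, the raw rows let you see exactly which devices are still on an outdated build of the app you filtered on.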
Discovered Apps Inconsistencies
Much like everything else in the world, the Discovered Apps feature in Microsoft Intune is imperfect. That means the results it returns are not always accurate. Possible reasons for inconsistencies include:
targeting changes reflected with a delay in the detected apps
different time intervals for collecting information about discovered apps and app status
multiple users on the same device
So What Have We Been On About?
The Microsoft Intune Discovered Apps feature is a great – albeit imperfect – way of keeping track of the applications installed within your tenant. In an increasingly security-driven IT landscape, this capability is a must-have.
Learning how to use this functionality will help you better manage and protect your infrastructure. The ability to detect apps already installed on your devices will allow you to identify and address any possible vulnerabilities.
If regularly checking software inventory reports against vendor websites to keep your software up to date seems like a daunting task, you don’t have to do it alone. Patch My PC can integrate with Intune to automate 3rd party software patching for you. Schedule a live demo today and find out exactly how that works!