This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 25%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMV%3C/text%3E%3C/svg%3E)
In intune I want to create a dynamic group that checks wether or not some app is installed on this user's device. Is there any way to query to see if an app is installed on a device or on a user's device.
Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 27%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJD%3C/text%3E%3C/svg%3E)
I think its very common to create Configuration Manager collections based on information in the ARP. Would love to be able to do the same for managing applications in Intune.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 28.000000000000004%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDO%3C/text%3E%3C/svg%3E)
I'm not the OP but my example would be the current Chrome vulnerability. I have devices that have Chrome not installed via Intune.
I want to be able to force install an update to Chrome on all machines that have it installed without having to force install Chrome for everyone or having to go through and pick the machines.
https://msendpointmgr.com/2020/05/26/automated-3rdparty-patch-remediation-in-intune-with-azure-automation/ That is an example someone else came up with to solve this problem.
For that specific scenario (and assuming Windows since it doesn't make sense on iOS or Android necessarily), you could/would deploy the update to all devices using a Win32 App and use the detection method to ensure it only runs on systems where the update is applicable -- this is the entire purpose of Win32 apps having a detection method.
Yes was discussing Windows in this situation. So for MSI I would need to package it as an intunewin app to get the options for app detection method. I didn't realize the app detection rules were used to also detect if the app was already there. I thought they were intended to use to see if the App is now showing up as installed.
I realized you're probably pointing out the detection rules under requirements. Got it, that would solve this, I would just need to maintain an app without the requirement rule for first time installs of the app.
Sorry, I called out detection method when I actually meant the requirement rule.
For an MSI based installer, yes. In general, packaging MSIs as a Win32 package is always recommended for a variety of reasons.
There's no direct method to do this today. What's the purpose of the group once you created it? IOW, what will you use it for?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
To add some insight to this question...
We have a lot of applications inside the Company Portal that are available to users to install. The Assignment is set to All Users. When someone installs the application we need to make sure the installed application remains up to date. Usually the users cannot run these updates on their own because they do not have Admin rights. Most applications that have self-update mechanisms (Jabra, Power BI desktop) need Admin rights to install the update.
That leaves is with the challenge that a user installed Application A some weeks ago through Available Apps... no updates can be installed because the user does not have the rights to install an update. We regularly update the Available application so users always install the latest version when they have not installed the application yet, but this leaves us with all the users that already installed a previous version. We also need to update these versions.
The solution we have in place for the moment is to create another Win32app for the same application with the latest version (same as the available one). We make this application Required for all users with a requirement rule where the requirement is set to check if the application is installed on the system (just a simple check on the presence of an executable). If the application is present MEM will check the detection rule to see if the correct version is installed. If not, the application is installed and as such the old version is updated to the new version.
This method works, but it has some drawbacks. Since the application is Required for All Users, everytime MEM does a check if an application is installed it also checks the required applications to see if they are installed or not. Most users might not have the application installed, so they also don't need to go through this check every time. We also notice that during the ESP user phase all the applications are checked because they are required. They are not installed most of the times because the requirement rule is not matched.
It gives a lot of unnecessary overhead in our opinion, but we need it in our current situation, because we like to give the users control over the applications, they install from the Company Portal but we also like to keep the applications up to date once installed. Of course we could choose to create AAD groups, add the users to the groups and add these groups to all our applications and make them Required so they are automatically installed when they are part of the AAD group, but this takes away the possibility to let users do their own installations.
What would help is a dynamic query on installed applications just like we use for our requirement rule. If the application is installed the user is added to the dynamic group and this group can then be used as a required Installation group for the Application that was previously published to All Users (with a requirement rule). By limiting the requirement to the dynamic group MEM does not have to check all the applications published unnecessary as Required to All Users. The check would only have to be done if the user is a member of the Dynamic group.
Hope it makes some sense. If there is another solution to keep Available applications up to date we would be interested to hear what the solution would be.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 99%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERF%3C/text%3E%3C/svg%3E)
It's like Microsoft lives on another planet with an alternate reality.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 61%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Hi,
I would have the same question, how to have a dynamic group based on installed software. This would be to assign configuration profiles for specific apps.
As an example App A is assigned to a group of users, but with an exclusion on some devices with special settings. If I now assign a configuration profile to the same group of users, I cannot exclude the devices anymore.
Out workaround at the moment (in a tenant attached, co-managed SCCM/Intune environment): create SCCM collections based on the installed software and sync to an AAD group to assign the configuration profile. Is there a way to make this easier and quicker?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 67%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
I have to same questions. I want to uninstall certain Dell Optimizer packages from all Dell systems via Intune with a script, but only for devices from dell that have the Optimizer installed. Dell Optimizer is screwing up our connection management and stores a large amount of unwanted data. So it needs to go to only targeted devices.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 33%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Thats easy to solve. I created an uninstall script and published it to all devices. Detection rule is something like "if the executable exists"
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 26%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I've also been looking for a way to create a dynamic group that has O365 installed. I'm looking to deploy 64bit office to new devices or device missing office. I don't want it to overwrite any device that currently has the 32bit version of office installed.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 50%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPJ%3C/text%3E%3C/svg%3E)
iI you deploy it with the flag MigrateArch=true in the xml file Office will do an inplace upgrade from 32 to 64 bots architecture.
previously one had to uninstall the 32 bit version of office and then deploy 64 bit but this solves that issue.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 64%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
we have the same query - we know about the MigrateArch. We want to keep those devices with 32bit office as they are and only target new devices with 64bit.