
Questions about Intune Update assignments

Started by ashearera, July 17, 2023, 08:37:56 PM


ashearera

Hi everyone, I realise some of these questions or similar may have been asked before, but I haven't found exactly the answers I'm looking for.

We're planning to use Patch My PC in our Intune environment; all devices are Azure AD Joined and in Autopilot.

Like many, we are planning to make most of our Intune Apps "Available" to users via Company Portal (either All Users if suitable, or if a restricted licence app to an AAD group of known users).

Then we will make the corresponding Intune Updates Required, as I understand this ensures the update script runs regularly to detect the app and update it if necessary. My questions are:

1. When an app is set to Required for Users, how frequently does it run? I couldn't find this in any of the MS documentation. Is it triggered by a certain event (login, reboot) or is there some regular time interval? I've read somewhere that policy check ins happen roughly every 8 hours by default - is this valid here?

2. How are people setting up their Required Assignments for the Intune Updates? I have read about people having AAD groups set up almost like Update Rings, so if an update goes wrong the impact is limited if caught early.

Do you have a generic AAD User early adopter group for apps scoped to All Users (could probably even re-use our Windows Update Ring group...)? How would you ensure your early adopter group had a decent spread of the Available app actually installed? It's possible all of your early adopters may not have installed an Available app...

In the case of apps restricted to a smaller group of users, I guess you would then have individual early adopter groups for each app you set up?

3. If you have an app limited to a set group of users, do you also set the Intune Update to be Required only to that group of users? Or do you just Require all updates to All Users? Is there a significant performance issue doing this?

Thanks for any input.

Scott (Patch My PC)

Hey @Ashearera

Intune Policy runs every hour and evaluates win32apps.
When initially deployed, the updates should be installed by Intune within an hour of deployment. If the installation fails, Intune will retry the installation every 24 hours, unless the exit code is Retry.

We have a KB article on retries here - https://patchtuesday.com/blog/tech-blog/win32app-retry-interval/

reeksk

Quite interested in an answer for number 3

3. If you have an app limited to a set group of users, do you also set the Intune Update to be Required only to that group of users? Or do you just Require all updates to All Users? Is there a significant performance issue doing this?


Scott (Patch My PC)

You can, if you wish, target that group specifically with the required update.

If you do this though, you may find that other users that have installed that application from a different source do not receive the update.

The recommendation would be to assign it to an All group (users or devices). There is no noticeable performance impact.

ashearera

Just to reply to reeksk's question, we ended up scoping updates to All Users and it has been fine.

Scott, maybe a question for you as I've just thought... if we are scoping Intune Updates to All Users, the update will only run when a user is logged into a PC, is that correct?

If we instead scoped updates to All Devices, the updates would run daily regardless of whether someone is logged into a PC? We're an education institution where some on-campus shared PCs are used more heavily than others so that may make more sense for us?

Thanks