Patch My PC has discovered an Intune software deployment bug. The Intune Management Extension incorrectly processes the available time for an Intune application if all of the following conditions are met:
- The Intune Win32 application includes a requirement rule.
- The application is assigned as required to at least 2 groups.
- One of the assignments has an available time set to “As soon as possible”
- One of the assignments has an available time set to sometime in the future.
- The targeted device(s) exist in at least 2 of the groups with the “As soon as possible” group being one of those groups.
Instead of processing the assigned application immediately, the Intune Management Extension will wait until the next availability date to perform the app installation, completely ignoring the “As soon as possible” assignment. There is no error code associated with this bug.
Behavior with an Assignment Set to “As Soon as Possible”
Patch My PC was able to replicate this issue using the steps below.
- Create an Intune app with a requirement rule.
- A Patch My PC Intune Update creates an Intune Win32 app with a requirement rule.
- Assign that app to two groups of devices as required.
- Both groups should contain the same client device.
- On one assignment set the availability date/time to “As soon as possible”
- On the other assignment set the availability date/time to sometime in the future (three days for this test).
- Move to the Intune client and allow policy to process. This process can be sped up by running an Intune sync or restarting the “Microsoft Intune Management Extension” service.
When creating assignments as noted above, we expected the client to perform the application installation immediately due to the “As soon as possible” availability assignment. However, we found that the IME would actually delay the application installation until the delayed assignment “Availability” time.
Behavior with an Assignment in the Past
Patch My PC was able to create the desired installation timeline by creating a deployment in the past instead of using the “As soon as possible” assignment. The steps below indicate the process we used to test this deployment scenario.
- Create an Intune app with a requirement rule.
- A Patch My PC Intune update creates an Intune Win32 app with a requirement rule.
- Assign that app to two groups of devices as required.
- Both groups should contain the same client device.
- On one assignment, set the availability date/time to a time in the past.
- On the other assignment, set the availability date/time to sometime in the future (three days for this test).
- Move to the Intune client and allow policy to process. This process can be sped up by running an Intune sync or restarting the “Microsoft Intune Management Extension” service.
For this scenario, we also expected the client to install the application immediately due to the assignment with an availability set to the past. In this case, the assignment did process successfully, and the installation completed successfully as soon as possible.
We also found that if we had an existing assignment that was not installing due to the aforementioned bug, the assignment would process as soon as an Intune sync ran when we changed the existing “As soon as possible” assignment to the past.
How This Effects Patch My PC Customers
Patch My PC contacted Microsoft about this bug on August 10th, 2023, and hopes for a speedy resolution. However, until a resolution is found, Patch My PC customers who utilize Intune updates and assign updates to multiple groups should ensure that at least one of the following conditions is met:
- Device groups for assignments each contain unique devices that are not in other assignment groups (for example: Devices that are members of a “test” group, are not also members of a “production” group). Additionally, refrain from using the “All Users” or “All Devices” groups, as these groups will always contain members from other groups.
- Consider creating a “Production” group that excludes the members of the other assignment groups’ members.
- Refrain from creating assignments with their availability set to “As soon as possible”. Instead set the availability time to a time in the past. In the Patch My PC Publisher “Manage Assignments” right-click option, this can be accomplished by choosing “+0” days and a time before the scheduled Publisher sync time.
