
Scan Intune for Supported Products

This article describes the Intune scanning feature: what is available today, the existing limitations, and the planned features. The ability to scan Intune for products that are supported by Patch My PC is actively under development and will continue to change.

Current Features

The intent with this feature was to provide some parity with our Configuration Manager scan feature shown here. The Configuration Manager database contains a monumental amount of data, allowing us to provide a good representation of what our product can patch in your environment.

The Intune scanning UI can be seen below.

  • Intune Connection:
    • This Intune Connection shares its configuration with the other Intune-based features in the product. The configuration for API permissions can be found here.
  • Auto Publishing Rules:
    • If this feature is enabled, the Intune scan will run every time a Publisher synchronization occurs. Based on the results of the scan, Win32 Intune Applications will be published to Intune if the count threshold is met.
  • Filter:
    • The table of data can be filtered based on four fields
      • Product
      • Vendor
      • Count greater than…
      • Already enabled
        • The radio buttons to the right of the filters provide the ability to include or exclude products which are already enabled as Win32 Intune Applications
    • The filter is cosmetic only; it does not affect the scans or the Export to CSV feature
  • Export to CSV
    • The data table can be exported out to a CSV file. This can be useful to pass to management or your cybersecurity team. Keep in mind the filters do not apply to the resulting CSV file.
  • Click OK
    • Intune Connection will be saved to your settings
    • Auto-publishing rules will be saved to your settings
      • Auto-publishing will occur during the next Publisher synchronization.
    • Changes in product selection in the data table will be saved to your settings.
      • Newly selected applications will be published during the next Publisher synchronization.

Limitations:

Because this feature is using the Microsoft Graph API, we are subject to any limitations presented by the API. These limitations are discussed below.

  • Inventoried Applications:
    • Intune currently keeps inventory of a subset of the applications installed on a device
    • Microsoft details this limitation in this docs page
      • Windows 10 Win32 Apps: Only MSI-based apps on company-owned devices
    • This limits our Graph API queries to returning MSI-based products that we support, as opposed to the Configuration Manager scans, which will detail all our supported products based on the database query results.
  • Graph API
    • Microsoft Graph API currently does not allow a query to return a full list of detected applications.
    • To list MSI-based inventory data, each device must be queried directly.
      • The detectedApps relationship can be expanded to get a device's MSI-based detected apps
    • Because each device must be queried individually, there are a lot of queries to perform
      • Graph batches are used to increase performance
      • For the quickest Intune scanning, the Publisher will group devices into batches of 20 and perform the Graph API queries in parallel
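
The per-device batching described above can be sketched as follows. This is an added example, not Patch My PC's code: it builds Graph `$batch` bodies of 20 device queries each and tallies devices per product from a batch response, setting aside throttled sub-requests for a later retry. The URL path, device ids, and product names are assumptions or constructed sample data.

```python
from collections import Counter

BATCH_LIMIT = 20  # Graph JSON batching accepts at most 20 requests per $batch call

def build_batches(device_ids, size=BATCH_LIMIT):
    """Return one $batch request body per group of `size` device ids."""
    bodies = []
    for start in range(0, len(device_ids), size):
        chunk = device_ids[start:start + size]
        bodies.append({"requests": [
            {"id": dev_id, "method": "GET",
             # Assumed path: one managed device with detectedApps expanded
             "url": f"/deviceManagement/managedDevices/{dev_id}?$expand=detectedApps"}
            for dev_id in chunk]})
    return bodies

def tally(batch_response, counts=None, retry=None):
    """Add per-product device counts; collect ids of failed sub-requests."""
    counts = Counter() if counts is None else counts
    retry = [] if retry is None else retry
    for item in batch_response["responses"]:
        if item["status"] != 200:
            retry.append(item["id"])  # e.g. 429 throttling: query again later
            continue
        # A set counts each device once per product, even with duplicate rows
        names = {app["displayName"] for app in item["body"].get("detectedApps", [])}
        counts.update(names)
    return counts, retry

def products_over(counts, threshold):
    """Products detected on more than `threshold` devices, sorted by name."""
    return sorted(name for name, n in counts.items() if n > threshold)

# Constructed sample $batch response (not real tenant data)
SAMPLE_RESPONSE = {"responses": [
    {"id": "dev-001", "status": 200, "body": {"detectedApps": [
        {"displayName": "Contoso Reader", "version": "1.2.0"},
        {"displayName": "Contoso Zip", "version": "19.0"}]}},
    {"id": "dev-002", "status": 200, "body": {"detectedApps": [
        {"displayName": "Contoso Reader", "version": "1.1.0"}]}},
    {"id": "dev-003", "status": 429, "body": {"error": {"code": "TooManyRequests"}}},
]}

if __name__ == "__main__":
    batches = build_batches([f"dev-{i:03d}" for i in range(1, 46)])
    print([len(b["requests"]) for b in batches])
    counts, retry = tally(SAMPLE_RESPONSE)
    print(dict(counts), "retry:", retry, "over 1:", products_over(counts, 1))
```

Each body returned by `build_batches` is what would be POSTed to the Graph `$batch` endpoint; passing the same `counts` and `retry` objects to `tally` across responses accumulates the totals for the whole scan.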

Planned Features:

  • Allow Defender ATP data to be used instead of Intune
    • This will be an optional feature due to ATP being licensed separately from Intune
  • Suggest devices the Win32 Applications deployment should target
    • Subject to Intune Graph API developments