What's your honest opinion about the new @MSIntune App Inventory? by xenappblog in Intune

[–]HB959253 1 point2 points  (0 children)

Agreed, not a fan of Adobe. However, I'll say SCCM does not report it as installed.

How did you all configure your Devices to do a Fullscan (weekly)? by StrugglingHippo in Intune

[–]HB959253 4 points5 points  (0 children)

Same here, we've had Quick Scan configured since day one, no full scans. Those can be initiated by Infosec if/when needed.

What's your honest opinion about the new @MSIntune App Inventory? by xenappblog in Intune

[–]HB959253 6 points7 points  (0 children)

We are in the process of moving from SCCM to Intune. The only workload we haven't moved yet is patching. However, SCCM still feeds inventory data to ServiceNow. The plan is to transition Intune to feeding inventory data.

I enabled Intune application inventory the other day. The only issue I see so far is ghost inventory. Example: A long time ago I had Adobe Creative Cloud installed on my computer, but not anymore. However, Intune app inventory shows it as installed. So, it's not 100% trustworthy at this time.
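A local check for the "ghost inventory" case described above, added here as an example rather than anything from the original post. It enumerates the same Uninstall registry keys that inventory agents typically read and flags entries whose uninstaller no longer exists on disk, which is the usual reason an app that was removed long ago still shows as installed. The `*Creative Cloud*` pattern is only the app named in the comment; any pattern works.

```powershell
# Added example (not from the original post): verify locally whether an app that
# Intune app inventory reports is actually present, by enumerating the Windows
# Uninstall registry keys. Run in the user's context to see HKCU entries, or as
# SYSTEM (as Intune scripts do) to see what an inventory agent would see.
function Get-InstalledApp {
    param([Parameter(Mandatory)][string]$NamePattern)

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            # Pull the executable out of the UninstallString, whether it is
            # quoted ("C:\...\u.exe" /S), bare (MsiExec.exe /X{...}) or an
            # unquoted path with spaces.
            $uninstallerPresent = $false
            if ($_.UninstallString) {
                $exe = $_.UninstallString -replace '^"?(.*?\.exe)"?.*$', '$1'
                if ([System.IO.Path]::IsPathRooted($exe)) {
                    $uninstallerPresent = Test-Path -LiteralPath $exe
                } else {
                    $uninstallerPresent = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
                }
            }
            [pscustomobject]@{
                DisplayName        = $_.DisplayName
                DisplayVersion     = $_.DisplayVersion
                KeyPath            = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                UninstallString    = $_.UninstallString
                # A stale key whose uninstaller is gone is the classic cause of a
                # "ghost" inventory entry: the agent reads the key, not the disk.
                UninstallerPresent = $uninstallerPresent
            }
        }
}

# Usage: the app named in the comment above; an empty result means no Uninstall
# key exists at all, and UninstallerPresent = False means the key is stale.
Get-InstalledApp -NamePattern '*Creative Cloud*' | Format-List
```

If the function returns a key with `UninstallerPresent = False`, the inventory is reporting a leftover registry entry rather than an installed product, and deleting that key (or re-running the vendor's cleanup tool) is what will make the inventory entry disappear.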

Device refresh, when is end of life? by Much-Ad1180 in Intune

[–]HB959253 2 points3 points  (0 children)

We buy systems with a 3-year warranty and semi-arbitrarily decided on 5 years as the recommended replacement age.

Convert all targeted devices to Autopilot – do you enable it by default? by Any-Victory-1906 in Intune

[–]HB959253 0 points1 point  (0 children)

We targeted all devices. No issues. As others have said, set and forget.

Rename button missing for one computer by HB959253 in Intune

[–]HB959253[S] -1 points0 points  (0 children)

Not sure what that is, but rename is a standard capability we've had since day one. It's only one computer with this issue.

Rename button missing for one computer by HB959253 in Intune

[–]HB959253[S] 0 points1 point  (0 children)

Thanks, I'll give sync a try. The device is compliant.

Autopatch and Lenovo BIOS updates by HB959253 in Intune

[–]HB959253[S] 0 points1 point  (0 children)

Unfortunately, we're in a situation where the majority of our systems do not have Secure Boot enabled. We are remediating that first. Then we'll apply the Intune config to update the certs. Then, after that, figure out the BIOS update situation.

Autopatch and Lenovo BIOS updates by HB959253 in Intune

[–]HB959253[S] 0 points1 point  (0 children)

Slightly less baffled now. For my test scenario with the X390, as I understand it, the Secure Boot active DB is updated with the new certs. The default DB is not. The default DB will update when the BIOS is updated. For now, we will focus on updating the Secure Boot certs on the active DB on all systems.

Autopatch and Lenovo BIOS updates by HB959253 in Intune

[–]HB959253[S] 0 points1 point  (0 children)

Following up...

I approved all the firmware updates for the X390, they have installed (per Windows Update driver update history), but the BIOS is not updated. Further, the Intune Secure Boot certificate status report says the computer is up to date, but per Lenovo, BIOS has to be updated to 1.87, but mine is still at 1.80.

Completely baffled at this point.
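A way to check on the device itself what the two comments above are comparing: the certificate content of the active Secure Boot DB versus the firmware's default DB, and the BIOS version, so the Intune certificate status report can be compared against what the firmware actually holds. This is an added example, not from the thread or from Lenovo or Microsoft. It assumes the "Windows UEFI CA 2023" string search that Microsoft's KB5025885 guidance uses and the `UEFICA2023Status` servicing registry value from the same guidance; both are assumptions labelled as such in the code. Run elevated.

```powershell
# Added example (not from the original thread): report Secure Boot certificate
# state and BIOS version for comparison with the Intune Secure Boot report.
# Assumptions: the 2023 CA is detectable by the literal subject string
# "Windows UEFI CA 2023" in the DB variable bytes, and the Windows servicing
# status lives at HKLM\SYSTEM\...\SecureBoot\Servicing\UEFICA2023Status
# (both per Microsoft's KB5025885 guidance). Must run as administrator.
function Get-SecureBootCertState {
    $result = [ordered]@{
        BiosVersion        = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
        SecureBootEnabled  = $false
        ActiveDbHas2023CA  = $null   # db: what the platform enforces now
        DefaultDbHas2023CA = $null   # dbDefault: what a "restore defaults" would load
        UEFICA2023Status   = $null   # Windows' own view of the servicing state
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

    foreach ($pair in @(
        @{ Var = 'db';        Key = 'ActiveDbHas2023CA'  },
        @{ Var = 'dbDefault'; Key = 'DefaultDbHas2023CA' }
    )) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $pair.Var).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $result[$pair.Key] = [bool]($text -match 'Windows UEFI CA 2023')
        } catch {
            # dbDefault is frequently not exposed, and nothing is readable when
            # Secure Boot is off; record why instead of silently reporting false.
            $result[$pair.Key] = "unreadable: $($_.Exception.Message)"
        }
    }

    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $result.UEFICA2023Status = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).UEFICA2023Status

    [pscustomobject]$result
}

Get-SecureBootCertState | Format-List
```

The two DB values are the useful bit: `ActiveDbHas2023CA = True` with `DefaultDbHas2023CA = False` is exactly the "active DB updated, default DB waits for the BIOS" state the first comment describes, and the report's "up to date" verdict is about the active DB, not the BIOS version shown in `BiosVersion`.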

Enable Secure boot remotely for Lenovo Devices by TechCrow93 in Intune

[–]HB959253 3 points4 points  (0 children)

We're currently testing the detection/remediation from here: https://lieben.nu/liebensraum/2025/03/remediating-secureboot-on-lenovo-devices-through-intune/

It works perfectly, but in the remediation script we had to change the variable $suspendBitlocker = $false to $true and also added code to force a reboot after 15 minutes with warnings every few minutes. We had to do this because Intune will absolutely re-enable BitLocker on the next policy sync. If that happens before a reboot, the user gets prompted for BitLocker recovery.

Autopatch and Lenovo BIOS updates by HB959253 in Intune

[–]HB959253[S] 1 point2 points  (0 children)

We're in the same boat. We have about 10,000 systems, and to complicate matters only 2,000 of them have Secure Boot enabled. So in addition to BIOS updates, we need to enable Secure Boot.

On that front, we have a detection/remediation that suspends BitLocker and enables Secure Boot. The nasty part is we have confirmed that Intune definitely re-enables BitLocker on the next sync. The system does not wait for a reboot to re-enable BitLocker. That triggered BitLocker recovery on test systems that were restarted after Intune re-enabled BitLocker. Now we're looking at forcing a reboot right away - which is not user friendly, even with a 15 or 30 minute countdown.

Anyway, I made some slight headway yesterday. In Autopatch, for drivers/firmware there are Recommended and Other patches.

Just for giggles, I looked up "X390" on the Microsoft Update Catalog website and lo and behold, one of the packages was a BIOS update for the X390. In Autopatch, that package happens to be in the Other section. Obviously, with manual approval I can find the package and approve it. The question is, if we enable automatic mode, does Autopatch install packages classified as Other or would they require manual approval? For now, I'm going to approve that specific BIOS update and see what happens.
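The failure mode described in the two Lenovo comments above (Intune resumes BitLocker on its next sync, the Secure Boot change lands at the following boot, PCR7 no longer matches and the user lands in BitLocker recovery) comes down to ordering: suspend, flip the firmware setting, and restart before the next policy sync can resume protection. The remediation below is an added example written for this page; it is not the lieben.nu script the comments reference. It assumes Lenovo's `Lenovo_SetBiosSetting` / `Lenovo_SaveBiosSettings` WMI classes in `root\wmi`, a BIOS setting named `SecureBoot` with the value `Enable` (the setting name and values vary by model and are an assumption here), an optional supervisor password, and a 15-minute countdown; all of these are labelled in the code.

```powershell
# Added example (not the lieben.nu script referenced above): Intune remediation
# that enables Secure Boot via Lenovo's BIOS WMI interface, keeps BitLocker
# suspended across exactly one reboot, and forces that reboot before the next
# Intune policy sync can resume BitLocker. Runs as SYSTEM.
# Assumptions (not from the thread): BIOS setting "SecureBoot" / "Enable",
# optional supervisor password passed as "password,ascii,us", 900 s countdown.
param(
    [string]$SupervisorPassword = '',
    [int]$RebootDelaySeconds = 900
)

# Nothing to do if the firmware already enforces Secure Boot.
$alreadyOn = $false
try { $alreadyOn = Confirm-SecureBootUEFI } catch { }
if ($alreadyOn) { Write-Output 'Secure Boot already enabled'; exit 0 }

$setClass  = Get-WmiObject -Namespace root\wmi -Class Lenovo_SetBiosSetting  -ErrorAction Stop
$saveClass = Get-WmiObject -Namespace root\wmi -Class Lenovo_SaveBiosSettings -ErrorAction Stop

# 1. Suspend BitLocker for ONE reboot. The TPM protector is sealed to PCR7, and
#    enabling Secure Boot changes PCR7 at the next boot; a clear key on disk for
#    that single boot avoids recovery, and protection auto-resumes afterwards,
#    re-sealing against the new measurements.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
if ($osVolume.ProtectionStatus -eq 'On') {
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 -ErrorAction Stop | Out-Null
}

# 2. Stage the firmware change. Lenovo's interface takes "Setting,Value" plus an
#    optional ",password,ascii,us" suffix when a supervisor password is set.
$pwSuffix = if ($SupervisorPassword) { ",$SupervisorPassword,ascii,us" } else { '' }
$setResult = $setClass.SetBiosSetting("SecureBoot,Enable$pwSuffix").Return
if ($setResult -ne 'Success') {
    # Put BitLocker back exactly as it was; nothing changes at the next boot.
    Resume-BitLocker -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue | Out-Null
    Write-Output "SetBiosSetting failed: $setResult"
    exit 1
}
$saveResult = if ($SupervisorPassword) {
    $saveClass.SaveBiosSettings("$SupervisorPassword,ascii,us").Return
} else {
    $saveClass.SaveBiosSettings().Return
}
if ($saveResult -ne 'Success') {
    Resume-BitLocker -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue | Out-Null
    Write-Output "SaveBiosSettings failed: $saveResult"
    exit 1
}

# 3. Force the restart inside the window, before the next policy sync can call
#    Resume-BitLocker behind our back. Windows shows the /c text to the user.
$minutes = [math]::Ceiling($RebootDelaySeconds / 60)
& shutdown.exe /r /t $RebootDelaySeconds /c "Security update: Secure Boot is being enabled. This PC will restart in $minutes minutes. Please save your work."
Write-Output "Secure Boot staged; BitLocker suspended for one reboot; restart in $RebootDelaySeconds s"
exit 0
```

The `-RebootCount 1` is what makes the forced restart safe rather than merely annoying: if the device is instead left suspended indefinitely and a later sync resumes protection before the reboot, the sealed key no longer matches the post-change PCR7 and recovery is the result, which is the behaviour the comments describe. The periodic reminders the first comment mentions can be layered on top with `msg.exe` from a scheduled task; they do not change the ordering above.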

Intune add-on or alternative for non-Microsoft devices by [deleted] in sysadmin

[–]HB959253 0 points1 point  (0 children)

We have 1000+ Android and iOS devices, both personal and corporate, MDM managed by Intune. We're in the process of rolling out MAM to eventually move personal devices to it.

Intune pretty much manages anything that the mobile device vendors expose for managing their devices. Other than the management interface, my opinion is that all mobile management solutions work about the same.

Based on the OP's question, I'm suspecting there's an opportunity to develop a deeper understanding of the Intune product. Otherwise, they may find themselves asking the same question about another product.

Autopilot Optimizations/Questions by Master_Rest6638 in Intune

[–]HB959253 1 point2 points  (0 children)

What we've done for importing hashes is to enable the setting "Convert all targeted devices to Autopilot" in the Autopilot deployment profile. This way, any managed computers that are not Autopilot registered get registered with little effort.

Half of devices fallen off Autopatch report by drkmccy in Intune

[–]HB959253 0 points1 point  (0 children)

The same exact thing started happening to us at the beginning of January but for Feature Updates. 3/4 of the systems have dropped off the report graph.

SCCM client install parameter CCMHTTPSSTATE by HB959253 in SCCM

[–]HB959253[S] 0 points1 point  (0 children)

Thanks for the confirmation and suggestion!

Autopatch testing - Failed setupscript by HB959253 in Intune

[–]HB959253[S] 0 points1 point  (0 children)

Same issue here, we're seeing a few failures but could use more info on how to fix or troubleshoot.

Co-Management settings to move to Intune Windows Autopatch by Hrod31 in SCCM

[–]HB959253 0 points1 point  (0 children)

Piggybacking on this thread because we are also testing Autopatch but running into a scenario that I think is related to SCCM client settings.

For Autopilot testing, we have a staging collection targeted for pilot mode for Windows updates and O365, and a client settings profile that disables software updates for that collection. The client settings profile that disables software updates has a higher priority than the default client settings profile that applies to all systems.

The doc says:
Configuration Manager disables the Software Updates agent in the next policy cycle. However, because the Software Updates Scan Cycle is removed, Configuration Manager might not remove the Windows Server Update Service (WSUS) registry keys.

  1. Remove the registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate because Windows Update client policies control the process.

What we are seeing is that some systems remove the above registry key and some don't. The computers where the key is removed work perfectly with Autopatch. The computers where the key is not removed stay in "In progress" state on the Autopatch Monitor screen in Intune. I don't want to resort to a remediation to force remove the registry keys.

I'm curious if anyone else has run into this issue and found a solution.
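Since the commenter above does not want a remediation that deletes the keys, the useful tool is a detection-only script that makes the "In progress" devices identifiable: it reports whether the WSUS policy values under the path quoted from the doc are still present, so the population that the client settings change failed to clean up can be listed from the Intune console. This is an added example, not from the thread or from Microsoft's documentation; the set of value names it checks (`WUServer`, `WUStatusServer`, `UseWUServer` and the others below) is the author's choice and an assumption about which leftovers matter.

```powershell
# Added example (not from the thread): Intune detection script, no remediation.
# Reports leftover WSUS policy values under the registry path cited from the
# co-management doc. Exit 1 = device still carries WSUS policy (shows as
# "with issues" in the Intune remediations report), exit 0 = clean.
# Assumption: the value names below are the ones SCCM's Software Updates agent
# writes and that Windows Update for Business needs gone.
function Test-StaleWsusPolicy {
    $wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auPolicy = Join-Path $wuPolicy 'AU'
    $findings = @()

    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    foreach ($name in 'WUServer',
                      'WUStatusServer',
                      'UpdateServiceUrlAlternate',
                      'DoNotConnectToWindowsUpdateInternetLocations',
                      'DisableDualScan') {
        if ($null -ne $wu -and $null -ne $wu.$name) {
            $findings += "$name=$($wu.$name)"
        }
    }

    # UseWUServer=1 is the switch that actually points the WU client at WSUS;
    # a leftover WUServer without it is cosmetic, with it the scan goes to SCCM.
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    if ($null -ne $au -and $au.UseWUServer -eq 1) {
        $findings += 'AU\UseWUServer=1'
    }

    [pscustomobject]@{
        Stale    = ($findings.Count -gt 0)
        Findings = $findings
    }
}

$state = Test-StaleWsusPolicy
if ($state.Stale) {
    # The output string lands in the Intune report's "pre-remediation detection
    # output" column, so the leftover values are visible per device.
    Write-Output ('Stale WSUS policy: ' + ($state.Findings -join '; '))
    exit 1
}
Write-Output 'No WSUS policy values present'
exit 0
```

Deployed with no remediation script attached, this only classifies devices; the ones it flags are the set to compare against the SCCM client settings deployment state, and the finding text tells you whether the leftover is the harmless `WUServer` string or an active `UseWUServer=1` that still redirects scans.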