MicrosoftPlease add the ability to create dynamic groups with inventory data, so we can deploy software to a specific group of devices. Is software inventory data coming too? That is the only major piece left for us to move from ConfigManager to Intune since we use it primarily for three things: 1) HW Inventory: done, 2) SW Inventory: not available, 3) deploying apps: done .
MicrosoftHi Chris Rhoda. It's awesome to hear that you are on the path to full Intune management. Lior did address targeting above. Note that it most likely won't be using dynamic groups directly, but we are seriously investigating how to best achieve this. Software Inventory already more or less exists in Intune in the form of Discovered apps although we fully acknowledge that this can be improved and are also investigating how to best achieve this as well.
Question on "software inventory", what exactly do you want to see (since "Software Inventory" is quite generic). In general, we're not trying to recreate what ConfigMgr does as cloud management and services have their own unique constraints that we must account for so knowing the exact requirements (without saying things "like "ConfigMgr") that folks have (including the why if possible) helps us validate (or modify) what we are working on or investigating and prioritize this work appropriately as well.
Maybe there is another way to accomplish this, but one thing I use software inventory for in SCCM is for device collections based on what applications a device has installed. I then leverage these collections to mandate updates for said applications even though those applications may not be installed on all devices in the company.
I.e.
App X is optionally available to users in a certain group. They can go into Company Portal/Software Centre to install this if they so choose.
Then, any device that has App X installed gets added to a collection of devices with that app installed (detected via software inventory). This collection has App X deployed (Required). Particularly, new versions of App X I publish are deployed as required to this software inventory based collection.
This achieves the behaviour of users being able to Opt-In to have App X installed on their device, but that app is kept up to date across every devices which has it, therefore meeting our security requirements.
With Intune you can have Requirements set on the app, i.e. a requirement that Appx.exe is detected. But then you would need two apps, one with the requirement and one without it. The one without requirements would be Assigned as Available to a group of eligible users/devices to install via company portal, and the second app with the requirements would be assigned to a device group of every device that could theoretically have the app installed.
There might be another technique/feature I could leverage to achieve this behaviour, if there is I apologise
I understand that some of this functionality can be found when deploying the app under Win32 using the Detection Methods, but then I must create multiple apps to have multiple deployment scenarios. (example: 1) where the folder/file is found but an older version, 2) where the folder/file isn't found so anyone can add it). This doesn't seem as "clean" as CM where the collection (group) is separate from the App. Allowing you to create an app and then deploy to multiple collections (groups).
Thank you for the reply. I'm looking at this purely from a security standpoint. For example, I have 400 users/devices, some of which (almost half) have chosen to install Chrome (in addition to Edge). When Defender for Endpoint tells me Chrome now has security vulnerabilities and they can be patched with the newest version, I want to be able to create (natively in Intune) a collection that says "All devices with Chrome but not version 133.x.x.x". Then I can deploy in Intune, like I currently do in CM, a required install for those devices. (Chrome is just the example, I do this with dozens of software packages.) I know I can (for now), cloud sync my CM collection to Intune, but if I could create these natively in Intune, I would no longer need the CM server, the CMG server, and the CM agent on my clients (which lets me implement a security recommendation for Win11 from Microsoft that currently conflicts with CM). I'm hoping the Intune team will find a way to implement inventorying software with Intune, and be able to create Groups on that (as well as being able to create groups based on the new HW inventory items, like BIOS version - another security related item we monitor).
Chris Rhoda
