Timlowenna
Copper Contributor
Sep 03, 2024

Laptop getting apps installed from Intune even though the computer group is excluded

Hello all,

Last year we switched to Autopilot and are now testing moving from hybrid to fully Entra ID joined and have hit a stumbling block.

We have a set of apps we normally install but for this test, we have a subset of laptops that were previously hybrid and added them to a test device group for the fully Entra ID join test.

For the test, we want to exclude a number of apps from installing on this subset, so have added the new device group and set it to Exclude. We go through the build process and when you click on the laptops under devices and look at managed apps we can see that the apps to be excluded do indeed show as 'Excluded'. However, they then start appearing on the laptops after they successfully complete the build process.

When I check in the event viewer I can see events with ID 1042 with the source msinstaller saying 'windows installer transaction: c:\windows\imecache' and so on, so I can see it is Intune that installed it.

We were hoping someone may be able to point us in the right direction.

A couple of extra bits of information. Each time I try a test build I start off a USB bootable device and delete the partition so it's completely fresh. All our Autopilot devices are in an 'autopilot - all devices' group and the test subset also remains in that group as well as being in the Entra test group. The apps in question have the all devices group set to required and the Entra test group is assigned as 'Excluded'.

I was wondering if having the computers in both groups, one set to include and the other to exclude, might confuse Intune, but I'm sure we have done that before.

    • Timlowenna
      Copper Contributor
      Hey there,
      thanks for the reply. No, we only use device groups.
      • aterribletruth
        Copper Contributor

        Timlowenna

        We had the same issue and there were two issues:

        1) We had a user group assigned without realizing it.

        2) We had two device groups: A default device group that new devices were put into by default (used as the "Include" group) and then a dynamic group that added devices based on serial number (used as the "exclude" group). For whatever reason, the order of operations in Intune was such that the flow allowed the PCs to receive the apps. It looked like what happened was:

        PC was added to Intune via Autopilot.

        PC was immediately added to include group.

        App showed as "Include" for PC.

        App was pushed to PC.

        While app was pushing to PC, PC was added to exclude group by dynamic filter.

        App now showed "Exclude" for that PC.

        App finished installing on PC.

        We had to use a second dynamic group for our include group to solve this. Not sure if that's what's happening to you, but you might try testing it by changing the assigned groups.
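
The ordering described in the reply above (install starts while the device is only in the include group, exclude membership lands mid-install) can be checked against collected timestamps. This is an added example, not part of the thread: the event names and sample rows are constructed, and it assumes you have already gathered group-membership and install times per device.

```python
from datetime import datetime

# Constructed sample timeline (not real Intune or Entra log output). Each row:
# (ISO timestamp, device, event, detail). Event names are hypothetical.
SAMPLE_EVENTS = [
    ("2024-09-03T09:00:00", "LAPTOP-01", "group_add", "include"),
    ("2024-09-03T09:02:00", "LAPTOP-01", "install_start", "AppA"),
    ("2024-09-03T09:05:00", "LAPTOP-01", "group_add", "exclude"),
    ("2024-09-03T09:09:00", "LAPTOP-01", "install_end", "AppA"),
    ("2024-09-03T10:00:00", "LAPTOP-02", "group_add", "include"),
    ("2024-09-03T10:00:30", "LAPTOP-02", "group_add", "exclude"),
    ("2024-09-03T10:20:00", "LAPTOP-03", "group_add", "include"),
    ("2024-09-03T10:22:00", "LAPTOP-03", "install_start", "AppA"),
    ("2024-09-03T10:30:00", "LAPTOP-03", "install_end", "AppA"),
]


def find_exclusion_races(events):
    """Return installs that began before the device joined the exclude group.

    Each finding is (device, app, seconds from install start to exclude
    membership, finished_after_exclude). Devices never excluded, and installs
    that start after exclusion, are not reported.
    """
    state = {}                 # device -> {"include": time, "exclude": time}
    started, ended = {}, {}    # (device, app) -> time
    for ts, device, event, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        groups = state.setdefault(device, {})
        if event == "group_add":
            groups.setdefault(detail, when)   # keep first membership time
        elif event == "install_start":
            if "include" in groups and "exclude" not in groups:
                started[(device, detail)] = when
        elif event == "install_end" and (device, detail) in started:
            ended[(device, detail)] = when
    findings = []
    for key, start in sorted(started.items()):
        excluded_at = state[key[0]].get("exclude")
        if excluded_at is not None:
            gap = int((excluded_at - start).total_seconds())
            done = key in ended and ended[key] >= excluded_at
            findings.append((key[0], key[1], gap, done))
    return findings


if __name__ == "__main__":
    for device, app, gap, done in find_exclusion_races(SAMPLE_EVENTS):
        print(f"{device}: {app} started {gap}s before exclude (finished after: {done})")
```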
