Event banner
Event details
91 Comments
I like how this feature keeps getting addressed by demonstrating how clunky and unwieldy base Intune is. Why is this being packaged as an upsell for Intune Suite instead of being standard?
Rae_GoodhartMicrosoft
The existing pain is around finding the 3rd party applications, knowing when they update and figuring out how to install and detect them in a reliable way. This isn't just an app modeling problem, which is the core Intune model and will continue to be enhanced to ensure completeness, but an additional effort required to build and maintain the catalog, which is why it's value add on top of the core model.
- Many orgs need to update based on timelines, e.g. patches for critical vulnerabilities deployed within 5 days, high within x days, etc. Being able to specify Minimum version doesn't really scratch this itch: you still need to keep track of all 3rd party updates manually and update the version numbers--a lot of extra busywork. Will there be an alternative to the Minimum version approach, e.g. app must be updated within 5 days or it won't run (similar to Edge policies)?
- Thank you. To meet the requirement from a practical standpoint, we'd need to select n (rather than n-1). Defender has a nascent ability to block vulnerable app launches, but this is also entirely a manual, one-off process at this time: a vuln is detected, from which you can create a rule until remediation is in place, rinse/repeat again and again and again. It seems to approach the security concern backwards or tangentially rather than directly, resulting in a lot of unnecessary busywork (as Aria Carley noted in the RunAs Radio podcast, we simply just need to start patching stuff asap--the old, slow cycles are no longer acceptable security-wise). Whether this update-now-or-block ability comes via Intune or Defender or both... great! 🙂
I do not understand why this would even be necessary. Why should Microsoft have to re-package applications for software vendors? Particularly after the security/privacy/reliability focused requirements (UWP and MSIX) were lifted, vendors should publish their own applications through the Microsoft Store. To help highlight vendors and products that have transitioned to modern device management (and shame those that have not) there is a community maintained spreadsheet named "Modern Windows Management Database". https://1drv.ms/x/s!AgG_boPR-xfWjN9i2Z_y_8ErM6t--A
- Joe_Lurie
treestryder Thanks, Nathan. This has been asked a couple times below, on why it's necessary vs the Store. We are not competing with the Microsoft Store, or with Winget, or with any other "catalog" type of app deployment. We are giving you another option, where the apps are prepackaged, and the updates will come down to Intune automatically and allow you to push them in a guided scenario.
As long as they are allowed to do whatever they want, software vendors have no incentive to change.
The store was more than a list of installable apps. By requiring legacy apps to be APPX packaged, or better, MSIX packaged UWP apps, it got us closer to the security and privacy model that Android and iOS have.
Not only have we lost the security/privacy/reliability focused goals of UWP and MSIX, now we have a team at Microsoft doing the work of these slacking vendors.
#ShouldBeUWP #ShouldBeMSIX #CouldBeAPPX
- Will this require an additional license? or be included with standard InTune licensing?
- My understanding is it should be included with the Intune Suite. Intune Suite is an additional license.
- Joe_Lurie
mattreinhart This is part of the Intune Suite, or also available as a standalone SKU (or will be when it's generally available on Feb 1, 2024).
Last I looked, Intune Suite is license per user. What I haven't seen is which user. The admin? The user of the PC? Both? All?
- For self-updating apps, will content still come from Intune (using DO), or will the apps just pull directly from their app vendors?
- Rae_GoodhartIf the application is self-updating, then that will come through traditional non-Intune/DO paths. However, if you need DO content, and the app supports it, you can disable the self-updater and will then need to deploy and control the update yourself through the EAM catalog to get the content through Intune & DO.
- And you fully support different language versions of the apps for us who use non-English versions of the apps?
- Joe_Lurie
PanuSaukko Yes, several of the apps already come in various languages. Our expectation is that ISVs will offer us apps in multiple languages and we will support all of the languages offered.
- Can we streamline Enterprise app management with Defender for Endpoint Vulnerability Management? That way when a vulnerability is reported it can guide administrators into building a new app or click a button to update the versions?
- GCCH support planned? Thanks.
- Joe_Lurie
Andrew_Wadler Yes GCCH support is planned, though it will come at a later date. No date to share at this time.
- Thanks.
- What work is being done to help us deploy these app updates? There is currently no way to build groups in Intune based on installed applications.
- Joe_Lurie
mlawniczak123 There is no dynamic query built into Intune allowing you to create a group based on software inventory. This is something that we've heard in the past and will be investigating in another dev cycle in the future.
- Are we able to know which application will be available within the release? Thank you
- Joe_Lurie
Murilo_Amorim We do not have a list of apps, but when you open the catalog the apps will all be therefor you to view. There may be a list post GA, but at this time we do not have a shareable list of catalog apps.
