Intune’s auto-update feature for Available Win32 apps is broken
In April 2024 Microsoft introduced a much-desired feature to Intune: automatically update existing installations of Win32 applications that are assigned as ‘Available’.
Unfortunately, the implementation of this feature has been buggy since day one. Trawl the forums and you’ll find complaint after complaint that the feature is inconsistent, or simply doesn’t work at all.
In September 2024, the entire feature disappeared from the Intune portal for some tenants, then magically reappeared and seemed to actually work!
The latest debacle for this feature (at least, for us) is that “something” has happened on “the Intune backend” which has caused some loss of data that underpins the functionality of auto-update.
How Intune’s auto-update functions
From troubleshooting with Microsoft I have gained further (although still scant) information about how the feature works behind the scenes:
- When a user clicks install on an Available application a “Device Policy Assignment” (DPA) record is created.
- DPA records are stored “on the backend” of Intune (i.e. not on the device). DPA records are not accessible to customers; only Microsoft can query this data.
- The auto-update feature relies solely on the DPA record information to function.
- Removing a user from the targeting of the Win32 Application’s Available assignment triggers deletion of the DPA record, which breaks auto-update for that Application for that user/device. Retargeting the same Application won’t recreate the DPA record; the user has to click ‘Install’ again to create a new one.
That last point is very important. Read it again.
“Something” happened
After playing word gymnastics with Microsoft Support and investigating Applications in our environment, Microsoft have confirmed that “something” has deleted the DPA records for our Applications. Microsoft naturally tried to blame us for doing “something”; fortunately for us, we have several applications that fit the following scenario:
- Created over 2 years ago.
- Assigned as Available to the built-in “All Users” entity only. No filtering in place.
- Intune Audit Logs prove neither the Application nor its assignment have been modified in more than 2 years.
- Users throughout the environment have been installing this application every other week throughout the last 2 years, providing a good sample of installations over time.
- The user objects have not been deleted or disabled (these are real users who have worked here for years without interruption), i.e. they are part of the “All Users” entity (well, should be…)
Recall the point above: “Removing a user from the targeting of the Win32 application Available assignment will trigger the DPA record to be deleted”. The scenario described above is not one in which a DPA record should be deleted: no assignments have been modified and the user has not fallen out of targeting for the Available assignment. Regardless, Microsoft claim the DPA records do not exist for these Applications, which explains why auto-update is not functioning for us.
Unfortunately for us, Microsoft have also stated that the DPA action log currently only stores the last 30 days of actions. As such, they cannot confirm exactly what triggered the deletion of our DPA records.
Looking online, it appears we are not the only ones affected by this: https://learn.microsoft.com/en-us/answers/questions/1920488/intune-auto-update-with-supersedence-not-working
Limited usefulness?
Troubleshooting Intune’s auto-update and discovering how “fragile” its implementation is has made me question how useful the feature is.
In our environment we operate under a user “self-serve” model with almost all applications assigned as Available, either to the built-in All Users entity, or to application-specific Entra ID groups, with the user picking and choosing what to install via Company Portal.
Our primary reason for wanting to use Intune’s auto-update feature is security: having Intune automatically deploy updated versions of applications to devices that have older versions installed, so that devices are not left running outdated, potentially vulnerable versions.
With Intune’s auto-update feature so heavily tied to the uninterrupted targeting of the assignment to the user that installed it, there are several scenarios where this feature falls short:
- On shared devices, the user who installed the software is not the only user of the device. That user may never log in to that device again, or may leave the organisation.
- For licensed or access-controlled software, a user may have their access removed for a period of time, which removes them from the Entra ID group that granted them the Available assignment. Re-adding them doesn’t resolve the auto-update issue.
- An IT admin modifies the Application’s assignment. It’s not common behaviour; however, if a simple modification silently severs the relationship with all existing installations, the feature is far too fragile, and the impact of modifying the assignment is completely hidden from the admin.
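Given how much auto-update hinges on uninterrupted targeting, it helps to know which of your Available Win32 assignments are exposed to the scenarios above and to have the audit evidence to hand when Microsoft asks what changed. The following PowerShell is an added example written for this post, not the author’s or Microsoft’s code. It inventories every Win32 app’s Available assignments via Microsoft Graph, flags assignments that depend on group membership or an assignment filter (the fragile cases), and pulls the Intune audit events recorded against each app. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds DeviceManagementApps.Read.All; the `resources/any(...)` audit filter is assumed to match what the Intune portal issues, and if your tenant rejects it you can fall back to an `activityDateTime` range filter and match on resourceId client-side.

```powershell
# Added example (not from the original post or from Microsoft).
# Assumptions: Microsoft.Graph PowerShell SDK; account granted
# DeviceManagementApps.Read.All; the resources/any() audit filter shape is
# an assumption about what the Intune portal sends.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All' -NoWelcome
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphCollection {
    # Follows @odata.nextLink so large tenants are not truncated at one page.
    param([Parameter(Mandatory)][string]$Uri)
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        foreach ($item in $page.value) { $item }
        $Uri = $page.'@odata.nextLink'
    }
}

function Get-AvailableAssignmentReport {
    # One row per 'Available' assignment of each Win32 (LOB) app.
    $apps = Get-GraphCollection "$graph/deviceAppManagement/mobileApps?`$filter=isof('microsoft.graph.win32LobApp')"
    foreach ($app in $apps) {
        $assignments = Get-GraphCollection "$graph/deviceAppManagement/mobileApps/$($app.id)/assignments"
        foreach ($asg in ($assignments | Where-Object { $_.intent -eq 'available' })) {
            $target = $asg.target
            $kind = switch ($target.'@odata.type') {
                '#microsoft.graph.allLicensedUsersAssignmentTarget' { 'All Users' }
                '#microsoft.graph.groupAssignmentTarget'            { "Group $($target.groupId)" }
                default                                             { $target.'@odata.type' }
            }
            $filterType = $target.deviceAndAppManagementAssignmentFilterType
            $hasFilter  = $filterType -in 'include', 'exclude'

            # Audit events that reference this app; assignment edits are recorded
            # against the app too. Note Intune keeps audit events for a limited
            # retention window, so export them if you need a longer baseline.
            # The resources/any() filter shape is an assumption (see lead-in).
            $audit = Get-GraphCollection ("$graph/deviceManagement/auditEvents?`$filter=" +
                "resources/any(r:r/resourceId eq '$($app.id)')") |
                Sort-Object { [datetime]$_.activityDateTime } -Descending
            $last = $audit | Select-Object -First 1

            [pscustomobject]@{
                App            = $app.displayName
                Version        = $app.displayVersion
                Target         = $kind
                Filter         = if ($hasFilter) { "$filterType $($target.deviceAndAppManagementAssignmentFilterId)" } else { 'none' }
                # Group or filter targeting is where membership churn can silently
                # drop the user out of targeting, and with it the DPA record.
                MembershipRisk = ($kind -ne 'All Users') -or $hasFilter
                AuditEvents    = @($audit).Count
                LastChange     = if ($last) { "$($last.activityDateTime) $($last.activityType) by $($last.actor.userPrincipalName)" } else { 'none in retention window' }
            }
        }
    }
}

Get-AvailableAssignmentReport | Sort-Object MembershipRisk -Descending | Format-Table -AutoSize
```

Rows with `MembershipRisk` set to true are the assignments where a user leaving and rejoining a group, or an admin touching the assignment, would break auto-update for that user’s installation; `AuditEvents` of zero alongside a `LastChange` of “none in retention window” is the evidence that nothing on your side modified the app or its assignment within the retained period.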