Intune Cheatsheet
Shared Devices vs User Assigned Devices
Check-In, Policy and App Functionality
Feature | Shared Devices | User-Assigned Devices |
---|---|---|
Check-in Frequency | Every 7 hours (device context) | Every 8 hours per user (user context) |
Check-in Trigger | Automatic (device) | Per user login and automatic (device) |
App Deployment | Apps assigned to device install once | Apps assigned to user install per user |
Policy Deployment | Device-targeted policies apply once | User-targeted policies apply at login and refresh |
Company Portal | Not required or supported | Required for user self-service & enrollment features |
Multi-user Support | Yes (optimized for hot-desking or kiosks) | Not ideal (designed for single primary user) |
User Context Features | Limited (e.g., no user-based compliance checks) | Full user-based features and compliance checks |
Dependency vs. Supersedence in Intune
Dependency (App Dependencies)
- Ensures a required app (App B) is installed before the main app (App A).
- App B remains installed unless explicitly removed.
- If App B is not separately assigned, it may stay installed even if App A is uninstalled.
- Does not affect visibility in the Company Portal—dependent apps are still listed if assigned.
Supersedence (App Replacements)
If an app is force-installed (Required) and you supersede it with a new version, the old app will no longer be installed again. Instead, Intune will ensure that the new (superseding) app is installed in its place.
- Replaces an older app version with a newer one (e.g., App A replaces App B).
- If "Uninstall previous version" IS checked: Old app is removed after the new one installs.
- If "Uninstall previous version" IS NOT checked: Old app stays installed but hidden in the Company Portal.
- Users can only see the latest (superseding) app in the Company Portal.
Assigning an Application
When assigning an application to a group in Intune, you can choose from several assignment types, each defining how the app behaves on the target devices or users:
- Required: The application is automatically installed on devices or assigned users, with no user intervention required. The app is installed as soon as the assignment condition is met.
- Available for enrolled devices: The application is available in the Company Portal for users to install on their devices. Users can choose to install or uninstall the app as needed, but it is not automatically installed.
- Available for unmanaged devices: Similar to "Available for enrolled devices," but this option applies to devices that are not managed by Intune. Users can install the app from the Company Portal on their unmanaged devices.
- Re-install: The application is removed from the targeted devices or users. If the app is not already installed, no action is taken. If the app was previously installed, it will be uninstalled.
- Not Applicable: The app is not assigned to the group, and no action is taken for devices or users in that group.
Additional Assignment Options for Applications in Intune
- Toast Notifications: You can configure toast notifications to alert users when the application is being installed, updated, or uninstalled. This provides users with visibility and keeps them informed about the app's status.
- Delay the Installation: You can set a delay for the app's installation on the target devices. This can be useful if you want to stagger installations or avoid overloading the network during peak hours.
- Install the App in the Background: This option ensures the app is installed silently in the background without requiring any user interaction or notification. This is typically used for required applications where no user input is needed.
- Force Restart after Installation: After the app is installed, you can configure a forced restart of the device if necessary. This can be important for apps that require a restart to finalize the installation process.
- Availability Window: This setting allows you to configure a time window during which the app will be available for installation. After the window closes, the app becomes unavailable.
- Make the App Required Only During Specific Conditions: You can configure the app to be installed only if certain conditions are met, like specific device compliance or operating system version requirements. This ensures that the app is only installed on devices that meet predefined criteria.
- Reboot Behavior: You can specify the reboot behavior after installation. Options include whether the reboot is immediate or if users are prompted to reboot later.
- User Notification Behavior: Control whether users are notified when the app is being installed or updated. This includes setting up notifications when the app is being installed, updated, or removed, ensuring users are informed about any changes.
Using Scripts for Compliance Policies
Create the JSON file that defines the expected value for the script output.
{
  "Rules": [
    {
      "SettingName": "AppName",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "Sensible URL for end user to click",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "This machine is missing the requirement for xyz.",
          "Description": "To continue to use this device the xyz must be configured."
        }
      ]
    }
  ]
}
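Create the discovery script; example below.
# Logic that you want to check for, a running service for example.
# -ErrorAction SilentlyContinue: a missing service yields $null instead of a terminating error.
$svc = Get-Service -Name Something -ErrorAction SilentlyContinue
if ($svc.Status -ne 'Running') {
    $status = $false
} else {
    $status = $true
}
# The key must match "SettingName" in the rules JSON, and the value must be a
# real Boolean (not the string 'true') to match "DataType": "Boolean".
$output = @{
    AppName = $status
}
return $output | ConvertTo-Json -Compress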
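A local pre-flight check for the rules JSON and script output above, added here as an example (not part of the original cheatsheet and not Microsoft's evaluation logic). `Test-ComplianceRule` is a hypothetical helper, the sample inputs are constructed, it covers only the `IsEquals`/`Boolean` rule shape shown on this page, and it assumes setting names are compared case-sensitively.

```powershell
# Constructed sample: the rules file from this page, trimmed to the fields that are evaluated.
$rulesJson = @'
{ "Rules": [ { "SettingName": "AppName", "Operator": "IsEquals",
               "DataType": "Boolean", "Operand": true } ] }
'@

function Test-ComplianceRule {
    # Hypothetical helper: compares a discovery script's JSON output with each rule.
    param([string]$RulesJson, [string]$ScriptOutput)

    $rules  = (ConvertFrom-Json $RulesJson).Rules
    $result = ConvertFrom-Json $ScriptOutput

    foreach ($rule in $rules) {
        # -ceq is case-sensitive, so 'Appname' does not satisfy 'AppName' (assumption of this example).
        $prop = $result.PSObject.Properties | Where-Object { $_.Name -ceq $rule.SettingName }
        $state = if (-not $prop) {
            'MissingSetting'
        } elseif ($rule.Operator -ne 'IsEquals' -or $rule.DataType -ne 'Boolean') {
            'UnsupportedRule'   # outside the single rule shape this example handles
        } elseif ($prop.Value -isnot [bool]) {
            'WrongType'         # e.g. the string "true" instead of JSON true
        } elseif ($prop.Value -eq $rule.Operand) {
            'Compliant'
        } else {
            'NonCompliant'
        }
        [pscustomobject]@{ Setting = $rule.SettingName; State = $state }
    }
}

# Constructed outputs a discovery script might print.
Test-ComplianceRule -RulesJson $rulesJson -ScriptOutput '{"AppName":true}'     # Compliant
Test-ComplianceRule -RulesJson $rulesJson -ScriptOutput '{"AppName":false}'    # NonCompliant
Test-ComplianceRule -RulesJson $rulesJson -ScriptOutput '{"AppName":"true"}'   # WrongType
Test-ComplianceRule -RulesJson $rulesJson -ScriptOutput '{"Appname":true}'     # MissingSetting
```

To check a real script, pass its output in place of the constructed strings, for example `-ScriptOutput (& .\Discovery.ps1)`, where `Discovery.ps1` is a placeholder file name.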
Collecting Logs
Reference doc: Collect MDM Logs (Microsoft Docs).
This command will collect almost all of the same data as the Intune option, Collect Diagnostics.
MdmDiagnosticsTool.exe -area "DeviceEnrollment;DeviceProvisioning;Autopilot;Tpm;Connectivity" -zip "C:\Users\Public\Downloads\mdmdiags.zip"
Confirming the sync has run
The command below confirms what has happened in the last 30 minutes by retrieving the last 30 minutes' worth of polling events:
Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-TaskScheduler/Operational"
    StartTime = (Get-Date).AddMinutes(-30)
} | Where-Object {
    $_.Message -match "Task Scheduler started|Task Scheduler successfully completed task" -and
    $_.Message -match "Schedule to run OMADMClient by client|Sync Status Poll|PushLaunch"
} | Select-Object TimeCreated, Message
Executing PowerShell from Win32Apps
Install string for executing a script from a Win32 application:
# Execute script
Powershell.exe -executionpolicy bypass -noprofile -file Something.ps1