This week is another week about apps on Windows devices. The major difference with last week is that this week is all about the discovered apps on Windows devices. In other words, the app inventory on Windows devices. Within Microsoft Intune that inventory always used to be a huge challenge. It was often not complete and simply missing pieces. Nowadays, it’s getting more and more mature. It contains nearly all application types, is structurally inventoried, and is displayed in a (basic) report. Within Microsoft Intune that report is the Discovered apps report. That report contains a aggregated list of the discovered apps on the devices within the tenant. So, it acts as the software inventory within the tenant. This post will look at the process for collecting that inventory data, followed with the available reports for that data and export capabilities. The focus will be mainly the Win32 app inventory, as that’s the most interesting process to follow.
Note: At the moment of writing, the Microsoft docs states that there is currently is no aggregate count for discovered Win32 apps and that it can only be viewed per-device. The experience is, however, that the aggregate count is available.
Having a closer look at the Win32 app inventory
When looking at the Windows software inventory, it’s more then just Win32 apps. The most interesting process to look at, however, is the inventory of those Win32 apps. And even more interesting, that process doesn’t rely on the Win32AppInventory CSP. Instead, within Microsoft Intune, that inventory process is part of the Intune Management Extension (IME).
One of the components of the IME is the Win32AppInventoryCollector. The functionality of that component is available in code of the Microsoft.Management.Clients.IntuneManagementExtension.Win32AppInventoryCollector.dll and logs it’s information in the Win32AppInventory.log. As shown below in Figure 1, the code makes it clear that the IME actually relies on WMI to collect the inventory of Win32 apps. More specifically, it relies on the Win32_InstalledWin32Program class in WMI. That class is compiled of the aeinv.mof, which is part of standard Windows functionality. That MOF relies on information in the registry. More specifically, the uninstall locations in the registry. The HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall location and the WOW6432Node version of that location.
Note: JetBrains dotPeek was used to decompile the DLL that is used for the Win32 app inventory.
Besides the information that is used to create the Win32 app inventory, the IME itself also stores the information of the latest inventory in the registry. That location is HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\Inventories, as shown below in Figure 2. That locations contains keys for all the different apps. And that information is used as the starting point for the next inventory round, for calculating the differences. The number of apps that are newly installed and those that are removed. When there are any differences found, those differences will be sent to the Intune service.
The main settings of the Win32 app inventory are in HKLM\SOFTWARE\Microsoft\IntuneManagementExtension\InventorySetting, as shown below in Figure 3. That location contains the FirstTimeSwitch value that is used for the first full inventory, and the LastFullSyncTimeUtc value that is used for the registration of the latest full inventory. Besides that, it’s important to know that the full inventory will run when the IME is installed and after that once every 7 days. In between, the delta inventory will run once every 24 hours or when the IME starts. On a side note, also keep in mind that the inventory of the modern apps will run once every 7 days.
Reporting about the Windows app inventory
When the Windows app inventory is available in Microsoft Intune, the information is shown in the Discovered apps report (as shown below in Figure 4). In the early days, that would not include the information about the collected Win32 apps. Nowadays, that includes the information of the modern apps and the Win32 apps. Besides that, that information is also available on a per-device basis. The information in those reports is refreshed whenever there is new information send to Microsoft Intune. So, with the different inventory cycles of the devices. Not a weekly refresh for all devices at the same time. By default, it provides an overview of all the applications, including the different version numbers, and the related device counts.
Besides that, it’s also possible to easily export the data of that Discovered apps report. That can be achieved by manually using the Export button on the top of the report. That provides a CSV-file with the information. To make it even better, that process can also be automated by using the Microsoft Graph API. That can be achieved by using the following endpoint.
That endpoint requires a request body that contains the report name and the properties that should be exported. Simply use the HTTP POST method with the body as shown below, to make an export of the aggregate report.
The response message contains the id that can be used to get the CSV-file with the requested content. Simply use that id to query for the export request of the app inventory information. An endpoint as shown below, can be used to check for the status of that export request. Within that example, make sure to adjust the id with the id related to the performed request.
When the status of the export request changes to completed, the url in the response will contain a link to a downloadable ZIP-file in a storage blob. That ZIP-file will contain the CSV-file with the exported data. An example is shown below in Figure 5. That example highlights the same information that was already shown before throughout this blog post.
Note: For more details around the process of exporting the report, refer to this blog post of a earlier.
The accuracy of the inventory can sometimes be a bit challenging, as it might contain some duplicates due to older data, or data from multiple users that was counted multiple times. In that case it could also be interesting to look at the raw data and add custom filtering on the that data. The raw data includes the non-aggregated data of the installed versions of apps for the devices and their users. That raw data can be selected during the export and by using AppInvRawData in the export job.
For more information about the Windows app inventory and reporting, refer to the following docs.