This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 89%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi There,
I recently joined a small company with 165 End users using Windows 10 Laptops scattered around the globe.
Thankfully this is a relatively new company and the end users are all on AAD and the devices are AAD joined, the end user licenses have just been upgraded to 365 Premium so that we can start to roll out Intune.
Prior there was only a handful with Premium Licenses and my predecessor has created an "Intune" AAD Group with only a few select people. The config and compliance policies are assigned to this group.
I have tested Autopilot and deployed applications for a few new machines and this works great, I have tested this with some Test AAD Groups.
Taking office 365 as an example where this application was historically installed manually on the devices. My question is, what is the best practice in deploying this as to not have this conflict with the machines with the manually installed application?
Do we add all users into the "Intune" AAD group and assign that group to the app or do we target all machines? I don't want to see lots of install failures because the app already exists on the target machines but I also don't want to have to maintain AAD groups for existing users and people onboarded after the rollout.
I maybe overthinking this but some guidance would be helpful as any web searches have just showed me how to setup intune but not how to integrate an already existing user and device base
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@Adev67 , Thanks for posting in Q&A.
For the application, if the application is already installed, and we only want to install the application on the device which is without it. We can consider to deploy it via Win32 app. The detection rule in it can detect the presence of the app. We can see more details in the following link:
https://learn.microsoft.com/en-us/mem/intune/apps/apps-win32-add
As a reminder, the install command and uninstall command in win32 configuration needs to support silent install without user interaction.
Meanwhile, In general, we will firstly deploy app to a test group to make sure it is working. Then try to deploy to others who want the app.
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you so much for your reply that is really helpful, I will follow this method for installs going forward.
As part of my original question I asked what is the best practice for rolling out applications? Should we create AAD groups that are specifically for apps i.e. <IntuneApp-WinRar> and assign users that need access to the app then Assign that group to the application?
@Adev67 , Thanks for reply. I am glad that our information can help.
For your question, this depends on who will use this application. If it is only needed by a few people or devices, we can create an AAD group to assign the application. When create group, we can choose assigned or dynamic group. Assigned group is one that we need to add or remove the member manually. For Dynamic group, we can use dynamic membership rule to automatically add and remove members. Here are some article with more details for the reference:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal?context=%2Fazure%2Factive-directory%2Fenterprise-users%2Fcontext%2Fugr-context#group-types
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership
Hope it can help.
@Adev67 , Hope things are going well. I am writing to see if there's any more we can help. If yes, feel free to let us know.
@Adev67 , Long time not heard from you. Is there anything else we can help? If the information is helpful, please click "Accept Answer" Thanks!
Thanks so much for your answer it was most helpful.
@Adev67 , Thanks for your reply. I am glad the information can help. If there's anything else we can help in the future, feel free to post in our Q&A. We are always glad to help.
Thanks for your time and have a nice day!