Introduction
Today, we will discuss the methods for uninstalling an Intune app by assigning uninstallation group(s) to an Intune application. Of course, many ways exist to achieve this goal, but we often look for a solution requiring the least effort and management. Effectively managing application installations and uninstalling Intune apps is crucial for maintaining system integrity and security within an organization.
Assigning an uninstallation group to an application is often overlooked. When a user is a member of a specific group, the application is installed, but what happens when the user is removed from that particular group? Do you create a group and assign it to the uninstall assignment for each application? Or do you opt for a different approach for uninstalling an Intune app? In this blog post, I’ll share my experiences and advice.
Please note, this blog is not intended to dictate what is or isn’t the correct solution, but rather to share my advice and perspective on the available methods for uninstalling an Intune app. Always consult internally with your team to determine what best suits the needs and requirements of your organization. And make sure the process is documented.
Commonly used
In practice, I often encounter creating an uninstallation group or simply leaving the uninstall assignment blank, which results in the application not being uninstalled.
While this second approach is commonly used, it is far from ideal in terms of governance or security. Additionally, removing a user from the installation group (whether required or available) does not trigger the removal of the application.
Cheat sheet 💡
Here are some general guidelines for assigning the All Users group to the uninstall assignment:
- “All Users” as an assignment refers to all users with an Intune license.
- A required or available installation of an application always takes precedence over an Uninstall¹.
- An exclusion always takes precedence over inclusion².
- An Entra ID-registered device will not be affected by the assignment.
- You can use device filters on the All Users assignment.
- When using the All Users assignment, you need an exclusion group to exempt a specific user from the installation trigger.
- When an Intune application is required for a user to install, the uninstalling process differs from applications that are made available.
- Don't mix up user-to-device group relationships. If you assign apps to mixed groups, the results may not be what you want or expect.
Pros and cons
In this blog, I will describe the pros and cons, as well as the configuration, of using the following methods:
1. Assign the All Users group to the Uninstall assignment
2. Create a (dynamic) group and assign it to the Uninstall assignment
These advantages and disadvantages generally apply to Windows, iOS, and Android devices. However, the specific behavior may vary depending on the operating system and configuration.
Using All Users assignment
Benefits of using the All Users assignment:
1. Less Effort: The setup process is simpler and faster; you don’t need to assign the application to individual users or groups manually.
2. Reduced Management: Creating and maintaining separate groups is unnecessary, which reduces the ongoing management overhead.
3. Broad Coverage: The application reaches all users, which is particularly beneficial in urgent situations, such as addressing a zero-day vulnerability.
4. Filters: We can use filters to control which type of devices are included, even when All Users are assigned.
Disadvantages of using the All Users assignment:
1. Less Control: You have limited control over which users receive or uninstall the software, which can result in unexpected behavior if some users don’t have it.
2. High Impact: If the software is mistakenly removed, it affects all users, potentially causing widespread disruption.
3. Exclusion group required: To remove the software from specific users, you must create and manage an exclusion group, adding complexity to the process.
In the screenshot below, you can see that I have selected All Users for uninstalling the software. My recommendation is to always use a filter to ensure that, for example, only MDM-managed devices are targeted.
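Both gaps discussed so far, an app with install assignments but a blank uninstall assignment and an All Users uninstall assignment without a filter, can be checked from the assignment data Microsoft Graph returns for each app. The PowerShell below is an added example, not part of the original post; the function names and the sample apps are constructed for illustration, and the property names follow the Graph `mobileAppAssignment` schema.

```powershell
# Added example: read-only audit of app assignments (intent + target) as returned by Graph.
function Get-UninstallAssignmentFinding {
    param([Parameter(Mandatory)] [object[]] $Apps)

    $allUsers  = '#microsoft.graph.allLicensedUsersAssignmentTarget'
    $exclusion = '#microsoft.graph.exclusionGroupAssignmentTarget'

    foreach ($app in $Apps) {
        # Exclusion targets carry an intent too, but they do not install or uninstall anything.
        $active    = @($app.assignments | Where-Object { $_ -and $_.target.'@odata.type' -ne $exclusion })
        $install   = @($active | Where-Object { $_.intent -in 'required', 'available' })
        $uninstall = @($active | Where-Object { $_.intent -eq 'uninstall' })

        if ($install.Count -gt 0 -and $uninstall.Count -eq 0) {
            [pscustomobject]@{ App = $app.displayName; Finding = 'Install assignment but no uninstall assignment' }
        }
        foreach ($a in $uninstall) {
            $filtered = $a.target.deviceAndAppManagementAssignmentFilterType -in 'include', 'exclude'
            if ($a.target.'@odata.type' -eq $allUsers -and -not $filtered) {
                [pscustomobject]@{ App = $app.displayName; Finding = 'All Users uninstall without a device filter' }
            }
        }
    }
}

# Constructed sample data (not from a real tenant); app names are placeholders.
function New-SampleAssignment($Intent, $Type, $FilterType = 'none') {
    [pscustomobject]@{ intent = $Intent; target = [pscustomobject]@{
        '@odata.type' = "#microsoft.graph.$Type"
        deviceAndAppManagementAssignmentFilterType = $FilterType } }
}
$sampleApps = @(
    [pscustomobject]@{ displayName = 'App A'; assignments = @(
        (New-SampleAssignment required groupAssignmentTarget)) },
    [pscustomobject]@{ displayName = 'App B'; assignments = @(
        (New-SampleAssignment required groupAssignmentTarget),
        (New-SampleAssignment uninstall allLicensedUsersAssignmentTarget)) },
    [pscustomobject]@{ displayName = 'App C'; assignments = @(
        (New-SampleAssignment required groupAssignmentTarget),
        (New-SampleAssignment required exclusionGroupAssignmentTarget),
        (New-SampleAssignment uninstall allLicensedUsersAssignmentTarget include)) }
)
Get-UninstallAssignmentFinding -Apps $sampleApps | Format-Table -AutoSize

# Live data (read-only), with the Microsoft.Graph.Authentication module installed:
#   Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'
#   $uri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$expand=assignments'
#   $apps = @(); do { $r = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
#       $apps += $r.value; $uri = $r.'@odata.nextLink' } while ($uri)
```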
Using a (dynamic) user group assignment
In practice, a separate group is often created for uninstalling software from a device. This approach requires more effort because you must remove the user from the installation group (this only applies if it’s a required application) and then add the user to the uninstallation group. A required installation of an application wins over an Uninstall.
Below are some advantages and disadvantages of using (dynamic) uninstallation groups.
Benefits:
1. Greater Control: You have more precise control over which users or devices have the software removed, reducing the chance of errors.
2. Reduced risk of unintended removal: By managing specific groups, you minimize the risk of accidentally removing software from users who still need it.
3. Flexibility in management: You can tailor the uninstallation process to different users or groups, allowing for more customized management.
In this case, excluding the user from whom the software needs to be removed is unnecessary, as the user is directly added to the uninstallation group.
Remember that the user needs to be deleted from the Installation group.
Disadvantages:
1. Increased Effort: Managing separate installation and uninstallation groups requires more administrative work and oversight.
2. Complexity: Adding and removing users from different groups can become complex, increasing the potential for mistakes.
3. Risk of adding the wrong users: There’s a risk of accidentally adding the wrong users to the uninstallation group, leading to unintended software removal.
4. Slower Process: The uninstallation process can be slower, especially if multiple groups need to be managed and updated.
5. Less uniformity: Not all users may have the software removed simultaneously, leading to inconsistencies across the organization.
In the screenshot below, the user is added to the uninstallation group. It is also necessary to remove the user from the required installation group; otherwise, the software will be reinstalled, and the uninstallation will be ignored.
Wrap-up
The biggest difference between using an All Users assignment and an Uninstall group is manageability. Assigning All Users requires much less management than using a group. However, an exclusion group is necessary when utilizing the All Users assignment. By implementing a filter, we ensure that only specific devices are targeted, instead of an uncontrolled set of users.
Conclusion
In many organizations, application installation is assigned through user roles and dynamic rules related to a user’s function, and uninstalling an Intune app depends on those same rules. For this reason, you might prefer using the All Users assignment. It is uncommon for a user to need to be excluded from their role. The need for an exclusion typically arises only when there are issues with the software installation. Although it requires an exclusion group to which users or devices must be added, it avoids creating a separate uninstallation group for each application. You also want to avoid overburdening the IT operations team with these tasks. That’s one of the reasons why uninstalling an Intune app via the All Users assignment is preferred.
What a brilliant idea to use all users in uninstall target to have applications uninstalled as soon as the user is removed from the group instead of using a dynamic or manual group to uninstall!
Keep in mind that when an end user installs the software manually as a local administrator on an Intune-managed workspace and the detection rule is triggered, this can lead to undesired behavior.