IntuneGet Logo
IntuneGet
Documentation

Unmanaged Apps Detection

Discover applications installed on your managed devices that are not yet deployed through Intune. Match them to Winget packages and claim them for deployment.

Overview

The Unmanaged Apps feature uses the Microsoft Graph API to retrieve discovered applications from your Intune-managed devices. It then automatically matches these apps against the Winget repository using fuzzy name matching and confidence scoring, helping you identify software gaps and bring unmanaged applications under Intune management.

Microsoft automatically filters out its own applications (e.g., Microsoft Edge, Visual C++ Redistributables) so you can focus on third-party software that needs management.

Required Permission

DeviceManagementManagedDevices.Read.All

This permission allows IntuneGet to read discovered application data from your Intune-managed devices. A Global Administrator must grant admin consent for this permission.

You can verify this permission is granted on the Settings page under the Permissions tab.

Permission Required

Without the DeviceManagementManagedDevices.Read.All permission, the Unmanaged Apps page will display a permission error. Contact your Global Administrator to grant admin consent.

How Matching Works

IntuneGet uses a multi-step matching process to identify which Winget packages correspond to discovered applications:

  1. Exact name matching - Compares the discovered app name directly against Winget package names
  2. Fuzzy matching - Uses string similarity algorithms to find close matches even when names differ slightly
  3. Confidence scoring - Each match receives a confidence score from 0% to 100% indicating match quality
  4. Manual linking - You can manually link unmatched apps to specific Winget packages when automatic matching fails

Match Statuses

Matched

A high-confidence match was found in the Winget repository. The app can be claimed and deployed immediately. Confidence score is typically above 80%.

Partial Match

A possible match was found but with lower confidence. Review the suggested package to verify it is correct before claiming, or use the Link Package option to manually assign the correct Winget package.

No Match

No corresponding Winget package was found. This may be a custom or proprietary application. You can manually link it to a Winget package if one exists but was not automatically detected.

Claiming Applications

Claiming an application adds it to your deployment cart with pre-configured settings based on the matched Winget package. IntuneGet automatically generates detection rules, install/uninstall commands, and PSADT configuration.

Individual Claiming

Click the Claim button on any matched application card to add it to your deployment cart. IntuneGet will fetch the package manifest, determine the best installer, and configure all deployment settings automatically.

Bulk Claiming (Claim All)

Use the "Claim All" button in the toolbar to claim all matched applications at once. This processes apps in batches of 5 for optimal performance. A progress modal shows the status of each app being claimed.

Claim Status

Each claim operation is tracked with a status: pending, success, or failed. Failed claims can be retried individually. Successfully claimed apps appear in your deployment cart ready for packaging and upload.

Linking Packages Manually

For apps with no match or an incorrect match, you can manually link them to a Winget package:

  1. Click the Link Package button on the app card
  2. Search for the correct Winget package by name or ID
  3. Select the package to create the mapping
  4. The mapping is saved and will be used for future syncs, upgrading the match status to Matched with 100% confidence

Filtering and Views

Filter Options

FilterOptions
SearchFilter by app name, publisher, or matched package ID
Match StatusAll, Matched, Partial Match, No Match
Sort ByDevice Count, Name, Publisher, Match Status (ascending or descending)
Show ClaimedToggle to show or hide already-claimed applications

View Modes

Toggle between Grid view (card layout with detailed information) and List view (compact table layout for quick scanning). The toolbar provides a view toggle switch.

Statistics Dashboard

The top of the Unmanaged Apps page displays key statistics:

Total Apps

Number of non-Microsoft discovered applications

Match Breakdown

Count of matched, partial, and unmatched apps

Total Devices

Combined device count across all discovered apps

Update Only Assignments

When deploying claimed apps, you can assign them with an "Update Only" intent. This is particularly useful for discovered apps: instead of force-installing the app on every targeted device, it only updates devices where the app is already present.

How It Works

Selecting "Update Only" tells IntuneGet to assign the app as "required" in Intune but with an additional requirement rule that checks whether the app already exists on the device. Intune then evaluates two conditions:

  1. Requirement met (app exists on the device) AND detection not met (new version not yet installed) -- Intune proceeds with the update
  2. Requirement not met (app not on the device) -- Intune skips the device entirely
  3. Requirement met AND detection met (app exists and is already up to date) -- device reports as compliant

Intune Evaluation Matrix

App Already Installed?New Version Installed?Result
NoNoSkipped -- requirement not met
YesNoUpdated -- requirement met, detection not met
YesYesCompliant -- already up to date

Configuring Update Only

  1. Claim an unmanaged app (or add any app to your cart)
  2. Open the app configuration and expand "Assignment Configuration"
  3. Enable assignments and add a target (All Devices, All Users, or an Entra ID group)
  4. Select Update Only from the intent dropdown -- the badge turns amber
  5. An info banner explains the behavior
  6. Save and deploy -- requirement rules are generated automatically

How Detection Works

The requirement rule detects the app using standard Windows uninstall registry methods, not the IntuneGet registry marker. This means it works for apps that were installed outside of IntuneGet (which is exactly the case for discovered/unmanaged apps):

  • MSI apps with product codes: A registry requirement rule checks the product code's uninstall key directly
  • All other apps: A PowerShell script searches both HKLM and HKCU uninstall registry paths by display name

Requirement Rules Are App-Level

Intune requirement rules apply to the entire app, not to individual assignments. If you mix "Update Only" with other intents (such as Required or Available) on the same app, the existence check will gate all assignments -- meaning even the Required assignments will only install on devices where the app already exists. A warning banner appears in the UI when this situation is detected.

How It Appears in Intune

The Intune portal will show the assignment as "Required" because "Update Only" is an IntuneGet concept -- there is no native "update only" intent in Intune. The additional requirement rule is what limits the installation to devices that already have the app.

Next Steps

Learn about MSP features for managing unmanaged apps across multiple tenants, or configure notifications for new discoveries.

MSP FeaturesSettings & Webhooks