Conflicting App Deployment Rules: Fix Your Intune Migration Configuration Issues


By Matt Shadbolt | Senior Service Engineer | https://blogs.technet.microsoft.com/ConfigMgrDogs/

Important: This guide is intended to explain how a migration blocker occurs, and how to remove the blocking issue. The guide is not intended to provide guidance on how to redesign your grouping/targeting to achieve functionality caused by the blocking issues.

We suggest you thoroughly review your grouping/targeting strategy before making any changes.

Your migration may be blocked if you have app deployments to groups where the deployment intent conflicts with a child group’s deployment intent.

App deployment intent describes how an app is targeted at a user; be it Install Required, Install Available, Uninstall or Not Applicable.

For example, the following configuration would block migration

clip_image002[5]

clip_image004[6]

In these screenshots, the Outlook app is targeted as Required install to the All Users group. The Outlook app is then targeted as Uninstall to the Outlook – Uninstall child group of All Users.

This guide will help you remove these conflicting app deployments, based on the example above.

IMPORTANT
You should note that when your groups are migrated and users are targeted with duel intent there will be some consequences to be aware of.
For example a user with a Required/Available app intent as well as an Uninstall, will only receive the Required/Available install.

https://docs.microsoft.com/en-us/intune-azure/manage-apps/deploy-apps#changes-to-how-you-assign-apps-to-groups-in-the-intune-preview

To solve this, ensure that a user is only targeted by a single app deployment intent at a time. Do not overlap deployment intents in migrated groups.

This situation only affects migrated groups – newly created AAD groups will understand multiple target intents.

To fix, follow these instructions

1. Login to https://manage.microsoft.com with your Admin credentials.

2. First, we’ll want a group that mimics the ‘All Users’ group. Browse to Groups and create a new group.

clip_image006[5]

3. Name the group something obvious, and select All Users as the parent group.

clip_image008[7]

4. In the Criteria Membership section, select All Users in the Parent group. This will mean every user found in the All Users group will now become a member of this new “All Users Deployment Group”.

clip_image010[5]

5. Click finish to complete the group creation.

clip_image012[5]

6. Now browse to Apps > Apps from the main menu.

clip_image014[6]

7. Right-click each app and then click Manage Deployment.
clip_image016[5]

8. Browse to the Deployment Action tab. You’re looking for any app that is deployed to All Users AND has a conflicting Approval or Deadline.

clip_image018[5]

9. When you’ve found an app with conflicting intent, note the details of the deployment. You’ll be redeploying this app in a minute, so you’ll want to remember what the intent was. Click Previous so that you can see the Selected Groups.

clip_image020[5]

10. Select the All Users group and click Remove.

clip_image022[5]

11. Now select your new replacement group All Users Deployment Group and click Add.

clip_image024[5]

12. You should now have two groups selected. Click Next.

clip_image026[6]

13. Confirm the changes when prompted.

clip_image028

14. Change the deployment intent for your new group to mirror what was previously set on the All Users group.

clip_image030

15. Finish of the wizard. You’ll need to perform this check for all apps that meets the criteria.

Your migration should now be unblocked for this issue. For more information about configurations that can block your Intune migration, see http://aka.ms/intunemigrationblockers.

Comments (0)

Skip to main content