How to prevent Microsoft Intune from going 'Untune'

Introduction

This research examines how quickly Microsoft Intune deploys applications after group membership changes. Automated tests on both static and dynamic groups reveal key insights into deployment delays, reliability, and how updating app versions affects deployment speed.

Understanding Intune Application Deployment Timing

Microsoft Intune is a cloud-based endpoint management platform that lets organizations manage devices, applications, and policies across their PC, Cloud PC, VDI and DaaS environments. A key feature is (Windows) application deployment, where apps are installed or removed on targeted devices based on group assignments.

Although app delivery should feel seamless to users, the timing and responsiveness behind deployments after group membership changes can vary significantly. This research examines the factors that may contribute to that variation, such as Intune management synchronization windows and Entra backend group membership. It investigates timing differences for application installs and removals triggered by group assignment updates in Intune.

Why Focus on Group Assignment Changes?

In Microsoft Intune, application deployments are controlled through assignments linked to Entra ID user or device groups. These groups determine which devices receive specific applications. While this method is flexible and scalable, deployments only occur after Intune re-evaluates group memberships and device status.

Knowing the delay between a group assignment change and the actual app install or uninstall is important, especially in scenarios like onboarding, software updates, or security patches where timing matters. Intune allows application installation to be tracked within the portal itself: a list of devices and the installation status of an application on each can be reviewed. Note that this information relies on the Intune device synchronizing successfully.

This research focuses on Win32 apps deployed to Windows 10 and 11 devices using device-based static and dynamic group assignments. It's important to understand how dynamic group membership works; more information can be found in the Microsoft documentation. Specific licenses are required for the use of dynamic groups, and the documentation covers the details.

Research Goal

This research measures and compares the delay of application installs and uninstalls triggered by Entra ID group membership changes in Intune. It also examines how response times differ between static and dynamic device groups, both common in enterprise settings. The research measures the following steps:

  • Adding and removing devices from static groups
  • Dynamic group membership changes driven by custom attributes
  • Resulting application installs and uninstalls
  • Timing for each phase (group update and app state change)
  • Differences between deploying existing applications versus updating application details

Test Setup and Infrastructure

A custom framework was built using PowerShell and the Microsoft Graph API to capture precise timing data. This allowed for automated testing and consistent timing measurements across test iterations. All steps measured together make up a single test iteration, and a total of ten iterations were performed. The data captured from these iterations was collated and reviewed to provide minimums (fastest action time), averages (of all iterations) and maximums (slowest action time).

Test Environment and Automation Overview

The test environment consisted of eight managed virtual machines, four running Windows 10 and four running Windows 11, all configured with WinRM to enable remote automation and monitoring. A single packaged Win32 application (7-Zip) was used throughout the testing process to simulate both install and uninstall scenarios.

To simulate real-world deployment conditions, each machine was associated with either static or dynamic device groups in each iteration. Static group assignments were managed directly via Microsoft Graph API, while dynamic group membership was controlled through custom Entra ID attributes.

All automation was implemented using PowerShell, leveraging the Microsoft Graph API to manipulate group memberships and initiate application deployments. The automation framework tracked every stage of the deployment lifecycle from triggering group membership changes to verifying installation status and logged precise timing data for later analysis. In later test scenarios, the version number of the application was incremented between cycles to observe any changes in deployment behaviour.

Measurement Focus

This research focused on capturing the timing of three key operations within the Intune deployment process:

  • Propagation delay following group membership changes.
  • Time to detect successful application installation.
  • Time to confirm application removal.

These phases represent the most common bottlenecks in application delivery workflows and are critical to understanding the responsiveness of both static and dynamic deployment models.

Test Process Summary

Each test cycle (iteration) was repeated ten times per operating system using the following sequence:

  • Deploy Phase
    • The device was added to the appropriate deployment group, either directly (static) or via attribute change (dynamic).
    • The system waited until the group change was reflected in Intune and then monitored the endpoint for confirmation that the application was installed.
    • A timeout of eight hours was enforced for installation detection.
  • Uninstall Phase
    • The device was removed from the deployment group and added to an uninstall group using the same mechanism as above.
    • The system again waited for group confirmation and then monitored for successful uninstallation, with the same timeout applied.

Each of these steps was precisely timed using PowerShell stopwatch objects and logged in a structured format for analysis.
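A sketch of the deploy phase for a static group, as an added example and not the framework used in this research. The function names `Wait-Until` and `Measure-DeployPhase`, the placeholder IDs, the detection path and the use of Graph's `checkMemberGroups` call as the signal that the group change has propagated are all assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Assumes Connect-MgGraph was already run with rights to manage group membership.
$Graph   = 'https://graph.microsoft.com/v1.0'
$Timeout = [TimeSpan]::FromHours(8)   # the timeout the research enforced

function Wait-Until {
    # Poll $Condition until it is true or $Timeout elapses; report elapsed time.
    param([scriptblock]$Condition, [TimeSpan]$Timeout, [int]$PollMilliseconds = 30000)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    while ($sw.Elapsed -lt $Timeout) {
        if (& $Condition) {
            return [pscustomobject]@{ Minutes = $sw.Elapsed.TotalMinutes; TimedOut = $false }
        }
        Start-Sleep -Milliseconds $PollMilliseconds
    }
    [pscustomobject]@{ Minutes = $sw.Elapsed.TotalMinutes; TimedOut = $true }
}

function Measure-DeployPhase {
    param([string]$DeviceObjectId, [string]$GroupId, [string]$ComputerName, [string]$DetectPath)

    # Trigger: add the Entra ID device object to the static deployment group.
    $member = @{ '@odata.id' = "$Graph/directoryObjects/$DeviceObjectId" } | ConvertTo-Json
    Invoke-MgGraphRequest -Method POST -Uri "$Graph/groups/$GroupId/members/`$ref" `
        -Body $member -ContentType 'application/json'

    # Phase 1: propagation delay until Graph reports the membership.
    $group = Wait-Until -Timeout $Timeout -PollMilliseconds 200 -Condition {
        $check = @{ groupIds = @($GroupId) } | ConvertTo-Json
        $reply = Invoke-MgGraphRequest -Method POST -Body $check -ContentType 'application/json' `
            -Uri "$Graph/devices/$DeviceObjectId/checkMemberGroups"
        $reply.value -contains $GroupId
    }

    # Phase 2: time until the app is detected on the endpoint over WinRM.
    # An unreachable VM yields no output, which counts as "not installed yet".
    $install = Wait-Until -Timeout $Timeout -Condition {
        Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue `
            -ScriptBlock { param($p) Test-Path -LiteralPath $p } -ArgumentList $DetectPath
    }

    [pscustomobject]@{
        Machine = $ComputerName; GroupMinutes = $group.Minutes
        InstallMinutes = $install.Minutes; InstallTimedOut = $install.TimedOut
    }
}

# Placeholder IDs and an assumed detection path; replace with real values.
Measure-DeployPhase -DeviceObjectId '<device-object-id>' -GroupId '<install-group-id>' `
    -ComputerName 'Win11-01' -DetectPath 'C:\Program Files\7-Zip\7z.exe' |
    Export-Csv -Path .\deploy-timing.csv -Append -NoTypeInformation
```

The uninstall phase follows the same pattern with the condition inverted, and recording `InstallTimedOut` separately keeps the 8-hour failures out of the minimum, average and maximum figures.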

Hypothesis & Results

It is expected that:

  • Dynamic groups take longer to update due to Entra ID’s asynchronous rule evaluation.
  • Application installs and uninstalls may experience delays caused by the Intune Agent’s synchronization cycle.
  • Static groups generally provide more consistent and faster results, while dynamic group timing can vary based on Entra ID processing load.

Results

Testing was performed on both Windows 10 and Windows 11 devices. Since timing results were largely consistent across platforms, the data has been combined where differences were negligible. Any notable platform-specific variations are highlighted separately.

Group Amendments

The following table summarizes the performance of group modifications for both static and dynamic assignment types. Refer to the scatter graph for full details.

| Group Type | Minimum Time (Minutes) | Maximum Time (Minutes) | Average Time (Minutes) |
|---|---|---|---|
| Static Group | 0.0023 | 0.016 | 0.0050 |
| Dynamic Group | 0.0036 | 7.2396 | 1.6981 |

Static group changes consistently completed in less than a second, while dynamic group changes showed more variability but still completed within minutes. This supports the hypothesis that dynamic group updates depend heavily on Entra ID’s evaluation latency, which can be affected by directory load and rule complexity.

Application Deployment (Unchanged Application)

In this scenario, the same Win32 application (7-Zip) was used throughout all test cycles. Installs and uninstalls were triggered only by group membership changes. The system waited up to 8 hours (480 minutes) for application state changes before timing out, which was recorded as a failure.

The table below represents timeout instances across all test cycles per machine:

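| Machine | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|
| Win11-01 |   | x |   | x | x |   | x |   | x |   |
| Win11-02 |   | x |   | x | x | x | x |   | x |   |
| Win11-03 |   | x |   | x | x |   | x |   | x |   |
| Win11-04 |   | x |   | x | x |   | x |   | x |   |
| Win10-02 |   | x | x |   | x | x |   | x | x |   |
| Win10-03 |   | x | x | x |   | x | x | x |   | x |
| Win10-04 |   | x | x | x |   | x | x |   | x | x |
| Win10-05 |   | x | x |   | x | x |   | x | x |   |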
Timeouts counted across all testing iterations (top row shows test iterations)


Note: Each “x” marks an 8-hour (480-minute) timeout where the application deployment or removal was not detected. These failures occurred on all machines, showing inconsistent deployment reliability, especially when reusing the same application version across multiple test cycles.


| Minimum Time (hrs) | Maximum Time (hrs) | Average Time (hrs) |
|---|---|---|
| 0.34 | 38 | 10.47 |

The graph depicts successful deployment timings only. There should be 8 data points shown for each iteration, one for each machine; the missing data points correlate with the failure table above. The minimum install time shows that deployments can be fast under ideal conditions, but the maximum and average deployment times still leave the picture incomplete. The next graph depicts the cumulative time taken, where the time from an iteration that failed to deploy the application is carried forward.

The cumulative time taken now completes the picture, displaying a maximum cumulative time to deploy the application in iteration 7.

Application Deployment - (Updated Version per Iteration)

To improve consistency, the application version number was incremented with each deployment. This forced Intune to recognize each deployment as a new update.


| Minimum Time (Minutes) | Maximum Time (Minutes) | Average Time (Minutes) |
|---|---|---|
| 0.0136 | 64.14 | 40.74 |

This approach greatly reduced deployment variability and increased reliability: no failures were seen within the dataset. The results indicate that changing the app version prompts faster recognition and processing by the Intune agent, preventing the caching or sync delays that occur when reusing the same version.

Conclusion

This research sheds light on the delay of Microsoft Intune Win32 application deployments and removals triggered by group assignment changes. After over 160 test cycles on Windows 10 and 11 devices, clear patterns emerged that quantify Intune’s behavior under various deployment strategies.

Static vs. Dynamic Groups

Static device groups consistently outperformed dynamic groups in responsiveness. With average propagation delays measured in seconds, static groups deliver applications predictably and quickly. Dynamic groups, though more flexible, showed greater variability, taking minutes to update. This highlights that dynamic group evaluation is asynchronous and could be affected by Entra ID’s background processing cycles.

Application Delivery Consistency

Reusing the same application version across test cycles caused inconsistent deployments and frequent timeouts, even though machines were online. Incrementing the app version with each cycle proved highly effective, significantly reducing install delay and nearly eliminating timeouts. This suggests the Intune Management Extension may deprioritize or skip re-evaluations for unchanged app versions. Is it always better to update the version number of an application?

Enrollment Behavior and Polling Frequency

It’s important to note that application and policy processing changes depending on the device’s lifecycle stage. When a device first enrolls, Intune increases the frequency of configuration check-ins to speed up provisioning. Full information about these details can be found in the Microsoft documentation. These check-ins vary by platform but typically follow a tiered schedule:

| Platform | Estimated Refresh Cycle |
|---|---|
| Windows 10/11 PCs (device-enrolled) | Every 3 minutes for 15 minutes, then every 15 minutes for 2 hours, then ~8 hours |

This behavior may contribute to faster deployment performance during initial onboarding phases compared to subsequent enforcement cycles. It also underscores the importance of understanding check-in intervals when planning deployment workflows.

Practical Takeaways

In this test, we can conclude that for time-sensitive deployments, static groups offer better reliability and lower latency. When using dynamic groups, customers can potentially expect more variability and longer propagation times. To ensure Intune reliably processes application deployments, increment the app version or update metadata to trigger re-evaluation. Application install and uninstall delays depend not only on client polling frequency but also on how group and app metadata are processed by Intune’s backend.

Ultimately, this study shows that understanding Intune’s orchestration layers, especially the interplay between group assignments, app metadata, and the Intune Management Extension, is essential for consistent and timely deployments. These insights can guide technical design and help set realistic expectations when automating deployments or onboarding devices in Intune environments.
