In modern environments managed by Intune, detection rules are essential for reliable application deployment. But what happens when those rules stop working – not because of a packaging error, but because the app silently updated itself?
Welcome to a common yet frustrating issue: broken detection logic caused by automatic patching in application lifecycle management.
The Problem
You package an application like Google Chrome and define a detection rule that checks for a specific file version — for example:
C:\Program Files\Google\Chrome\Application\chrome.exe = 114.0.5735.91It’s deployed, tested, and verified. Everything works.
Then, two weeks later, there is a software update available by the vendor and Chrome silently updates to version 114.0.5735.150. In many cases, these auto-updates are applied under the user context or via background services that don’t require admin approval. However, when updates are incomplete or system-wide components change, administrator permissions may be required — which further complicates packaging and detection. Your detection rule fails — Intune no longer sees the app as “installed.” It tries to reinstall, fails or loops, and triggers alerts or user disruption.
This happens frequently with:
- Chrome, Zoom, Slack, Adobe products
- Apps with built-in auto-updaters
- Devices not enrolled in centralized patch management
Why It Happens
Detection rules rely on consistency — typically:
- A file version (e.g.,
chrome.exe = 114.0.5735.91) - A registry value
- An MSI product code
But when an application updates outside your control:
- The version no longer matches
- The registry key changes (or disappears)
- The MSI GUID becomes invalid
How to Avoid It
1. Control Updates Centrally
Use a patch management solution like Apptimized Care to control when and how apps are updated. Block built-in updaters when possible.
2. Use More Flexible Detection Logic
Instead of relying on exact versioning, use script-based detection with PowerShell. For example, in PSADT:
Get-ItemProperty -Path "HKLM:\Software\Wow6432Node\Apptimized\[PackageName]" -ErrorAction SilentlyContinue | Where { $_.IsInstalled -eq 1 }
This logic checks whether the application is marked as installed, regardless of version, using a custom registry key set during packaging.
✅ Third Party Patches and Packages delivered via Apptimized Care include this robust detection logic by default, reducing the risk of detection failures due to automatic patching or version drift.
3. Test Patching Impact
Always test how patching affects your detection logic before wide deployment. Some apps maintain structure across versions — others don’t.
4. Revisit Detection Rules After Major Vendor Updates
If you know a vendor like Zoom or Chrome just rolled out a new build, double-check your affected detection rules.
How Apptimized Helps with Intune Detection Rules
Apptimized doesn’t just create reliable packages — we ensure they remain manageable over time. With Apptimized Care, we combine controlled patch delivery and smart packaging, so your detection rules don’t break after a silent update.
Tired of fixing broken detection rules? Let Apptimized bring order to your patching and packaging.
