If you’ve ever sat in an audit, a Zero Trust review, or a vulnerability call thinking:
“I know this device is compliant… mostly.”
Then you already understand the problem.
For years, Intune’s Discovered apps report told us just enough to be dangerous:
- Something is installed ✅
- Somewhere ❓
- For someone ❓
- At some point in time ❓
That’s not visibility.
That’s educated guessing with a dashboard.
With Enhanced App Inventory, Intune finally closes that gap—and from an audit and security standpoint, this is a much bigger deal than the release notes make it sound.
TL;DR
Here is a quick summary of the key takeaways from the post:
- The Problem: The legacy “Discovered apps” report was too slow, lacked critical metadata, and couldn’t prove data freshness, making it a nightmare for strict audits and Zero Trust compliance. [mikemdm.de]
- The Solution: Enhanced App Inventory turns application visibility into an explicit signal. It collects actionable data like install paths, architectures (x86, x64, ARM64), uninstall/modify commands, and install scope (device vs. user). [4sysops.com]
- Opt-In Design: It is no longer a background feature. You must configure it via a Properties catalog policy. If you don’t assign the policy, you get no data. [intunestuff.com]
- Audit Readiness: The addition of a “Last checked” timestamp means you can actually prove to auditors that your inventory data is fresh and validated, rather than just assuming an app is still there. [mikemdm.de]
Application Inventory Isn’t Reporting. It’s a Security Control.
Zero Trust isn’t complicated. It’s uncomfortable.
You cannot trust what you cannot verify.
Application inventory directly feeds:
- Vulnerability exposure
- Attack surface analysis
- Allow/block decisions
- Audit evidence
- Incident response
The legacy model failed on almost all fronts:
- Slow data refresh
- Per-user installs often invisible
- Missing critical attributes (install path, architecture, uninstall command)
- No reliable way to validate data freshness
Try defending that in front of an auditor asking:
“How do you ensure unauthorized software is detected and removable?”
Until now, the honest answer was… complicated.
What Changed (And Why This Is Big)
Enhanced App Inventory is configured through the Properties Catalog, which turns inventory from a passive report into an explicitly configured signal.
Instead of “collect whatever we can,” you now control:
- What is collected
- From which devices
- At what level of depth
Behind the scenes, Intune enables a device-side inventory component that gathers local data and reports it back in a structured way.
And the difference shows immediately.
What You Get Now (That You Didn’t Before)
The new inventory model adds real context, not just presence:
- Install scope (device-wide vs per-user)
- User context (where available)
- Install date and path
- Architecture (x86, x64, ARM64)
- Estimated size
- Uninstall / modify commands
- Package identifiers
- A visible “last checked” timestamp
That last one matters more than it looks.
Because now you can say:
“This data was validated, recently.”
Not:
“This is probably still true.”
Audit-Wise, This Changes the Conversation
This is where the real impact lands.
You can now:
- Prove inventory freshness, not just existence
- Distinguish device-wide installs from per-user installs (and, where the user context is reported, which profile they sit in)
- Identify shadow IT inside user profiles
- Detect legacy architectures (hello, hidden 32-bit installs)
- Support remediation with actual uninstall commands
This is the difference between:
“We believe the device is clean”
and
“Here is the evidence.”
Opt-In by Design — And That’s the Right Call
Enhanced App Inventory is not enabled by default.
You must configure it using a Properties Catalog policy.
At first glance, that feels like extra work.
From a security architecture standpoint, it’s exactly right.
- Inventory is intentional, not accidental
- You control scope by risk, device type, or business context
- It aligns with least privilege and data minimization
Intune quietly shifted app inventory from a background feature to a deliberate control.
That’s a design upgrade—not an inconvenience.
How to Enable It (Quick Reality Check)
There’s no magic toggle.
You must:
- Create a Properties Catalog policy
- Select Application properties
- Assign it to devices
- Wait for initial population (up to 24 hours)
No assignment = no data.
This is also the #1 reason people think “it’s not working.”
Step 1: Create a Properties Catalog Policy
- Sign in to the Microsoft Intune admin center
- Go to: Devices → Manage devices → Configuration → Create → New policy
- Select:
  - Platform: Windows 10 and later
  - Profile type: Properties catalog
- Click Create
This policy controls exactly what application metadata is collected, making inventory an intentional security signal rather than a background side effect.
Step 2: Select Application Inventory Properties
- In Basics, give the policy a clear name, for example: App Inventory – Enhanced (Audit & Security)
- In Configuration settings, click + Add properties
- Select ApplicationProperties
- Choose the properties you want to collect.

Required (selected by default):
- App name
- App version
- Publisher
- Architecture
- Install scope (device or user)
- Platform
- User ID (if applicable)
Optional (recommended for security and audit use cases):
- Install location
- Install date
- Estimated size
- Uninstall command
- Modify command
- Platform‑specific package identifier
These additional attributes are what turn inventory data into actionable audit evidence — especially when identifying unauthorized or vulnerable software. [learn.microsoft.com]
Step 3: Assign the Policy
- Assign the policy to device groups (recommended) or user groups
- Start with a pilot group if you want to validate data volume and timing
- Complete the policy creation
⚠️ Important: No policy assignment = no app inventory data.
Step 4: Wait for Initial Data Collection
- Initial population can take up to 24 hours
- After that, updates are significantly fresher than Discovered apps
- Inventory uploads are delta‑based, reducing bandwidth and processing overhead
You can verify freshness using the “Last checked” timestamp shown in the Intune portal — a critical improvement for audit defensibility.
Step 5: View the Enhanced App Inventory
You can access the data from:
- Devices → Select a device → All apps
- The new All Apps experience in Intune monitoring views
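As an added example (this is not code from the post, and not Intune’s own device-side collector), here is a PowerShell function that enumerates the same attributes from the device’s uninstall registry keys, so you can cross-check what the All apps view shows for a device during an audit or an investigation. It assumes 64-bit PowerShell run with local admin rights on Windows (admin is needed to read other users’ HKU hives, and 32-bit PowerShell would be redirected to WOW6432Node). The function and column names are mine; apps that register no Uninstall key (MSIX/Store packages, portable tools) will not appear, and InstallDate/EstimatedSize are only present when the installer wrote them.

```powershell
# Added example: local cross-check of Enhanced App Inventory attributes.
# Not Intune's collector; assumes 64-bit PowerShell, local admin, Windows 10+.
function Get-LocalAppInventory {
    [CmdletBinding()]
    param()

    $native = $env:PROCESSOR_ARCHITECTURE   # AMD64, ARM64 or x86
    $locations = [System.Collections.Generic.List[hashtable]]::new()

    # Device-wide installs: native hive and the 32-bit (WOW6432Node) hive.
    $locations.Add(@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall';             Scope = 'Device'; Arch = $native })
    $locations.Add(@{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'; Scope = 'Device'; Arch = 'x86'   })

    # Per-user installs live under each loaded user hive (HKU\<SID>), which is
    # where the legacy Discovered apps report tended to lose them.
    foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }   # real user SIDs only, skip *_Classes etc.
        $base = "Registry::HKEY_USERS\$sid\SOFTWARE"
        $locations.Add(@{ Path = "$base\Microsoft\Windows\CurrentVersion\Uninstall";             Scope = 'User'; Arch = $native; Sid = $sid })
        $locations.Add(@{ Path = "$base\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"; Scope = 'User'; Arch = 'x86';   Sid = $sid })
    }

    foreach ($loc in $locations) {
        if (-not (Test-Path $loc.Path)) { continue }
        foreach ($key in (Get-ChildItem $loc.Path -ErrorAction SilentlyContinue)) {
            $p = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
            # No DisplayName means an update/component entry, not an application.
            if (-not $p -or [string]::IsNullOrWhiteSpace($p.DisplayName)) { continue }
            if ($p.SystemComponent -eq 1) { continue }   # hidden system components
            [PSCustomObject]@{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                Publisher       = $p.Publisher
                Architecture    = $loc.Arch
                InstallScope    = $loc.Scope
                UserSid         = $loc.Sid              # $null for device-wide installs
                InstallLocation = $p.InstallLocation
                InstallDate     = $p.InstallDate        # yyyyMMdd string when the installer wrote it
                EstimatedSizeKB = $p.EstimatedSize      # KB, when the installer wrote it
                UninstallString = $p.UninstallString
                ModifyPath      = $p.ModifyPath
                PackageId       = $key.PSChildName      # MSI product code or vendor key name
                Checked         = (Get-Date).ToUniversalTime().ToString('o')
            }
        }
    }
}

$inventory = Get-LocalAppInventory

# The audit questions from above: per-user installs inside profiles (shadow IT),
# 32-bit installs, and apps with no uninstall command to hand to remediation.
$inventory | Where-Object InstallScope -eq 'User'     | Format-Table Name, Version, UserSid, InstallLocation
$inventory | Where-Object Architecture -eq 'x86'      | Format-Table Name, Version, Publisher
$inventory | Where-Object { -not $_.UninstallString } | Format-Table Name, Version, InstallScope

# Timestamped snapshot as evidence; diff it against the Intune All apps view for this device.
$inventory | Export-Csv -Path "$env:COMPUTERNAME-apps-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The Checked column is the local counterpart of the portal’s “Last checked” timestamp: it records when this snapshot was taken, so a later diff against the Intune view tells you whether the two sources disagree on content or only on age. Entries with an empty UninstallString are the ones a remediation workflow cannot remove with the command Intune reports, so they deserve a closer look before you promise an auditor that unauthorized software is “removable”.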

Where This Fits in Zero Trust
Modern endpoint security is no longer about “is the device compliant?”
It’s about:
- What is installed
- Where it lives
- Who owns it
- How fresh that knowledge is
Enhanced App Inventory feeds directly into:
- Exposure assessment
- Attack surface reduction
- Remediation workflows
- Audit defensibility
Not directly as a policy engine — but as a foundational signal behind every decision.
Final Thoughts
This isn’t a flashy feature.
It won’t get keynote time.
But from an enterprise standpoint, this is one of the most important Intune improvements in recent memory.
Because it does four things extremely well:
- Reduces blind spots
- Improves Zero Trust posture
- Strengthens audit evidence
- Replaces guesswork with verification
If you manage:
- Regulated environments
- Shared devices
- Large estates
— or if you’ve ever been challenged on software visibility —
this is not a “nice to enable later” feature.
It’s a baseline capability you should already be operationalizing.
Visibility isn’t optional anymore. Intune finally caught up. ✅