
Automating 3rd Party application deployment in Intune with PatchMyPc

Patch My PC is probably the best-known product for automated third-party application patch management with SCCM integration. It is an excellent product that simplifies both the deployment and the patching of third-party applications.

Last week Patch My PC announced their preview for Win32 Application Management for Intune. This means Patch My PC can now automate the creation and patching of Win32 apps in Intune.
As of now, this still requires a Windows VM to run the Publishing Service on, and the preview assumes a hybrid set-up where you use Patch My PC for both SCCM and Intune.

In this blog post I will go through the steps to set this up on a standalone server, which is the set-up you would use if your organization has migrated to a full cloud environment. Please be aware that this is currently not supported and that the feature is still in preview.

Installing the Publishing Service

Patch My PC has a 30-day trial available if you want to test this feature without buying a license first. Be aware that you need an Enterprise Plus license to be able to create applications automatically, as we will do here.

The Publishing Service is an application installed on a Windows Server; it handles the creation and updating of the applications.

The first thing you need for this project is a Windows Server VM. I chose to create a simple Windows Server 2016 VM in Azure. Because the Publishing Service is really lightweight, a Standard DS1 v2 VM will suffice.

WSUS is a prerequisite for the Publishing Service, but we only need the WSUS management console, not a configured WSUS server. Open an elevated PowerShell window and execute the following command:

Install-WindowsFeature -Name UpdateServices-Ui

Now it is time to install the Publishing Service: download the MSI file from the Patch My PC website. The installation is straightforward (next-next-finish). Launch the service after the installation.

Configuring the service for first use

Before we can use this preview, we need to set-up the service first.

Start by entering the catalog information URL; this is the URL used to retrieve all the application information. If you have requested a trial, this URL will be sent to you by mail.
Next, generate a self-signed certificate for the Publishing Service. This is the code-signing certificate the service uses (for example for the 'Sign the detection script' option we will see later). We don't strictly need it for a pure Intune set-up, but the service will throw warnings if no certificate is installed.

Because these features are still in preview, we need to manually choose to receive preview builds. Go to the About page, select ‘Install preview builds’ and choose to Upgrade Now.

The upgrade wizard will now start. This is a next-next-finish installation.

After the upgrade, you will notice the ‘Intune Publishing’ options in the Advanced tab.

Patch My PC uses the Microsoft Graph API to automate the creation of new applications, so it needs its own identity in Azure AD.

Create a new app registration in AAD with the following Microsoft Graph application permissions (and grant admin consent for them):

  • DeviceManagementApps.Read.All
  • DeviceManagementApps.ReadWrite.All

Note that DeviceManagementApps.ReadWrite.All already includes read access, so the Read.All permission is redundant; granting only ReadWrite.All is the least-privilege option. Anyone who holds this secret can create, update and assign Win32 apps to every managed device in the tenant, so treat the publishing server as you would any deployment server: restrict who can log on to it, give the secret an expiry date and rotate it.

Generate a new client secret and copy it for later use; the value is only shown once.
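The same app registration can be created from PowerShell, which makes it easy to keep the permission set minimal and the secret lifetime explicit. The script below is an added example and is not code from the original post or from Patch My PC. It assumes the Microsoft.Graph PowerShell module is installed, that you sign in as an account allowed to consent to application permissions, and that the display name and the six-month secret lifetime are your own choices. It requests only DeviceManagementApps.ReadWrite.All, since that permission already covers reads.

```powershell
# Added example, not part of the original post: create the app registration for
# the Patch My PC publishing service with the Microsoft Graph PowerShell module.
#Requires -Modules Microsoft.Graph.Applications

$displayName    = 'PatchMyPC-IntunePublisher'   # assumed name, pick your own
$secretLifetime = 6                             # months; shorter is safer

# Application.ReadWrite.All creates the registration; AppRoleAssignment.ReadWrite.All
# lets us grant admin consent for the application permission.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Resolve the Microsoft Graph service principal and the app role by name instead of
# hard-coding permission GUIDs. ReadWrite.All includes read access, so one role is enough.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$role    = $graphSp.AppRoles | Where-Object {
    $_.Value -eq 'DeviceManagementApps.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $role) { throw 'DeviceManagementApps.ReadWrite.All not found on the Graph service principal' }

# Single-tenant registration that only asks for that one application permission.
$app = New-MgApplication -DisplayName $displayName -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{
        ResourceAppId  = $graphSp.AppId
        ResourceAccess = @(@{ Id = $role.Id; Type = 'Role' })
    }
)

# The permission is consented to on the service principal, so create that first.
$sp = New-MgServicePrincipal -AppId $app.AppId

# Grant admin consent: assign the Graph app role to our service principal.
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
    -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null

# Client secret with an explicit expiry. SecretText is returned only once; paste it
# straight into the Patch My PC Intune settings and do not keep it anywhere else.
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'PatchMyPC publishing service'
    EndDateTime = (Get-Date).AddMonths($secretLifetime)
}

[pscustomobject]@{
    ApplicationId = $app.AppId          # goes into the 'Application ID' field
    SecretExpires = $secret.EndDateTime # put a reminder in your calendar
    Secret        = $secret.SecretText  # goes into the 'Application secret' field
}
```

The ApplicationId and Secret values from the output are what the Intune Publishing settings of the service ask for in the next section; the expiry date is the one to track, because the service will silently stop publishing once the secret has expired.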

Now we need to configure all the settings in the Patch My PC service.

  • Let’s begin by enabling the Intune Publishing Feature
  • Fill in the authority URL. This has to be in the format 'https://login.windows.net/{{O365domain}}'.
    You can use any of the verified domains in your tenant.
  • The application ID of the app registration you just created
  • The application secret

Next-up we have a few options:

  • Sign the detection script
  • Copy the assignments when an updated application is created
  • Delete the assignments from old application
  • Delete old application

I would recommend enabling the last three settings, so that:

  • Updated applications are automatically deployed
  • Old applications are no longer deployed
  • Old applications don't clutter your Intune console

If you want, you can also disable the Applications and Updates tabs in the Publishing Service, so the interface is less cluttered. Because we don't use SCCM in this example, these two tabs can safely be disabled.

Next up, we can go to the ‘Intune’ tab to add the applications we want to deploy. Choose all the applications you want to deploy and select ‘Apply’.
In this example, I have selected Google Chrome and Greenshot.

If you want, you can right click any application and configure extra settings:

  • Force close the application before installation
  • Skip installation when app is in use
  • Pre/post installation scripts for extra configuration

These settings are comparable to the ones you get with the PowerShell App Deployment Toolkit.

By default, the Publishing Service only syncs once a day, but you can invoke a manual synchronization at any time in the 'Sync Schedule' tab.

After initiating the sync, the applications will be created in Intune; this process takes about 5 minutes. If we check the portal a bit later, we can see that the applications have been created.

After that you can go ahead and assign your applications to the required user/device groups for automated deployment.
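Rather than waiting for the portal, you can check from a script that the tenant, application ID and secret you entered actually work, and list the Win32 apps the service has published. The script below is an added example, not code from the original post or from Patch My PC. It assumes the app registration from earlier, uses the same login.windows.net/<domain> authority format the service expects (the v1 token endpoint behind it), and pages through every mobile app in the tenant, keeping only the win32LobApp objects.

```powershell
# Added example, not part of the original post: validate the Patch My PC Graph
# credentials and list the Win32 apps currently in Intune.
param(
    [Parameter(Mandatory)] [string]       $Tenant,        # e.g. contoso.onmicrosoft.com (assumed)
    [Parameter(Mandatory)] [string]       $ClientId,      # Application ID of the app registration
    [Parameter(Mandatory)] [securestring] $ClientSecret   # the client secret, passed as SecureString
)

# Client-credentials flow against the v1 token endpoint that the authority URL maps to.
# An 'invalid_client' error here means the application ID or secret is wrong.
$plainSecret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
$token = Invoke-RestMethod -Method Post -Uri "https://login.windows.net/$Tenant/oauth2/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $plainSecret
    resource      = 'https://graph.microsoft.com'
}
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# Walk every page of mobileApps (Graph returns them in pages with @odata.nextLink)
# and keep only the Win32 line-of-business apps. A 403 here means admin consent
# for DeviceManagementApps.ReadWrite.All was not granted.
$uri  = 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps'
$apps = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $apps += @($page.value | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.win32LobApp' })
    $uri = $page.'@odata.nextLink'
}

# isAssigned tells you whether the app already has a group assignment; newly
# published apps show $false until you assign them (or until the service copies
# the assignments from a previous version).
$apps | Select-Object displayName, publisher, createdDateTime, isAssigned |
    Sort-Object displayName | Format-Table -AutoSize
```

Run it as `.\Get-PmpcWin32Apps.ps1 -Tenant contoso.onmicrosoft.com -ClientId <app id> -ClientSecret (Read-Host -AsSecureString)` so the secret never ends up in your shell history. The same token request is also a quick way to confirm that a rotated secret works before you paste it into the service.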

Thoughts

This preview is truly a godsend and will help a lot of organizations that are migrating to the cloud. At $3 per device per year, this is a really cheap solution that will save you a lot of time.

I do have a small wishlist of features I would like to see in the finished product:

  • Application prefix/suffix
    • Allow us to specify a prefix or suffix that is added to the name of every application the service creates in Intune. This way we can easily see which applications were created by the service.
  • Do not require WSUS
    • Most organizations will use this in conjunction with SCCM, but more and more organizations are shifting to a full cloud environment where WSUS isn't used. We can work around the WSUS requirement, but it would be nice if we didn't have to.
  • Provide a SaaS version
    • This feature request is probably the hardest, but it would be nice if all of this could be managed from a web portal without the need to install the Publishing Service on a VM.

I would recommend everyone to try this preview in a test lab so you can decide whether this is the right product for you.

Let me know if you have any thoughts about the preview! What is on your feature wishlist?

Update August 2020: Patch My PC released another update which enables fully automated patch management with Intune. This update pushes updates for applications to users who have the software installed, even if the application was deployed as 'available'. Check out all the information here.
