Automate application deployment and patching with Patch My PC and Intune

This month Patch My PC announced general availability of Win32 application management for Microsoft Intune with their tooling.
Patch My PC is well-known for their third-party application management solution integrated with Microsoft Endpoint Manager Configuration Manager. These deployment and management features are now extended to Microsoft Intune.

With a few clicks you create Win32 applications in Patch My PC and deploy them to Microsoft Intune. Patch My PC keeps the installers automatically up to date, therefore you always deploy the latest version of an application.

In this blog post we'll walk through the installation and configuration of Patch My PC and have a look at how the result looks in Microsoft Intune.

Install Patch My PC

Patch My PC for Microsoft Intune can be installed on a Windows Server OS or on Windows 10. To keep it simple I used a Windows 10 stand-alone VM.

On Windows 10 the RSAT: Windows Server Update Services tools are a requirement, which can be installed using the following PowerShell command:
Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~0.0.1.0

The installation file for Patch My PC can be downloaded from the Patch My PC site.

The installation is pretty straightforward, just clicking Next a few times. But make sure to set a check mark at Enable Microsoft Intune standalone mode. This makes sure the tooling for Configuration Manager integration is not installed.

Activate Patch My PC

The first thing we do is activate Patch My PC. This is done by entering the Catalog Information URL from which all the application information is downloaded.
Instead of entering a URL, you can also start in Trial Mode by setting a check mark at Use Trial Mode.

Connect Patch My PC with Intune

The second step is connecting Patch My PC to Microsoft Intune. Patch My PC uses the Graph API for the connection, therefore we need to create a new App Registration in Azure Active Directory with these (application) permissions:
DeviceManagementApps.Read.All
DeviceManagementApps.ReadWrite.All
Group.Read.All

  • Sign-in to the Azure portal
  • Browse to Azure Active Directory > App Registrations
  • Click New registration
  • Give the App registration a Name
  • Check Accounts in this organizational directory only
  • Click Register
  • Browse to the API permissions tab
  • Click Add a permission
  • Click Application permissions
  • Scroll down to the DeviceManagementApps section
  • Check DeviceManagementApps.Read.All
  • Check DeviceManagementApps.ReadWrite.All
  • Scroll to the Group section
  • Check Group.Read.All
  • Click Add permissions
  • Click Grant admin consent
  • Click Yes if prompted
  • Browse to the Certificates & secrets tab
  • Click New client secret
  • Enter a Description
  • Choose the validity period
  • Click Add
  • Copy the secret key by clicking on the copy button
  • Save the key securely, to use it later
  • Browse to the Overview tab
  • Copy the Application (client) ID
  • Save the ID with the secret key
  • Switch back to Patch My PC
  • Open the Intune apps tab
  • Check Automatically create Win32 applications in Microsoft Intune
  • Click Options
  • Enter your (Intune) Tenant name, in this example mempowered.eu after the existing URL
  • Paste in the Application ID and Application Secret
  • Click Test
  • Here you find some more options; for now I leave them at their defaults
  • Click OK

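The same app registration can be created from PowerShell, which is handy when you want the registration to be repeatable and limited to exactly the three permissions above. The script below is an added example and not Patch My PC's own code or a Microsoft sample; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes the signed-in account may create app registrations and grant admin consent. The display name PatchMyPC-Intune and the six-month secret lifetime are assumptions; the app-role IDs are looked up by name on the Microsoft Graph service principal rather than hardcoded.

```powershell
# Added example: create the app registration the post describes, grant admin consent
# for the three application permissions and create a client secret.
# Assumes the Microsoft.Graph module and an account allowed to create apps and consent.

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'          # Microsoft Graph (well-known app id)
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Resolve the permission names from the post to their app-role ids (Type = Role means application permission)
$wanted = 'DeviceManagementApps.Read.All', 'DeviceManagementApps.ReadWrite.All', 'Group.Read.All'
$roles  = @($graphSp.AppRoles | Where-Object { $_.Value -in $wanted -and $_.AllowedMemberTypes -contains 'Application' })
if ($roles.Count -ne $wanted.Count) { throw "Could not resolve all requested app roles on Microsoft Graph" }

$requiredAccess = @{
    ResourceAppId  = $graphAppId
    ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
}

# "Accounts in this organizational directory only" corresponds to SignInAudience AzureADMyOrg
$app = New-MgApplication -DisplayName 'PatchMyPC-Intune' `
                         -SignInAudience 'AzureADMyOrg' `
                         -RequiredResourceAccess $requiredAccess
$sp  = New-MgServicePrincipal -AppId $app.AppId

# Admin consent: one app-role assignment per permission, granted to the app's own service principal
foreach ($role in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
                                            -PrincipalId $sp.Id `
                                            -ResourceId $graphSp.Id `
                                            -AppRoleId $role.Id | Out-Null
}

# Client secret with a short validity; the value is only returned once, so store it in a vault
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{
    DisplayName = 'PatchMyPC publishing service'
    EndDateTime = (Get-Date).AddMonths(6)
}

# These two values go into the Patch My PC Intune apps > Options dialog
[pscustomobject]@{
    ApplicationId = $app.AppId
    Secret        = $secret.SecretText
}
```

Because the secret expires, note the EndDateTime somewhere you will see it; when it lapses the publishing service sync silently stops creating and updating apps until a new secret is pasted into Patch My PC.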
Setup alerts in Microsoft Teams

You can configure Patch My PC to send alerts via mail (SMTP) or via Microsoft Teams. I prefer the Microsoft Teams option. This is done by adding an Incoming Webhook connector to a Teams channel.

  • Click on the three dots next to the channel name to open the menu
  • Choose Connectors
  • Search for Webhook
  • Click Add to a Team (or Configure)
  • Give the Connector a Name
  • Upload an Image (Optional)
  • Copy the URL
  • Switch back to Patch My PC
  • Open the Alerts tab
  • Check Send Microsoft Teams reports
  • Paste the URL
  • Click Test
  • Click OK

The alerts are set. If everything works as expected a test message is published in the Teams Channel.
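To confirm the webhook works independently of Patch My PC, or to post your own message to the same channel, you can call it directly. The function below is an added example, not part of the post or of Patch My PC; it assumes the Microsoft Teams Incoming Webhook URL copied above (the placeholder value is constructed). It refuses to send to anything that is not a Teams webhook host, since the URL is effectively a credential: whoever holds it can post to the channel, and if the URL stored in a config is swapped, alert contents would be sent elsewhere.

```powershell
# Added example: post a message to the Teams Incoming Webhook configured above.
# The URL below is a constructed placeholder; replace it with the one copied from Teams.
function Send-TeamsWebhookMessage {
    param(
        [Parameter(Mandatory)] [string] $WebhookUrl,
        [Parameter(Mandatory)] [string] $Text
    )

    # Only accept the hosts Teams uses for incoming webhooks (tenant.webhook.office.com,
    # or the older outlook.office.com form); anything else is treated as misconfiguration.
    $uri = [uri] $WebhookUrl
    $allowed = $uri.Scheme -eq 'https' -and (
        $uri.Host -like '*.webhook.office.com' -or $uri.Host -eq 'outlook.office.com'
    )
    if (-not $allowed) {
        throw "Refusing to post to '$($uri.Host)': not a Microsoft Teams webhook host"
    }

    # Minimal MessageCard payload understood by the Incoming Webhook connector
    $payload = @{
        '@type'    = 'MessageCard'
        '@context' = 'https://schema.org/extensions'
        summary    = $Text
        text       = $Text
    } | ConvertTo-Json

    # Teams answers with the literal "1" when the message was accepted
    $response = Invoke-RestMethod -Uri $WebhookUrl -Method Post -ContentType 'application/json' -Body $payload
    return $response
}

# Placeholder URL (constructed), not a real webhook
$webhook = 'https://contoso.webhook.office.com/webhookb2/PLACEHOLDER'
Send-TeamsWebhookMessage -WebhookUrl $webhook -Text 'Patch My PC alert channel test'
```

Keep the webhook URL out of scripts checked into source control; treat it like the client secret from the previous section.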

Publish a Win32 application to Intune

Let's have a look at how we can publish a Win32 application to Microsoft Intune with Patch My PC.

  • Browse to the Intune apps tab
  • Click the magnifying glass to search for an application
  • Check the application you want to deploy
  • Right click the application for more options
    Here you have several options such as Delete desktop shortcut created by application or you can add Custom pre/post update install scripts
  • Click Manage assignments


From this screen you can directly assign the application to an Azure AD group or all users/ all devices. Patch My PC can read all the Azure AD groups, so we have one place to deploy and assign applications.

  • Click Add assignments
  • Check one of the Azure AD groups
  • Click OK (twice)
  • Browse to the Sync Schedule tab
  • Click Run Publishing Service Sync to start a sync to Intune manually

Switch to the Microsoft Endpoint Manager (Intune) console. As you can see no apps are deployed (yet!).

If you wait a few minutes and refresh, more and more Win32 apps are added to Intune.

If we open the properties of Edge, we can see the app is already assigned to the Azure AD group which I assigned using Patch My PC.

When updates are released for an application, those are published automatically to Intune. The assignment is removed from the old version and applied to the new version of the application.
Depending on the choice made in Patch My PC, old versions of the applications are automatically removed from Intune, or just un-assigned.
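If you want to verify that behaviour from the Intune side rather than by clicking through each app, the script below lists every Win32 app together with its assignments, so multiple versions of one application appear next to each other and you can see which version still carries the group. It is an added example, not code from the post or from Patch My PC; it uses the Microsoft Graph PowerShell SDK with the same DeviceManagementApps.Read.All permission the post lists, and assumes the displayVersion property of win32LobApp is exposed through AdditionalProperties (it is not a strongly typed property on the generic mobileApp object).

```powershell
# Added example: report Win32 apps in Intune with their group assignments.
# Assumes the Microsoft.Graph module and a signed-in account with DeviceManagementApps.Read.All.
Connect-MgGraph -Scopes 'DeviceManagementApps.Read.All'

# Only Win32 (LOB) apps, which is what Patch My PC creates
$win32Apps = Get-MgDeviceAppManagementMobileApp -Filter "isof('microsoft.graph.win32LobApp')" -All

$report = foreach ($app in $win32Apps) {
    $assignments = Get-MgDeviceAppManagementMobileAppAssignment -MobileAppId $app.Id

    # Group targets carry a groupId; "all users"/"all devices" targets do not, so show the target type then
    $targets = foreach ($a in $assignments) {
        $groupId = $a.Target.AdditionalProperties['groupId']
        $type    = $a.Target.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        if ($groupId) { "$($a.Intent):$groupId" } else { "$($a.Intent):$type" }
    }

    [pscustomobject]@{
        DisplayName = $app.DisplayName
        Version     = $app.AdditionalProperties['displayVersion']   # win32LobApp-specific (assumption: via AdditionalProperties)
        Assigned    = ($targets -join ', ')
    }
}

# A version with an empty Assigned column is one Patch My PC has un-assigned but not removed
$report | Sort-Object DisplayName, Version | Format-Table -AutoSize
```

Run it once after a sync that published an update: the previous version of the application should either be gone from the list or show an empty Assigned column, depending on the option chosen in Patch My PC.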

If we open our Microsoft Teams channel, we see the alerts from Patch My PC.

And the end result is Win32 applications automatically installed on the Windows 10 client devices.

Conclusion

If you manage a lot of Intune devices and a lot of different applications, this is really a great tool to keep them up to date.
I think $2.50 per device per year is not too expensive when you see how much time it can save an Intune admin.

This is just the first release for Intune which is generally available, but it works pretty well. I found one small thing (bug) related to automatic group assignment, where it didn't assign the group to the latest version. Patch My PC already fixed it in the latest (preview) release, just a couple of days after I reported the issue. Great support!

If you're interested, just start a trial yourself via the patchmypc.com website.

Any ideas and feature requests can be submitted via the ideas portal.

Happy testing and keep safe!
