Intune Third-Party Patching Automation | PatchMyPC | Review

0
Intune Third-Party Patching Automation

PatchMyPC released a solution for Intune third-party patching automation using Win32 application management. Let’s see what are features of this solution and how to set this up.

Updated on 10th Aug 2020 with PatchMyPC’s Intune Update Tab!

Introduction

One of the challenging questions during modern management discussion is third-party patching. SCCM has options to integrate with other vendor solutions or SCUP to provide automation for 3rd party patching.

What about the options for Intune Third-Party Patching Automation? PatchMyPC Publishing Service for Intune shall help you to fulfill the above-mentioned gap.

Infrastructure Required

You can either use Windows 10 virtual machine in Azure or a Server to host the PatchMyPC publishing service for Intune.

NOTE! – Probably we shall have some SAAS or PAAS solutions from PatchMyPC and other vendors to support true modern management without any infra requirements.

In this post, I use Windows 10 virtual machine hosted in Azure to host PatchMyPC publishing tool for Microsoft Intune.

Install – RSAT – Windows Server Updates Services Tools

The first step is to Install the “RSAT – Windows Server Updates Services Tools” feature on Windows 10.

  • Settings -> Search “Feature
  • Select “Manage Optional Features
  • Click +Add a Feature
  • Click InstallRSAT – Windows Server Updates Services Tools
RSAT - Windows Server Updates Services Tools - Intune Third-Party Patching Automation
RSAT – Windows Server Updates Services Tools – Intune Third-Party Patching Automation

NOTE! – Restart Windows 10 virtual machine before proceeding with the next steps.

Install PatchMyPC Publishing Service for Intune

Let’s go through the download & installation steps in this section.

  • Download the PatchMyPC Publishing Service setup file.
  • Double click on MSI to start the installation process.
  • On UAC screen click YES.
  • Click NEXT to continue.
  • Click on Accept the license screen and click on NEXT button to continue.

NOTE! – For Intune only cusotmers, let’s DISABLE the components and presequensite checks related to WSUS and ConfigMgr from Enable Intune Standalone Mode page.

  • Click on Enable Microsoft Intune Standalone Mode
Enable Microsoft Intune Standalone Mode - Intune Third-Party Patching Automation
Enable Microsoft Intune Standalone Mode – Intune Third-Party Patching Automation
  • Select Installation Folder and click NEXT to continue.
  • Click on the FINISH button to launch the tool.

Configure

Now let’s configure PatchMyPC Publishing service tool for Intune third-party patching automation.

  • Enter the catalog URL from PatchMyPC.
    • If you already purchased a license or have a 30-day full trial, you can paste the catalog URL and click on the Validate URL button.
    • Or you can click on the USE TRIAL mode checkbox to enable the quick trial features with a limited number of updates.
  • Click on Subscription Validation Succeeded screen to continue.
3rd Party Patching catalog URL - Intune Third-Party Patching Automation
3rd Party Patching catalog URL – Intune Third-Party Patching Automation
  • Click on Intune App button to configure Intune automatic publishing options
  • Click on OPTIONS to continue the configuration
Intune App Options - Patch My PC - Publishing Settings
Intune App Options – Patch My PC – Publishing Settings

Connect to Intune & Azure AD

Now, let’s fill all the details required for the PatchMyPC publishing tool to connect with Intune. This connection helps to create | publish third-party patches to Intune without any user interaction.

NOTE – You need to have appropriate access to Intune and Azure AD to continue the following steps. I think it’s better to get in touch with tenant admin 1. check for Azure AD permissions, 2. Intune Permissions (Full Intune Admin?).

  • Enter the MDM Authority URL
    • https://login.windows.net/mytenant.onmicrosoft.com (something similar to that). How to find out your Intune tenant domain name details?
  • Enter the application ID – For this, you need to create an Azure Application.
  • Enter Application Secret – You need to create a new application secret from Azure portal.
Intune Options to connect to Azure AD and Intune
Intune Options to connect to Azure AD and Intune

Enter MDM Authority URL

  • You can log in to Intune portal – https://devicemanagement.microsoft.com
  • Navigate via Tenant Administration – Tenant Status.
  • Copy the Tenant Name.
  • Replace the “mytenant.onmicrosoft.com” from the following URL “https://login.windows.net/mytenant.onmicrosoft.com” with the original tenant name you have copied.
Intune  Tenant Administration - Tenant Status
Intune Tenant Administration – Tenant Status

Azure AD Application ID

Let’s create an Azure AD application to provide appropriate access for the PatchMyPC publishing tool to create Win32 application (third-party patches) in Intune.

  • Log in to the Azure portal with appropriate access as mentioned above.
  • Navigate via Azure ADApplication Registrations Tab
  • Click on New Registration to create new Azure AD application
New Registration to create new Azure AD application - Intune Third-Party Patching Automation
New Registration to create new Azure AD application – Intune Third-Party Patching Automation
  • Enter the name of the Azure AD application “Intune 3rd Party Patching – PatchMyPC”
    • The user-facing display name for this application (this can be changed later).
  • Supported account types
    • Who can use this application or access this API?
      • Accounts in this organizational directory only (MyTenantName (Default Directory) only – Single-tenant)
Supported account types - Intune Third-Party Patching Automation
Supported account types – Intune Third-Party Patching Automation
  • Enter the application ID – Copy Application (Client) ID – 3329600a-f41f-4be2-9302-2c06eb818d5e (something similar to this).
Copy Application (Client) ID  -  Enter the application ID
Copy Application (Client) ID – Enter the application ID

Assign Permissions

Let’s assign permissions to the Azure AD application created above.

  • Click on API Permissions
  • Click on + Add a Permission
  • Click on Microsoft Graph from All Apps
  • Click on Application Permissions
assign permissions to the Azure AD application
assign permissions to the Azure AD application
  • Search “DeviceManagement
  • Select the followings:
    • DeviceManagementApps.Read. All
    • DeviceManagementApps.Read Write.All
  • Search “Groups
  • Select the followings:
    • Group Read App
  • Click on Add Permissions
Add Permissions - Intune Third-Party Patching Automation
Add Permissions – Intune Third-Party Patching Automation
  • Now let’s approve the new permissions.
  • Click on Grant admin consent for “mytenantname” button.
  • Choose Yes if prompted to consent for the required permissions.
Grant admin consent for "mytenantname"
Grant admin consent for “mytenantname

Enter Application Secret

  • Click on the Certificates & secrets node.
  • Click +New client secret.
  • Enter the Description as you want
  • Select NEVER under Expires options
  • Click on ADD button
Click on the Certificates & secrets node - Intune Third-Party Patching Automation
Click on the Certificates & secrets node – Intune Third-Party Patching Automation – Enter Application Secret
  • Copy the Application Secret code (save this unique number for future use)
Copy the Application Secret code
Copy the Application Secret code

Connect to Graph API

Let’s connect to the PatchMyPC publishing tool for Intune with Graph API | Intune. You already have all the following details from the above sections.

  • Enter the MDM Authority URL
  • Enter the application ID
  • Enter Application Secret
  • Click on the TEST button to confirm the connectivity
  • Click on OK button to continue on Successfully connected to Intune dialogue box
PatchMyPC Publishing Service Successfully connected to Intune
PatchMyPC Publishing Service for Intune Successfully connected to Intune

NOTE! – I’m going to use the default options from the above screen.

  • Enabled – “Copy the assignments from previously created applications when an update application is created” option.
  • Enabled – “Delete the assignments from a previously created application when an updated application is created.” option.
  • Click OK to save the configurations.

Publish Third-Party Patches to Intune Automatically

Let’s select the third-party applications you want to patch and publish those applications via the PatchMyPC publishing tool.

Automatically Create Win32 Applications in Microsoft Intune - Intune Third-Party Patching Automation
Automatically Create Win32 Applications in Microsoft Intune – Intune Third-Party Patching Automation
  • Select the application you want to patch with Microsoft Endpoint Management Intune.
    • Chrome
    • Mozilla Firefox
    • Notepad++
    • Adobe
  • Click on OK button to continue.
  • Let’s launch the PatchMyPC publishing service tool
  • Click on SYNC SCHEDULE button
  • Click on the RUN PUBLISHING SERVICE SYNC button to start the publishing activity.

NOTE! – This action shall initiate the Intune Win32 Application creation process in the Intune console.

RUN PUBLISHING SERVICE SYNC - Intune Third-Party Patching Automation
RUN PUBLISHING SERVICE SYNC – Intune Third-Party Patching Automation

Verification Process

You can monitor and verify the process – “Intune Third-Party Patching Automation” via PatchMyPC.log location in the installation folder.

Creating new Intune application: Google Chrome 80.0.3987.132 (x64)
Starting download for: https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi
Finished downloading file: [https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi] Average speed: 28.02 MB/s (57 MB)
Successfully downloaded the update
Copying ScriptRunner
Creating application for: Google Chrome (x64) using source path C:\windows\TEMP\PMP-rzyozikb
Starting download for: https://upload.wikimedia.org/wikipedia/commons/thumb/a/a5/Google_Chrome_icon_(September_2014).svg/512px-Google_Chrome_icon_(September_2014).svg.png
Creating PowerShell detection script.
Sending application to Intune server.
Win32LobApp created: id=9f1c308b-e609-4993-89a0-2cf0d7fb3ef8
ContentVersion created: id=1
ContentFile created: id=f2f24a7b-2f09-466b-9741-45df598491f2
Upload done
File committed
App committed
Application sent to Intune server.
Processing Intune application 3/5
Creating new Intune application: Mozilla Firefox 74.0 (x64 en-GB)
Application sent to Intune server - Intune Third-Party Patching Automation
Application sent to Intune server – Intune Third-Party Patching Automation

Assignment of Applications

PatchMyPC publishing tool comes with an excellent RIGHT-CLICK option to create assignments.

  • Click on Intune Apps
  • Right-click on applications (all products)
  • Select Assignments
Automatic Application Assignments - Manage Assignments
Automatic Application Assignments – Manage Assignments
  • There are 3 (Three) categories in Manage Assignment window
  • Available for Enrolled Devices
  • Required (I’m going to use this option as example)
    • Click on Add assignments
    • Select Azure Groups using search options
    • You can also either select to deploy either to All Users or All Devices
  • Uninstall
3 (Three) categories in Manage Assignment window  - Intune Third-Party Patching Automation
3 (Three) categories in Manage Assignment window – Intune Third-Party Patching Automation

Results

Let’s see the creation of Win32 Application in Intune and the installation of this application on Windows 10 device.

  • Win32 Application created
Win32 application Created - Intune Third-Party Patching Automation
Win32 application Created – Intune Third-Party Patching Automation
  • Installation on Windows 10 Device
Installation Win32 Application Completed - Intune Third-Party Patching Automation
Installation Win32 Application Completed – Intune Third-Party Patching Automation

Video Experience

New Features

PatchMyPC released new features for their product for 3rd party patching recently. You can check more details below.

Intune Third-Party Patching Automation | PatchMyPC | Review 1

Resources

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.