Intune Patch My PC – Full Guide – Part 2

Intune Patch My PC – Full Guide – Part 2

This article will describe how to setup Intune Patch My PC. This will be a full guide! Because it was such a long blog post, I divided it in parts. Every part will be released day after day. Situation:

  • Azure AD Joined Intune managed devices


  • Implementing Patch My PC for 3rd party applications and 3rd party applications update management

Patch my PC’s mission is to simplify how enterprises create, manage, update, and deploy third-party applications within System Center Configuration Manager. Our solution is used by over 1,600 enterprises worldwide, helping to maintain applications on over 5 million devices. They also have a public preview running for integration with Intune. In my blog post we will go over this and set it up. You can find more info about Patch my PC on their website. Requirements for running Patch My PC Publishing service:

  • Microsoft .NET Framework 4.5
  • Supported Operating Systems
    • Windows Server 2008
    • Windows Server 2008
    • Windows Server 2012
    • Windows Server 2012
    • Windows Server 2016
    • Windows Server 2019
    • Windows 10 (x64) – Microsoft Intune only

Prerequisites for running Patch My PC Publishing service:

  • When using Windows Server operating systems, WSUS should be installed and configured.
  • If using Windows 10 client for Microsoft Intune only
    • Optional feature RSAT: Windows Server Updates Services Tools should be pre-installed

Licensing prices for Intune:

So for 2.5$ /device /year you have an Intune license for Patch My PC. And it’s more then worth it. 

If you want you can always try out a trial first:

Be sure to check out the new updates blog post from Patch My PC also:


1. Patch My PC publishing service setup

  • So, in our previous post (Intune Patch My PC – Full Guide – Part 1) we stopped at the moment where we connected with our Windows 10 VM. So let’s pick up here.
  • First thing we should to is make sure the requirements for Windows 10 are met, so we have to install the RSAT tools. This can easily done with a PowerShell (open as admin) command:
    • Add-WindowsCapability -Online -Name Rsat.WSUS.Tools~~~~

  • Download the latest MSI installer of the publishing service using the following URL:
  • Start the installation by double clicking on the downloaded MSI (make sure you have administrator rights)
  • Click on ‘Next’

  • Accept the license terms and click on ‘Next’ again

  • Check ‘Enable Microsoft Intune standalone mode’ and click on ‘Next’

  • Leave the folder location as-is and click on ‘Next’

  • Click on ‘Install’

  • Leave the ‘Launch Patch My PC Publishing Service’ checked and click on ‘Finish’


2. Activate Patch My PC for Intune with your license (or trial license)

  • If you have no license yet, you should ask your trial license so you can test the product. More info here:
  • If you have your license, copy it to URL (if you want to configure the publishing service in public trial mode, click the ‘Use Trial Mode’ checkbox) and click on ‘Validate URL’. Click on OK.


3. Create a ‘Patch My PC – Intune Management’ app registration in Azure AD

  • Navigate to the Azure Portal. Click on ‘Azure Active Directory’ and then click on ‘App Registrations’ and then on ‘New registration’

  • Give your app registration a name: ‘Patch My PC – Intune Management’. Configure the account types based on your tenant requirements. For this example, we will leave the default Single tenant option checked.
  • Please the Redirect URI default unless you have specific requirements for configuring the Redirect URI. Click on ‘Register’

  • Once created, click on the ‘API permissions’ node. Next, we will need to delegate the required permissions for Intune application management.

  • In the API permissions node, click on ‘Add a permission’. In the right pane click on ‘Microsoft Graph’

  • Click on ‘Application permissions’

  • In the Permission dialog, you will need to enable the following permissions:
    • Under the DeviceManagementApps toggle, enable:
      • DeviceManagementApps.Read.All
      • DeviceManagementApps.ReadWrite.All
    • Under the Group toggle, enable:
      • Group.Read.All
  • Click ‘Add permissions’

  • To approve the new permissions click, ‘Grant admin consent for <Org Name>’. Choose ‘Yes’ if prompted to consent for the required permissions. Note: To grant the permissions, you will need to be logged in to an Azure AD account with permissions to perform this task.

  • If all went well you’ll see ‘Grant consent successful’

  • Click the ‘Certificates & secrets’ node and click ‘New client secret’

  • Create a ‘Description’ name and choose a validity period that meets your companies needs. Click ‘Add’

  • Click the button to copy the secret key. Save the key value to a secure location for future use.

  • Next, click the ‘Overview’ node, and copy the ‘Application (client) ID’ and save it to a secure location along with the secret key value.




That’s it for Part 2. Tomorrow I’ll post part 3 where we’ll configure the Patch My PC publishing service and go over some options.


Happy testing!


More articles on Patch My PC: