This article describes how to set up Patch My PC with Intune. It is a full guide; because the post became so long, I split it into parts, which will be released on consecutive days. Situation:
- Azure AD Joined Intune managed devices
Target:
- Implementing Patch My PC for third-party application deployment and third-party application update management
Patch My PC describes its mission as simplifying how enterprises create, manage, update, and deploy third-party applications within System Center Configuration Manager; according to the vendor, the solution is used by over 1,600 enterprises worldwide and maintains applications on over 5 million devices. They also run a public preview of an integration with Intune, and that integration is what this series sets up. You can find more information on the Patch My PC website. Requirements for running the Patch My PC Publishing Service:
- Microsoft .NET Framework 4.5
- Supported Operating Systems
- Windows Server 2008
- Windows Server 2008
- Windows Server 2012
- Windows Server 2012
- Windows Server 2016
- Windows Server 2019
- Windows 10 (x64) – Microsoft Intune only
Prerequisites for running the Patch My PC Publishing Service:
- On a Windows Server operating system, WSUS must be installed and configured.
- On a Windows 10 client (Microsoft Intune only), the optional feature ‘RSAT: Windows Server Update Services Tools’ must be installed beforehand.
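To check these requirements on the machine you intend to run the Publishing Service on, here is an added PowerShell script; it is not part of the original post and not Patch My PC's own tooling. It assumes an elevated Windows PowerShell 5.1 session, that Get-WindowsFeature is only available on Windows Server and Get-WindowsCapability on Windows 10 1809 or later; the registry values it reads are the standard Windows ones and the function name is mine.

```powershell
# Added example, not from the original post or from Patch My PC. Checks the
# Publishing Service requirements listed above. Assumptions: elevated Windows
# PowerShell 5.1; Get-WindowsFeature exists on Windows Server only;
# Get-WindowsCapability needs Windows 10 1809 or later.
function Test-PmpcPrerequisites {
    $results = [ordered]@{}

    # .NET Framework 4.5 or later: the 'Release' value under NDP\v4\Full is
    # 378389 for 4.5 and a higher number for every later 4.x release.
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -ErrorAction SilentlyContinue
    $results['.NET Framework 4.5+'] = ($null -ne $ndp -and $ndp.Release -ge 378389)

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $isServer = $os.ProductType -ne 1
    $results['Operating system'] = $os.Caption
    $results['64-bit']           = [Environment]::Is64BitOperatingSystem

    if ($isServer) {
        # Windows Server: the WSUS role ('UpdateServices') must be installed and configured.
        $wsus = Get-WindowsFeature -Name UpdateServices
        $results['WSUS role installed'] = [bool]$wsus.Installed
        # The Setup key only exists once the WSUS post-install configuration has run.
        $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup' `
                                  -ErrorAction SilentlyContinue
        $results['WSUS configured (content dir)'] = $setup.ContentDir
    }
    else {
        # Windows 10 (Intune only): the RSAT WSUS tools capability must be present.
        # Install it with: Add-WindowsCapability -Online -Name 'Rsat.WSUS.Tools~~~~0.0.1.0'
        $cap = Get-WindowsCapability -Online -Name 'Rsat.WSUS.Tools*'
        $results['RSAT WSUS tools installed'] = @($cap | Where-Object State -eq 'Installed').Count -gt 0
    }

    [pscustomobject]$results
}

Test-PmpcPrerequisites | Format-List
```

Run it before installing the Publishing Service; a false in any row is the prerequisite to fix first, and on a server an empty content directory means the WSUS role is installed but its post-install configuration has not been completed.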
Be sure to check out the new updates blog post from Patch My PC also: https://patchmypc.com/third-party-patch-management-for-microsoft-intune
1. Configure the Patch My PC Publishing Service
- In the previous post (Intune Patch My PC – Full Guide – Part 2) we stopped after completing the app registration in Azure AD, so we pick up from there.
- We saved the Application ID and the Application Secret Key somewhere safe; we need both in the following steps.
- Go back to the Patch My PC Publishing Service and click on the ‘Intune Apps’ tab. Click the checkbox Automatically create Win32 application in Microsoft Intune.
- Next, click the ‘Options’ button.
- Copy your tenant name (if you don’t know where to find it, go to endpoint.microsoft.com, click ‘Tenant administration’, and look under the ‘Tenant status’ blade).
- Now we have everything we need (tenant name, Application ID and Application Secret Key). Enter them in the Patch My PC Publishing Service and click ‘Test’ to validate that the service can connect to your Intune tenant.
- If all went well you get the message ‘Successfully connected to Intune’.
- By default, the PowerShell detection method scripts are not code-signed. Optionally, you can browse the local computer’s personal certificate store and choose a code-signing certificate; I’ll cover this in detail in a later blog post.
- If no code-signing certificate is configured, the Win32 application in Microsoft Intune is created with the ‘Detection Rules’ setting ‘Enforce script signature check and run script silently’ = ‘No’, so the detection script runs unsigned on every client.
- If a certificate is selected, this setting is ‘Yes’, and clients must trust the certificate (its chain must be trusted on the device) or the application will not install successfully.
- The option to ‘Copy the assignments from previously created applications when an update application is created.’ will automatically deploy any new version of an application to the same group(s) from the previous version.
- Example: if Google Chrome 78 was created and assigned to an Azure AD Group and Google Chrome 79 is published later, it will be assigned to the same groups automatically.
- The option to ‘Delete the assignments from previously created application when an updated application is created.’ will automatically remove any assignments for an older version of an application.
- The option to ‘Delete any previously created applications when an updated application is created.’ will automatically delete any older versions of an application when a newer application is created.
- The ‘Run Intune Application Manager Utility’ can be used to perform bulk deletion of application assignments or deletion of applications in Microsoft Intune.
- Click on ‘OK’ when you’re done.
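What the ‘Test’ button checks can be reproduced outside the Publishing Service, which is useful when the test fails and you want to know whether the problem is the credentials, the consented permissions, or the tenant. The script below is an added example, not code from the original post or from Patch My PC: it obtains an app-only token for the app registration from Part 2 with the client-credentials flow, decodes the token to list the application permissions it actually carries, and reads one app object from Intune. Assumptions that are mine, not the post’s: the tenant name placeholder, the permission name DeviceManagementApps.ReadWrite.All as the one the registration needs, the Microsoft Graph endpoints used, and that admin consent was granted in Part 2.

```powershell
# Added example, not from the original post or from Patch My PC. Reproduces the
# 'Test' check: client-credentials token for the app registration, inspection of
# the granted application permissions, one read against Intune.
# Assumptions: tenant name placeholder, permission name
# DeviceManagementApps.ReadWrite.All, and Graph v1.0 endpoints are mine.
$TenantName = 'contoso.onmicrosoft.com'                             # assumption: replace with your tenant name
$ClientId   = Read-Host -Prompt 'Application ID'
$SecretSec  = Read-Host -Prompt 'Application Secret Key' -AsSecureString   # never hard-code the secret

# Convert the SecureString only for the moment it is sent, then release it.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecretSec)
try     { $ClientSecret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 1. Client-credentials grant against the v2.0 token endpoint (form-encoded body).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
Remove-Variable -Name ClientSecret -ErrorAction SilentlyContinue

# 2. Decode the JWT payload (base64url). No signature check is needed here; we
#    only want the 'roles' claim, which lists the consented application permissions.
$payload = $tokenResponse.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload += '=' * ((4 - $payload.Length % 4) % 4)
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
Write-Host "Tenant (tid): $($claims.tid)"
Write-Host "Roles       : $($claims.roles -join ', ')"

$required = 'DeviceManagementApps.ReadWrite.All'   # assumption: the permission the service needs
if ($claims.roles -notcontains $required) {
    Write-Warning "Token does not carry $required; admin consent is missing or the wrong permission was added."
}
# Least-privilege check: anything beyond the required permission is excess for this registration.
$excess = @($claims.roles | Where-Object { $_ -ne $required })
if ($excess.Count -gt 0) {
    Write-Warning "Extra application permissions granted: $($excess -join ', ')"
}

# 3. Prove the token works against Intune by reading a single app object.
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }
$apps = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps?$top=1' `
                          -Headers $headers
$first = $apps.value | Select-Object -First 1 -ExpandProperty displayName
Write-Host "Successfully connected to Intune; first app returned: $first"
```

Run it on the host that will run the Publishing Service so it exercises the same network path. A token error points at the tenant name, Application ID or secret; a warning about the roles claim points at the permissions and consent configured in Part 2; an HTTP 403 on the last call with the role present usually means consent was granted after the token was issued, so request a new one.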
2. Application deployment options with Patch My PC for Intune
- In the ‘Intune Apps’ tab, you can enable products for Win32 application publishing to Microsoft Intune.
- Right-clicking ‘All Products’, ‘Vendors’, or ‘Products’ will allow you to set custom options.
- I’ll go over these options one by one.
- Auto close application processes before installation:
- This option closes the product’s running process(es) before an update or application installation runs.
- If the application is running when the update or application installation starts, it is closed automatically in the background and the installation proceeds.
- This option is helpful if you know a product fails to update while it is open and you do want it closed automatically. Keep in mind that a process closed this way can lose unsaved user data; if that is not acceptable, use ‘Skip installation when the application is in use’ instead.
- Available At: All Products, Vendors, and Products
- Applicable To: Software Updates, Applications
- Skip installation when the application is in use:
- This option will allow you to skip an update or application installation if the application process is in use.
- If an application is running while the update is attempted, the update will be skipped and will retry during the next Software Updates Deployment Evaluation Cycle.
- If an application is running while an application installation is attempted, the application will be skipped and will retry during the next Application Deployment Evaluation Cycle.
- This option can be helpful if you know a product may fail to update if the application is open, and you don’t want to close the application automatically.
- Available At: All Products, Vendors, and Products
- Applicable To: Software Updates, Applications
- Delete desktop shortcut(s) created by this application:
- This option will automatically delete any public desktop shortcut(s) created by a product’s installer.
- Available At: All Products, Vendors, and Products
- Applicable To: Software Updates, Applications
- Disable self-updater:
- This option will disable the product’s auto-update feature if it exists.
- Available At: All Products, Vendors, and Products
- Applicable To: Software Updates, Applications
- Manage installation logging:
- This option enables logging of the update or application installation on the client device.
- When enabled, a directory is created on the client (default path: C:\windows\ccm\logs\PatchMyPCInstallLogs) that stores the vendor’s installation log for that product, which gives more detail if troubleshooting is necessary. Additional checkboxes let you enable verbose logging, prefix the log file name with the client’s computer name, and designate a backup location for the log files of failed installations.
- Available At: All Products, Vendors, and Products
- Applicable To: Software Updates, Applications
- Modify command line:
- This allows you to modify the command line by inserting additional arguments.
- When enabled, a field will appear to insert additional arguments that will be appended to the existing silent command-line arguments for the product’s installation.
- Available At: Products
- Applicable To: Software Updates, Applications
- Manage custom pre/post update installation scripts:
- This option allows you to insert custom scripts that can be set to run either before or after the product installation.
- When enabled, you can browse to and select the files to insert as a pre-update script or a post-update script. Each script has a field for arguments if necessary. You can also insert any additional files or folders that the script(s) need access to.
- Please note that if the product has already been published, you will need to republish the update.
- Available At: Products
- Applicable To: Software Updates, Applications
- Manage MST transformation file:
- For products that use an MSI-based installer, you can apply a transform (.MST) file. A transform can modify information in any persistent table of the installer database.
- In the MST file dialog, select the .MST file and, if required, a .CAB file.
- Available At: Products that use MSI Based Installers
- Applicable To: Software Updates, Applications
3. Sync schedule options
- Click the ‘Sync Schedule’ tab and adjust the schedule as needed.
- The scheduled time is when the Publishing Service downloads the latest catalog metadata and auto-publishes applications for the enabled products to Microsoft Intune.
- The default schedule is Daily at 7 PM.
4. Alerts options
- Optionally, you can enable notifications in the ‘Alerts’ tab.
- To enable Email reports, configure your SMTP sending options.
- You can also paste a Microsoft Teams webhook URL to receive publishing alerts in a Microsoft Teams channel.
- Patch My PC recommends enabling alerts so you receive notifications of published products, including titles, classification, severity, CVE IDs, catalog expiration details, and more.
- We’ll configure all of these things in a later post in this series. Hang on!
That’s it for Part 3. Tomorrow I’ll post part 4 and we’ll start deploying applications!
Happy testing!