Patch my pc integration with intune

Steps

  • Prerequisite for setup
  • Create Enterprise Application, Client Secret, and Configure API Permissions in Microsoft Entra ID
  •  Integrate Microsoft Entra ID Enterprise Application with Patch My PC Application
  • Deployment of Applications for Monthly Patching
  • Maintenance of Applications and Updates Imported Into Intune from Patch My PC

Prerequisite For Setup

  • Make sure you have active license or licenses for PatchMyPC application. PatchMyPC application should be installed on the computer or server; typically, it is installed on the SCCM server. 
  • Make sure you have someone available who has Global Administrator credentials for Microsoft Entra ID to help grant authorization to the API permissions during the creation of the   Enterprise application for PatchMyPC. 
  • Make sure you have access to the Intune tenant. Intune Administrator role should be sufficient to access and review the applications and updates that are imported from PatchMyPC. 

Create Enterprise Application, Client Secret, and Configure API Permissions in Microsoft Entra ID

Create Enterprise Application

  • Log into the Microsoft Entra ID portal with your Global administrator role; http://portal.azure.com/. An account with Cloud Application Administrator role can be used to create the application and select the API permissions but after that the Global administrator role will be needed to “Grant Admin Consent for the organization“.
  • In the search App Registration and click New Registration
  • Name (PatchMyPC-Intune Integration App)>>>Supported Account Types (Accounts in this organizational directory only)>>>>Redirect URI (No need to enter any information)>>>click Register to register the application.

Configure API Permissions

  • In the left pane of the PatchMyPC-Intune Integration screen, click on API Permissions, click Add Permission and then search for and click on Microsoft Graph under the Microsoft APIs tab.
  • Within the Microsoft Graph API screen>>>What type of permissions does your application require? (Application Permssions)>>>search for and select these permissions; DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.ReadWrite.All, and GroupMember.Read.All and then click Add Permissions to add the selected permissions. Note that, User.Read Delegated permission is added by default to all Enterprise applications. 
  • Once the API permissions have been added, they will indicate Not granted for SkoaNowTechnologies under the Status column, with an account which has Global administrator role, click on Grant Admin Consent for SkoaNowTechnologies  to change it to Granted for SkoaNowTechnologies.

Create Client Secret

  • After creating the API permissions, select Certificates and Secrets from the left pane of the screen and under Client Secrets, click on New Client Secret>>>Description (PatchMyPC-Intune Integration)>>>Expires (24 months)>>>click Add to create the Client Secret indicating the Client Secret Description, Expires, Value, and Secret ID. 
  • Copy the Client Secret Value immediately to a Notepad or other Word document and save it to a secured location. It needs to be copied immediately because it is shown once and as soon as the screen refreshes or you log out and log back in, the Client Secret value will be truncated and you would not be able to use it unless you delete it and create a new one.    
  • Copy and save the Application (Client) ID together with the client secret value in the same document and these are what you will use to integrate the Microsoft Entra ID Enterprise application with PatchMyPC application.  

Integrate Microsoft Entra ID Enterprise Application with Patch My PC Application

  • This allows you to integrate the PatchMyPc-Intune Enterprise Application in Microsoft Entra ID with PatchMyPc application using the Client Secret Value and Application (Client) ID.
  • Navigate to the computer or server and open Patch My PC Publishing Service application, click on Intune Apps tab and check-mark the Enable creation of Win32 Applications in Microsoft Intune and then click on Options button.
  •  Friendly Name (PatchMyPc-Intune App Integration) >>>Authority (https://login.windows.net/skoanowtechnologies.com)>>>Application ID (Application ID of enterprise application created in Microsoft Entra ID)>>>Application Secret (Client Secret Value created in Microsoft Entra ID)>>>Certificate (You can ignore)>>>Digitally Sign the detection method script and enforce signature checking on the application in Intune (ignore this; otherwise enable it and click Browse and select the WSUS or other signing certificate)>>>enable the Update Enrollment Status Page associations with new application when an updated application is created>>>enable Copy the assignments from previously created applications or updates when an updated application is created >>>enable Delete the assignments from previously created applications when an updated application is created>>>Update application dependencies from previously created applications when an updated application is created (ignore this; otherwise enable it if you have a lot of applications which have dependencies)>>>Copy the requirements from previously created applications or updates when an updated application is created (ignore this; otherwise enable it if you have a lot of applications which have requirements)>>>enable Delete any previously created applications when an updated application is published (Retain up to [2] previously created applications)>>>enable Delete any previously created updates when a new update is published (Retain up to [2] previously created updates)>>>under Microsoft Graph API Settings, it should already have Authentication URL (https://graph.microsoft.com) and Graph base URL (https://graph.microsoft.com/beta).
  • After complete the configuration, click the Test button and make that you have a green check-mark on all the API permissions that were created in PatchMyPC-Intune enterprise application in Microsoft Entra ID; DeviceManagementApps.ReadWrite.All, DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All, DeviceManagementRBAC.Read.All, DeviceManagementServiceConfig.ReadWrite.All, and GroupMember.Read.All. It will indicate a red X if any of the required API permissions are missing.
  • Now click OK to go back to the main screen for Intune Apps. Select all the desired applications that you want to be published into Intune when new updates become available. Click Apply and click Save and Close to complete the process. Check to make sure that the configurations made under Intune Apps are replicated for the Intune Updates tab as well, otherwise go ahead and make the changes there as well. 

Deployment of Applications for Monthly Patching

  • Based on the setup of your individual or organizational setup, create three Microsoft Entra ID security groups; one for Test group (Intune Monthly Patch – Test Group),  Pilot group (Intune Monthly Patch – Pilot Group) and Production group (Intune Monthly Patch – Production Group).
  • On Patch Tuesday (Second Tuesday of every month), deploy the updates to the Intune Monthly Patch – Test Group. This may be deployed the same time that the windows updates from the update ring is deployed. 
  • For the third Tuesday of the month, deploy the updates to the devices in the Intune Monthly Patch – Pilot Group.
  • If there is no negative impact on the devices in the Test and Pilot groups, then on the fourth Tuesday/Thursday, deploy the updates to the Intune Monthly Patch – Production Group. 
  • If any of the updates have been superseded, based on your organizational setup, you can ignore them since they have not been tested or you can include the superseded updates in the pilot group to test and then include them in the production group if there is no negative impact.

Maintenance of Applications and Updates Imported Into Intune from Patch My PC

  • If the Patch My PC integration is not deleting the superseded applications and updates as desired, you may have to delete them manually to ensure that you are able to maintain a clean and streamlined catalog of applications and updates.
  • Based on the setup for application dependency and requirements setup for Patch My PC integration, you have to check to ensure that the dependencies and requirements for the various applications are set as desired; either by the Patch My PC integration or manually.