Hey folks, recently enough I have been working on a project in Intune where we had a requirement to support third party patching from Intune. Now, those who are from MECM/SCCM background they are well aware that how with security updates, we also have to support third party patching. There are lot of ways to achieve this, previously it started with SCUP(System Center Updates Publisher) then SCCM has integrated third party catalog support within itself too.
Many has tried to automate this process with third party tools too, there are many apps & tools available on the horizon but today we are going to talk about Manage Engine’s – Patch Connect Plus. Many of us might have configured it earlier with our SCCM infrastructure to support third party patching but what I am going to discuss here is how you can set it up with Intune.
There are already many article on this but here’s my take on the tool and hope this helps you too if you are stuck somewhere. I have tried to include as much details as possible.
Let’s see what are the basic requirements or pre-requsites for this.
1. Azure Active Directory P1/P2
2. Intune Subscription
3. Manage Engine Patch Connect Plus setup
4. Global Administrator/Cloud Application Administrator access on Azure AD and Enterprise Admin Access on-premise
Patch Connect Plus Installation
First of all, I am working with Free trial version here, but things are almost same except the license part in production full version scenario.
You can open the below link to download Patch Connect Plus or to get any details:
I have downloaded the trial version and triggered the installation as an admin on the server from the msi.
As you can see Installshield wizard appears for installation, got hrought the wizard step by step and complete it.
NOTE: if you have any other choice of port you can change it here.
Click on the Finish button to complete the installation and launch Patch connect plus.
After few seconds you will see your default browser will open a Web Console of Patch Connect Plus and as we can see below, for the first time login the default username and password is Admin.
NOTE: you can change login password and uername later from Admin tab > Credential Manager
Patch Connect Plus Configuration with Azure AD
When you login to patch connect plus console you will see that it asks for the initial setup like below, you can go step by step on each page and set it accordingly like proxy settings, sccm settings and others.
Since, I am concerned with Intune settings so I skip all and move to setup Patch Connect Plus with Intune and open Intune Settings.
So, in the above picture we can see that we have requirement for Application ID, Tenant ID and Client Security key which we can only get when we create a new App registration in Azure. Let’s jump into the Azure portal.
On the Azure portal, go to Azure Active Directory and open it. On your AAD console you will find App registrations click on it.
It will open a page like below, click on New registration to register a new App.
A new page will open where you would need to Enter the name of the app like below and select Supported account types. I have only one organisational directory so I select Single Tenant. You can select multi-tenant based on your requirement for supported account types.
I am keeping Redirect URI as blank there is no real need to set it up as you can see it’s optional. Click on Register to move ahead.
After you click on Register you will see the successful message on the corner and below page will open.
You can see the highlighted areas on the page which shows we get our Application ID and Tenant ID from here. Copy it and save it for future use.
Next, we would need to provide API permissions for this app for MS Graph.
Go to the API permissions page and click on Microsoft Graph
A blade opens from your right, select Application permissions and provide the below mentioned permissions accordingly, screenshots also provided for the same so that you don’t have any confusions:
1.DeviceManagementApps.Read.All 2.DeviceManagementApps.ReadWrite.All 3.DeviceManagementConfiguration.Read.All 4.DeviceManagementConfiguration.ReadWrite.All 5.DeviceManagementManagedDevices.Read.All 6.Device ManagementManagedDevices.ReadWrite.All
Once you have provided all the permissions you can see the details like below and in notifications you can see successfully saved permissions.
In this way applications are authorised to call APIs as you can see below, next step is to Grant Admin Consent for your tenant and you should have green ticks like below. If you have amber exclamation select and grant admin consent else you will face errors when you configure Patch Connect Plus.
Next, we would be creating Client Secret and we will try to get our last required component Client Secret Key for patch connect plus.
Go to Certificates & secrets and open Client Secrets, click on New client secret
On the blade from the right, enter Description and Select Expiry Period.
From the drop down you can see that there are lot of choices for Expiry period. You can also select for custom period.
Once you have created the Client Secret Key you need to copy its value and save it in a safe place, you can’t afford to lose this key, if you lose you have to generate a new Client Secret Key and repeat this process and make changes in Patch Connect Plus too.
Now, we have our all 3 required components which is required to setup Patch Connect Plus.
We have our Application ID, Tenant ID and Client Security Key.
Patch Connect Plus Initial Setup
Let’s now go back to the Patch Connect Plus Console and enter all these value like below:
Select other options as per your requirement and click on Next. It will move to next setup of alerts but will show a green pop up at the top for few seconds that Intune Setup has been completed successfully.
Setup your official mail id and confirm the checkbox to complete the initial setup.
Publishing Third-Party Updates to Intune
If everything went well and you have no issues with the setup and configuration you will see the screen like below.
You can check few details in this page like Published Updates, Available Updates, Last intune deployment sync time and others.
Let’s try to select one update and click on Publish Updates to test if it works perfectly.
Select the patch and click on Publish Updates.
It will ask for your confirmation to publish, click yes
Check the progress at the top and select Click Here.
We can see that its status is in progress. Lets wait for it to complete and meanwhile lets login to Intune portal > go to Apps > Windows Apps.
After the publish is complete, you can see a new Win32 app here which starts with – Updates For. This is the same patch which we published from Patch Connect Plus.
If you want to publish multiple patches together you can select the check-boxes besides and click on Publish Now.
And that is how simply your Third-party patching has been automated. It’s very simple to configure very easy to use and saves lots of effort and time.😎
In case if you want to change any settings in future you can go to Admin tab and select Intune settings.
If you require more details on this tool, there is a great documentation by Manage Engine itself on their page below:
Also, you can get a quote and compare editions.