{"id":4501,"date":"2022-12-19T08:40:07","date_gmt":"2022-12-19T16:40:07","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=4501"},"modified":"2022-12-19T08:40:09","modified_gmt":"2022-12-19T16:40:09","slug":"how-to-integrate-patchmypc-with-microsoft-intune","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=4501","title":{"rendered":"How to Integrate PatchMyPC with Microsoft Intune"},"content":{"rendered":"\n<p>This article covers integrating the Patch My PC Publisher with your <strong>Intune tenant<\/strong>. We will go over creating an <strong>app registration<\/strong> in your <strong>Azure AD<\/strong> environment and configuring the Graph API permissions required for the Publisher to automatically create, update and assign <strong>Win32 applications<\/strong> in your Intune tenant; as well as configuring the tenant authority, application ID and application secret within the Publisher.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-1-registering-the-patch-my-pc-application-in-azure-ad\">Step 1: Registering the Patch My PC Application in Azure AD<a href=\"https:\/\/docs.patchmypc.com\/installation-guides\/intune\/azure-app-registration#step-1-registering-the-patch-my-pc-application-in-azure-ad\"><\/a><\/h2>\n\n\n\n<p>In order for our service to have permissions to your Intune tenant for application management, start by navigating to your environment\u2019s <a href=\"https:\/\/portal.azure.com\/#blade\/Microsoft_AAD_IAM\/ActiveDirectoryMenuBlade\/RegisteredApps\">Azure AD portal<\/a>, head to <strong>App registrations,<\/strong> and click <strong>New registration<\/strong> in the top left of the main pane.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2F2uTc8vQqOksUbnoSoNWi%2Fimage.png?alt=media&amp;token=a9009893-c8a2-426c-843b-a07aafb7ffe6\" alt=\"\"\/><\/figure>\n\n\n\n<p>Give your app 
registration a relevant name such as \u201cPatch My PC \u2013 Intune Connector\u201d. Configure the account types based on your tenant requirements. Leave the Redirect URI at its default unless you have specific requirements for configuring it. Then click <strong>Register<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FRlJ0mSqqlt3sfuUbLyNz%2Fimage.png?alt=media&amp;token=fd803f41-d4a4-4617-973c-c911824c6e10\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-2-configure-api-permissions-for-the-new-application\">Step 2: Configure API Permissions for the New Application<a href=\"https:\/\/docs.patchmypc.com\/installation-guides\/intune\/azure-app-registration#step-2-configure-api-permissions-for-the-new-application\"><\/a><\/h2>\n\n\n\n<p>After you register the new application, we need to grant it certain permissions so that the Patch My PC Publisher can create and update Win32 applications in your Intune tenant, as well as view Azure groups and create assignments for the applications automatically.<\/p>\n\n\n\n<p>Once the new app is registered, navigate to the <strong>API permissions<\/strong> node in the left column of the newly created app\u2019s page. 
On the <strong>API permissions<\/strong> page, click the button to <strong>Add a permission<\/strong>, then in the right pane that appears, select the <strong>Microsoft Graph<\/strong> API.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FsOJ7rGMBAPPmm7WVf5MG%2Fimage.png?alt=media&amp;token=41b6c2a8-0824-4b31-9909-b7e923c6a831\" alt=\"\"\/><\/figure>\n\n\n\n<p>When you are prompted for the type of permissions your app requires, select <strong>Application permissions<\/strong>. In the <strong>Select permissions<\/strong> table view, search for \u201c<strong>DeviceManagement<\/strong>\u201d and under those permissions, enable the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>DeviceManagementApps.ReadWrite.All<\/strong><ul><li>View and create applications in Intune<\/li><\/ul><\/li><li><strong>DeviceManagementConfiguration.Read.All<\/strong><ul><li>View properties and relationships of assignment filters<\/li><\/ul><\/li><li><strong>DeviceManagementManagedDevices.Read.All<\/strong><ul><li>View device inventory for the auto-publish feature<\/li><\/ul><\/li><li><strong>DeviceManagementRBAC.Read.All<\/strong><ul><li>View scopes to be assigned to applications<\/li><\/ul><\/li><li><strong>DeviceManagementServiceConfig.ReadWrite.All<\/strong><ul><li>Update Enrollment Status Page configurations<\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FkQtE1oDP1ZHPV8AkVYyR%2Fimage.png?alt=media&amp;token=d4da6e3c-7150-4f33-a5bc-9a06c76170d5\" alt=\"\"\/><\/figure>\n\n\n\n<p>Then, search for \u201cGroupMember\u201d, and under Group permissions, enable:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>GroupMember.Read.All<\/strong><ul><li>View 
Azure AD groups to enable automatic application deployment<\/li><\/ul><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-legacy-files\/o\/assets%2F-MX7dvS0r_4fc0AikgJS%2F-ManEa8mwnUk1oEFiz5_%2F-ManEnkoc3w5xPcEZxhg%2Fimage.png?alt=media&amp;token=65915d34-1031-4b19-a359-d3019109ca8a\" alt=\"\"\/><\/figure>\n\n\n\n<p>App Registration Permissions<\/p>\n\n\n\n<p>Click <strong>Add permissions<\/strong>.<\/p>\n\n\n\n<p>To approve the new permissions, click <strong>Grant admin consent for<\/strong>. Choose <strong>Yes<\/strong> if you are prompted to consent for the required permissions. You must be logged into an Azure AD account with permissions to perform this task.<\/p>\n\n\n\n<p>Note: Granting admin consent may require one of the following roles: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/roles\/permissions-reference#global-administrator\">Global Administrator<\/a> or <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/roles\/permissions-reference#privileged-role-administrator\">Privileged Role Administrator<\/a>.<\/p>\n\n\n\n<p>The result is shown below.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FycPBeuEoAGX9BqEZy41N%2Fimage.png?alt=media&amp;token=36b651e4-8e5c-47c9-ab2a-88bdd4588e8a\" alt=\"\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-3-getting-the-client-secret-and-application-id\">Step 3: Getting the Client Secret and Application ID<a href=\"https:\/\/docs.patchmypc.com\/installation-guides\/intune\/azure-app-registration#step-3-getting-the-client-secret-and-application-id\"><\/a><\/h2>\n\n\n\n<p>Now, we must add a client secret, a string that our app will use to prove its identity when requesting a token. 
Navigate to the <strong>Certificates &amp; secrets node<\/strong> in the left column, and click the button to add a <strong>New client secret<\/strong>. Decide on a description and expiration date (in months) that best suits your organization\u2019s needs, then click <strong>Add<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FrNECtI2m0yaKfp0Vh1ss%2Fimage.png?alt=media&amp;token=d4dd7341-a34a-4352-898c-9f3f20713779\" alt=\"\"\/><\/figure>\n\n\n\n<p>Copy the <strong>Value <\/strong>for the Client Secret you created. Save this value to a secure location; you will enter it under <strong>Application Secret <\/strong>in the <strong>Intune Options <\/strong>of the Publisher.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FKzJPmIvp8kB9ZPUDh8Bw%2Fimage.png?alt=media&amp;token=e055d7f9-52c2-4a77-a62d-7290aaa1067a\" alt=\"\"\/><\/figure>\n\n\n\n<p>Application Secret for the Publisher<\/p>\n\n\n\n<p>Then, navigate to the <strong>Overview<\/strong> node, and copy the <strong>Application (client) ID<\/strong>. 
Save this value to a secure location along with your secret key value.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-legacy-files\/o\/assets%2F-MX7dvS0r_4fc0AikgJS%2F-MY6LQUH-umekEPxNl_P%2F-MY6UeG9tSdOGZKicGD1%2Fapplication-client-id.png?alt=media&amp;token=a3168933-b8c7-405a-a3f9-431f53479f58\" alt=\"\"\/><\/figure>\n\n\n\n<p>Application ID for the publisher<\/p>\n\n\n\n<p>You may receive an error similar to <strong>\u2018An error occurred while connecting to Intune: AADSTS7000215: Invalid client secret is provided.\u2019<\/strong> within the PatchMyPC.log file. If you receive this error, please <strong>repeat step 3 above<\/strong> to create a new secret, or review your existing secret configuration within the Publisher to ensure you are using the correct value.<\/p>\n\n\n\n<p>In addition to the client secret, certificate-based authentication is also available in the Patch My PC Publisher. For more information, see the Microsoft documentation: <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/howto-create-self-signed-certificate\">Create a self-signed public certificate to authenticate your application<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"step-4-configuring-the-patch-my-pc-publisher-to-connect-to-the-intune-tenant\">Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant<a href=\"https:\/\/docs.patchmypc.com\/installation-guides\/intune\/azure-app-registration#step-4-configuring-the-patch-my-pc-publisher-to-connect-to-the-intune-tenant\"><\/a><\/h2>\n\n\n\n<p>If you do not know your Intune tenant domain, navigate to the <a href=\"https:\/\/devicemanagement.microsoft.com\/#blade\/Microsoft_Intune_DeviceSettings\/TenantAdminMenu\/tenantStatus\">tenant status page<\/a> in your Intune tenant, and look at the property for <strong>Tenant name<\/strong>.<\/p>\n\n\n\n<figure 
class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-legacy-files\/o\/assets%2F-MX7dvS0r_4fc0AikgJS%2F-MY6LQUH-umekEPxNl_P%2F-MY6V3XG0tiUugLEj8hY%2Ftenant-status.png?alt=media&amp;token=e559948a-597c-4f30-89ad-4120c2538085\" alt=\"\"\/><\/figure>\n\n\n\n<p>Tenant status page<\/p>\n\n\n\n<p>Now, it is time to go to the <strong>Patch My PC Publisher<\/strong> and input the <strong>Authority<\/strong>, <strong>Application ID<\/strong>, and <strong>Application Secret<\/strong> into the <strong>Intune Options<\/strong> window of the Publisher.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FItLy8eR6AaBjIrg9uiUE%2Fimage.png?alt=media&amp;token=f3f74231-1941-4355-8159-70fa75ede628\" alt=\"\"\/><\/figure>\n\n\n\n<p>If you would like to use certificate-based authentication, choose the radio option <strong>Certificate<\/strong> and browse to select the certificate. The certificate needs to be in the local machine&#8217;s Personal store.<\/p>\n\n\n\n<p>Replace with the <strong>Tenant name<\/strong> you found in the <strong>tenant status page<\/strong> of your Intune tenant. Paste the <strong>Application ID<\/strong> and <strong>Application Secret<\/strong> that you saved earlier. Click <strong>Test<\/strong> to view the <strong>Intune Connection Status<\/strong> and validate that the <strong>Publisher<\/strong> can connect to your Intune tenant. 
If the listed permissions all have a green checkmark under <strong>Enabled<\/strong>, you can now begin to publish applications to your Intune tenant.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/1712629442-files.gitbook.io\/~\/files\/v0\/b\/gitbook-x-prod.appspot.com\/o\/spaces%2F-MX7dvS0r_4fc0AikgJS%2Fuploads%2FAloPXnq3x4XWeBWwHJzu%2Fimage.png?alt=media&amp;token=1a46eab8-12e2-498d-8902-db55b9a42b47\" alt=\"\"\/><\/figure>\n\n\n\n<p>If the associated tenant is on GCC High, then the changes below are required:<\/p>\n\n\n\n<p>Authority: <a href=\"https:\/\/login.microsoftonline.us\/\">https:\/\/login.microsoftonline.us<\/a><\/p>\n\n\n\n<p>Authentication URL: <a href=\"https:\/\/graph.microsoft.us\/\">https:\/\/graph.microsoft.us<\/a><\/p>\n\n\n\n<p>Graph Base URL: <a href=\"https:\/\/graph.microsoft.us\/beta\">https:\/\/graph.microsoft.us\/beta<\/a><\/p>\n\n\n\n<p>Ref: <a href=\"https:\/\/docs.patchmypc.com\/installation-guides\/intune\/azure-app-registration\">Azure App Registration &#8211; Getting Started (patchmypc.com)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article covers integrating the Patch My PC Publisher with your Intune tenant. 
We will go over creating an app registration in your Azure AD environment and configuring the Graph API permissions required for the Publisher to automatically create, update and assign Win32 applications in your Intune tenant; as well as configuring the tenant authority, <a class=\"read-more\" href=\"https:\/\/SUMMALAI.COM\/?p=4501\">Read More<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1185,10,1197,11],"tags":[1427,1428],"class_list":["post-4501","post","type-post","status-publish","format-standard","hentry","category-autopilot-intune","category-microsoft","category-patchmypc","category-website","tag-integrate-patchmypc-with-microsoft-intune","tag-register-patch-my-pc-with-azure"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4501","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4501"}],"version-history":[{"count":1,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=\/wp\/v2\/posts\/4501\/revisions"}],"predecessor-version":[{"id":4502,"href":"https:\/\/SUMMALAI.COM\/i
ndex.php?rest_route=\/wp\/v2\/posts\/4501\/revisions\/4502"}],"wp:attachment":[{"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4501"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4501"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/SUMMALAI.COM\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4501"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}