Azure App Registration

Last updated 6 months ago

Applies to: On-premises Publisher

This article covers integrating the Patch My PC Publisher with your Intune tenant. We will go over creating an app registration in your Azure AD environment and configuring the Graph API permissions required for the Publisher to automatically create, update and assign Win32 applications in your Intune tenant, as well as configuring the tenant authority, application ID and application secret within the Publisher.

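Topics covered in this article:

  • Step 1: Registering the Patch My PC Application in Azure AD
  • Step 2: Configure API Permissions for the New Application
  • Step 3: Configuring Certificates & Secrets
    • Option 1: Creating a self-signed Certificate
      • Create the Certificate
      • Export the Public Key
    • Option 2: Creating a Client Secret
  • Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant
    • Test authentication, Connectivity and API Permissions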

Step 1: Registering the Patch My PC Application in Azure AD

For our service to have permissions to your Intune tenant for application management, start by navigating to your environment’s Azure AD portal, go to App registrations, and click New registration in the top left of the main pane.

Give your app registration a relevant name such as “Patch My PC – Intune Connector”. Configure the account types based on your tenant requirements. For the Redirect URI, leave it to the default unless you have specific requirements for configuring the Redirect URI. Then click Register.

Step 2: Configure API Permissions for the New Application

After you register a new application, we need to grant it certain permissions so that the Patch My PC Publisher can create and update Win32 applications in your Intune tenant, as well as view Azure groups and create assignments for the applications automatically.

Once the new app is registered, navigate to the API permissions node in the left column of the newly created app’s page. In the API permissions page, click the button to Add a permission, then in the right pane that appears, select the Microsoft Graph API.

When you are prompted for the type of permissions your app requires, select Application permissions. In the Select permissions table view, search for “DeviceManagement” and under those permissions, enable the following:

  • DeviceManagementApps.ReadWrite.All (View and create applications in Intune)

  • DeviceManagementConfiguration.Read.All (View properties and relationships of assignment filters)

    NOTE: The DeviceManagementConfiguration.Read.All permission is not needed if you are on the deprecated Intune Essentials subscription.

  • DeviceManagementManagedDevices.Read.All (View device inventory for the auto-publish feature)

  • DeviceManagementRBAC.Read.All (View scopes to be assigned to applications)

  • DeviceManagementServiceConfig.ReadWrite.All (Update Enrollment Status Page configurations)

Then, search for “GroupMember”, and under Group permissions, enable:

  • GroupMember.Read.All (View Azure AD groups to enable automatic application deployment)

Click Add permissions.

To approve the new permissions, click Grant admin consent for. Choose Yes if you are prompted to consent for the required permissions. You must be logged into an Azure AD account with permissions to perform this task.

The result is shown below.

Step 3: Configuring a Certificate or Client Secret

A certificate is considered more secure than a client secret for authentication to the new app registration as it is something you have (private key) rather than something you know (password). A client secret is the easiest configuration method but is considered less secure.

Option 1: Creating a Self-Signed Certificate

Self-signed certificates with long expiry dates may use outdated hash and cipher suites that may not be strong enough as industry standards and best practices change. For this reason, choose short expiry dates or purchase a certificate signed by a well-known certificate authority.

The following are the current requirements for using certificate-based authentication that apply to both purchased and self-signed certificates:-

  • A 2048-bit key length. While longer values are supported, the 2048-bit size is highly recommended for the best combination of security and performance.

  • Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.

  • The certificate is signed with the SHA256 hash algorithm (Entra ID also supports certificates signed with SHA384 and SHA512 hash algorithms).

  • The certificate is valid for only one year.

Follow the steps below to create a self-signed certificate using the New-SelfSignedCertificate and Export-Certificate PowerShell cmdlets:-

Create the Certificate

Open a PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.

Copy the following code snippet and paste it into the elevated PowerShell window.

$subjectName = 'PatchMyPCIntuneConnector'
$certStore = 'LocalMachine'
$validityPeriod = 12   # months

$newCert = @{
    Subject = "CN=$($subjectName)"
    CertStoreLocation = "Cert:\$($certStore)\My"
    HashAlgorithm = 'sha256'
    # The private key cannot be exported from this computer
    KeyExportPolicy = 'NonExportable'
    KeyUsage = 'DigitalSignature'
    KeyAlgorithm = 'RSA'
    KeyLength = 2048
    KeySpec = 'Signature'
    NotAfter = (Get-Date).AddMonths($($validityPeriod))
    # Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
    TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
}
# Keep the result in $cert; the export step below uses it
$cert = New-SelfSignedCertificate @newCert

Verify the certificate was created successfully in the Local Machine Personal Certificate Store by running certlm.msc.
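
A check of the new certificate against the requirements listed above, as an added example that is not part of the original article and is not Patch My PC's own code. The function name Test-ConnectorCertificate and the 30-day expiry warning are assumptions; the subject name is the one used in the snippet above.

```powershell
# Added example. Test-ConnectorCertificate is a hypothetical helper name.
function Test-ConnectorCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,

        # Assumption: warn this many days before expiry so the certificate can be replaced in time.
        [int]$ExpiryWarningDays = 30
    )
    process {
        $findings = [System.Collections.Generic.List[string]]::new()

        # Requirement: RSA algorithm with a key length of at least 2048 bits.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $keySize = $null
        if ($null -eq $rsa) {
            $findings.Add("Public key is not RSA ($($Certificate.PublicKey.Oid.FriendlyName)).")
        } else {
            $keySize = $rsa.KeySize
            $rsa.Dispose()
            if ($keySize -lt 2048) {
                $findings.Add("RSA key is $keySize bits; at least 2048 is required.")
            }
        }

        # Requirement: signed with SHA256 (SHA384 and SHA512 are also supported).
        $allowedSignatureOids = @{
            '1.2.840.113549.1.1.11' = 'sha256RSA'
            '1.2.840.113549.1.1.12' = 'sha384RSA'
            '1.2.840.113549.1.1.13' = 'sha512RSA'
        }
        if (-not $allowedSignatureOids.ContainsKey($Certificate.SignatureAlgorithm.Value)) {
            $findings.Add("Signature algorithm '$($Certificate.SignatureAlgorithm.FriendlyName)' is not SHA256, SHA384 or SHA512 with RSA.")
        }

        # Requirement: valid for only one year (one day of slack for clock offsets at issuance).
        if ($Certificate.NotAfter -gt $Certificate.NotBefore.AddYears(1).AddDays(1)) {
            $findings.Add("Validity period is longer than one year ($($Certificate.NotBefore) to $($Certificate.NotAfter)).")
        }

        # The certificate must still be valid, and the private key must be on this computer.
        $now = Get-Date
        if ($Certificate.NotAfter -lt $now) {
            $findings.Add("Certificate expired on $($Certificate.NotAfter).")
        } elseif ($Certificate.NotAfter -lt $now.AddDays($ExpiryWarningDays)) {
            $findings.Add("Certificate expires within $ExpiryWarningDays days ($($Certificate.NotAfter)).")
        }
        if (-not $Certificate.HasPrivateKey) {
            $findings.Add('No private key is associated with this certificate in the store.')
        }

        [pscustomobject]@{
            Subject            = $Certificate.Subject
            Thumbprint         = $Certificate.Thumbprint
            KeySize            = $keySize
            SignatureAlgorithm = $Certificate.SignatureAlgorithm.FriendlyName
            NotAfter           = $Certificate.NotAfter
            Compliant          = ($findings.Count -eq 0)
            Findings           = $findings
        }
    }
}

# Check every certificate in the Local Machine Personal store with the subject used above.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq 'CN=PatchMyPCIntuneConnector' } |
    Test-ConnectorCertificate
```

An empty Findings list with Compliant set to True means the certificate matches the requirements listed in this article; more than one result means several certificates share the subject name, so compare thumbprints before selecting one in the Publisher.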

Export the Public Key

We need to export the Public Key and upload it to the new app registration for the Patch My PC Intune connector. Follow the steps below:-

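Open a PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.

Copy the following code snippet and paste it into the elevated PowerShell window.

$subjectName = 'PatchMyPCIntuneConnector'
$certFolder = "C:\temp\certs"
New-Item -Path $certFolder -ItemType Directory -Force | Out-Null
# Reuse $cert from the previous step, or look it up again if this is a new PowerShell session
if (-not $cert) {
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object { $_.Subject -eq "CN=$subjectName" } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
}
# Export only the public certificate (.cer); the private key stays in the certificate store
$certExport = @{
    Cert = $cert
    FilePath = "$($certFolder)\$($subjectName).cer"
}
Export-Certificate @certExport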

Verify the certificate was exported successfully in the C:\temp\certs folder.

If you receive the message "The system cannot find the path specified" (as shown below), please ensure the credentials used to launch the PowerShell session have permission to create a folder at C:\temp or specify a new path for the $certFolder variable where you do have permission to create the folder.

Browse to the C:\temp\certs folder, select the certificate that was exported earlier, click Open and then click Add.

Verify the public key is listed correctly in the app registration.

Option 2: Creating a Client Secret

A client secret is a password string that our app will use to prove its identity when requesting a token. Navigate to the Certificates & secrets node in the left column, and click the button to add a New client secret. Decide on a description and expiration date (in months) that best suits your organization’s needs, then click Add.

Microsoft recommends a client secret expiration of no longer than 6 months.

Copy the Value for the Client Secret you created and save it to a secure location. You will enter this value under Application Secret in the Intune Options of the Publisher.

Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant

Navigate to the Overview node of the app registration, and copy the Application (client) ID. Save this value to a secure location along with your secret key value.

Now, it is time to go to the Intune Options window of the Patch My PC Publisher to configure the following:-

Authority

The Authority value is a URL made up from the Microsoft authentication endpoint and your tenant name. The newer Microsoft authentication endpoint should be used:- https://login.microsoftonline.com

Referring to the screenshot above, replace tenantname.onmicrosoft.com with the Tenant name you found in the tenant status page of your Intune tenant. The construct of the URL should look something like https://login.microsoftonline.com/<<Tenant name>>. The complete Authority value should look similar to this example:- https://login.microsoftonline.com/tenantname.onmicrosoft.com

Application ID

Paste the Application ID that you recorded earlier.

Certificate / Application Secret

If you chose to use a Certificate for authentication, click the certificate option and browse the Local Machine store for the correct certificate and click Ok.

If you chose to use a Client Secret for authentication, click the Application Secret option and enter the Client Secret value you recorded earlier.

Test Authentication, Connectivity and API Permissions

Click Test to view the Intune Connection Status and validate that the Publisher can connect to your Intune tenant. If the listed permissions all have a green checkmark under Enabled, you can now begin to publish applications to your Intune tenant.

A full Intune API reference KB article for the Publisher can be found at https://patchmypc.com/patchmypc-publisher-api-reference

Note: Granting admin consent may require one of the following roles: Global Administrator or Privileged Role Administrator.

More guidance on why a certificate should be used instead of a client secret can be found at https://learn.microsoft.com/en-us/azure/active-directory/develop/security-best-practices-for-app-registration#certificates-and-secrets

Choose either Option 1 or Option 2 from the steps below to create an authentication credential for use with the new app registration. We strongly recommend using Option 1.

Certificate-based authentication is the preferred authentication method when connecting to an Azure App Registration. This document will focus on creating a self-signed certificate for use with the Patch My PC Publisher: Create a self-signed public certificate to authenticate your application.

In the browser, navigate to the App registration created in Step 1 and select the Certificates & secrets node in the left column. Select Certificates and click Upload certificate.

If you have already followed the instructions for Option 1, you do not need to create a client secret. Instead, go to Step 4.

You may receive an error similar to ‘An error occurred while connecting to Intune: AADSTS7000215: Invalid client secret is provided.’ within the PatchMyPC.log file. If you receive this error, please repeat option 2 above to create a new secret, or review your existing secret configuration within the Publisher to ensure you are using the correct value.

If you do not know your Intune tenant domain, navigate to the tenant status page in your Intune tenant, and look at the property for Tenant name.

The Intune Options to configure are:

  • Authority
  • Application ID
  • Certificate or Application Secret (depending on whether you followed Step 3 option 1 or option 2)

If the associated tenant is on GCC High, the changes below are required:

  • Authority: https://login.microsoftonline.us
  • Authentication URL: https://graph.microsoft.us
  • Graph Base URL: https://graph.microsoft.us/beta