Software
Applies to: Patch My PC Publisher
Overview
The Publisher can be installed on either a Windows client or Windows Server operating system (see Core Requirements) when publishing applications and updates solely to Microsoft Intune. However, even in Intune-only scenarios, particularly when the Publisher is installed on a Windows client operating system, specific WSUS components are still required. These components provide the WSUS API functionality needed to process and deserialize the update catalog format usedby Patch My PC.
Tip
Some organizations have strict security or operational requirements that mandate the use of the Publisher instead of Patch My PC Cloud, or require separation of duties between Intune and ConfigMgr/WSUS administration teams. In these cases, it is fully supported to deploy a separate instance of the Publisher dedicated solely to Intune publishing, even if another Publisher instance already exists for WSUS or ConfigMgr.
This approach aligns with least-privilege principles, allowing permissions, credentials, and administrative access to be scoped specifically to the Intune publishing workflow.
Important
The Publisher does not need to be installed on each device receiving applications or updates from Intune.
The Publisher is used only to publish applications and updates into Intune. Once published, delivery, installation, and enforcement on client devices is handled entirely by the Intune Management Extension (IME), which is already automatically installed on Intune-managed Windows devices.
Installing the Publisher on individual client devices is not required and provides no benefit for application or update deployment.
Windows Server Operating System
If the Publisher is already being used with ConfigMgr and/or WSUS, and the same Publisher instance will also be used for Intune, the software requirements for ConfigMgr or WSUS will already satisfy the WSUS API component requirements to publish to Intune.
If the Publisher is being used exclusively for Intune, a full WSUS role installation is not required. In this case, only the WSUS API components must be installed to allow Publisher to process update metadata and interact with WSUS libraries used during publishing. The steps below explain how to install the required components for this scenario.
Install the WSUS UpdateServices API
Open an elevated PowerShell window.
Run the following command:
To confirm the UpdateServices API is installed, run:
The feature should show as Installed.
Windows Client Operating System
When installing the Publisher on a Windows 11 device, which is typical for Intune-only publishing scnearios, the WSUS RSAT tools must be installed. A full WSUS role installation is not required. If the RSAT tools are not installed, you will see the following messaage when installing the Publisher.
The steps below explain how to install the required components for this scenario.
Install WSUS RSAT Tools
Open an elevated PowerShell window.
Run the following command:
To confirm the WSUS RSAT tools were installed successfully, run:
The output should show the capability state as Installed.
Note
It is typicall for the download and installation of the WSUS RSAT tools to take ~15 minutes. Review C:\Windows\Logs\CBS\CBS.log and C:\Windows\Logs\DISM\dism.log for the download and installation progress.
Last updated
Was this helpful?