Scenario 5: Mixed Environment (ConfigMgr, WSUS and Intune)

Applies to: Patch My PC Publisher

Overview

Use this scenario when the Publisher is used to publish third party applications and updates in a mixed environment that includes ConfigMgr, Windows Server Update Services (WSUS), and Intune. This configuration is typically intended for organizations transitioning between management platforms or managing multiple platforms simultaneously.

In this scenario, a Software Update Point (SUP) site system role that leverages WSUS is used as the update publishing endpoint for the Publisher. The Publisher publishes third-party update metadata and binaries directly to the WSUS instance associated with the top-level SUP in the ConfigMgr environment.

ConfigMgr uses the SUP to synchronize third-party update metadata from WSUS. After synchronization, ConfigMgr orchestrates update approval, deployment and reporting.

The same Publisher instance can also be used to publish third-party applications and updates to Intune.

After completing the configuration steps in this section, the Publisher will be ready to publish third-party applications to both ConfigMgr and Intune and third-party updates to both WSUS and Intune.

Checklist

Before configuring the Publisher, ensure the following information is identified and validated:

General Items

• You have started a trial and/or have a valid license key.

• The Publisher installation location has been identified.

• Publisher core requirements are met.

Platform Checklist (WSUS)

• Publisher platform requirements are met.

Platform Checklist (ConfigMgr)

• Publisher platform requirements are met.

• The SUP site system role has been considered and is configured.

• The location and the name of the ConfigMgr site database has been identified.

• The SMS Provider location has been identified.

Platform Checklist (Intune)

• Publisher platform requirements are met.

Installation and Configuration Steps

The following steps are suitable for getting the Publisher up and running in most environments and are recommended to be completed before selecting products to enable for publishing and applying product customizations.

1. After the core, WSUS, ConfigMgr and Intune platform requirements have been met, and the Publisher installation location is identified, download and install the Publisher.

2. Open the Publisher console and go to the General tab. Enter your license key or start a trial.

3. Click the Validate button to validate the licence.

4. On the General tab still, confirm that a valid code signing certificate is selected or create/select one.

5. On the General tab still, configure log retention to keep a minimum of 10 logs and set the maximum log size to 10 megabytes.

6. Go to the Updates tab, right-click the All Products node in the product tree and enable and configure, the Manage Installation Logging customization option. This ensures detailed installation logs are generated on client devices when third-party applications are installed. This helps with troubleshooting if issues occur during installation.

7. Go to the ConfigMgr Apps tab and configure the Scan ConfigMgr Database for Supported Products form control.

8. On the ConfigMgr Apps tab still, right-click the All Products node in the product tree and enable and configure, the Manage Installation Logging customization option.

9. On the ConfigMgr Apps tab still, click the Options button. Configure the SMS Provider connection by specifying the SMS Provider server and validating connectivity.

10. On the same Options page, configure the source folder used for application content. Ensure the folder is accessible to the ConfigMgr site server and distribution points.

11. On the same Options page, review the Application Creation Options section:

    1. Disable the option to allow applications to be installed from the Install Application task sequence action unless it is required for your environment.

    2. Configure a default folder in the Applications node so applications published by the Publisher are centralized and easy to manage.

    3. Leave the default options enabled to update existing application metadata, deployment types, detection methods, and content when new application versions are published.

    4. Configure application retention to keep at least 1 previous version to support rollback scenarios using supersedence.

12. Review Content Distribution Options and confirm applications are automatically distributed to the appropriate distribution points if required.

13. Go to the Intune Apps tab, check Enable creation of Win32 applications in Microsoft Intune and the Options form will open.

14. Enter a Tenant Friendly name.

15. From the information gathered when creating the Entra ID App Registration, complete the Authority URL, enter the Application (Client) ID and select the credential (Enter an App Secret or select a Client Authentication certificate). For more information, see Authentication Settings.

16. On the same Options page, review the Application Options section:

    1. Consider enabling the Update application dependencies... and Copy the requirements... options

    2. Configure application retention to keep at least 1 previous version to support rollback scenarios using supersedence.

    3. Consider enabling Allow available uninstall.

17. Click Test Connection to verify the app registration is configured correctly.

18. On the Intune Apps tab still, right-click the All Products node in the product tree and enable and configure, the Manage Installation Logging customization option. This ensures detailed installation logs are generated on client devices when third-party applications are installed. This helps with troubleshooting if issues occur during installation.

19. Go to the Intune Updates tab and check Enable creation of Win32 updates in Microsoft Intune.

20. Click OK to close the options form that opens.

21. On the Intune Updates tab still, right-click the All Products node in the product tree and enable and configure, the Manage Installation Logging customization option. This ensures detailed installation logs are generated on client devices when third-party applications are installed. This helps with troubleshooting if issues occur during installation.

22. Go to the Sync Schedule tab to confirm the schedule aligns with your operational requirements.

23. Go to the Alerts tab to configure email or webhook notifications if publishing and operational notifications are required.

24. Go to the Advanced tab and review:

    1. Configure proxy settings if your environment requires outbound internet access through a proxy.

    2. Configure a Local Content Repository path for binary free applications.

    3. Consider enabling the option to Store encryption information locally to allow extraction of Win32 .intunewin files later.

25. Go to the About tab and review the self-update settings for the Publisher. If your organization has strict change control, disable automatic self updates. In most environments this is not recommended, as new versions include bug fixes and new features.

26. Click Apply to save the settings.

After completing these steps, the Publisher is configured and ready to publish third-party applications to both ConfigMgr and Intune and third-party updates to both WSUS and Intune.

The next step is to Customize and publish applications and updates.