Applies to: On-premises Publisher

Before Getting Started

Here are a few important resources below to get you started.

Free 30-day trial

Free Setup Call with an Engineer

Video Installation Guide

If you prefer using a video guide, you can watch the video version below.

Continue Guide

Next up, start with the requirements

Applies to: On-premises Publisher

Catalog Information - License Key

When the publisher first launches, you will be required to provide a license key. If you have not yet purchased and received your license key, we provide two additional free options for testing our product.

The first option is to enable the This limited trial mode does have some restrictions including a limited number of products as covered in the link above. We encourage you to from our website. When you receive your full-trial or customer license email, it will contain your 20 character license key.

Applies to: On-premises Publisher

Downloading the Newest Version

You can always download the latest MSI installer of the publishing service using the following URL:

https://patchmypc.com/publishingservice-download

Run the Installation

Start the installation by double clicking the downloaded MSI.

Welcome Screen

Once the installation starts you'll be greeted by the welcome screen in our installer wizard, click next.

End-User License Agreement

The next step will be to accept the EULA. Make sure you select the "I accept the terms in the Agreement" and hit next.

Enable Intune Standalone Mode

When installing the product we provide an option called Intune Standalone mode. If you do NOT intend to use the product with Configuration Manager, ensure the option is checked and select next.

Select Installation Folder

By default, we install the publisher service in C:\Program Files\Patch My PC\Patch My PC Publishing Service\ This location is where we store all of the products configuration information.

Ready To Install

You are now ready to install the product! Click Install, and grab a drink of water.

Completed

Once the publisher has finished installing, just hit the finish button to close the install wizard.

Applies to: On-premises Publisher

When installing the Publisher for an Intune-only configuration, ensure you meet the following requirements:

Software:

• 4.6.2 or above

• An Internet connection

• The relevant

• Appropriate disk space depending on the number of products enabled

• Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025

  • When using Windows Server, only the WSUS API component needs to be installed, not full WSUS.

Hardware:

The Publisher is a lightweight Windows application with a GUI frontend and a Windows service backend. The hardware requirements can be found below.

• CPU: 2 CPU or more

• Memory: 8GB of RAM or more

• Disk Space: 80GB of disk space or more

  • The amount of disk space required will depend on the number of selected products.

Applies to: On-premises Publisher

Scheduling Daily Publish

By default, we recommend the Publisher sync runs on a daily basis. The sync schedule only controls when updates or applications are published to your environment. Keep in mind this will also affect assignment scheduling if you use the manage assignments feature.

When Patch My PC releases these new updates, the sync schedule is what automates the publication process.

You can also manually start the sync and publication process at any time by selecting the Run Publishing Service Sync option.

Intune Application Manager

After the sync, you can view the published products with the This feature will provide you with a live view of all Win32 apps currently in your Intune tenant.

It can help you:

• Export a list of your Intune Win32 apps to .csv, so you can use our to report on third party patching in Intune

• Manage live assignments for all of your existing Win32 apps in Intune

• Multi-select and delete Intune Win32 apps or their assignments

The utility can be found within the Publisher in either the Intune Apps or Intune Updates tab, on the right-hand side as a cloud icon with a magnifying glass:

Below is an example screenshot of what the utility looks like in a tenant with some Win32 apps. This is a live view of all Win32 apps currently in your tenant.

Applies to: On-premises Publisher

Feature Enablement

To enable products to publish, check the "Enable creation of Win32 applications in Microsoft Intune" checkbox.

Once the option is selected, you'll be able to enable other products. When first getting started with the product, it is recommended that you only choose one or two products to reduce the impact on the first sync and to validate your implementation quickly. We have found that Notepad++ and 7-Zip tend to be great initial use case tests.

To find and enable these products, you can search the list of products using Ctrl + F or by clicking on the magnifying glass in the lower right corner.

When you select the search button a dialogue will open, type in one of our example products and hit enter, or click OK.

Once you have found the product you want to patch, click the checkbox for your architecture choice and click Apply.

Applies to: On-premises Publisher

Feature Enablement

To enable products to publish, check the "Enable creation of Win32 updates in Microsoft Intune" checkbox.

Once the option is selected, you'll be able to enable other products. When first getting started with the product, it is recommended that you only choose one or two products to reduce the impact on the first sync and to validate your implementation quickly. We have found that Notepad++ and 7-Zip tend to be great initial use case tests.

To find and enable these products, you can search the list of products using Ctrl + F or by clicking on the magnifying glass in the lower right corner.

When you select the search button a dialogue will open, type in one of our example products and hit enter, or click OK.

Once you have found product you want to patch, click the checkbox for your architecture choice and click apply.

At this time you have completed the basic setup steps and are ready to continue to your first sync!

Applies to: On-premises Publisher

Local Content Repository

Certain require the content to be downloaded ahead of time into a known folder. This typically is related to specific vendors who's content can only be downloaded after logging in or paying for the software.

The products that need to be downloaded and stored locally are listed below.

Applies to: On-premises Publisher

To keep you informed when new applications and updates have been published, we provide three different ways to get notifications in your environment:

Applies to: On-premises Publisher

This article covers integrating the Patch My PC Publisher with your Intune tenant. We will go over creating an app registration in your Azure AD environment and configuring the Graph API permissions required for the Publisher to automatically create, update and assign Win32 applications in your Intune tenant; as well as configuring the tenant authority, application ID and application secret within the Publisher.

Topics covered in this article:

• Step 1: Registering the Patch My PC Application in Azure AD

Step 1: Registering the Patch My PC Application in Azure AD

In order for our service to have permissions to your Intune tenant for application management, start by navigating to your environment’s , head to App registrations, and click New registration in the top left of the main pane.

Give your app registration a relevant name such as “Patch My PC – Intune Connector”. Configure the account types based on your tenant requirements. For the Redirect URI, leave it to the default unless you have specific requirements for configuring the Redirect URI. Then click Register.

Step 2: Configure API Permissions for the New Application

After you register a new application, we will need to delegate certain permissions in order for the Patch My PC Publisher to create and update Win32 applications in your Intune tenant, as well as view Azure groups and create assignments for the applications automatically.

Once the new app is registered, navigate to the API permissions node in the left column of the newly created app’s page. In the API permissions page, click the button to Add a permission, then in the right pane that appears, select the Microsoft Graph API.

Then, you are prompted for what type of permissions your app requires select Application permissions. In the Select permissions table view, search for “DeviceManagement” and under those permissions, enable the following:

• DeviceManagementApps.ReadWrite.All

  (View and create applications in Intune)

• DeviceManagementConfiguration.Read.All

  (View properties and relationships of assignment filters)

• DeviceManagementManagedDevices.Read.All

Then, search for “GroupMember”, and under Group permissions, enable:

• GroupMember.Read.All

  • View Azure AD groups to enable automatic application deployment

Click Add permissions.

To approve the new permissions, click Grant admin consent for. Choose Yes if you are prompted to consent for the required permissions. You must be logged into an Azure AD account with permissions to perform this task.

The result is shown below.

Step 3: Configuring a Certificate or Client Secret

A certificate is considered more secure than a client secret for authentication to the new app registration as it is something you have (private key) rather than something you know (password). A client secret is the easiest configuration method but is considered less secure.

Choose either or from the steps below to create an authentication credential for use with the new app registration. We strongly recommend using .

Option 1: Creating a Self-Signed Certificate

The following are the current requirements for using certificate-based authentication that apply to both purchased and self-signed certificates:-

• A 2048-bit key length. While longer values are supported, the 2048-bit size is highly recommended for the best combination of security and performance.

• Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.

• The certificate is signed with the SHA256 hash algorithm (Entra ID also supports certificates signed with SHA384 and SHA512 hash algorithms).

Follow the steps below to create a self-signed certificate using the New-SelfSignedCertificate and Export-Certificate PowerShell cmdlets:-

Create the Certificate

Open a PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.

Copy the following code snippet to and paste into the elevated PowerShell window.

Verify the certificate was created successfully in the Local Machine Personal Certificate Store by running certlm.msc.

Export the Public Key

We need to export the Public Key and upload it to the new app registration for the Patch My PC Intune connector. Follow the steps below:-

Open PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.

Copy the following code snippet to and paste into the elevated PowerShell window.

Verify the certificate was exported successfully in the C:\temp\certs folder.

In the browser, navigate to the App registration created in and select the Certificates & secrets node in the left column. Select the Certificates and click Upload certificate.

Browse to the C:\temp\certs folder, select the certificate that was exported earlier, click Open and then click Add.

Verify the public key is listed correctly in the app registration.

Option 2: Creating a Client Secret

A client secret, a password string that our app will use to prove its identity when requesting a token. Navigate to the Certificates & secrets node in the left column, and click the button to add a New client secret. Decide on a description and expiration date (in months) that best suits your organization’s needs, then click Add.

Copy the Value for the Client Secret you created. Save this value to a secure location, you will enter the value under Application Secret in the Intune Options of the Publisher.

Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant

Navigate to the Overview node of the app registration, and copy the Application (client) ID. Save this value to a secure location along with your secret key value.

If you do not know your Intune tenant domain, navigate to the in your Intune tenant, and look at the property for Tenant name.

Now, it is time to go to the Intune Options window of the Publisher Patch My PC Publisher to configure the following:-

(depending on whether you followed Step 3 option 1 or option 2)

Authority

The Authority value is a URL made up from the Microsoft authentication endpoint and your tenant name. The newer Microsoft authentication endpoint should be used:- https://login.microsoftonline.com

Application ID

Paste the Application ID that you recorded earlier.

Certificate / Application Secret

If you chose to use a Certificate for authentication, click the certificate option and browse the Local Machine store for the correct certificate and click Ok.

If you chose to use a Client Secret for authentication, click the Application Secret option and enter the Client Secret value you recorded earlier.

Test Authentication, Connectivity and API Permissions

Click Test to view the Intune Connection Status and validate that the Publisher can connect to your Intune tenant. If the listed permissions all have a green checkmark under Enabled, you can now begin to publish applications to your Intune tenant.