🧩 Detailed Guide — Keeping Intune Apps Up to Date
Managing app updates in Microsoft Intune can quickly become complex, especially in larger environments with dozens of line-of-business, third-party, and Microsoft Store applications. The Reddit thread on this topic revealed a wide range of tools, strategies, and workflows that administrators use to keep their Intune apps current, secure, and compliant.
Below is a detailed breakdown of those approaches and practical insights you can apply.
🔧 1. Commonly Used Tools
Patch My PC
This is the most frequently recommended tool for automating third-party application updates in Intune. It integrates directly with Intune to publish and update apps, handle supersedence automatically, and provide compliance reporting. Admins value it for its simplicity and consistent reliability — but it comes at a cost that some small organizations find high.
Other Tools and Options
- Robopack – A free alternative (up to 100 devices) that can automatically package and update common apps.
- Action1 – Cloud-based patch management for remote devices.
- Chocolatey – Open-source package manager for Windows; often used with scripts or ConfigMgr integration.
- PDQ Connect / PDQ Deploy – Preferred by many on-prem admins; some use it in hybrid environments.
- WinGet-based Automation – PowerShell scripts leveraging the Windows Package Manager (WinGet) for free, flexible updates.
Each tool differs in automation depth, reporting, and cost. Patch My PC leads in enterprise-grade integration, while Robopack and WinGet scripts appeal to smaller or script-driven environments.
⚙️ 2. Automation Strategies
Most admins automate wherever possible, but they organize apps by update sensitivity:
- Critical apps (e.g., browsers, security tools, Office apps) are automated using Patch My PC or Robopack.
- Standard productivity apps are updated on a defined schedule or after validation in a test group.
- Low-risk or niche apps may remain manual but tracked through an internal app catalog.
To minimize disruption, staged rollouts are common:
- Test group (IT or pilot devices)
- Production group (wider user base after validation)
- Cleanup phase (remove old versions and deprecate outdated entries)
Some admins even treat app updates like DevOps pipelines — tagging versions, using Git for script storage, and maintaining rollback capability.
🧰 3. Manual and Semi-Automated Approaches
For environments that can’t justify full automation tools, many rely on manual packaging workflows supported by reminders and version tracking:
- Using Intune supersedence to replace old app versions automatically.
- Retaining only the latest 2–3 versions of each app to reduce storage and confusion.
- Scheduling monthly or quarterly reviews to check vendor websites or RSS feeds for new versions.
- Tracking apps affected by security vulnerabilities (CVEs) to ensure urgent patching.
Admins also maintain internal SharePoint or Excel lists as mini “update catalogs,” listing app name, publisher, current version, update frequency, and source URL.
💸 4. Cost Considerations
Smaller organizations often find Patch My PC too costly when managing a few hundred devices. In such cases:
- Robopack offers basic automation for free up to 100 devices.
- Custom PowerShell or WinGet scripts can automate installs and updates without licensing costs.
- Chocolatey Community Packages can supplement missing apps but must be used cautiously, verifying sources for integrity.
For larger enterprises, Patch My PC or Action1 provides better scalability, audit logging, and compliance assurance — crucial for regulatory requirements.
🔒 5. Best Practices
- Automate where possible – Reduces human error and ensures consistency.
- Use trusted vendor sources – Always verify signatures or use APIs for package retrieval.
- Version control – Keep changelogs, track supersedence, and tag versions in Intune.
- Staged rollouts – Deploy updates gradually to limit risk.
- Regular cleanup – Remove unused or outdated app versions to maintain a clean environment.
- Testing workflow – Validate app behavior and compatibility before company-wide release.
Admins also recommend using Intune reporting and Update Compliance dashboards to monitor update success and failure trends.
🧩 6. Handling Non-Automatable or Custom Apps
For proprietary or niche applications that can’t be auto-updated:
- Maintain manual tracking through vendor API checks or scripts that ping version endpoints.
- Use WinGet-AutoUpdate or custom PowerShell modules to check installed versions and fetch updates.
- Host internal update sources in Azure Storage or SharePoint for controlled delivery.
- Schedule periodic reviews to verify certificate validity, dependencies, and compatibility.
💡 7. Combining Strategies for a Hybrid Model
Many admins adopt a hybrid model:
- Use Patch My PC or Robopack for mainstream apps.
- Manage custom or internal apps manually through a structured review schedule.
- Employ WinGet or Chocolatey scripts for missing or unsupported software.
- Rely on Intune’s supersedence feature to automate version replacement once updates are packaged.
This approach balances automation with control, ensuring critical apps stay current while specialized tools remain stable.
🧭 Summary
Most Intune admins aim for a consistent, secure, and auditable app update process. The best results come from:
- Automating standard apps using verified tools.
- Implementing structured manual updates for custom apps.
- Tracking versions like code with proper documentation and cleanups.
- Leveraging secure APIs or vendor feeds to reduce risk.
