Completely automate third-party patching via Microsoft Intune
The problem every Intune admin runs into
If you manage devices through Microsoft Intune alone, you already know about the gap. Intune handles Microsoft updates well, but it doesn't really handle anything else.
Intune can't automatically detect or deploy security updates for Adobe Reader, Chrome, or Java. You end up doing it manually, and most of what you do is a work-around.
So you repackage installers as Win32 apps, or you write scripts that pull from vendor download pages, and maybe you let users handle their own updates through Microsoft Store. None of this scales well, and the gap between OS patches and third-party patches keeps widening on your fleet. That's usually why your security team keeps flagging old versions of Chrome, Adobe, and Java in their scans.
What admins actually deal with
The repackaging treadmill
Intune handles Microsoft Store apps automatically, and driver updates work through update rings. For the rest of the enterprise software stack (Reader, Java, Chrome, 7-Zip, VLC, Zoom, and the usual suspects), you're picking between three flawed approaches.
The first is repackaging as Win32 apps. Every time a vendor releases a new version, you download the installer, wrap it, write detection logic, test it, and push it through Intune. For a fleet running 30 or 40 third-party apps, this eats two to three hours of someone's week, every week. If you fall behind because of a project or an incident, the unpatched window stretches out, and the only person tracking that is you.
The second is custom scripts. A PowerShell script pulling installers from vendor URLs and running them silently looks elegant until something changes: the URL, the installer format, or the silent install flag. Scripts fail quietly, and you find out during an audit that 200 endpoints have been running an old version for six weeks.
The third is user self-service. The theory is that users will install their own updates, but they won't. You'll find Chrome from two months ago, Acrobat versions with public CVEs against them, and Java installs that should have been retired last quarter.
The frustration isn't usually with Intune itself. It's that Intune doesn't ship the orchestration layer for third-party patches, and the work-arounds turn into a part-time job for whoever drew the short straw.
Visibility gaps
Microsoft System Center Configuration Manager (SCCM) users have Windows Server Update Services (WSUS) sitting in the middle of patch management, plus third-party catalogs that show what's available before deployment. Standalone Intune talks to Windows Update for Business directly. There's no equivalent layer for third-party patches.
You only realize what's missing or vulnerable after manual audits or when something breaks.
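One way to close the visibility gap without a catalog is an Intune detection script that reads installed versions from the Windows uninstall registry keys and compares them with a per-app minimum version, reporting findings and exiting non-zero instead of failing quietly. This is an added example, not ManageEngine's or Microsoft's code; the baseline versions are constructed placeholders to be replaced with the minimums your patch SLA requires.

```powershell
# Added example: inventory third-party app versions from the uninstall registry
# keys and flag anything below a baseline. Written as an Intune Remediations
# detection script: exit 0 = compliant, exit 1 = non-compliant (remediation runs).
# Baseline values are constructed placeholders, not real release numbers.
$Baseline = @{
    'Google Chrome' = [version]'120.0.0.0'
    'Adobe Acrobat' = [version]'23.0.0.0'   # matches Acrobat and Acrobat Reader
    '7-Zip'         = [version]'23.1.0.0'
    'Java'          = [version]'8.0.3910.0'
}

# 64-bit, 32-bit (WOW6432Node) and per-user installs; missing hives are ignored.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.DisplayVersion }

$Findings = foreach ($entry in $Installed) {
    foreach ($app in $Baseline.Keys) {
        if ($entry.DisplayName -notlike "$app*") { continue }
        # Vendor version strings are not always clean ("23.01", "8.0.3910.11").
        # A string that will not parse is reported, not silently skipped.
        $current = $null
        if (-not [version]::TryParse($entry.DisplayVersion, [ref]$current)) {
            [pscustomobject]@{ App = $entry.DisplayName; Version = $entry.DisplayVersion; Status = 'UnparseableVersion' }
            continue
        }
        if ($current -lt $Baseline[$app]) {
            [pscustomobject]@{ App = $entry.DisplayName; Version = $current; Status = "Below baseline $($Baseline[$app])" }
        }
    }
}

if ($Findings) {
    # Print each finding so it lands in the Intune script output, then exit 1.
    $Findings | ForEach-Object { Write-Output "$($_.App) $($_.Version): $($_.Status)" }
    exit 1
}
Write-Output 'All baseline apps at or above minimum version'
exit 0
```

Run it under the SYSTEM context so the HKLM keys are readable; the per-line output is what you will see in the device's script results instead of a silent gap.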
Scaling
Cloud-first teams picked Intune partly to avoid on-premises infrastructure. Third-party patching ends up being the awkward exception. You either accept the technical debt of inconsistent patching, or you bolt on tooling that brings back some of the complexity you were trying to get rid of.
Manual repackaging is fine when you're small. It turns into a full-time job somewhere around 500 endpoints with 30 or 40 apps. Past a few thousand endpoints, it stops being feasible. The patches aren't slow at that point. They're not happening.
Certificate trust
Some vendor installers need their signing certificates added to the device trust store before the update will run cleanly. Without a way to handle that automatically, you get silent install failures and per-device cleanup work nobody on the team has time for.
Why the gap exists
SCCM had two decades to grow up around Windows patching. It evolved with WSUS, learned to consume third-party catalogs, and built out deployment rules for almost every edge case.
Intune was built differently. It's a cloud-first management platform, optimized for what cloud-first companies usually run, which is mostly Microsoft and Store apps. That cloud-native simplicity is the point, but it's also why third-party patch orchestration isn't there. Closing the gap means adding a tool that knows how to do it.
How ManageEngine Patch Connect Plus fills the gap
ManageEngine Patch Connect Plus sits between vendor patch releases and your Intune environment. It does the parts Intune doesn't, and most of the value is in what it removes from your week.
It builds the inventory you didn't have
Patch Connect Plus scans your Intune-managed endpoints and figures out what's installed, at what version, and where. You don't maintain a list. You see Reader, Chrome, Java, and the rest as they actually are across your fleet, including the ones you forgot were installed.
Most teams are surprised by what this turns up. That alone is useful before you deploy a single patch.
It catches patches when vendors release them
When Adobe, Oracle, Google, or one of the other major vendors ships a patch, Patch Connect Plus picks it up. You're not subscribed to a dozen vendor mailing lists. You're not refreshing the Chrome enterprise page every Tuesday morning.
If a critical Chrome CVE drops at 9am, the patch is in your console within hours. You review it, approve it, and it goes into your existing Intune deployment policies.
Setup is roughly five minutes
You authenticate to your Intune environment through the Microsoft Graph API, pick which apps you want managed, and define deployment rings. That's the setup. The system runs itself after that.
You don't open the Patch Connect Plus console again unless you're adding apps to the list. Those five minutes are most of the time you'll spend on it.
Win32 packaging without the packaging
For apps you haven't already created in Intune, Patch Connect Plus builds the Win32 package for you. You don't write detection rules, figure out silent install flags, or test installer parameters against five different vendor formats.
You pick "I want to patch Adobe Reader." The package shows up in your Intune environment ready to deploy. Same for Chrome, Java, 7-Zip, and the rest of the standard list.
Published into Intune, not around it
Patches go into your Intune environment through the same channels you already use. There's no second console to learn and no parallel infrastructure. When you open Intune, the third-party patches sit alongside the Microsoft ones. You assign them to existing groups, apply your existing compliance policies, and watch deployment in the same reports.
Admins who know Intune don't have anything new to learn. The third-party patches just show up in the workflow they already have.
Compliance reporting that holds up in audits
You get a view of patch status across the fleet: which devices are missing the latest Reader version, which Chrome installs are behind, and which apps have open CVEs against deployed versions.
When the security team asks whether you're patched against a specific CVE, you pull the report. Audit conversations get shorter.
Certificate handling
For patches that need vendor certificates trusted before they'll install, Patch Connect Plus pushes the certificates to the device trust store ahead of the install. Deployments stop failing silently for trust reasons.
What this looks like in practice
You turn on Patch Connect Plus and select your standard apps: Reader, Chrome, Java, 7-Zip, VLC, or whatever your list is.
Patch Connect Plus creates the Win32 packages in your Intune environment in the first week, and your deployment rings line up with whatever patch SLA you already use.
After that, the loop runs itself. A vendor ships a patch, Patch Connect Plus picks it up, the package goes to Intune, and your existing policy moves it through Ring 1 (your team), Ring 2 (pilot users), and then Ring 3 (everyone else). You check the dashboard once a week to see compliance numbers and chase a few stragglers.
That's the whole job. Third-party patching ends up looking a lot like Windows updates already do, which is mostly invisible until something needs your attention.
Where this matters most
The math changes for most teams around the 500-endpoint mark with 30 or 40 apps in scope. Three admins spending 10 hours a week on repackaging drops to two or three hours of approvals and monitoring. That's most of a working day back per admin per week, which is enough time to actually move on the security work that keeps slipping.
At a few thousand endpoints, the math stops being about hours and starts being about whether the work was getting done at all. At that scale, manual patching of 50+ apps isn't a slow process; it's an aspiration nobody's hitting.
What admins notice after a few weeks
A few things come up consistently from teams running Patch Connect Plus on Intune.
Time spent on patch packaging drops, which is the obvious one. Compliance numbers on third-party apps go up, which is the one security cares about. High-severity CVEs get patched faster, which is the one that matters when something actually goes wrong. User complaints about old software get rarer, and audit conversations about patch management get a lot shorter.
None of these are dramatic by themselves. The shift is that third-party patching moves from "the thing we should be doing" to "the thing that's actually getting done," which is usually the whole point.
Getting started
If you manage third-party software through Intune and the repackaging cycle is eating your week, ManageEngine Patch Connect Plus removes most of it. Setup is short, and the change in patch posture usually shows up inside the first month.
Visit the ManageEngine Patch Connect Plus product page to see the full details on the Intune integration.
FAQ
Do I need an on-premises server for this?
No. Patch Connect Plus talks to Intune through the Microsoft Graph API. The integration is fully cloud-to-cloud.
Does it work with my existing Intune groups and compliance policies?
Yes. Patches deploy through standard Intune assignments. You're not replacing anything you've already configured.
What about apps it doesn't recognize?
You can upload custom apps and define detection rules manually. The built-in coverage handles most of the common enterprise stack: Adobe products, Chrome, Firefox, Java, 7-Zip, VLC, Zoom, Slack, Notepad++, and other similar apps.
Is it useful for audits?
Yes. The deployment and compliance reports cover what GDPR, HIPAA, PCI DSS, and ISO 27001 conversations usually ask for.
If repackaging installers is consuming the part of your week you'd rather spend on actual security work, this is the gap ManageEngine Patch Connect Plus closes.