# Intune Third Party Patching

Chrome, Adobe Reader, Zoom, 7-Zip, Notepad++, Firefox — none of these get updates from Intune out of the box. Third-party apps turn into a manual repackaging backlog that never really clears. Patch Connect Plus extends Intune to close that gap, and your existing setup stays exactly as it is.

## Key Takeaways

#### What you need to know in 30 seconds

- #### Intune ships native updates for Windows, Office, Edge and drivers.
  Third-party apps like Chrome, Adobe and Zoom are not covered by default.
- #### The manual workaround is a second job.
  Download, repackage, detect, upload, assign — every app, every month.
- #### Patch Connect Plus closes the gap.
  1200+ supported apps, published into Intune as Win32 apps automatically.
- #### Intune stays your console.
  Assignments, compliance and reporting continue to run through Intune.
- #### Updates land in 6-9 hours.
  From vendor release to your Intune environment, with no manual packaging.
- #### No SCCM required.
  Built for IT teams on Intune who can't justify a full SCCM deployment.

## Does Intune patch third-party applications?

No, the gap is larger than most teams realize.

Intune handles Microsoft's own stack well: Windows quality and feature updates via Windows Update for Business, Microsoft 365 Apps, Edge, and drivers. If it carries a Microsoft logo, you're covered. Everything else is your problem.

There is no built-in catalog of third-party applications in Intune. When Google ships a Chrome security update, nobody auto-packages it for your tenant. When Adobe drops an emergency Acrobat patch, you're more likely to hear about it from a CISA advisory than from your Intune console.

Zoom, Slack, 7-Zip, Firefox, Java, VLC, Notepad++, TeamViewer — none of these have a native update path through Intune. Each one requires you to download the installer, package it as a Win32 app, write detection rules, test it, upload it, and assign it. Then do it again next month.

That's not a workflow.
That's a second job.

**What Intune does support:** the deployment of custom Win32 apps that you package.

**What it doesn't support:** automatic discovery, download, packaging and ongoing maintenance of third-party vendor releases. That missing layer is what the industry calls Intune third-party patching.

#### The Microsoft side of the line, and the other side

| Update Type | Handled natively by Intune? | What most teams do today |
|---|---|---|
| Windows quality & feature updates | Yes | Windows Update for Business rings |
| Microsoft 365 Apps updates | Yes | Office update channels |
| Microsoft Edge | Yes | Edge update policies |
| Drivers & firmware | Yes | Driver update profiles |
| Google Chrome | Manual workflow | Available in EAM as addon |
| Mozilla Firefox | Manual workflow | Available in EAM as addon |
| Zoom | Manual workflow | Available in EAM as addon |
| Adobe Acrobat Reader | Manual workflow | Available in EAM as addon |
| Notepad++ | Manual workflow | Available in EAM as addon |
| 7-Zip | No | Manual Win32 repackaging, or a patching extension |
| Oracle Java | No | Manual Win32 repackaging, or a patching extension |
| VLC Media Player | No | Manual Win32 repackaging, or a patching extension |

## A gap in third-party patching is a gap in your attack surface

This is easy to dismiss as a minor inconvenience. It isn't. A large share of modern vulnerabilities lives in non-Microsoft software.

- #### The security cost
  Vendors ship browser zero-day fixes within hours. If your rollout takes two weeks because someone has to hand-build an IntuneWin package, that's two weeks of exposure across every managed device. Multiply by the browsers, PDF readers and comms apps your users run, and the open windows add up fast.
- #### The admin cost
  Manually repackaging third-party apps is repetitive, low-leverage work. Download the installer. Convert it to .intunewin with IntuneWinAppUtil. Write detection rules. Figure out install switches. Upload. Assign. Test.
  Repeat for forty apps, every month. A senior admin's week disappears into it.

> "Intune isn't bad at what it does. It was never built to be the source of truth for every software vendor out there. It was built to manage Microsoft."

#### Does Intune support third-party patching at all?

With effort, yes. You can package any Win32 installer yourself and push it through Intune as an update. Nothing stops you. The real question is whether you want to carry that workload for every app, every month, forever. Most teams do the maths and decide they would rather not.

## How to patch third-party applications using Intune

There are two realistic paths. One is a slog. The other is built for teams that want their weekends back.

- **Method 1 — Manual**

  ### Repackage every installer yourself

  Download the vendor installer. Convert it to .intunewin using Microsoft's IntuneWinAppUtil tool. Write detection rules. Figure out the correct install and uninstall switches. Upload to Intune. Set up dependencies. Assign to a pilot group. Test. Promote. And then do it all again for the next vendor release, which will land within days. Multiply that by the 40 or 50 third-party apps your endpoints actually run, and patching becomes a full-time role.

- **Method 2 — Recommended**

  ### Use Patch Connect Plus to publish updates into Intune automatically

  **Patch Connect Plus** is a dedicated third-party patching tool from ManageEngine. It's built for IT teams managing 500+ endpoints on Intune who can't justify a full SCCM deployment. It plugs into your existing Intune environment through an Azure AD app registration and publishes pre-packaged updates for 1200+ applications directly into the Intune console. You keep Intune as your deployment console; Patch Connect Plus quietly handles the vendor release tracking, packaging and detection logic upstream.
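The "write detection rules" step of the manual method above, written as a custom PowerShell detection script for a Win32 app. This is an added example, not code from ManageEngine or Microsoft; the app name pattern, the minimum version and the function name `Get-LowestInstalledVersion` are assumptions chosen for illustration.

```powershell
# Added example: custom detection script for an Intune Win32 app.
# Intune reports the app as detected only when the script exits with code 0
# AND writes a string to STDOUT; any other outcome counts as "not detected".

$AppNamePattern = '7-Zip*'            # constructed sample; match your app's DisplayName
$MinimumVersion = [version]'1.2.3'    # constructed placeholder; set to the version you packaged

# Per-machine uninstall entries, native and 32-bit registry views
$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-LowestInstalledVersion {
    param(
        [string]   $NamePattern,
        [string[]] $Roots
    )
    $versions = foreach ($root in $Roots) {
        Get-ItemProperty -Path $root -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like $NamePattern -and $_.DisplayVersion } |
            ForEach-Object {
                $parsed = $null
                # DisplayVersion is vendor-defined text; skip values that are not dotted numbers
                if ([version]::TryParse([string]$_.DisplayVersion, [ref]$parsed)) { $parsed }
            }
    }
    # Use the lowest version found so that a stale side-by-side copy
    # is not reported as patched just because a newer copy also exists.
    $versions | Sort-Object | Select-Object -First 1
}

$installed = Get-LowestInstalledVersion -NamePattern $AppNamePattern -Roots $UninstallRoots

if ($installed -and $installed -ge $MinimumVersion) {
    Write-Output "Detected $AppNamePattern at version $installed"
    exit 0
}

# Not installed, unparseable version, or below the minimum: no STDOUT, non-zero exit
exit 1
```

When uploading the script, set "Run script as 32-bit process on 64-bit clients" to No so the first registry path is not redirected to the 32-bit view. Every new vendor release means bumping `$MinimumVersion` and re-testing, which is the recurring work the manual method describes.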
## Patch Connect Plus: an extension to Intune, not a replacement

The product plugs into Intune through an Azure AD app registration and publishes third-party app updates into your Intune environment as Win32 apps. Your workflow stays the same. Only the plumbing behind it changes.

Your admins keep working in the Intune console. Intune still owns assignments, rollout rings, compliance and reporting. What changes is the supply chain behind your third-party apps: your team stops chasing vendor release notes and repackaging installers, because Patch Connect Plus does that work upstream and hands the finished, tested package to Intune for deployment.

Think of it as giving Intune the third-party catalog it never shipped with. You don't switch tools, you just stop doing the repetitive part.

Built for IT teams managing 500+ endpoints on Intune who can't justify a full SCCM deployment.

- #### Intune keeps doing what Intune does
  - Updates appear in the Intune console as Win32 apps
  - Assignments use existing Intune groups and filters
  - Pilot rings, availability windows, deadlines all run through Intune
  - Compliance and install status reporting stay inside Intune
  - End users see updates via the Company Portal, same as today
- #### Patch Connect Plus does the upstream work
  - Handles vendor monitoring across 1200+ applications
  - Downloads and tests each installer
  - Packages the update with detection logic included
  - Pushes the finished package into Intune on your schedule
  - Cleans up superseded versions automatically

## How Intune third-party app updates flow end to end

Steps 1 to 3 are work you no longer do. Step 4 onwards is your existing Intune workflow.

1. **Vendor release detection**
   The central repository polls vendor update channels and publishes new versions, usually within 6 to 9 hours of release.
2. **Binary download and testing**
   Each installer gets fetched from the vendor source, signature-verified, and smoke-tested before it reaches any customer environment.
3. **Auto-publish to Intune**
   For apps flagged for auto-publishing, Patch Connect Plus pushes the update into your Intune environment as a Win32 app update, with detection rules and install commands already populated.
4. **Assignment in Intune (manual or automated)**
   Either assign the update yourself using Intune's native assignment model, or let Patch Connect Plus do it for you with an [Automate Updates Assignment task](https://www.manageengine.com/sccm-third-party-patch-management/kb/how-to-create-intune-automate-update-assignment-task.html).
5. **Reporting**
   Install status flows back through Intune's reporting. For a cross-environment view, the Patch Connect Plus [deployment reports](https://www.manageengine.com/sccm-third-party-patch-management/sccm-reports.html) cover that too.