Chrome, Adobe Reader, Zoom, 7-Zip, Notepad++, Firefox — none of these get updates from Intune out of the box. Third-party apps turn into a manual repackaging backlog that never really clears. Patch Connect Plus extends Intune to close that gap, and your existing setup stays exactly as it is.
Third-party apps like Chrome, Adobe and Zoom are not covered by default.
Download, repackage, detect, upload, assign — every app, every month.
1200+ supported apps, published into Intune as Win32 apps automatically.
Assignments, compliance and reporting continue to run through Intune.
From vendor release to your Intune environment, with no manual packaging.
Built for IT teams on Intune who can't justify a full SCCM deployment.
No, the gap is larger than most teams realize.
Intune handles Microsoft's own stack well: Windows quality and feature updates via Windows Update for Business, Microsoft 365 Apps, Edge, and drivers. If it carries a Microsoft logo, you're covered.
Everything else is your problem. There is no built-in catalog of third-party applications in Intune. When Google ships a Chrome security update, nobody auto-packages it for your tenant. When Adobe drops an emergency Acrobat patch, you're more likely to hear about it from a CISA advisory than from your Intune console. Zoom, Slack, 7-Zip, Firefox, Java, VLC, Notepad++, TeamViewer: none of these have a native update path through Intune. Each one requires you to download the installer, package it as a Win32 app, write detection rules, test it, upload it, and assign it. Then do it again next month.
That's not a workflow. That's a second job.
What Intune does support: the deployment of custom Win32 apps that you package. What it doesn't support: automatic discovery, download, packaging and ongoing maintenance of third-party vendor releases. That missing layer is what the industry calls Intune third-party patching.
| Update type | Handled natively by Intune? | What most teams do today |
|---|---|---|
| Windows quality & feature updates | Windows Update for Business rings | |
| Microsoft 365 Apps updates | Office update channels | |
| Microsoft Edge | Edge update policies | |
| Drivers & firmware | Driver update profiles | |
| Google Chrome | Manual workflow | Available in EAM as addon |
| Mozilla Firefox | Manual workflow | Available in EAM as addon |
| Zoom | Manual workflow | Available in EAM as addon |
| Adobe Acrobat Reader | Manual workflow | Available in EAM as addon |
| Notepad++ | Manual workflow | Available in EAM as addon |
| 7-Zip | Manual Win32 repackaging, or a patching extension | |
| Oracle Java | Manual Win32 repackaging, or a patching extension | |
| VLC Media Player | Manual Win32 repackaging, or a patching extension | |
This is easy to dismiss as a minor inconvenience. It isn't. A large share of modern vulnerabilities lives in non-Microsoft software.
Vendors ship browser zero-day fixes within hours. If your rollout takes two weeks because someone has to hand-build an IntuneWin package, that's two weeks of exposure across every managed device. Multiply by the browsers, PDF readers and comms apps your users run, and the open windows add up fast.
Manually repackaging third-party apps is repetitive, low-leverage work. Download the installer. Convert it to .intunewin with IntuneWinAppUtil. Write detection rules. Figure out install switches. Upload. Assign. Test. Repeat for forty apps, every month. A senior admin's week disappears into it.
"Intune isn't bad at what it does. It was never built to be the source of truth for every software vendor out there. It was built to manage Microsoft."
With effort, yes. You can package any Win32 installer yourself and push it through Intune as an update. Nothing stops you. The real question is whether you want to carry that workload for every app, every month, forever. Most teams do the maths and decide they would rather not.
There are two realistic paths. One is a slog. The other is built for teams that want their weekends back.
Download the vendor installer. Convert it to .intunewin using Microsoft's IntuneWinAppUtil tool. Write detection rules. Figure out the correct install and uninstall switches. Upload to Intune. Set up dependencies. Assign to a pilot group. Test. Promote. And then do it all again for the next vendor release, which will land within days. Multiply that by the 40 or 50 third-party apps your endpoints actually run, and patching becomes a full-time role.
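The "write detection rules" step in the manual path is usually a custom detection script. The one below is an added example, not code from Patch Connect Plus or Microsoft; it relies on Intune's script-detection contract (exit code 0 plus output on STDOUT means "installed"), and the 7-Zip name pattern and the minimum version are constructed placeholder values.

```powershell
# Added example: Intune Win32 custom detection script (not vendor code).
# Intune treats the app as detected only when the script exits 0 AND
# writes something to STDOUT; anything else is reported as not installed.

# Constructed values: adjust both for the release being packaged.
$NamePattern    = '7-Zip*'
$MinimumVersion = [version]'0.0.0.0'   # placeholder: set to the patched release

# Check both registry views so a 32-bit install on 64-bit Windows is found.
# Run the script as a 64-bit process, otherwise the first path is redirected.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledVersion {
    param([string]$Pattern, [string[]]$Keys)
    $versions = foreach ($entry in Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue) {
        if ($entry.DisplayName -like $Pattern -and $entry.DisplayVersion) {
            $parsed = $null
            # Vendors sometimes append text to DisplayVersion; keep the numeric prefix.
            $numeric = $entry.DisplayVersion -replace '[^0-9.].*$', ''
            if ([version]::TryParse($numeric, [ref]$parsed)) { $parsed }
        }
    }
    # Several copies can coexist after a failed upgrade; report the lowest,
    # because the unpatched copy is what matters for compliance.
    $versions | Sort-Object | Select-Object -First 1
}

$found = Get-InstalledVersion -Pattern $NamePattern -Keys $UninstallKeys

if ($found -and $found -ge $MinimumVersion) {
    Write-Output "Detected $NamePattern $found"
    exit 0
}
# No output and a non-zero exit: Intune will (re)install the assigned package.
exit 1
```

Reporting the lowest installed version rather than the highest keeps a device with a leftover unpatched copy from showing as compliant.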
Patch Connect Plus is a dedicated third-party patching tool from ManageEngine. It's built for IT teams managing 500+ endpoints on Intune who can't justify a full SCCM deployment. It plugs into your existing Intune environment through an Azure AD app registration and publishes pre-packaged updates for 1200+ applications directly into the Intune console. You keep Intune as your deployment console; Patch Connect Plus quietly handles the vendor release tracking, packaging and detection logic upstream.
The product plugs into Intune through an Azure AD app registration and publishes third-party app updates into your Intune environment as Win32 apps. Your workflow stays the same. Only the plumbing behind it changes.
Your admins keep working in the Intune console. Intune still owns assignments, rollout rings, compliance and reporting. What changes is the supply chain behind your third-party apps: your team stops chasing vendor release notes and repackaging installers, because Patch Connect Plus does that work upstream and hands the finished, tested package to Intune for deployment.
Think of it as giving Intune the third-party catalog it never shipped with. You don't switch tools, you just stop doing the repetitive part.
Steps 1 to 3 are work you no longer do. Step 4 onwards is your existing Intune workflow.