Enterprise App Management | Microsoft Intune | Patch My PC

On February 1st, 2024, Microsoft released the long-promised Enterprise App Management (EAM) feature as part of the Microsoft Intune Suite or as a standalone add-on. As a bunch of patching nerds with an admitted dose of self-interest, we’ve kept a close eye on what the product team was building. We were excited to dive into the first release and want to share what we found.

What is Enterprise App Management?

This new add-on for Microsoft Intune provides a stream of third-party applications that IT admins can use to deploy software updates to their users and devices. This stream is based on a catalog that was built and maintained by Microsoft. Additionally, Microsoft will host the binaries so that they can automate the creation of Intune applications further. IT admins worldwide spend excessive time duplicating their industry peers’ work, packaging, and deploying the same third-party applications. This work never ends; IT admins must constantly monitor for individual updates released by software vendors. Enterprise App Management is Microsoft’s latest effort to reduce the application management effort required of IT teams. Several solutions exist for Intune patch management, and it seems that Microsoft is finally entering the space with this new services add-on.

What Applications Are in the Catalog?

The first question many IT admins ask when reviewing a third-party patching product is how large the application catalog is. The size of the Intune application catalog is a proxy for how many applications might match their environment and, thus, the amount of time the solution will save them.

As of release, the Enterprise App Management catalog has 94 unique Windows applications, which are listed below. Note that Microsoft has committed to drastically increasing this number in the near future as well as including MacOS apps, so this list is likely outdated by the time you read this.

• 7-Zip [Igor Pavlov]
• Amazon AWS Tools for Windows [Amazon Web Services Developer Relations]
• Amazon Corretto 16 [Amazon]
• Amazon Kindle [Amazon]
• Android Studio 2022 [Android]
• Android Studio 3 [Android]
• Android Studio 4 [Android]
• Araxis Merge [Araxis] (2 Configurations)
• Artweaver Free [Boris Eyrich Software]
• Atomi Systems ActivePresenter [Atomi Systems, Inc.]
• Audacity [Audacity]
• Beyond Compare [Scooter Software, Inc.]
• Blender [Blender Foundation] (15 Configurations)
• BlueJeans 2 [Blue Jeans] (2 Configurations)
• Brady Workstation [Brady Corporation]
• Burp Suite Community Edition [PortSwigger]
• Burp Suite Professional Edition [PortSwigger]
• Calibre [Kovid Goyal]
• Cisco Jabber 14 [Cisco Systems, Inc.]
• Cisco Webex Meetings [Cisco Webex LLC]
• Cisco WebEx Recorder and Player [Cisco Webex LLC]
• Cisco WebEx Recording Editor [Cisco Webex LLC]
• Cisco Webex Teams [Cisco Systems, Inc.]
• Citrix Receiver [Citrix]
• Citrix Workspace app [Citrix]
• Citrix Workspace app LTSR [Citrix]
• CMake [2BrightSparks Ptd Ltd] (8 Configurations)
• Dell Command Update (Windows Universal Application) [Dell, Inc.]
• Docker Desktop [Docker Inc.]
• draw.io Desktop [draw.io]
• Duo Desktop [Duo Security Inc.]
• Eclipse Temurin JDK with Hotspot 11 (LTS) [Eclipse Foundation]
• Eclipse Temurin JDK with Hotspot 19 [Eclipse Foundation]
• Eclipse Temurin JRE with Hotspot 11 (LTS) [Eclipse Foundation]
• Eclipse Temurin JRE with Hotspot 19 [Eclipse Foundation]
• Egnyte Connect [Egnyte, Inc.]
• Egnyte WebEdit [Egnyte, Inc.]
• Evernote [Evernote]
• Foxit PDF Editor 11 [Foxit Software]
• Foxit PDF Editor 12 [Foxit Software]
• Foxit PDF Reader [Foxit Software]
• Frame App [Nutanix Inc.]
• Free Countdown Timer [Comfort Software Group]
• Google Chrome for Business [Google]
• Google Drive [Google]
• Inkscape [Inkscape]
• JAM Software TreeSize Free [JAM Software GmbH]
• KeePass Password Safe (Classic Edition) [Dominik Reichl]
• KeePassXC [KeePassXC]
• Lansweeper [Lansweeper]
• Lenovo Quick Clean [Lenovo Software]
• LogMeIn GoToMeeting IT Installer [LogMeIn]
• Microsoft .NET Runtime 6.0 [Microsoft]
• Microsoft Azure CLI [Microsoft]
• Microsoft Azure Storage Explorer [Microsoft]
• Microsoft Power BI Desktop [Microsoft]
• Microsoft PowerShell Core [Microsoft] (6 Configurations)
• Microsoft Skype for Desktop [Microsoft]
• Microsoft Surface Diagnostic Toolkit for Business [Microsoft]
• Microsoft Visual C++ 2008 Redistributable [Microsoft]
• Microsoft Visual C++ 2015-2022 Redistributable [Microsoft]
• Microsoft Visual Studio Code [Microsoft]
• Mozilla Firefox [Mozilla] (37 Configurations)
• Mozilla ThunderbirdMozilla] (29 Configurations)
• Nessus Agent 10 [Tenable, Inc.]
• Notepad++ [Don Ho]
• NVIDIA GeForce Experience [NVIDIA]
• OpenShot Video Editor [OpenShot Studios]
• OpenVPN [OpenVPN Technologies, Inc.]
• Oracle Java Runtime Environment Version 8 [Oracle]
• Parallels Client 18 [Parallels International GmbH]
• Piriform CCleaner [Piriform Ltd]
• Poll Everywhere [Poll Everywhere]
• Poly Lens Desktop App [Plantronics]
• Python 3.10 [Python Software Foundation]
• Python 3.11 [Python Software Foundation]
• QNAP Qsync [QNAP]
• R for Windows [R Core Team]
• Rarlab WinRAR [Rarlab] (27 Configurations)
• Remote Help [Microsoft]
• Royal TS 5 [code4ward.net e.U.]
• Royal TS 6 [code4ward.net e.U.]
• Royal TS 7 [code4ward.net e.U.]
• ScreenToGif [Nicke Manarin]
• Simon Tatham Putty [Simon Tatham]
• SyncBackFree [2BrightSparks Ptd Ltd]
• TeamSpeak client [TeamSpeak Systems]
• TechSmith Snagit 2019 [TechSmith Corporation]
• TechSmith Snagit 2020 [TechSmith Corporation]
• TechSmith Snagit 2021 [TechSmith Corporation]
• TechSmith Snagit 2023 [TechSmith Corporation]
• TechSmith Snagit 2024 [TechSmith Corporation]
• TightVNC [TightVNC]
• TortoiseSVN [TortoiseSVN]

How Does Microsoft’s Intune Patch Management Work

The initial release of the Enterprise App Management tool for Intune is focused primarily on utilizing their updated catalog to pre-populate the application creation wizard. It’s important to understand that EAM creates a regular Intune Win32 application; this is not a new app model. Any existing frustrations you may have with the existing app model (e.g., closing in-use apps and updating available apps) will not be solved by this new add-on.

Let’s walk through the process of deploying a new application for the first time.

Creating the Initial Application

In the Microsoft Intune portal, you navigate to Apps > Windows and click the Add button. This will open the ‘Select App Type’ flyout where you select ‘Enterprise App Catalog app’:

This will begin the Add Application wizard where you click on ‘Search the Enterprise App Catalog’ to .. well … search the enterprise app catalog.

 This will trigger the search flyout where you can browse and search the catalog for the application you want to deploy:

 To begin creating the application, simply select the desired application and click Next. You will then be asked to select the specific configuration you wish to deploy. Most apps in the catalog only have a single configuration but some, like Firefox, have multiple languages, versions, or editions to select from:

Once the application and configuration are selected the rest of the process follows the familiar workflow for adding a non-catalog application except that all of the metadata and detection rules are pre-populated for you:

While the Microsoft Enterprise App Management service pre-populates the data, you can modify or customize the application in any way you see fit. If you need to change the command line, add an Icon (currently not pre-populated), or add additional detection rules you can do so.

Deploying the Application

Enterprise Application Management does not create deployments for the applications you create. Reviewing the workflow above, you will notice that, unlike other application sources, the Intune EAM wizard does not include a section for assigning the application. You will have to first complete the wizard, refresh the page waiting for the application to be created, and then edit the application properties to assign it to the desired users and devices.

Installation Reporting

Generally speaking, once the application is created, it behaves like any other Win32 application within Intune. As such, the application will report installation status the same way any other Win32 application does:

Updating Existing Applications

Once you’ve deployed the applications from Intune, you will be faced with what to do when new versions are released. Enterprise App Management handles updates in one of two ways.

Self-Updating Applications

Some applications within the catalog are considered self-updating. These applications have a built-in update mechanism that will be left enabled. The applications will automatically update themselves outside Microsoft Intune or the IT admin’s control. The self-update mechanisms will download content directly from the vendor, so you must ensure that your network configuration allows access to these download locations. The app selection wizard will notify you when you select a self-updating app:

Note that Microsoft Intune will report self-updating applications installed as long as they meet a minimum version requirement. You can see this at work by reviewing the Detection Rules:

Non Self-Updating Applications

Applications that do not self-update require that IT teams create and deploy each update app manually. The Enterprise App Management service includes a new blade in Microsoft Intune Apps called ‘Updates for Windows (Win32) catalog apps’. This blade will list catalog applications deployed in your environment that have newer versions available. The IT admin must regularly monitor this blade to review available updates to create and deploy the latest version as a new application. The IT admin can do this by clicking on the ellipsis (three dots) and selecting ‘Update app.’

When they do so, they will be brought through the same ‘Add App’ wizard shown above, with the addition of a supersedence section pre-populated with the previous catalog app(s). Note that you will still need to separately deploy this application by adding assignment post-creation. If you deployed the initial application as available, you are responsible for implementing a method for updating existing installations. A standard solution is to create two versions of the application: one that is available and another that is required but with an additional requirement that ensures the previous version is installed.

How Does this Compare with Patch My PC?

While we are certainly biased, we believe that Patch My PC’s solutions deliver significant value beyond the current functionality of Microsoft Intune’s Enterprise App Management.

Pricing

While possibly not the most important factor, many of our customers and potential customers will immediately notice a stark pricing disparity. Microsoft Intune’s EAM is available standalone for $24/user/year or part of the Intune Suite for $120/user/year. By comparison, our Enterprise Plus SKU is priced at $3.5/device/year. One caveat here is that Patch My PC has a minimum starting price of $2,499 where-as Microsoft has no minimum. Organizations with less than 100 or so devices would have lower licensing costs. Though, as we will see below, that is very unlikely to equate to actual money saved.

Catalog Size

The second highest concern for most potential customers is the software update catalog, particularly the number of applications in it. In theory, the more extensive the catalog, the higher the number of apps you deploy. We caution against comparing these numbers without understanding how they are calculated. One early vendor in this space boasted 20k apps in their catalog; sounds amazing until you realize that this was the total number of updates they had published, not the number of unique applications. Many applications have separate x86 and x64 builds as well as MSI and EXE installers which instantly takes one app and makes it four. Some apps will have system installers versus user installers (ex. JetBrains ReSharper). Other apps will have multiple different versions currently in support (ex. Node.js). Throw in separate installers for languages and suddenly Firefox has 36 separate products, 72 if you include the Extended Support Release (ESR).

At Patch My PC we’re proud of our catalog and make it publicly searchable and even downloadable: Supported Products for ConfigMgr and Intune. As of writing, we have 1,383 individual products in our catalog representing all of the variants mentioned above which represent 969 unique products. It is worth noting that we have begun regularly removing deprecated applications from our catalog. Applications that have been abandoned by their authors or whose websites have been hijacked should not be deployed in an enterprise environment. It hurts our numbers, but it’s the right thing to do, so we do it.

By contrast, Microsoft’s solution currently has 94 unique products and 212 individual products once multiple configurations are accounted for. These numbers are not easy to come by either. There is no publicly available list, and the only official way to get them is to sign up for a trial.

It’s important to note that the Microsoft Intune EAM product team has said, and we have reason to believe, that they will drastically increase this number. How much and how fast is unknown at this time and they are rather tight-lipped about it.

Catalog Velocity

While catalog size is the figure most potential customers focus on, the velocity of the catalog is equally important. How often is the catalog released, and how quickly are the latest versions of applications updated? The largest catalog in the world isn’t worth a lot if it takes weeks for the latest security updates to appear in it. At the time of writing, Microsoft has not publicly provided any documentation or SLA to clarify this. However, we can glean information from the current state of their catalog. Here’s a small sample of applications from Microsoft’s catalog as of Feb 12, 2024 compared to the most recent versions available for those applications:

• Citrix Workspace App
  • Catalog version: 23.9.1 (Oct 31)
  • Latest version: 23.11.1 (Feb 2)
• Google Chrome for Business
  • Catalog version: 119.0.6045.160 (Nov 23)
  • Latest version: 121.0.6167.161 (Feb 6)
• Mozilla Firefox
  • Catalog version: 121.0.1 (Jan 9)
  • Latest version: 122.0.1 (Feb 6)
• .NET Runtime 6.0 (x64)
  • Catalog version: 6.0.25 (Nov 14)
  • Latest version: 6.0.26 (Jan 9)
• Zoom Client for Meetings (x64)
  • Catalog version: 5.17.29988 (Jan 8)
  • Latest version: 5.17.31030 (Jan 23)

It seems clear that it currently takes weeks, possibly months, for Microsoft to update the catalog with the latest version of a given application. Further, when EAM was publicly released on Feb 1st, it was released with outdated applications. In the case of the .NET Runtime 6.0 tool, the latest security release from within Microsoft itself is still unavailable a month after release.

By comparison, each of the applications listed above had its latest version published in our catalog on the day the update was released. In some cases, like Google Chrome, we’ve published multiple updates for a given application, while Microsoft has released none.

At Patch My PC, we take this seriously. It’s what we do. As such, we are clear and upfront about both our release cadence and how quickly we update apps. Here’s what our FAQ has to say about it:
“Our goal is to release updates the same day the vendor releases the update. We generally release our catalog between 1:00 – 5:00 PM (Eastern Standard Time). You can review a full list of past catalog releases at catalog release history.

If a security update is released later in the afternoon, we often release two catalogs in a scenario where the update is a high-security risk. More minor non-security updates released later in the afternoon will be updated the following business day.”

Features

As shown above, the main feature of EAM is that it pre-populates the Microsoft Intune App creation wizard. The application management process is still very manual; with the IT team responsible for managing and monitoring each application and software update. Patch My PC offers solutions that fully automate the process of updating existing applications. We can even detect currently unmanaged applications and automatically deploy updates for them to ensure that your environment stays secure.

Our Publisher offers a litany of application customizations that you can automatically apply to apps and their updates. Popular features include custom pre/post scripts to handle complex installation requirements. Need to include an MSI transform or license file? We’ve got you covered. Want a better user experience when updating an in-use application? Yea, we do that. Would you like granular control over when updates are deployed instead of apps self-updating whenever they feel like it? We got you fam. This just scratches the surface, for a more comprehensive list of features head over to our feature comparison page. Critically, these customizations are automatically applied to each new version of the application that we deploy. Want to add a custom installation parameter to the install or uninstall command-line? Great, do it one time and go find better ways to spend your time.

Support

We take particular pride in providing world-class technical support to our customers. We want every interaction our customers have with us to spark joy. Our founder and many others have years of experience in the systems management space. We’ve lived that life, understand the pressures, and want to do all we can to make patching third-party applications a non-issue for you.

Values

Our mission statement is:

“We exist to improve lives, through customer-obsessed innovation. This encompasses making an impact on the lives of our customers, our team members, and the communities in which we live.”

We believe, possibly naively, that if we can deliver on this promise to our customers and ourselves, then success will follow.

In Conclusion

Microsoft saw a persistent gap for their customers and, after years of development, has released the first iteration of their Application Patch Management solution. While their initial offering is incomplete, they will continue to improve it. Here at Patch My PC, we welcome the competition and are confident that our current solutions offer significant value above and beyond those of Microsoft.

We continue investing heavily in driving those solutions forward and continually seek to improve our customers’ lives and help secure their organizations. We feel strongly that this is a winning strategy.

Discover how PMPC can instantly resolve your Intune patch management headaches.