Patch My PC Publisher Intune API Reference

This knowledge base article provides an overview of the various features of Patch My PC and their interactions with external APIs, including Microsoft Graph API and Patch My PC’s own API. The article details specific actions taken by each feature, associated endpoints, and required permissions.

More Information

Note 1: Some URLs in this article might differ depending on your geographical location, for example Azure Storage endpoints. For a full list of endpoints required for Patch My PC Publisher, please refer to https://patchmypc.com/list-of-domains-used-for-downloads-in-patch-my-pc-update-catalog

Note 2: A spreadsheet containing the references in this KB can be found at https://patchmypc.com/wp-content/uploads/2024/10/Publisher-Graph-Endpoints-and-API-Permissions-for-Intune.xlsx

API Permission Reference

 

DeviceManagementApps.ReadWrite.All

Reason(s):

  • List and Manage Applications
    This permission allows Patch My PC to query and list Win32 applications in your Intune tenant, manage applications, and perform actions such as creating or deleting assignments.
  • Add or Update Applications
    Required for adding new Win32 applications, updating them with new content versions, or deleting them when they fall outside of the retention chain specified by the publisher.
  • Batch Operations
    Enables performing batch requests such as deleting multiple Win32 applications in bulk or assigning multiple applications at once.
  • Upload Application Content
    Necessary to obtain a storage URI from Intune for uploading content for new or updated applications.
  • Assignment Management
    Used when adding or removing application assignments or managing the group assignments related to applications.

 

DeviceManagementConfiguration.Read.All

Reason(s):

  • Retrieve Assignment Filters
    This permission allows Patch My PC to read assignment filters from Intune, which are used to target specific devices or users when deploying or updating applications.

 

DeviceManagementManagedDevices.Read.All

Reason(s):

  • Request and Download Reports
    This permission allows Patch My PC to request reports for discovered applications (AppInvRawData) and poll the service to check if the report is ready.
  • Display Discovered Apps
    It enables Patch My PC to download and display generated reports that contain details of managed devices in your Intune environment.
  • Enumerate Groups for Assignments
    Necessary for querying the Intune device inventory and retrieving device data to support application assignment and other management operations.

 

DeviceManagementRBAC.Read.All

Reason(s):

  • Role Scope Tag Management
    This permission is needed to retrieve and manage role scope tags, ensuring that administrative roles and permissions are applied consistently across application assignments, device configurations, and user roles. It helps restrict certain actions based on role-based access control (RBAC) policies.

 

DeviceManagementServiceConfig.ReadWrite.All

Reason(s):

  • ESP Profile Management
    Required for Patch My PC to update and manage Enrollment Status Page (ESP) profiles, ensuring that newly added Win32 applications are correctly flagged as blocking apps during device provisioning.

 

GroupMember.Read.All

Reason(s):

  • Populate Groups for Assignments
    This permission allows Patch My PC to read Entra ID group information when creating or managing application assignments. It fetches group data for assignment targeting and filtering, ensuring that only authorized users or devices receive the intended applications.
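
One way to check an app registration against the permission list above, as an added example that is not Patch My PC's code: it decodes the `roles` claim of an app-only Graph access token (where granted application permissions appear) for inspection only, without verifying the signature, and reports missing, excess and write-level permissions. The helper names and the sample token, including the extra Directory.ReadWrite.All grant, are constructed for illustration.

```python
import base64
import json

# Application permissions listed in this article's API Permission Reference.
DOCUMENTED = {
    "DeviceManagementApps.ReadWrite.All",
    "DeviceManagementConfiguration.Read.All",
    "DeviceManagementManagedDevices.Read.All",
    "DeviceManagementRBAC.Read.All",
    "DeviceManagementServiceConfig.ReadWrite.All",
    "GroupMember.Read.All",
}

def token_roles(jwt: str) -> set:
    """Return the 'roles' claim of a compact JWT (signature is NOT verified)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    roles = claims.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("'roles' claim is not a list")
    return set(roles)

def audit(jwt: str) -> dict:
    """Compare granted application permissions with the documented set."""
    granted = token_roles(jwt)
    return {
        "missing": sorted(DOCUMENTED - granted),   # documented features will fail
        "excess": sorted(granted - DOCUMENTED),    # beyond what this article lists
        "write_scopes": sorted(r for r in granted if ".ReadWrite." in r),
    }

def make_sample_token(roles) -> str:
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.constructed"

# Constructed sample: one documented permission missing, one extra grant present.
SAMPLE = make_sample_token(
    sorted(DOCUMENTED - {"GroupMember.Read.All"}) + ["Directory.ReadWrite.All"]
)

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```
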

    API Reference

     

    Supported Products and Catalog Download

     

    Licence Validation/Telemetry

    • Product: Publisher
    • Tab: General
    • Feature: Licence validation
    • Button/Option: Validate
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: None

     

    OAuth Assertion / Get App Registration Permissions

    • Product: Publisher
    • Tab: Intune Apps
    • Feature: Options
    • Button/Option: Test
    • Endpoint(s):
    • Method: POST
    • Graph API Permission: None

     

    MSAL Token Request

     

    Request Report for Discovered Apps (AppInvRawData)

     

    Poll the Service to See if the Report is Ready

     

    Download the Generated Report to Display Discovered Apps

     

    List Win32 Apps in the Intune Tenant (Paginated)

     

    AppInstallStatusAggregate Report is Returned after Querying the List Win32 Apps in the Intune Tenant

     

    Assignment(s) Deleted from Win32 App(s)

     

    Batch DELETE Request Posted to Intune to Delete Application(s)

    • Product: Publisher
    • Tab: Intune Apps/Updates
    • Feature: Intune application manager
    • Button/Option: Delete Application
    • Endpoint(s):
    • Method: POST
    • Graph API Permission: DeviceManagementApps.ReadWrite.All

     

    Groups Returned to Populate Entra ID Group Form (Top 99 or Filtered Results)

    • Product: Publisher
    • Tab: Intune Apps/Updates
    • Feature: Assignments
    • Button/Option: Add assignment
    • Endpoint(s):
    • Method: GET
    • Graph API Permission: GroupMember.Read.All

     

    Supported Products, Catalog, and Application Icon Download(s)

    • Product: Publisher
    • Tab: Sync Schedule
    • Feature: Sync
    • Button/Option: Run Publishing Service Sync
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: None

     

    Licence Validation/Telemetry (Sync)

    • Product: Publisher
    • Tab: Sync Schedule
    • Feature: Sync
    • Button/Option: Run Publishing Service Sync
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: None

     

    MSAL Token Request (Sync)

     

    OAuth Assertion / Get App Registration Permissions (Sync)

    • Product: Publisher
    • Tab: Sync Schedule
    • Feature: Sync
    • Button/Option: Run Publishing Service Sync
    • Endpoint(s):
    • Method: POST
    • Graph API Permission: None

     

    Enumerate Groups for Assignment(s) for New/Updated Application(s)

     

    Create New Win32 Application(s)

     

    Obtain Storage URI from New Win32 Application Request to Prepare for Intunewin Content Upload

    • Product: Publisher
    • Tab: Sync Schedule
    • Feature: Sync
    • Button/Option: Run Publishing Service Sync
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: DeviceManagementApps.ReadWrite.All

     

    Add File Encryption Information to New Win32 Application(s)

     

    Update Win32 Application(s) with New Content Version

     

    Delete Any Win32 Application That Falls Outside of the Retention Chain

     

    Update ESP Profiles in Intune to Add Win32 Application(s) as Blocking App(s)

     

    Test Connection (Cloud)

    • Product: Publisher
    • Tab: Cloud
    • Feature: Test Connection
    • Button/Option: Test Connection
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: None

     

    Custom App List Downloaded

    • Product: Publisher
    • Tab: Intune Apps/Updates
    • Feature: Refresh the list of products
    • Button/Option: Refresh the list of products
    • Endpoint(s):
    • Method: CONNECT
    • Graph API Permission: None

     

    Get ESP Profiles from Intune

     

    Get Filters from Intune

     

    Get Scope Tags from Intune

    Published On October 20, 2024