Evaluating Microsoft’s Third-Party Patching Solutions for Intune

Jun 12, 2023 | Blog

Here at Patch My PC, we are application obsessed. True, if you were to look at our workspaces, you would find crazy monitor configurations, keyboards that defy description, and … for reasons still unclear … a proliferation of rubber ducks. However, our obsession with applications rises above all others because that’s what our customers are obsessed with. Ultimately, companies don’t want hardware, infrastructure, or operating systems; they just want the applications that drive their business forward. Therefore, their management tools are only effective to the extent that they can deliver applications the users need when they need them.

Intune is Microsoft’s cloud-based endpoint management solution that companies worldwide use to deliver applications to their devices. Microsoft has recently announced or released several improvements for Third-Party application management via Intune that, as application obsessives, we wanted to dive into and learn about in this blog post.

Microsoft Opens the Store to Win32 Apps

The Microsoft Store was initially released as the Windows Store to deliver Universal Windows Platform (UWP) applications. It was built to be where independent software vendors (ISVs) could officially publish, sell, and advertise their applications. Over time, Microsoft has included other types of content, such as games and fonts, but continued to keep out the content that enterprises most needed: Win32 apps, that is, applications delivered with traditional MSI or EXE installers. Excluding these types of apps limited the value of the Store, as many software vendors lack the skill or determination to re-engineer their apps or installation methods to meet the Store restrictions. As our own packaging experts will attest: the actual installer is often an afterthought for most vendors.

In May of 2022, Microsoft announced that this restriction was globally removed, and all software vendors were now free to publish their MSI or EXE-based installers to the Store. The floodgates were now open!

Microsoft Deprecates the Store for Business and Education

To provide enterprise control for the public Microsoft Store, organizations could use the Microsoft Store for Business (MSfB) or Microsoft Store for Education (MSfE) to only deliver a curated set of apps to their users. Both tools became widely adopted and were integrated into Intune to allow administrators to manage both Stores from the same tool they used to manage other non-Store apps.

In July 2021, Microsoft announced that both Microsoft Store for Business and Education would be deprecated on March 31, 2023. While Microsoft has pushed that date back indefinitely, the Intune integrations with both Stores will start being removed on April 30, 2023, and completely shut down by September 15, 2023.

Microsoft Integrates Intune with Windows Package Manager (Winget)

In 2020, Microsoft announced Windows Package Manager (WPM) to relatively little fanfare. Windows Package Manager was designed to mimic the package managers available in nearly every Linux distribution, which make it easy to install and update applications from a trusted repository. Part of WPM is a command-line tool and set of software libraries called Winget, which facilitate interacting with the application repositories. There are several repositories available: the Microsoft Store repository representing official software vendor packages, private repositories maintained by third parties, and a community repository that allows submissions for any app from anyone.

Long after announcing the deprecation of the Microsoft Store for Business and Education, Microsoft eventually announced that Intune would integrate Windows Package Manager/Winget to deliver Microsoft Store apps from the official Microsoft Store repository to the Customer Portal. Note that Intune’s Windows Package Manager integration currently only supports Windows Store apps. Support for private repositories is planned, but no plans exist to integrate Intune with Windows Package Manager’s community application repository. Once installed, the Intune Management Extension (IME) will periodically update managed applications to the latest version.

App name 7-Zip search results in Microsoft Store app

What are the Limitations?

While all the above is exciting to us application nerds, certain limitations should be considered before adoption.

When you initially deploy a Microsoft Store app with Intune, you can configure installation deadlines to control the rollout. Once deployed, however, there is no control over version or update timing. The Intune Management Extension will continually update the applications to their latest version, randomly and uncontrollably. You cannot keep apps at a specific version, nor can you revert the applications to an earlier release if a new release causes issues.

Intune’s Windows Package Manager integration excludes age-restricted or paid Store applications, which will not be returned in searches. In the example below, the HEVC Video Extensions application is available in the Store for $0.99 but is not returned as a search result.

HEVC Video Extension app available in the store
HEVC Video Extensions search results in Microsoft Store app

You can work around this limitation, however, by searching for the Microsoft Store app’s ID. While this workaround is currently valid, there’s been no commitment from Microsoft that this is ‘by design’ and will not be removed at a later date.

HEVC Video Extension App ID search results in Microsoft Store app

The Microsoft Store is intended to contain applications officially published by the vendor that owns the application. However, as the 7-Zip example shows above, that’s not the case: Zeeis is not the owner of 7-Zip. In fact, there are multiple 7-Zip applications in the Store, all of which are unofficial, not guaranteed to be what they say they are, and certainly not guaranteed to be updated in a timely fashion, if at all. Even when an application is officially published into the Store by the vendor, you are still dependent upon them to update the Store app in a timely manner to stay current. There is no meaningful Service Level Agreement here.


Intune Suite: Advanced App Management

In addition to Store integration, Microsoft has been working to create its own Third-Party Patching service to be included in the Intune Suite ($120/user/year). This service will be based on an Enterprise App Catalog containing an unspecified number of applications verified and hosted by Microsoft. This new service is integrated directly into Intune and will deliver applications using Intune’s existing Win32 application features, including supersedence. When importing and updating the application, you can review the application details and modify a subset of properties such as install command, uninstall command, and restart behavior.

The initial release of Advanced App Management will not support automatically updating applications. Instead, a pane in Intune, tentatively named Updates for Windows Advanced management apps, will list available updates for your managed applications.

Updates for Windows Advanced management apps

You can drill down into the update from this screen to get additional information, including how many devices require it. Then, by clicking Update application, you can import the application update into Intune and manually deploy it. From then on, the update will act like any other Intune Win32 application.

Wait, isn’t Third-Party Patching Kind of Your Thing?

It is! Thank you for noticing. When we look at Microsoft’s latest attempts in this space, we find ourselves unconcerned and welcoming of our new competitor. At Patch My PC, we have the best team in the business obsessed with a singular goal: to simplify how enterprises create, manage, update, and deploy third-party applications. We provide a proper end-to-end automated solution for Third-Party applications and a level of customization and control not offered by the abovementioned solutions. Our game plan is simple: provide the absolute best solution at an affordable price backed by the best support possible. Call us crazy, and the rubber duck thing gives a certain credence to that label, but we think that’s a winning strategy.