Skip to main content

Third-Party Apps Are the Patching Gap: Close It with Intune Win32 Deployments

Nick Ross4 min read

TL;DR

  • Vulnerabilities in third-party applications routinely bypass EDR and antivirus, because exploiting an unpatched app does not require dropping malware the tools can catch.
  • Microsoft Intune can deploy and update third-party software fleet-wide, with automatic updates for Microsoft Store apps and a heavier maintenance cost for Win32 packages.
  • A Win32 deployment needs five things configured correctly: the .intunewin package, install and uninstall commands, requirements, detection rules, and return codes.
  • Deployment rings let you stage an update to a test group before the broad rollout, the same way you would phase OS patches.
  • Intune can push the latest version of an app and remove older versions at the same time, which is how you retire vulnerable legacy installs.

An EDR agent can watch a process. It cannot patch the outdated PDF reader that process just exploited. That distinction is why third-party software vulnerabilities keep showing up as the entry point in incidents at organizations that, on paper, have a full security stack: the attacker never had to drop malware, they just walked through an application nobody updated.

This post covers the deployment half of the problem: using Microsoft Intune, alongside the vulnerability data Microsoft Defender gives you, to push and update third-party applications across every workstation under management. If you have not yet set up the scanning side, start with finding vulnerabilities on devices with Defender, then come back here to fix what it finds.

Why does third-party software slip past the rest of the stack?

Software vulnerabilities, especially in third-party applications, are attack vectors that bypass other security toolsets like Endpoint Detection and Response (EDR) and antivirus. They serve as entry points for attackers to gain unauthorized access to devices, compromise user accounts, and escalate from there.

The reason MSPs struggle with this category is not awareness. It is logistics: every vendor ships on its own update cycle, installers behave differently, and the fleet is never uniform. Manual patching does not scale past a handful of machines, so the apps drift out of date quietly.

What does Intune actually buy you here?

Diagram of Intune application management capabilities

Microsoft Intune goes beyond one-time software installs. Paired with the visibility from Microsoft Defender, it gives you:

  • One console for every app. Centralized management improves both security and governance, because the inventory and the deployment tooling live in the same place.
  • Automatic deployment and updates. Once an application is packaged and configured, Intune handles deployment automatically, and apps sourced from the Microsoft Store update themselves. Win32 apps carry a heavier maintenance cost, which we get into below.
  • Day-one configuration. With Windows Autopilot, new devices enroll, receive their apps, and land in a secure state before the user ever signs in.

Three moves that turn deployments into remediation

Intune remediation workflow for vulnerable software

The goal is reducing the risk posed by outdated or vulnerable third-party software, and Intune gives you three levers:

  1. Automate the initial deployment. Every app Intune installs is an app you control, instead of one a user downloaded from a search result.
  2. Ship updates like OS patches. Software updates for third-party apps deploy through Intune the same way operating system patches do. Deployment rings control when each user group receives the update, so a bad installer hits the test group, not the whole client.
  3. Retire legacy versions. Intune can deploy the latest version of an app and remove previous versions in the same motion, so users always run the most current, most secure build.

The Win32 workflow, start to finish

Step 1: Wrap the installer into a .intunewin package

Before a Win32 app can deploy through Intune, the installer has to be packaged with the Intune Win32 App Packaging Tool, which wraps it into a .intunewin file Intune can consume.

  • Download the Win32 App Packaging Tool from the Microsoft site if you do not have it already.
  • Run the tool and point it at your installer:
    • Select the source folder containing the app's installer (the .exe or .msi).
    • Select the output folder for the packaged file.
  • The tool produces the .intunewin file you will upload to Intune.

Step 2: Upload the package to Intune

Step 3: Commands, requirements, detection rules, return codes

This is where deployments succeed or fail, so slow down here:

  • App information. Provide the Name, Description, Publisher, and Category. You can also upload an App Icon and specify the Version.
  • Install and uninstall commands. Define both. The install command is typically the silent installer invocation, such as setup.exe /quiet or msiexec /i app.msi /quiet. The uninstall command is required too, so Intune can remove the app cleanly when needed.
  • Requirements. Set any conditions a device must meet before installing, such as operating system version or available disk space.
  • Detection rules. Tell Intune how to recognize that the app is already installed: MSI product codes, file existence, registry keys, and similar checks all work.
  • Return codes. Specify which codes indicate success or failure. The defaults work for most applications, but you can customize them when an installer reports unusually.

Step 4: Assign groups and stage the rollout

  • Open Assignments and choose which device or user groups receive the app. The options are Required, Available for enrolled devices, or Uninstall.
    • Required installs automatically on the selected devices.
    • Available for enrolled devices publishes the app to the Company Portal for users to install on demand.
  • Use deployment rings for phased rollouts: a test group first, then the broader population once the test group is clean.

Step 5: Watch the rollout and chase the failures

  • In the Intune Admin Center, go to Apps > All Apps, select your app, and open Device install status to see which devices installed successfully and which errored.
  • For failures, the Intune Management Extension logs on the affected device show what went wrong.
  • Restarting the Intune Management Extension service on a device forces it to check in again and retry the installation.

A full video walkthrough of this process using Google Chrome as the example app is available here: Deploying Chrome with Intune, step by step (opens in new tab).

Where this fits in the bigger picture

Deployment is one layer of secure application management. The companion pieces are an approved software inventory that defines what should exist on the fleet, and continuous vulnerability scanning through Defender that tells you which of those apps need attention this week. Together they turn third-party patching from a fire drill into a routine: scan, prioritize, package, deploy, verify.

Frequently asked questions

Do Microsoft Store apps and Win32 apps update the same way in Intune?

No. Apps deployed from the Microsoft Store can update automatically once configured, while Win32 apps carry a heavier maintenance cost. Each new version means repackaging the installer, updating detection rules, and redeploying.

What is the difference between Required and Available assignments?

Required installs the app automatically on every device or user in the assigned group. Available for enrolled devices publishes the app to the Company Portal, where users choose whether to install it. There is also an Uninstall assignment for removing the app from a group.

An app deployment is failing on some devices. Where do you look first?

Open Apps, then All Apps in the Intune Admin Center, select the app, and check Device install status for errors. The Intune Management Extension logs on the affected device show the detail, and restarting the Intune Management Extension service forces the device to check in again.

Know which app versions are exposed before you package a fix

CloudCapsule surfaces vulnerable software across every Microsoft 365 tenant you manage and turns the findings into reports your clients can act on. 250+ controls, about 60 seconds per tenant.

Run a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading