Enterprise support for patching user‑level installed applications

Admin Diego Melica 0 Reputation points
2026-04-01T07:22:44.3966667+00:00

We are looking to understand whether Microsoft currently offers, or has on the roadmap, an enterprise-supported solution to centrally patch applications installed in user context (per‑user installs), such as Google Chrome (user-level) and Visual Studio Code, within Microsoft Intune / Microsoft 365.

Specifically, we are interested in knowing:

  • Whether Microsoft provides native capabilities to detect, update, and report on user‑level application installations
  • If this scenario is officially supported or recommended by Microsoft for large enterprise environments
  • What Microsoft’s strategic direction is for third‑party application patching beyond system‑level installs

This information is important for us to decide whether to rely on Microsoft-native tooling or continue using third‑party patching solutions.

Microsoft Security | Intune | Application management

2 answers

  1. Admin Diego Melica 0 Reputation points
    2026-04-01T07:37:49.6833333+00:00

    This represents a significant limitation, especially considering that many software vendors are increasingly offering applications that can be installed by end users without requiring administrative privileges on the device.


  2. Q&A Assist
    2026-04-01T07:23:04.56+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Microsoft-native capabilities for application patching in Intune and Microsoft 365, as described in the context, focus on:

    1. Windows, Microsoft 365 Apps, Edge, Teams, and some packaged apps
    2. System-managed app types (Win32, MSIX, Store apps) rather than arbitrary per‑user installs such as user‑level Chrome or VS Code

    From the provided information, the following can be stated.

    1. Native capabilities to detect, update, and report on applications
    • Windows Autopatch is positioned as the native, enterprise-supported solution for automatic patching of:
      • Windows
      • Microsoft 365 Apps for enterprise
      • Microsoft Edge
      • Microsoft Teams
      This is explicitly called out as part of Intune integration:
      • “Windows Autopatch is a cloud based service. It keeps software current… Windows Autopatch uses Microsoft Intune to manage patching for Intune-enrolled devices or devices using co-management (Intune + Configuration Manager).”
      • It provides update management and reporting for Windows, Microsoft 365 Apps, Edge, and Teams, including service level objectives and device eligibility for Microsoft 365 Apps.
    • For Microsoft 365 Apps for enterprise, Windows Autopatch:
      • Aims to keep at least 90% of eligible devices on a supported Monthly Enterprise Channel version.
      • Uses Intune policies named Windows Autopatch Microsoft 365 Update Policy - <group name> - <ring name>.
      • Does not support pausing or rolling back individual components of an Office update.
    • For other applications, Intune provides:
      • Support for multiple Windows app types (including Win32 apps) and the ability to deploy and update them via Intune app deployment.
      • Supersedence for Win32 apps: “supersedence enables you to update and replace existing Win32 apps with newer versions of the same app or an entirely different Win32 app.” This is a general mechanism for packaging and updating apps that are deployed via Intune as Win32 (.intunewin) packages.
      • Microsoft Store app integration, where Intune “automatically keeps the apps up to date when a new version becomes available” for Store-delivered applications.
    • Enterprise App Management (part of Intune Suite) is described as:
      • “a secure, prepackaged catalog of apps” for first-party and non-Microsoft applications.
      • Providing a “comprehensive view of all apps that need an update from a single, easy-to-use screen,” and simplifying packaging and update tracking for Windows applications.

    The context does not describe any specific, native detection and patching capability targeted at arbitrary per‑user (user-context) installs such as user-level Chrome or VS Code that are not deployed and managed via Intune’s supported app types or catalog. The described capabilities are oriented around:

    • Windows Autopatch for Microsoft products (OS, Microsoft 365 Apps, Edge, Teams)
    • Intune app management for supported Windows app types
    • Enterprise App Management catalog for first- and non-Microsoft apps, where those apps are in the catalog and deployed/managed via Intune

    2. Official support/recommendation for large enterprise environments
    • Windows Autopatch is explicitly presented as an enterprise solution for automatic patching of Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams, integrated with Intune and requiring specific enterprise licenses (Business Premium, A3+, E3+, F3, etc.).
    • For application patching more broadly, the Essential Eight guidance in the context recommends:
      • Using Intune application deployment to apply patches within one month of release for non–Office productivity, non-browser, non-email, non-PDF, and non-security products.
      • Removing unsupported applications using Intune’s application management.
    • Enterprise App Management is positioned as the strategic Intune-based solution to “simplify the lifecycle of managing first party and non-Microsoft applications” and “ensure that all apps are kept up to date from the Intune admin center,” but it is scoped to Windows applications in the catalog and requires an additional Intune Suite license.

    The context does not state that Microsoft officially supports or recommends centrally patching arbitrary user-context installs (like user-level Chrome/VS Code) outside these mechanisms. Instead, the recommended enterprise pattern is:

    • Use Intune-supported app types and deployment methods (Win32, Store, etc.).
    • Use supersedence and Enterprise App Management for updating those managed apps.
    • Use Windows Autopatch for Microsoft 365 Apps, Edge, Teams, and Windows.

    3. Strategic direction for third‑party application patching

    From the provided material, Microsoft’s strategic direction for third‑party and non-Microsoft application patching in the Intune/Microsoft 365 ecosystem is reflected in:

    • Enterprise App Management:
      • A catalog-based, Intune-integrated solution for first-party and non-Microsoft Windows applications.
      • Focused on reducing packaging effort and centralizing update visibility and deployment.
    • Intune Win32 app supersedence:
      • A built-in mechanism to update or replace existing Win32 apps deployed via Intune.
    • Integration with Windows Autopatch and Windows Update for Business for Microsoft products.

    The context does not extend this strategy explicitly to unmanaged, user-context installations of applications that are not deployed and tracked via Intune-supported mechanisms. The emphasis is on:

    • Managing supported Windows app types via Intune
    • Leveraging Enterprise App Management for cataloged apps
    • Using Autopatch for Microsoft workloads

    Based on the provided information, decisions about replacing third‑party patching tools should consider that Microsoft’s native strategy is centered on Intune-managed app deployments (including catalog-based Enterprise App Management) and Autopatch for Microsoft products, rather than on discovering and patching arbitrary user-level installs that fall outside those management paths.

