Open-Source Third-Party Patching Solutions: What Admins Should Know
Third-party patching remains a challenge for many IT administrators. While Microsoft patches Windows and its own apps, it doesn’t—outside of Intune’s Enterprise Apps—offer a straightforward way to patch popular third-party tools such as Zoom, Chrome, Adobe Reader, or 7-Zip. If you’re looking to close the gap without adding cost, open-source patching solutions offer a flexible alternative.
In this post, we’ll look at several open-source patching tools that pair well with Intune and ConfigMgr, outline their pros and cons, and explain how to integrate each one.
Why Admins Should Explore Open-Source Tools
Open-source solutions may not offer the polish of enterprise products, but they can provide:
- Cost savings: Free to use, with no licensing costs
- Customization: Flexibility to mold to your patching workflow
- Transparency: Full access to source code for auditing or debugging
- Community support: A passionate group of IT pros contributing updates, scripts, and fixes
That said, they’re not plug-and-play. In many cases, you’ll need scripting skills and the time to maintain what you build. For many teams, that trade-off is worth it.

Open-Source Patching Tools That Work with ConfigMgr and Intune
Chocolatey Community Edition
- Use case: Package and deploy third-party apps via ConfigMgr or Intune scripts
- Integration highlights:
  - Easily script Chocolatey installs and updates using ConfigMgr deployments or Intune Win32 apps
  - Can be wrapped into task sequences or run via scheduled remediation scripts
- Considerations:
  - No native reporting unless integrated into your own log collection/monitoring
  - Most secure automation features (like package internalization) are gated behind Chocolatey for Business
Winget (Windows Package Manager)
- Use case: Lightweight app deployment and updates for Windows 10/11 devices
- Integration highlights:
  - Script winget install or winget upgrade commands via Intune or ConfigMgr
  - Works great for on-demand deployments or semi-automated maintenance tasks
- Considerations:
  - Still maturing—missing granular controls and reporting
  - Requires enabling App Installer and repository access in enterprise settings
WSUS Package Publisher
- Use case: Extend WSUS/SUP in ConfigMgr to include third-party patches
- Integration highlights:
  - Allows publishing custom third-party updates into WSUS and making them available in ConfigMgr Software Updates
  - Uses your existing code-signing certs and update workflows
- Considerations:
  - Manual effort required to build and maintain update packages
  - Best suited for environments with strong WSUS/SUP usage
Custom Scripting with Ninite or PSAppDeployToolkit
- Use case: Quick and dirty patching via ConfigMgr/Intune deployments
- Integration highlights:
  - Use Ninite’s CLI installer or build packages using PSAppDeployToolkit
  - Deploy via ConfigMgr applications or Intune Win32 packages
- Considerations:
  - Ninite is not open-source (free but limited)
  - Toolkit-based approaches can get complex over time
Deployment Tips
For ConfigMgr:
- Create applications using Chocolatey or winget commands
- Use task sequences to install/upgrade third-party apps during imaging
- Leverage compliance settings or CI/Baselines to detect outdated versions and remediate
For Intune:
- Package Chocolatey or winget scripts using the Win32 content prep tool
- Deploy scripts using the Remediation feature in Endpoint Analytics
- Schedule updates using PowerShell and leverage device compliance policies for visibility
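As an added example (not code from the original post or from any of the tools' own projects), here is a detection script for an Intune Remediation that turns Chocolatey's machine-readable output into a compliance signal and a log line, covering the detect-and-report tips above. The approved package list, the log path, the script name and the -SampleLines test hook are assumptions.

```powershell
# Detection script for an Intune Remediation (added example; runs without arguments there).
# Exit 1 = approved apps are outdated, so Intune runs the paired remediation script; exit 0 = compliant.
# Offline try-out with constructed lines: .\Detect.ps1 -SampleLines '7zip|23.01|24.08|false','git|2.44.0|2.45.1|false'
param([string[]]$SampleLines)   # hypothetical test hook, not used by Intune

# Assumption: package IDs approved for automatic upgrade in your environment.
$Approved = @('7zip', 'googlechrome', 'zoom', 'adobereader')
# Assumption: a local path your log collection already picks up.
$LogFile = Join-Path $env:ProgramData 'PatchLogs\choco-detect.log'

function ConvertFrom-ChocoOutdated {
    param([string[]]$Lines)
    # 'choco outdated --limit-output' prints one line per package: id|installed|available|pinned
    foreach ($line in $Lines) {
        $f = $line -split '\|'
        if ($f.Count -ne 4) { continue }   # skip warnings and blank lines
        [pscustomobject]@{
            Id        = $f[0].Trim()
            Installed = $f[1].Trim()
            Available = $f[2].Trim()
            Pinned    = ($f[3].Trim() -eq 'true')
        }
    }
}

$lines = $SampleLines
if (-not $lines) {
    $root  = if ($env:ChocolateyInstall) { $env:ChocolateyInstall } else { Join-Path $env:ProgramData 'chocolatey' }
    $choco = Join-Path $root 'bin\choco.exe'
    # Design choice: a device without Chocolatey is reported as non-compliant rather than silently passing.
    if (-not (Test-Path $choco)) { Write-Output 'NOCHOCO choco.exe not found'; exit 1 }
    $lines = & $choco outdated --limit-output
}

# Only approved, unpinned packages count; anything else is left for a human to review.
$outdated = @(ConvertFrom-ChocoOutdated $lines | Where-Object { $Approved -contains $_.Id -and -not $_.Pinned })

$summary = if ($outdated.Count) {
    'OUTDATED ' + (($outdated | ForEach-Object { "$($_.Id) $($_.Installed)->$($_.Available)" }) -join '; ')
} else { 'OK no approved packages outdated' }

# One line per run: Intune surfaces it as detection output, the file keeps history for reporting.
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
Add-Content -Path $LogFile -Value ('{0:s} {1} {2}' -f (Get-Date), $env:COMPUTERNAME, $summary)
Write-Output $summary
exit ([int]($outdated.Count -gt 0))
```

The paired remediation script would run choco upgrade with -y for the same approved IDs, so nothing outside the list is ever upgraded automatically.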
Limitations to Consider
Open-source tools are not turnkey third-party patching solutions. You’ll likely find little to no:
- Native reporting: You’ll need to build your own dashboards/log collection
- Centralized version tracking: Unlike commercial tools, you’ll track app versions manually
- Support: Updates break, community packages change, and no SLA exists
This makes them best suited for orgs that have:
- A strong scripting background
- Time and resources to test patch packages
- Low regulatory compliance needs (or strong spending controls)
When to Move Beyond Open-Source Patching
If your organization needs features like automated deployment and updates, advanced install parameters, pre-packaged catalog of apps, and simplified deployments, it may be time to look at paid solutions. For one, Application Manager by Recast automates and simplifies third-party patching inside both ConfigMgr and Intune.
Final Thoughts: Open-Source Third-Party Patching Solutions
Open-source patching tools can be a valuable addition to any ConfigMgr or Intune admin’s toolkit, especially for teams on tight budgets. While not as polished as enterprise solutions, these tools get the job done. And let’s be honest, it’s a heck of a lot better than manually packaging and deploying every app by hand.
If you’re willing to put in the time to test, tweak, and build reporting, you can achieve significant patching coverage using tools like Chocolatey, winget, and WSUS Package Publisher, all while staying inside the Microsoft management ecosystem you already know.
When you’re ready to level up from DIY scripts to a turnkey catalog, Application Manager picks up the heavy lifting with pre-tested packages, automated deployments, and detailed reporting—all inside ConfigMgr and Intune.