Third-party app patching for Intune. In your tenant, not theirs.
Automated packaging with hash verification, Autopatch ring integration, custom MSI uploads, and per-app rollback. All running inside your Azure tenant, never a vendor's cloud.
A different approach to third-party app patching
Most third-party app patching products for Microsoft Intune are vendor-hosted cloud services. They sit between your tenant and Microsoft Graph, processing your environment metadata, holding the credentials that deploy apps to your devices, and operating from infrastructure you don't control.
App Store for Intune is built differently. It deploys directly into your own Azure subscription. The packaging pipeline, the credentials, the deployment automation: all of it runs inside your tenant boundary. There is no external service to consent to, no vendor cloud to trust, no per-device pricing meter.
Underneath, the workflow you already know: a packaged .intunewin file, deployed via the standard Win32 app pipeline, with detection rules generated from the source manifest. PSADT v4 wraps every installer. Nothing exotic on the endpoint, just better packaging upstream.
Quick facts
- Hosting model: Your Azure tenant, no vendor cloud
- App sources: WinGet manifests + admin-uploaded MSIs
- Packaging: PSADT v4 wrap + .intunewin conversion
- Deployment: Microsoft Graph API → Intune Win32 apps
- Ring strategy: Integrates with your existing Autopatch deployment rings
- Architecture: .NET 8 + React on Azure App Service + SQL + Storage
- Authentication: Microsoft Entra ID with RBAC
Your tenant. Your data. Your control.
Cloud-hosted application management tools typically operate by asking customers to grant their service broad Microsoft Graph permissions, for example DeviceManagementApps.ReadWrite.All and DeviceManagementServiceConfig.ReadWrite.All, so that the vendor's cloud can read and write to the customer's Intune app environment from outside the tenant.
App Store for Intune is different. It deploys directly into your own Azure subscription. The app identity lives in your tenant. Credentials never leave your environment. Your data stays under your governance, your compliance boundary, and your conditional access policies. There is no third-party processor to vet, no external trust bridge to maintain.
Cloud-hosted alternatives
- Vendor cloud holds credentials and deploys to your tenant
- Broad Graph API consent granted to an external service
- Environment metadata processed by a third party
- Per-device pricing, so costs scale linearly with device count
App Store for Intune
- ✓ Runs in your Azure subscription
- ✓ Credentials stay in your Key Vault
- ✓ No external processor to consent to
- ✓ Subscription pricing with a predictable annual cost as you grow
How we use WinGet (and how we don't)
The Windows Package Manager (WinGet) repository at microsoft/winget-pkgs is a public Microsoft-curated catalog of over 12,000 Windows applications. Each manifest describes one application: the publisher, version, installer URL, installer type, silent-install switches, and an expected SHA-256 hash.
App Store for Intune uses WinGet manifests as a catalog source, never as a runtime installer on the endpoint. The WinGet CLI is never invoked on your managed devices. Instead, at packaging time inside your Azure tenant, App Store does this:
1. Fetch the manifest from the WinGet index.
   Verify the manifest's own SHA-256 hash against the index entry. The index itself is signed by Microsoft.
2. Download the installer from the vendor's CDN.
   Direct from the publisher (Adobe, Mozilla, JetBrains, etc.), the same URL the WinGet CLI would use.
3. Verify the installer's content hash against the manifest.
   If the downloaded bytes don't match the manifest's declared hash, the package is rejected before it ever reaches the wrap step.
4. Wrap with PSADT v4 and convert to .intunewin.
   Standard PSADT packaging with per-installer-type silent switches. The entire installer payload is baked into the .intunewin, with no runtime download from the endpoint.
5. Upload to Intune as a Win32 app and assign.
   Detection rules generated from the manifest's Apps and Features entries. Deployment uses Intune's standard Win32 install pipeline, the same delivery channel as anything else managed by Intune.
The net effect: WinGet gives us a catalog of what's available and where to get it; we deliver it through the same Win32 pipeline that already runs on every Intune-managed endpoint. There's no new agent, no WinGet runtime, no out-of-band installer execution.
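The installer check in step 3 is a fail-closed hash gate. The Python below is an added example, not App Store for Intune's own code: it reads `InstallerUrl` and `InstallerSha256` from a constructed installer manifest and rejects any payload whose SHA-256 differs from the declared value. The function names, the Contoso package and the example.com URL are assumptions made up for illustration.

```python
import hashlib
import hmac
import re

SHA256_HEX = re.compile(r"[0-9A-Fa-f]{64}")
FIELD = re.compile(r"^\s*(?:-\s*)?(InstallerUrl|InstallerSha256):\s*(\S+)\s*$")

def parse_installers(manifest_text):
    """Return (InstallerUrl, InstallerSha256) pairs from an installer manifest.
    Line scanner for these two fields only; a production pipeline would use
    a YAML parser with schema validation."""
    entries, url = [], None
    for line in manifest_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "InstallerUrl":
            url = m.group(2)
        elif url is not None:
            entries.append((url, m.group(2)))
            url = None
    return entries

def sha256_stream(stream, chunk_size=1 << 20):
    """Hash in chunks so large installers are never held in memory whole."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()

def verify_installer(stream, declared_sha256):
    """Return (ok, reason); anything other than an exact match is a reject."""
    if not SHA256_HEX.fullmatch(declared_sha256):
        return False, "manifest hash is not a 64-digit hex SHA-256"
    actual = sha256_stream(stream)
    if not hmac.compare_digest(actual, declared_sha256.lower()):
        return False, "hash mismatch: computed " + actual
    return True, "hash matches manifest"

# Constructed sample data: not a real package, URL or installer.
SAMPLE_INSTALLER = b"MZ" + b"\x00" * 62 + b"constructed installer payload"
SAMPLE_MANIFEST = (
    "PackageIdentifier: Contoso.ExampleApp\nPackageVersion: 1.2.3\n"
    "Installers:\n- Architecture: x64\n  InstallerType: exe\n"
    "  InstallerUrl: https://downloads.example.com/exampleapp-1.2.3.exe\n"
    "  InstallerSha256: " + hashlib.sha256(SAMPLE_INSTALLER).hexdigest().upper() + "\n"
)
```

A malformed or missing hash in the manifest is treated the same as a mismatch, so a damaged manifest cannot let a payload through unverified.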
What Company Portal should be
Intune's Company Portal lets users install apps you've already assigned to them. Useful, but limited. It can't handle requests, approvals, or apps you haven't pre-decided to deploy.
App Store for Intune extends that experience into a full request-and-approval workflow. Employees browse a branded catalog of available applications, submit requests for the ones they need, and the platform routes those requests through your approval process before deploying via Intune. IT keeps control. Users self-serve. The help-desk queue gets shorter.
Notifications and approvals flow through the tools your organization already lives in: Microsoft Teams and Outlook. Approvers don't need to log into a portal to act on a request.
What's included
- ✓ Branded self-service catalog
Your logo, your colors, your name. Looks like an internal tool, not a vendor product.
- ✓ Configurable approval workflows
Multi-stage approval with conditional rules. Route by application cost, category, platform, publisher, requester's department, or any combination.
- ✓ Teams integration
Approvers receive interactive request cards in Teams and can approve or reject without leaving the conversation.
- ✓ Actionable Outlook emails
Approval emails include inline Approve / Reject buttons. One click from inbox to deployed.
- ✓ Real-time install status
Requesters and admins see the same view: pending, downloading, installing, installed, failed.
Capabilities
Everything you'd expect from a modern third-party patching platform, plus the things you won't get anywhere else.
Autopatch ring integration
Roll updates through your existing Autopatch deployment rings (Pilot, First Wave, Broad) instead of building a parallel ring structure. Health-gated progression pauses rollout automatically if failure rates spike.
Hash-verified WinGet packaging
Both the WinGet manifest and the downloaded installer are SHA-256 verified before packaging. A tampered installer is rejected before it ever reaches your tenant.
Custom MSI uploads
Drop an in-house MSI directly into the portal. App Store reads the Property table, auto-generates an Add/Remove Programs detection rule, and pushes the package through the same PSADT pipeline as catalog apps.
Per-app version history & rollback
Every deployment is recorded. Roll a single app back to a previous version with one click. The two-app model means rollbacks are deploys, not deletes. No emergency repackaging at 2am.
Multi-stage approval workflows
Configurable approval workflows with conditional stages. Set rules based on application cost, category, platform, publisher, or department. IT stays in control while users self-serve what they need.
Self-service catalog
Branded portal where employees browse available applications and submit requests. Routes through your approval workflow, then auto-deploys via Intune. Cuts down on help-desk tickets for app installs.
Real-time install status
Pull install status from Intune's reporting API (pending, downloading, installing, installed, failed) per device, in real time. Requesters and admins both see the same view.
Email & Teams notifications
Configurable notifications via email and Microsoft Teams. Requesters receive updates when their request is approved, deployed, or installed. Admins get notified when action is needed.
Corporate branding
Customize the portal with your organization's logo, colors, and name. Employees see a branded experience that looks like an internal tool, not a third-party product.
Programmatic API access
Full REST API with JWT Bearer auth (Entra ID app registrations). Upload custom MSIs from your CI/CD pipeline, trigger WinGet update detection from a CVE feed, pull deployment status into your monitoring dashboard. Documented at docs.powerstacks.com with PowerShell examples.
Coming soon
Items on the active roadmap. Early customers help shape what lands first.
VM-based smoke testing
Before a freshly packaged app reaches your production rings, an isolated Windows VM in your tenant tries to install it and reports success or failure. No more "we shipped the package and 200 endpoints failed at install time."
AI-assisted failure analysis
When a deployment fails, the agent service uses an LLM running in your tenant to summarize the application installation logs and propose a fix. Cuts the time-to-diagnose for the long tail of weird installer failures.
PSADT branding customization
Customize the PSADT install/uninstall toast notifications, banner imagery, and prompt copy through the portal UI, instead of editing PSADT scripts by hand for every package.
ConfigMgr-style dynamic collections
Build dynamic Entra ID groups from queries against your Intune device data, the same pattern ConfigMgr admins know as query-based collections. The portal evaluates the query on a schedule and keeps the group accurate as devices enroll, change category, or fall out of compliance. Closes one of the most-requested gaps when moving from ConfigMgr to Intune.
Pricing
App Store for Intune is sold as an annual subscription sized to your environment. Contact us for a quote.
Azure architecture
Azure App Service
Linux App Service Plan hosting the .NET 8 API and React SPA. B2 tier for small deployments, S1+ for production.
Azure SQL Database
Application data, request history, approval records, and packaging cache. Auto-migrating schema on startup.
Azure Blob Storage
Queue-based packaging pipeline, custom-upload staging, and PSADT template caching.
Azure Key Vault
Client secrets, connection strings, and API keys. Referenced directly from App Service configuration.
Application Insights
Monitoring, logging, performance tracking. Integrated with the .NET backend for full request tracing.
Microsoft Graph API
Entra ID authentication, Intune app deployment, group management, install status reporting.
Run App Store in your tenant
Start a free trial, or contact us for a pricing quote sized to your environment.