Robopatch
Robopatch automatically detects when an app vendor releases a new version, builds an updated package, and deploys it to your devices through configurable Deployment Waves.
How it works
- Create a Flow for an app (from Instant Apps or a custom upload)
- Add Deployment Waves — define which groups of devices receive the update and in what order
- Set thresholds — configure how many devices must receive and successfully install the update before moving to the next wave
- Robopack handles the rest — new versions are detected, packaged, and deployed automatically
Once a flow is created with Auto-update enabled, new versions are detected from the Winget repository and automatically deployed through your configured waves. Robopack checks for new versions continuously — once a new version appears in Winget, it is typically available through Robopack within approximately 30 minutes.
Deployment Waves
Waves let you stage rollouts so you can catch problems early before they affect your entire device estate.
Example setup:
| Wave | Group | Type | Threshold | Success rate |
|---|---|---|---|---|
| 1 | IT Test Computers | Required | 60% | 100% |
| 2 | All Devices | Available | — | — |
In this example, at least 60% of your IT test computers must receive the update, and 100% of those must install it successfully, before the update rolls out to all devices as an available install.
You can also add a delay between waves to give your team time to verify everything works.
Wave Time Limit
Set a time limit on waves to prevent them from getting stuck indefinitely. When the time limit is reached, the flow advances to the next wave automatically — even if the success threshold hasn't been met. If you want to wait until the flow has completed instead, use Delay after completion.
Exclusion groups
Deployment waves support exclusion assignments — you can add Entra ID groups containing devices or users that should be excluded from a particular wave's deployment.
Do not use the same Entra ID group in multiple waves of the same flow. This causes deployment errors.
Patch groups
Patch groups let you manage multiple app update flows together with shared settings and deployment waves. Instead of configuring each flow individually, you can:
- Group related flows (e.g. all Microsoft apps, all browser updates)
- Edit settings for the group and have them pushed to all associated flows
- Add both Instant Apps and custom uploaded apps to the same patch group
To add an app to a patch group, view the package and select Setup Robopatch Flow, then choose the patch group from the list.
If you change settings in a patch group, you need to Stop and Start each flow for the changes to take effect.
Manual proceed mode
For critical applications that need human approval before rolling out, you can set the Proceed Mode to Manual on any deployment wave. When enabled, Robopack will never advance to the next wave automatically — instead, you go to the deployment and click Skip to next wave to approve.
Flow options for new versions
When a new version becomes available while a deployment is in progress, you can configure how Robopack handles it:
| Option | Behaviour |
|---|---|
| Pause current version and start new one | Stops the current deployment and starts deploying the new version immediately |
| Wait for current version to complete | Finishes the current deployment before starting the new version |
| Run new version alongside current one | Deploys both versions simultaneously |
Supersedence
Supersedence is managed by the patch flow. When a new version is deployed:
- The old version is automatically superseded in Intune
- Robopack keeps a configurable number of previous versions (default: 3) before deleting them from Intune
- The "Last version" vs "All versions" setting controls how many old versions are superseded
Detection method options
| Setting | Behaviour |
|---|---|
| Equals (default) | Detects only the exact version deployed |
| Match newer versions (Greater than or equals to) | Detects any version equal to or newer than the deployed version. Prevents Intune from re-deploying when a newer version is already present |
After changing the detection method, click Sync app settings to push the change to Intune.
Syncing app settings
If you make changes to an application's Custom App Settings or flow configuration after a flow is already running, click Sync app settings in the deployment to update the content in Intune for all tenants in that deployment.
Additional Intune properties
When configuring a deployment flow, you can specify additional properties that are set in Intune:
- App name
- Publisher
- Developer
- Owner
- Comments
Uninstall via patch flow
To uninstall an application from all machines in a group:
- Add the group to a wave in the patch flow
- Set the Assignment type to Uninstall
The app will be removed from all devices in that group.
Autopilot support
Robopack supports updating apps marked as Required in an Intune Enrollment Status Page. When an app is superseded by Robopack to a newer version, any enrollment profiles where the app is set as required will be updated to the newer version automatically.
This feature requires the DeviceManagementServiceConfig.ReadWrite.All permission. You may need to re-grant permissions in Settings > Tenants.
Requirements
- Intune tenant connected with Admin Consent authorization
DeviceManagementApps.ReadWrite.Allpermission
If your tenant was connected using the user-based method, Robopatch will not be available. You'll need to reconnect with Admin Consent.
Related
- Tutorial: Automating App Updates
- Radar Tracking — combine with Robopatch to patch discovered software
- Troubleshooting: Robopatch Flows