Robopatch
Robopatch automatically detects when an app vendor releases a new version, builds an updated package, and deploys it to your devices through configurable Deployment Waves.
How it works
- Create a Flow for an app (from Instant Apps or a custom upload)
- Add Deployment Waves — define which groups of devices receive the update and in what order
- Set thresholds — configure how many devices must receive and successfully install the update before moving to the next wave
- Robopack handles the rest — new versions are detected, packaged, and deployed automatically
Deployment Waves
Waves let you stage rollouts so you can catch problems early before they affect your entire device estate.
Example setup:
| Wave | Group | Type | Threshold | Success rate |
|---|---|---|---|---|
| 1 | IT Test Computers | Required | 60% | 100% |
| 2 | All Devices | Available | — | — |
In this example, at least 60% of your IT test computers must receive the update, and 100% of those must install it successfully, before the update rolls out to all devices as an available install.
You can also add a delay between waves to give your team time to verify everything works.
Patch groups
Patch groups let you manage multiple app update flows together with shared settings and deployment waves. Instead of configuring each flow individually, you can:
- Group related flows (e.g. all Microsoft apps, all browser updates)
- Edit settings for the group and have them pushed to all associated flows
- Add both Instant Apps and custom uploaded apps to the same patch group
To add an app to a patch group, view the package and select Setup Robopatch Flow, then choose the patch group from the list.
Manual proceed mode
For critical applications that need human approval before rolling out, you can set the Proceed Mode to Manual on any deployment wave. When enabled, Robopack will never advance to the next wave automatically — instead, you go to the deployment and click Skip to next wave to approve.
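The gating rule described under Deployment Waves and Manual proceed mode, modelled as an added example (this is not Robopack's code, and all names in it are hypothetical). It assumes the threshold is measured as devices that received the update out of devices targeted, the success rate as successful installs out of devices that received it, and the delay as counted from the moment both were met.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Wave:
    name: str
    threshold_pct: Optional[float]  # share of targeted devices that must receive the update
    success_pct: Optional[float]    # share of receiving devices that must install successfully
    manual_proceed: bool = False    # Proceed Mode set to Manual
    delay_hours: float = 0.0        # delay before the next wave starts (assumed semantics)


def gate(wave: Wave, targeted: int, received: int, succeeded: int,
         hours_since_met: float = 0.0, approved: bool = False) -> Tuple[bool, str]:
    """Decide whether the rollout may move past `wave`; returns (advance, reason)."""
    if wave.threshold_pct is None or wave.success_pct is None:
        return False, "no_gate_configured"      # e.g. the last wave in the table
    if targeted <= 0 or received <= 0:
        return False, "no_devices_reported"     # avoid passing a gate on empty data
    if not 0 <= succeeded <= received <= targeted:
        return False, "inconsistent_counts"     # reporting error, never advance on it
    # Cross-multiply instead of dividing so the boundary case (exactly 60%) passes.
    if received * 100 < wave.threshold_pct * targeted:
        return False, "below_threshold"
    if succeeded * 100 < wave.success_pct * received:
        return False, "below_success_rate"
    if wave.manual_proceed and not approved:
        return False, "awaiting_manual_approval"
    if hours_since_met < wave.delay_hours:
        return False, "awaiting_delay"
    return True, "advance"


if __name__ == "__main__":
    # Wave 1 from the example table: 60% threshold, 100% success rate.
    wave1 = Wave("IT Test Computers", threshold_pct=60, success_pct=100)
    # Constructed sample counts: (targeted, received, succeeded)
    for counts in [(10, 5, 5), (10, 6, 6), (10, 7, 6)]:
        print(counts, gate(wave1, *counts))
```

Note that a single failed install among the devices that received the update holds the wave when the success rate is set to 100%.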
Additional Intune properties
When configuring a deployment flow, you can specify additional properties that are set in Intune:
- App name
- Publisher
- Developer
- Owner
- Comments
Excluded group assignments
Deployment waves support exclusion assignments — you can add Entra ID groups containing devices or users that should be excluded from a particular wave's deployment.
Flow settings
| Setting | Description |
|---|---|
| Flow name | Defaults to the app name (can be renamed to distinguish multiple flows for the same app) |
| Platform | The installer framework (e.g. Nullsoft, WixBurn, MSI) |
| Architecture | x64 or x86 |
| Scope | Machine or User scope |
| Script template | The PSADT template to use |
Sync app settings
If you make changes to an application's Custom App Settings after a flow is already running, you can click Sync app settings in the deployment to update the content in Intune for all tenants in that deployment.
Autopilot support
Robopack supports updating apps marked as Required in an Intune Enrollment Status Page. When an app is superseded by Robopack to a newer version, any enrollment profiles where the app is set as required will be updated to the newer version automatically.
This feature requires the DeviceManagementServiceConfig.ReadWrite.All permission. You may need to re-grant permissions in Settings > Tenants.
Requirements
- Intune tenant connected with Admin Consent authorization
- DeviceManagementApps.ReadWrite.All permission
If your tenant was connected using the user-based method, Robopatch will not be available. You'll need to reconnect with Admin Consent.
Related
- Tutorial: Automating App Updates
- Radar Tracking — combine with Robopatch to patch discovered software