← Back to blog
Cloud & Infrastructure

Intune Enterprise Application Management: third-party apps automatically up to date without manual supersedence

By Zarioh Digital Solutions7 min read
Share
Intune Enterprise Application Management: third-party apps automatically up to date without manual supersedence

Manually packaging and superseding every Chrome, Zoom, or 7-Zip update is one of the most time-consuming tasks in endpoint management. Enterprise Application Management in Intune addresses this with a managed catalogue and automatic updates, included in Microsoft 365 E5 from 1 July 2026.

Ask the average IT team how much time goes into keeping application updates current on managed Windows devices each month and the answer is sobering. Chrome ships a new version every few weeks. Zoom follows. 7-Zip, VLC, Adobe Acrobat Reader, Notepad++, Slack — the list grows with every additional piece of software the organisation uses. Until recently, each of those updates required the same ritual: download the new package, repackage it in Intune, configure a supersedence relationship, test it, deploy it. That is no longer management — that is an attrition war.

Enterprise Application Management, abbreviated EAM, is the answer Microsoft has built into Intune. The feature reached general availability in June 2026 and has been included in Microsoft 365 E5 subscriptions from 1 July. For IT teams running E5 who have not yet acted on EAM, this is the moment.

What is Enterprise Application Management?

Enterprise Application Management is a managed application catalogue built directly into the Intune admin console. Microsoft makes pre-packaged, tested, and signed installation packages available for popular business applications. IT administrators do not need to build those packages themselves: they select an app from the catalogue, configure an assignment, and Intune handles installation on the target devices.

The difference from a regular Win32 app in Intune is fundamental. With a Win32 app, the administrator builds the installation package, tests it in a pilot ring, and manages every new version as a separate app object with its own supersedence configuration. With EAM, Microsoft manages the package. The catalogue app is always the latest stable version and the administrator never needs to create a new object for an update.

How do automatic updates work?

The core of EAM is the auto-update capability that became generally available in June 2026. When an administrator assigns an EAM catalogue app as a Required assignment and enables auto-update, Intune automatically detects when a newer version appears in the catalogue. Without any manual action from the administrator, the new version is deployed to the target devices.

Technically this runs through the Intune Management Extension on the Windows device. It periodically compares the installed version against the most recent version in the cloud catalogue. As soon as a newer version is available, a silent installation is scheduled. If the application is active on the device at that moment, the user receives a notification to save and restart the application, similar to how Windows Update handles deferred restarts.

The benefit for IT teams is concrete. An app sitting at version 4.1 that receives an update to 4.2 is upgraded without the administrator creating a new app object, configuring a supersedence relationship, or running through a new deployment ring. Incremental updates and major versions are both handled in the same way. No special treatment is needed per release type.

Which applications are in the catalogue?

The EAM catalogue contains popular business Windows applications for which Microsoft manages and tests the packages. The emphasis is on widely used software in organisations: web browsers, communication tools, PDF readers, compression utilities, development environments, and a growing number of third-party business applications.

The catalogue is not static. Microsoft regularly adds applications based on usage and demand from the market. IT administrators who cannot find a particular piece of software in the catalogue can submit a request through the feedback channel in the Intune admin console. The expectation is that the catalogue will continue to grow in the coming months, particularly now that EAM has become broadly available through the E5 bundle.

What are the limitations?

EAM is powerful but has a few concrete limitations that IT administrators need to understand well. The first concerns the assignment type. Auto-updates work exclusively for Required assignments. Apps assigned as Available in the Company Portal do not receive automatic updates. Users who have installed the app themselves via the Company Portal must wait until the administrator changes the assignment to Required or manually triggers the update.

The second limitation concerns macOS. For macOS devices, EAM currently does not provide an automatic update mechanism for PKG files. The catalogue supports .dmg installations on macOS, but the automatic version detection and update pipeline available for Windows does not yet exist for PKG. IT teams managing macOS devices through Intune remain dependent on a supplementary approach for a portion of their software.

The third limitation is catalogue scope. Despite its growth, the EAM catalogue does not contain all software in use in a typical organisation. Custom solutions, industry-specific software, or less common business tools are unlikely to be in the catalogue and still require the traditional Win32 approach with manual packaging and supersedence.

Compliance and security

EAM also offers an interesting integration with Intune compliance policies. If a critical security update is available for an EAM app and a device has not installed that update, the device can be marked as non-compliant. That activates the Conditional Access chain: access to company resources is restricted until the device is up to date.

This fundamentally changes the dynamic of app patching. In the traditional approach, an outdated third-party app is a risk that the IT administrator tracks but that users rarely feel the consequences of. With EAM and compliance integration, an outdated version of a critical application becomes directly noticeable to the user through the access restriction. That creates an automatic incentive to keep devices current, without the help desk needing to call.

How do you activate EAM in Intune?

Activating EAM runs through the Intune admin console at intune.microsoft.com. Navigate to Apps and select Windows apps. Via the Add button, select the type Enterprise App Catalog app. The catalogue opens with a search function where you can find the desired application.

After selecting the app, configure the properties: name, description, the target group via assignments, and most importantly, the auto-update toggle. That toggle sits in the app properties configuration and can be set per app. Then publish the app. Intune begins the deployment to the target devices at the next Intune management client check-in, typically within eight hours but for new devices almost immediately.

For organisations that are already deploying Win32 packages of the same applications, migrating to EAM is the recommended approach. Create an EAM version of the app, assign it to a pilot group, verify that installation runs correctly, and then scale. The Win32 version can coexist until the migration is fully completed.

Now included in Microsoft 365 E5

Until 1 July 2026, Enterprise Application Management was exclusively available as part of the Intune Suite add-on, a licence purchased on top of existing Microsoft 365 subscriptions. From 1 July 2026, EAM is included in Microsoft 365 E5 at no additional cost. Organisations on E5 that had not previously purchased the Intune Suite due to the additional licence costs can now activate EAM directly.

For organisations on Microsoft 365 E3 the picture is different. The E3 update includes Remote Help, Advanced Analytics, and Intune Plan 2, but EAM falls outside the E3 bundle. E3 customers who want EAM can purchase the Intune Suite as a standalone add-on or consider whether the move to E5 based on the full feature set is worthwhile.

The practical impact for E5 customers is immediate. There is no new procurement process to go through, no new licences to purchase. All that is needed is activation via the Intune admin console and configuring the desired apps in the catalogue. The licence check happens automatically based on the E5 subscription.

When does this make sense for your organisation?

EAM is most valuable for IT teams that currently spend significant time manually tracking application updates and who work in environments with a larger number of managed Windows devices. The threshold at which EAM justifies the investment in configuration time is fairly low: five or more managed Windows devices with regularly updated third-party software benefit immediately.

For organisations already on Microsoft 365 E5, the question is really not whether EAM makes sense, but when to start. The licence is there. The feature is available. Every month without EAM is a month where the IT department is doing more work than necessary. Want support activating Enterprise Application Management, building your app catalogue, or migrating existing Win32 packages to EAM? Contact Zarioh.

Z

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice. Follow us on LinkedIn

Related articles

← Back to all articles
Share