Automate Third-Party App Creation and Patching in SCCM - Webinar with Patch My PC

Captions
All right, we will go ahead and get started. So thanks, everyone, for joining. My name is Justin Chalfant, I am the founder here at Patch My PC, and in this webinar what we're gonna do is just kind of review what our product looks like and how you can integrate third-party patching and automate application creation within SCCM. So it's gonna be pretty much walking through a demo, so we're not gonna bore you with PowerPoint or go over any sales pitches. It's really going to be just showing you how our product functions and how you can basically go from not having any third-party patching or application automation within SCCM to really having everything set up within about a 30-minute period. So with that said, we'll go ahead and just jump right into the demo.

So within our lab environment we have a pretty clean environment. We don't currently have any third-party patches within our All Software Updates node, like you can see here in SCCM, and we also don't have any type of third-party apps created. So we'll go through this process showing you how easy that can be from start to finish. So the first thing that I'm going to do is go ahead and set up our publishing service that you can use to publish third-party patches. Now, throughout this demo we are going to cover a lot of common questions that we get, but for now, if you have any questions, please use the chat window, and once we're kind of done with the live demo, if we didn't cover your question, we can go ahead and take any remaining questions from the chat, as well as probably unmute everyone so that we can get some questions in via voice as well.

So as far as installing our tool, the way that this would work is you would install this on your software update point within SCCM. So in this environment things are pretty simple: we only have a single site server, and we also have our software update point co-located on that site server. In the event that you had a remote site system running your software update point and WSUS
role, you would simply install this MSI on that remote site system. So here we go. As far as the tool itself, it's super lightweight, it's only about three meg, and really the core purpose of our publishing tool is to give full automation in the application creation and software update publishing process for third-party apps. Once you first get in the tool you kind of have a few options here. The first thing is that if you get a full trial, so if you come to our site and you request a full 30-day trial using the form here, you would get a unique ID for your environment that's going to give you access to every single product that we support within our products list. Now, if you don't want to submit any form or give us any details, we also have an option here where you can use trial mode: you can simply download the MSI, you don't need to submit any forms, but it is a subset of products just used for evaluation purposes. So kind of two different trial modes there that you can use.

As far as prerequisites go, the only real prereq that we have in order to publish third-party updates would be we need a WSUS signing certificate. Now, with Config Manager 1806 this process becomes much easier. We can simply come into our software update point and, under the new Third Party Updates tab, we can enable third-party updates and we can even let SCCM automatically create our WSUS signing cert. So what I need to do after enabling that option: we can simply come in to our All Software Updates, and if we trigger a synchronization, what we're gonna see is that if we look at the SCCM wsyncmgr log, it's gonna automatically generate that signing certificate for us. So that's going to create a self-signed cert using SCCM, and what's nice about this feature within SCCM is it's also going to deploy it to all your clients using the native SCCM client, so you don't have to worry about deploying any certs using GPOs or anything external. So it looks like SCCM synchronization completed, so if I reopen our publishing
service, we're gonna see that we now have the certificate that SCCM created for us. So we basically handled all the prereqs natively using SCCM. The other feature that's available since SCCM 1802 is under your client settings: you can also enable third-party updates directly within client settings, so that means that there's absolutely no GPOs that you have to configure in order to get your clients ready to install third-party patches. So from a prerequisite side that's pretty much everything that we would need to do. If you enabled the functionality within SCCM, you wouldn't have to worry about generating a cert from our tool or you wouldn't have to worry about using PKI-based certs. Now, if you did have PKI and you wanted to use that instead of letting SCCM generate a self-signed one, you can simply import your code signing cert directly within our publishing service UI here.

All right, so that's it for the prereqs. Now jumping in to where we really start doing the work: we have these two different tabs here, we have our update rules and our application rules. So these function very similar to the way that your software update point products work within your console. So for example, if you came into your software update point and looked at your products, you're gonna notice that you have a lot of different products from Microsoft, right? So you have things like Windows 10, Windows 7, Office, all the different Microsoft products that you can natively patch within SCCM. Now, for our tool we're gonna give you the same type of view, but we're simply using third-party updates here. So if we look at our supported products page, we do currently list all the products that we support today, so it's quite a large list; a jock will paste in this URL, in case you want to check it out, within the chat window here in GoToWebinar. So this is kind of all the products that we support today, and what's probably more important is we don't really focus on, like, you know, we support this number of products. What I really
focus on running the product is that if we don't have something that you have within your environment today, we're very open to having new requests. So we have our UserVoice page where you can come in here and see what our customers are requesting for new applications. You can also say, hey, what's some recent applications that they shipped, so you can see all these different products that we're shipping based on customer request. So if there's something that we don't support today, we're always open to adding new products that provide value for our customers. So you can simply come in here, you can add your new idea, and then we'll review all those apps that are coming in.

Now, there is quite a large list of different products within here, so you may say, hey, I'm not really sure, all of these products, which ones, you know, I may need within my environment. So we have this database scan feature. What we do here is we scan your existing SCCM database and we look at all the installed products within your environment. So if you go ahead and query that, what we'll do is we'll automatically show you, based on the products that we support today, how many of those are actually installed. So you can see things like the install count of all these different products that we support, and then from here you could simply choose whether you want to enable everything based on it being detected, or maybe you want to get more selective and only enable products based on them being on, like, a certain number of devices. What we can also do now is we can automatically enable new products. So let's say that we address one of those new products in our UserVoice based on customer feedback: you can automatically have scans be performed whenever we perform our automated synchronization, so that, let's say we add new products in the future, you wouldn't ever have to come back into our tool and enable any product. So let's just say we wanted to enable everything that was detected: we could simply select all and
then within a few seconds we have everything that is enabled within the environment. Now, one additional thing to note about this publishing service that we're working through is our intention of this is really to be a one-time setup. So we're gonna go enable our products, we're going to enable any future products based on scans, and realistically you shouldn't ever have to come back into this tool very often. Everything would be done from the SCCM console once you get everything configured the way that you want. This would simply automatically run based on the sync that we'll talk about and publish anything new that we detect.

Now, we do have some customizations that we can apply at the All Products level, so there's a few things that we can apply globally to any child products within this list. One option is you can choose whether you want to automatically close any third-party apps prior to an update being applied, so if you want to make sure that you don't have files in use, you would have the ability to automatically close any of those app processes prior to the update being installed. You can also choose whether you want to skip the update if it's in use, so maybe you don't want to auto close, you can simply skip it and it would attempt again during the next software update scan cycle on your SCCM client. We can also delete public desktop shortcuts, so for updates like Chrome that use an MSI, some of those may put a public desktop shortcut for all users; in that case we could automatically delete those if you don't want every user to have that shortcut on their desktop. Another helpful feature is that we can disable the self-updater of products that allow us to automate that using, like, a registry value or something similar. So if you want to make sure that Java updates aren't automatically going out whenever they want, you can kind of disable that directly within our update or application, so that you have full control over when those updates happen. And then the last option that we
can apply globally here, this one's quite helpful: what we do is we can enable logging for the vendors' installers. So things like, you know, MSIs, EXEs, any of these product installers that support a logging switch, we can automatically append that to the update install command line for you. So there's a few options here that can be helpful. By default we save all log files locally for any installation in the CCM Logs folder. We can also enable verbose logging if it's an MSI. We can prefix the log name with the computer name, so this can be quite helpful in this last scenario, where if we detect that an update failed or an application installation failed, meaning that it gave us a nonzero exit code, we can copy only failed logs to, like, a standard shared folder, like a UNC path. So if you wanted to kind of review any of the failed updates or app installers, you could look at an actual folder share that contains the logs for all the computers, instead of just getting something generic like a 1603 exit code like you would typically get from your SCCM feedback using monitoring. This would actually let you know, hey, at what point during the Google Chrome MSI install did this fail: was it unable to copy a file, was it getting denied for the registry, something like that, so you can actually understand and troubleshoot different issues that you could potentially have within your environment.

So that's the three options that we enabled at the global level, so if we come through any products, they're going to automatically have those three options configured. So for this demonstration we're going to enable Google Chrome 64-bit and then we're gonna enable Java Runtime. Now, once we get into the product level, we do have three additional options that you can apply at the individual product that are specific to a product. So the first thing that we can do here is we can add a custom pre or post installation script. So let's say in our scenario we're gonna add this for Google Chrome, and just go ahead and browse
out here. So what we're gonna do: we're gonna add a post-update script that would apply anytime a Chrome update is applied, or anytime an application is applied for Chrome created from our solution, and it's essentially just going to set the home page. So it's gonna make the home page for all users patchmypc.com, and you can just see it's a pretty basic script that's just configuring some registry values. So whenever we're doing pre or post script, you can really be as flexible as you want, since you have full control over what type of script files you use. It could be PowerShell, VBScript, batch files; you can even run an EXE or MSI as a pre or post action. If you really wanted to get custom here, you can also include additional files and folders, so if you're using something like PSAppDeployToolkit and you want to give a little bit more of a custom experience within the update or application install, you can get as flexible as you want here. But in our case I'm just gonna set the post-update script to set the homepage, so that means that anytime a Chrome update is applied, even for future updates that we publish, it's going to automatically include any custom pre or post scripts that you've defined here. Optionally, you can also modify the command line, so if you want to append an additional command line argument, maybe something like a product key if you're doing a paid product, or any type of custom switches that could be applicable to your environment, you can add that here. And if it's an MSI-based product installer, you can also add an MST transform within the product as well.

All right, so the only other one that we'll enable here for our update publishing is going to be Java 8 32-bit. Now, this one is a little bit different in the fact that we also automatically define a pre-update script for you within Java. Now, Java is the only product that we currently do this to today, and essentially what we're doing here, since JRE doesn't remove older runtimes by default in their installer, we
essentially opt in by default to a script that we run to clean up any current versions of Java 8 runtime 32-bit, in this scenario, since that's the product we're looking at, so that you're only left with the latest runtime of Java, to make sure that you don't have older versions also installed with the latest. So that's something we do by default; if you wanted to keep those, you can opt out of any of these scripts. But we can also see, of course, the disable updates and the logging option was automatically enabled, because we applied it at the All Products level.

Okay, so that's the two products that we're gonna enable for software update publishing. What that means is it's going to become an update within SCCM just like any other software update that we look at here; we're gonna see these third-party updates sync up in a second. Now, the difference between the updates and the applications is that updates can only be used to apply patches to existing installations of products. So for example, you could only deploy the update if you had an older version of Chrome installed. Now, when we were working with our customers and taking feedback, this only addressed one of the problems, because the customers would still have to go out, they would have to package Chrome, they would have to then keep that application install up-to-date, you know, assuming that you didn't want to deploy old versions of Chrome and then have to wait for the software update scan cycles to apply before the update would be applied. So what we've recently introduced is the ability to also create applications for you within Configuration Manager as well.

So there's a few things that I want to show here. So I'm going to go ahead and enable the 7-Zip 64-bit EXE. Now, within the applications we do have two additional options that are specific to applications within SCCM. So for example, we can set the min and the max runtime, so if you wanted to make it a little bit different than the default of 120 and 5, you can set that, and we can
also include the deployment type install behavior feature within SCCM as well. So what that will do, it will add the process EXE names for any of these products into the install behavior tab with your deployment type, so that you could notify users if they had to close out of any apps during an application update install that could be interactive. So you could actually say, hey, this needs to update, or this process needs to be closed in order for this application to update. So in addition to that, of course, these applications, since they function just like any other app within SCCM, you can use this for base installation, so even if you don't have the product installed, you have the ability to install that product.

Now, for this example let me just go ahead and look at Chrome. Now, let's say that you went through the software update rules and you enabled a bunch of different products based on the scan feature, and you want to duplicate all the products that you enabled for software update publishing for application creation as well. We can simply click this copy icon, and we can even copy any custom pre or post scripts that you applied for the update publishing for these products automatically, and they'll also get copied over for app creation. So we automatically just enabled Chrome and Java within two clicks here, and we also have our custom post-update script that would be applied for an application install as well.

As far as the application options, it's pretty basic here. So you're gonna have to tell our service where your SMS provider is, as well as a root UNC path that you want to use to download all the application content. There's a few other options available, so for example, there's a few things that correspond to applications within SCCM, so do you want to allow the app to be installed from a task sequence, for example. By default we automatically update any previously created applications in place. So what that means is, let's say that our publishing tool ran today and you just enabled
application creation for Chrome. The version that was published today, let's say, was version 76, and let's say a week later Chrome comes out with an update. If you left the default behavior referred to automatically update the application content, what we would do is we would automatically update that previously created app, and we would also update the distribution points for you. So that means that you would always have the latest version if you referenced that application with a task sequence or a collection deployment, where you would always have the latest one going out; you wouldn't have to worry about manually reassociating a new app. Now, if you did want to have more control over that, you certainly could change to the bottom drop box here, where you could say, I want to create a new application whenever there's a new update available, so that would give you full control over when you wanted to deploy that out, for example. And then lastly, we can also automatically distribute any newly created applications to any distribution point groups within your environment as well. So in our case we have it just going out to all our distribution point groups, and that's basically how we have our settings configured for our apps. So I'm gonna go ahead and apply this.

So essentially what we have: we have Google Chrome and Java enabled for software updates, and then we have Google and Java and 7-Zip enabled for application creation. Now I'm gonna go ahead and jump over to our sync schedule, and I'm gonna go ahead and trigger our first synchronization just to get this process started in the background, so that we can start downloading these apps, so it can be running as we go through the next few tabs. But the way the sync schedule works is, by default our publishing tool is going to go out, download our latest catalog every day at 7 p.m.
So from our perspective, if we look at our RSS feed, you can see kind of a history of some recent catalog updates that we've performed. So usually on average we're doing about 3 to 4 catalog updates a week. We generally get updates out the same day that vendors released them. So for example, if we look at our history for September 2019, we can see that we had a total of 157 third-party updates released that month; 38 of those were security updates and 30 of those had CVE IDs, and we also added eight new products based on customer feedback, that we can see here at the top. Within each catalog newsletter, which you could either subscribe to an RSS feed like I'm showing you here, or you can get an email newsletter whenever we release an update, we include details like release notes for that product, right? So we can see that here's Firefox 69 that was released; we can see that it was a security update and had quite a few vulnerabilities that were fixed. And we do also scan every single binary that we released an update for through VirusTotal, so before we would ever have a patch that made it out to our catalog, it would get scanned through VirusTotal to make sure that there's no malware, bloatware, etc. for that product's installer.

Now, jumping back to the sync: so you can basically set this however you want. So if you wanted to always stay up-to-date, the daily option's probably good, because we generally have an update for our catalog almost daily. If you wanted to only get new third-party updates showing up in SCCM on, like, a monthly cadence, maybe you want to correspond to Patch Tuesday, that's perfectly fine too. So you would simply have a sync that would run every month and it would publish anything that we've done within that last month, for example. So it just depends on how often you want to stay up to date. And we also have this option where, if we detect that we published any new third-party updates to WSUS from our tool, we can also automatically sync your software update point within SCCM, so you
don't have to wait for your next scheduled sync cycle in order to see any of the new third-party updates in your console. So optionally, if you wanted to see those updates right away, you could check that box as well.

All right, now as far as notification: so in addition to kind of the global notifications that you can view in our RSS or email, we also have notifications you can enable directly from our publishing tool. So the difference here is that this will only email you when there's actually been a new product that's been published into your environment, so this would only be for products that you enabled. So anytime something new is published as either an update or an application, you would automatically get notified. Now, there is one thing I think that I forgot that's pretty popular over in the apps: we do have the ability to automatically move any applications that are created by our tool into a subfolder within the applications node. So in my case I didn't check this before the sync, but if you wanted to, like, say, hey, I want all Patch My PC apps to go into the subfolder, you would have the ability to set that. Now, since it looks like the synchronization has already completed, we of course just have them in the root level, because I didn't enable that to auto move.

And that's pretty much it as far as the publishing tool goes. So at this point essentially things would just run in the background. The only time that you may have to come back in here is if you wanted to change any of the custom right-click options on any of the products, so maybe you wanted to change a pre or post script. Outside of that, everything is really going to be fully automated, and the only thing that you would do is be performing your work for a software update deployment and application deployment directly in the SCCM console. So if we jump over and look at the email that we should have just got, here we go. So we just got our email from our publishing tool; this will show us any new updates and apps that
had been published. So for example, we can see that we had Google Chrome and Java published as a new software update, and then we have 7-Zip, Chrome and Java that was created as an application. So for example, let's say that we've released a new version of Chrome or Java tomorrow: you would also get an email alert just letting you know, hey, there's this new update that was published. And this also includes a lot of helpful details. So the update title is clickable, so that's going to take you directly to the vendor release notes for that specific update that was published within that sync cycle. So we can see that this Chrome update, it was a security fix, had a lot of different CVE IDs with it, so that can be quite helpful. We also include things like the classification of the update, so was it security, was it an update, was it critical, and that's gonna automatically be populated in this email, as well as any severity level for the product. In addition to that, the CVEs are also clickable here. So for example, if we click the CVE for Java, we can see that we automatically take you out to the National Vulnerability Database, where you can get more details about that specific CVE ID for that product, for example.

What's also helpful about these: so if we jump back into our SCCM console, we should see that these updates are now showing up within our software updates node, because we did have the option to automatically sync the catalog within SCCM whenever we publish new updates. And what's pretty cool about those CVE IDs as well is you can also paste those directly into the All Software Updates node, and we do include all CVE IDs within the description field of any software update. So let's say, for example, you're trying to find your compliance on a specific CVE ID that your security team is tracking: we do include those in the description, so anytime you paste that in, if we find any type of match for that, you would automatically get those details for that specific update, where you could
go out and see data about that specific patch, for example. So for Java we can see that we have one device that has that software update as required, meaning that it's unpatched. So we can see Chrome here as well. And as far as deploying things, once we get over to the SCCM side, there's really no difference for deploying third-party updates versus Microsoft updates, right? So we can see that they all show up within the SCCM console just like any other update. We could also do any type of custom search criteria, so we could say, let's look at third-party updates released by Patch My PC as a vendor where it's a security update, for example. So at this point we can see we have our two updates we published. We could create our update group, if you create your update group manually each month, and then you could deploy that as usual.

Now, in our environment we can see that these two patches are already downloaded and deployed. Now, the only reason that that happened automatically is because we do have an ADR that was pre-configured to automatically deploy these patches. So just like you can use ADRs for Microsoft updates, we can see that we have the same type of capability here. So we're just saying, let's find any non-superseded updates that are critical, security or an update classification coming from Patch My PC. So if we preview that, we can see that we have our two third-party updates that we published showing up within the console here.

All right, now in addition to that, we also had three different deployments configured for that ADR as well. So we had a pilot deployment going to our IT group, we had a broader pilot going to a broader collection, and then we had our production, and we can see these are all staged out one day, three days and seven days out. So just like you choose your collections for how you want to deploy Microsoft patches, same type of concept here. So we've got our third-party pilot group. We also have the same, like, whether you want to show it in Software Center, do you want to
abide by maintenance windows or suppress restarts; all the same functionality from your console is going to be the same process you use. So when that ADR downloaded the content, it went into an existing deployment package, and that of course goes out to your existing distribution point, so you don't have to worry about standing up any additional server infrastructure when it comes to third-party patches, because everything goes through the same exact workflow. So that also created our software update group, and that got deployed to our client.

Now, with regards to the applications, if we jump over to the apps node, we can see that we also have those three applications that we auto created. So if we go ahead and look at those, we can see that we automatically populate a lot of common details like the app name, whether or not you wanted to show different items in Software Center, so things like icons, keywords, description, user docs, privacy URLs; all of that gets automatically populated so that you have a nice experience if you deploy these applications to users as available. Now, what I'm going to do here is I'm going to go ahead and deploy these three applications to the All Users collection as available. So I'm just going to use a PowerShell script; it's going to loop through those three apps and it's going to create an available deployment to the All Users collection. So if I go ahead and refresh, we can just see that that created the deployment and just automated that, so we didn't have to manually go through each app. So on the client side, once we jump over here in a few minutes, we'll see what Software Center looks like for these products. Now let me just switch my screen over.

Okay, so I just switched over to the client side; hopefully everyone's seeing that okay. So what we should see here is that we have Software Center open, and this device was part of our pilot collection that got targeted with our deadline one day from now for our software update. So we can see that if we didn't
deploy this in Software Center, because we allowed visibility in Software Center, it would automatically install on the deadline, which would be tomorrow. Now, on this device we can see we have a couple things going on here. So we have an outdated version of Google Chrome, so if we look at that, we can see that we have Chrome and then we have Java, and these are both outdated. So for Chrome we can see that we have version 75, and then for Java we have Java 8 update 161. So we can see that both of those updates that were applied using the ADR are showing up as available. Now, if I go ahead and now close out of Chrome and open that back up, we can see that there's nothing special here, so we just have the standard Google start page. So I'm going to go ahead and click on Chrome and we're going to install that.

Now, everything from the installation perspective is going to work just like any other software update through SCCM. So for example, all the existing client logs, like WUAHandler's going to show the updates installing. But in addition to that, if you remember, we also enabled vendor install logging, so we can see that we automatically created our subfolder and we now have the Google Chrome MSI verbose log directly within that log folder. And then of course, if the update failed, we also created that secondary, where it would copy any failed logs into that UNC path, so you could see it from a central location for any devices having issues. In our case we can see that it looks like Chrome updated with the exit code of 0. And then the last thing that we have is we do create one kind of standard log that we use for monitoring any third-party updates or application installs happening from Patch My PC. So we can see that, for example, this one shows the Google Chrome install running, so we can see the MSI, we can see any custom argument, so we have reboot equal suppress, and we can see that we also automatically appended the log location based on what we did in the right-click option. We can then see the
update completed; it gave us a good exit code. It then deleted the desktop shortcut based on that right-click option. We then configured two registry values to turn off the self-update feature of Chrome based on the right-click option. And then lastly, we can even see that if we execute any custom PowerShell scripts, based on any PowerShell scripts that you add as a pre or post action. So here's that script running that sets the home page, and we can see that the script completed with the exit code zero, and then the main install is now complete. So if we go back here, we can see that we no longer have that Google Chrome shortcut on the public desktop, and if we were to launch the Chrome application, we can see that we now have the home page set to patchmypc.com. If we look at our Chrome settings, we can also see that that was a system-level registry setting, so that the user could no longer change that, because we applied that globally for any Chrome user. So that looks good.

The only other thing we look at here for updates is Java. So this one's a little bit special. So we didn't disable Java updates, so when we initially deployed Java on this device, we just kept everything default using just the silent installation. So we can see that updates are set to check every Saturday at 1:00 a.m.
if we also open up regedit let's see if I can get here really quick so if we look at local machine software see I think there's a Java soft key see if we get that there we go and then the auto update look at that Java update policy so we can see that the enable Java update registry value is set to 1 so that's the default value so Java would self update on its own so what we're gonna do we're going to go ahead and click on that Java update and what we should see happen is if we open that up we're gonna see that the Java control panel app is going to automatically close because we enabled the option to auto close processes go so I think I missed that so I think the CM trace was full screen but we can see that we automatically close those Java processes we then ran the auto uninstall for old versions and now we're currently running the main Java installer so if we look back at our installation logs for vendors we can also see that we even have the install logging for Java's exe installer showing kind of verbose output of what Java's installer is actually doing what we're gonna see back in the Patch My PC log is once the update is complete we'll see that we automatically set the reg values for you to turn off the self update feature of Java so we can see it just completed then we set four different registry values to disable the self update so if we come back into our registry and if we refresh we can now see that enable Java update is set to zero and we also configure three additional values to just turn off notifications completely for any Java update so that was all based on the right-click option that we applied to turn off Java updates when we did all products um so at that point that looks good so we have our two updates so if we go ahead and refresh we can now see that we have chrome version 77 and then we have Java 8 update 221 and we'll of course jump over to the SCCM console in a little bit and show you how compliance reports back for these patches but jumping
over to the applications we can now see that we have all the apps showing up as well so in my case if I look at add/remove programs we can see that we don't currently have 7-zip installed here so I'm gonna go ahead and kick that off this process to install the apps is gonna work just like any other application so here in a little bit we're gonna see that we get our AppEnforce log that is part of SCCM and we can see that it's running the app install just like any other application installation through SCCM so we can now see that the install completed so we should now have it as successful you can also see that you get your icon description URLs and all kinds of helpful details directly within software center for your users as well so if i go out and refresh add/remove programs we can see that we now have 7-zip and we can of course launch that just like any other app so that's how we can deploy it to a collection of course if you wanted to use any of these apps for task sequence deployments that would work the same exact way as you would be accustomed to for just adding an app within a task sequence alright so I think that that's just about everything I had on the client side of things let's just jump back over to the server for a minute ok there we go so yeah so once the updates start reporting back if we look at our all software updates we're going to of course see our compliance numbers directly within the console so we can see the chrome went up we can see that Java is now compliant and in addition to that you have the capability to use any of your existing SCCM reports so for example if you went back into your software updates and just I'm just looking at my SCCM software updates here you could run any of the native reports that are available under software update compliance um so a lot of these aren't very intuitive with regards to like graphical you know graph things like that it's very much you know table with charts type things for the native reports so we
do have some dashboards that you can install directly from the Advanced tab of our publishing service to give you a bit more graphical view about what your compliance looks like from Microsoft as well as third-party updates so there's a variety of different graphs in here now these initial graphs these are actually free of charge regardless of whether you're a customer or not these were originally done as a template from a Microsoft engineer and what we've done is we've taken them we've added a few new operating systems to support and then we've also created an installer that can automatically change all the URLs for any sub reports to match your environment so you don't have to go manually change every single sub report it would all be automatically created for you um so for example kind of at the front of this you see how many workstations and servers that you're managing within your environment it then breaks out software update compliance by month so you can see kind of the trailing compliance for workstations and servers for each month so in our lab we actually had our ADRs kick off so we actually look pretty good as far as compliance goes for both workstations and servers but let's say that we wanted to click into the month of October we can see that for servers we're 88% compliant you would see all the updates released that month and then you can see like which ones are required so we can see that one of our servers are missing a trim of update for Windows so if we were to click in there um some of these reports can get very specific and drill you into some of the native reports so we could find what are the different machines that actually need that one specific update for servers so from the dashboards you can get quite detailed with regards to whether you want to look at specific computers specific updates you can drill down pretty far with with these dashboards and that's just the first two graphs there's a variety of different graphs so overall
compliance by operating system you can see how many machines are missing a specific range of updates so we have five machines that are workstations missing between one and ten updates so that looks pretty good let's go back and then we break out compliance by operating system for the last six months so if you even want to get more specific than just workstations let's say we want to look at Windows 7 so we can see for the month of September we have two Windows 7 machines and only one of them are fully compliant with all patches so that's kind of the first dashboard that shows third-party updates as well as Microsoft we also have some dashboards that show only third-party patches there's a few where you can limit to specific software update groups as well as collections so you can get pretty detailed on what you want to look at now what's nice about the patches that we publish is they report back compliance just like any other Microsoft Update so if you're using any of your own reports you've created or if you're using any of the free ones available so for example this one is a free Power BI report available from Microsoft and what we're kind of interested in mostly is the update compliance piece of this so we can see just the general overview of our update health within this chart now if we want to get more details about that we can click over to update compliance and we can see that we get a nice graphical view within this Power BI report about how we're doing with regards to software updates within our environment in whole so in addition to all these Microsoft patches that we can see we see we have some cumulative updates we have a bunch of different third-party patches so you're gonna see all our updates in addition to Microsoft and let's say that you only wanted to look at critical patches so just like anything else in Power BI it's pretty simple you just kind of click a graph and we can see that if we limit by that we're missing a Firefox update
and Java update that have a critical severity level and that's pretty much it there but any reports that you're using today should work perfectly fine for looking at your third-party compliance as well as Microsoft all right but with that said that's most of the technical piece of the the demo I'll quickly cover some of the pricing aspects so we have a few different subscription options the two that we find most people are using is either our enterprise or Enterprise Plus so it's either two dollars per device a year if you just want an enterprise that's going to support full automation but that only supports software updates if you want to add the automatic application management in as well that would be enterprise plus within the pricing charts on our main website you can get a nice comparison chart between all the different subscription levels and we can see that as far as Enterprise Plus and enterprise go the big piece there is that Enterprise Plus supports automatically creating apps and updating them within SCCM um I guess the only other thing we look at before we open up the questions just because we still have a decent amount of time is let's see if we can simulate a catalog update just to show you how it would look like to have chrome automatically updated in place using the application let's just come back here for a second I'm just gonna temporarily disable all the updates and I'm gonna switch over to a new subscription URL so what we essentially did when we initially created this is we're using an outdated catalog just so that we could simulate products being updated in the event that that we wanted to see an in-place update so if we jump back over to our applications we can see that we currently had google chrome 77 and it ended in version 75 so what we'll do let's go ahead and run a synchronization just to see if we can simulate just to show you what that would look like in place so we can now see that detected there is a chrome update so we went ahead
and downloaded the latest version of Chrome we can see that that ended in dot 120 for the build number and so if we look at that we can see that it just downloaded and we can see that we automatically updated the application so if we come back to our email really quick let's see if we got a notification about that there we go so we can see that we got this notification saying that we had an existing application that was updated to a new version so if we come back to our console when we click refresh here we're going to see that we automatically updated that application in place and we also automatically triggered an update of the distribution point so that any new devices that are getting that application installed would essentially be getting the latest one from the initial deployment here but with that said I think that's really all I had for the demo so the product is pretty simple to set up we can see that we've pretty much got everything going within about a 45 minute time window so with that said I'll kind of jump over to the chat we'll see if we can get any questions so if you have any questions please you know just start typing them in the chat window and we'll take any any questions that we get now and any other discussions that you guys want to hear all right so I just saw a question come in is there a yearly maintenance fee no there's not so essentially what we do with pricing if we kind of look back over here come back to FAQs so we have simply a subscription cost so it's either one two or three dollars per year we don't have any maintenance fees or any large upfront acquisition fees the way that we kind of run things we just give you a straight up front price we don't want to charge you big fees for the initial acquisition just because we think that you know if we have a product and it's not meeting your needs I don't want you to feel like you you know you guys are tied in for a long time with our subscription so there's no yearly maintenance fees
it's simply a subscription fee each year and then if you don't like it you you know you're not tying into a big fee that you had I've also ok so I found the question window it looks like we have quite a few things to talk about here so let me just kind of pull that over and we'll see what we've got ok so I see one in here saying that they used Ivanti for patching what are the benefits um so just kind of a quick question on that so with regards to competitors so just to be straight forward with that to be honest we don't really compare ourselves or try to maintain a comparison between from an engineering side and product perspective in general I don't think it's a good idea to really be basing what we do based on competitors we essentially get all our feedback based on customers so from a feature perspective I really don't know how we compare but hopefully with this demo you guys kind of see what we do I'm not sure if Ivanti can create applications I know I talked to a few of their support staff at MMS I don't think within the May time frame I think they only did updates so that might be something maybe they've added that I'm not sure but hopefully through this demo you you kind of have an understanding of kind of kind of the differences so if you used Ivanti and you kind of saw what we did I suspect that you know that should have you know good comparison for what we showed in the demo today okay so it looks like we had a question about where to find the Power BI report let me just pull up that link and I'll link you to the Microsoft site where you guys can download that dashboard second so I'm about to paste the link into the questions for the Power BI dashboard so if you check the main chat window you should see the download for Power BI okay so we have a question about a CAS so if you're in a CAS environment the publishing service would need to be installed at the software update point at the CAS level so that's going to make sure that when you publish the
third-party updates that they replicate down to all your child software updates within any child primary site so if you have a CAS you would want to install it at the CAS level we also got one about our dashboard so if you wanted to install our dashboards that I said were free you could simply download the publishing service MSI from our download page and within the Advanced tab there's going to be an option here to install the SSRS reporting dashboards you would simply type in your reporting services server name and then whatever the folder name is so it's usually ConfigMgr underscore and then your three-character site code and then you would click start report install we would automatically change all the links to your environment and then they would automatically upload into your reporting instance within SCCM so that's how you can install our reports if you also just use a search engine and click free dashboards Patch My PC that should also take you out to the free dashboard compliance page where you can download the MSI and there's also a video describing the setup as well as what each individual reporting dashboard gives you with regards to compliance okay so we had a question about when you're using pre and post scripts about security for like if you have products blocking it so we do allow the scripts so by default we do automatically code sign any PowerShell script that we use for any detection method and it's also pretty easy to code sign those any custom pre or post ones using the same signing certificate so if you're able to like allow script to run based on a certificate that's signed them that should be pretty easy to you know exclude them from any security products that you have for that ok same type of comparison question with Flexera so back on the FAQ page I think that's really probably the best answer there is we really don't have a good comparison because we're not building based on competitors that would answer the Flexera one
as well do you cover 7-zip MSI yeah so we cover all those products 7-zip Firefox Chrome and we'll also include that supported products list you should see in the chat window you can also get there from our supported products page here as well so we can see all those products you can just do a quick search there it looks like we had a question about Intune so Intune is currently the most popular user voice request that we have it's something that we're looking into so we can see that we have the user voice here we've already noted it from an engineering side it's going to take some time to kind of evaluate what we can do with regards to Intune what APIs we have available through graph things like that so it's definitely something that we're looking at as far as that goes it looks like Joc already answered one of the questions about education pricing so if you go to our FAQ page you can check out any of the discounts that we offer so we do have discounts for education here as well so it's a standard 15% that we would give off up front for any education customers as far as supersedence for updates so we have one here so we automatically create supersedence so whenever a new update comes out we will automatically set the superseded relationship so there's no need for you to do anything manually so when the new update came out for example for Chrome any previous version would be superseded and then based on your software update point supersedence rules it would automatically set there okay so does your product require SCCM okay so good question so we do allow you to use standalone WSUS so if you're not licensed or don't have SCCM today we do have an option in the advanced menu to use standalone WSUS mode so that means that these third-party patches would automatically appear within the WSUS console and you could deploy those just like any other Microsoft Update within your environment do you cover in BAM so we don't cover in BAM today as a supported product that's
certainly something that we could look into so if if you wanted in BAM to be covered we could just you know submit a new request let me see if we have anything for him BAM today it doesn't look like it so if in BAM the client is something that you wanted to see updated you could just request that and that would be a product that we could certainly evaluate well MMS be at MMS or I'm sorry will Patch My PC be at MMS MOA 2020 yes yeah so we'll be a sponsor at MMS MOA we will also be at MMS Jazz in a few months as well in New Orleans options for piloting apps before they auto update yeah so as far as that goes you could use collections so if you have any apps that you want to kind of test in phases you could use any collection targeting to go from like smaller groups to medium groups to larger groups just like you could use any other kind of staging with collections for that as well are you going to support updates for carbon black I'm not familiar with that product as far as the client goes if you wanted to check anything that we're kind of working on probably the best way would be to just maybe search carbon black here let's see if we have anything today it doesn't look like we have any pending requests so if it's not in the ideas portal it's probably not something that we're currently looking at so if that's a product that you'd like to see added that would probably be a good one to kind of you know put a new request here so we would at least have it on our radar because any products that we add are based on customer feedback and that's really how we take feedback for new apps we're not gonna just add things based on you know just trying to increase a number it's always gonna be based on what our customers are asking for looks like we had something about a device true up so as far as true up goes we try to make things as easy for our customers as possible so with regards to client increases okay so within a subscription term we do allow you to let's say that you had
kind of normal growth we allow you to exceed your purchase count within a subscription term by up to 25% so we want to make sure that you know we're not doing these true ups just for small number of devices so we think that 25% almost covers all typical organization growth for devices within any subscription term so a true up would only be required like if you had more than 25% of your original numbers so if you purchased for a thousand you could essentially go within your term up to 1250 devices before you would even have to let us know so we try to reduce as much friction for our customers as possible and this is one of the areas where we added that for I'll also paste in this link as well into this FAQ page to answer that question for Pete so we had a question about app supersedence so the question was when a new application is updated will it automatically supersede any previous one so today we don't do that so it's either you could update the application in place meaning that we would update the existing app that we created or you can create a new application supersedence is something that we do have on a radar where we could just create a new app and then create a supersedence relationship but we just have to test some of the kind of the engineering sides of it like how many relationships could we realistically keep back what type of strain would that have on the SMS provider when we're trying to query multiple superseded apps so it's something that we're looking into we certainly would like to support the supersedence within the application model natively in SCCM so it's not something we do today but something that we definitely have on the radar so if an app requires a specific reg key to be applied will it also be applied that's that's hard to say so if the installer automatically creates that reg key it certainly would um if it's something that doesn't get created automatically or there's not a command line within the Installer that you could
add you would probably need to use a post update script for that scenario just to answer Corey's question okay so besides adding a script to a package is there an option to move the icon instead of deleting it so today we don't have any capability like that I'm not entirely sure the scenario like what type of folder would you want to move it to etc today it would only be delete if you wanted to move the icons on the all users desktop to a custom folder that's something that you would have to do via post update script if you gave us more details about what's this scenario why you would want to move it to a different folder or what folder you'd want maybe on the ideas portal we could certainly look at adding it if it's something that we think could provide value to our customers okay so we have one two three critical apps that would be crucial adding before purchase yeah so you could yeah so user voice would probably be the best place to submit that you can also email me so I'll answer that with my email address feel free to email me with the apps if you don't want to put in user voice I certainly could and we could definitely evaluate those apps as well will you be supporting OpenJDK so we do have quite a few of the OpenJDKs already supported so we have Amazon's iteration we also have the AdoptOpenJDK iteration I'm not sure about OpenJDK by Azul Systems I don't think we currently have any requests for that today but if it's something you would like to see added putting it on the user voice would would definitely be the place where we could start evaluating to see you know how many customers would get value from that product etc let me just paste that in there okay so we have multiple SMS providers in the CAS hierarchy does that configuration items an array of providers good question so I today we only support one SMS provider I haven't really seen the need until we actually got that question but yeah I can definitely see the value where we could potentially
allow multiple and then in case we couldn't connect to one of your providers maybe we could you know try the secondary one or maybe we could even configure it to kind of switch back and forth to help offload provider load um so yeah that's that's an interesting question we don't support that today but that would be an excellent feedback item to submit I can definitely see the value in having multiple for the SMS provider for where we talk just working through a few more of these unanswered ones so how do you handle licensed products like Acrobat so as far as the Acrobat updates go the the actual patches come down as MSP updates so it would only be a patch to an existing product that you had installed so if we look back on the updates these would just be patches so for example we would take you from let's say Acrobat 19.x to 19.1 etc so there shouldn't be any issues with regards to Acrobat and patching now for some of the products that we support for licensed products so things like TeamViewer or something if you wanted to add that using our base installation you would just need to make sure that you either append the command line to like include like a product key parameter or you add some type of post action to activate it for you so yeah that's how licensed products would work for that does the application does the discovery of application requires some type of software inventory to be installed all right no so when the update scan for compliance is all based on the software update scan cycle so you don't need to worry about any type of software inventory for things like *.exe there's nothing additional that you would have to capture it would all be scanned on the fly with regards to the applicability and detection for apps and that also applies to our base applications we don't need any type of software updates okay so do I manually need to choose a different product on the sup so good question so as far as the software update point in WSUS we actually create
all our updates under single vendor product the reason that we do that is because WSUS has a limitation of only allowing up to 100 third-party products to be added to the catalog so in order to work around that we do on the backend have a single vendor product combination for our patches now as far as filtering and reporting we do have a KB article is actually pretty simple like if you did want to create like an ADR based on product we have a KB on how you could use title filters for every single product so if you wanted to include specific products or exclude specific products that's quite easy to do from an ADR so yeah we only have one product on the back end just so that we don't hit that limit and break things in WSUS essentially okay so if Adobe Acrobat DC versions you can check out which specific ones that we support over on the supported products page so if you go to Acrobat you will be able to see any sub products as well so we support all the current tracks like 2015 17 and 19 for that product okay so there's a question about if you have the latest version of Chrome installed why did it still show up in software Center on our client so the reason for that is because the application detection method did not run after the update applied it so that's why it was kind of still listed as available if I actually went and clicked on install on Chrome and software center under the app it would then show that it was installed so we don't currently support Adobe CC updates certainly something we can look into if we get feedback for that okay so someone just asked if I could show an example of filtering a product absolutely so let's say that we went into our ADR so it sounded like they did not want nodejs to auto deploy essentially what we could do here is if we look at the ADR so right now we're saying let's approve everything from Patch My PC let's say that we didn't want to have Java auto deploy so we would just come into our ADR we would choose title and then
we would do exclude which is a dash so we would exclude any title that contains Java if we preview that we can now see that we only have Chrome so if you wanted to exclude nodejs you could go to our KB article that talks about how we can exclude based on title and you would probably just include something like nodejs for the title filter so that's how we could exclude that within the ADR as far as the SSRS reports they don't update automatically if we had a change you would simply go back into that report installer and you would just re-upload them yeah so if you only wanted to deploy LTS you could just include a filter for it must contain LTS or it must not contain as far as excluding a specific version of nodejs it would be the same type of filter that I used to do chrome as far as rollback goes so we do so software updates in general don't support rollback at all that's that's applicable for Microsoft updates as well but what's pretty cool since we now support applications if you ever wanted to rollback an app that we created you would probably have the latest version of that also created as an application so what you could do is we will automatically populate the uninstall method for any application so if you ever wanted to rollback you could simply deploy the latest version that's that broke something as an uninstall method for that and then you could install the previous one as well have you had any issues creating desktop icons and they failed when creating desktop icons and they failed no that doesn't sound familiar I'm not familiar with any issues with installers creating desktop icons that's not something that we've seen in our testing at least today oh yeah okay good question so is it possible to export the settings for update and application rules within that yeah so actually one of the recent builds that we had probably within the last few weeks within the publishing service there's a new option the advanced tab where you can export all the
settings that you've currently configured to an XML file so you could simply export that and then let's say that you have another environment with it with a separate server you can then import that you also have the ability to automatically create a backup on like a UNC path whenever anything changes so when do we decide to quit supporting a product generally it's after the vendor has stopped support for updating it usually within a couple years after that so for example within our supported products page we do have a specific item that covers any products that we no longer support so Yahoo Messenger we actually stopped supporting within the catalog altogether probably about six months ago so that one had been deprecated for quite some time but usually it's after about a year or two from products not being available so you can kind of see some of the past history based on this item here for when we start stop supporting different products okay so do we need to replace the application in a task sequence when it's updated it's really going to depend on what option you choose so if you keep the default option that it automatically updates the existing app in place you would not so it would automatically reference and use the same app ID you would only have to redo it if you choose the option to create a new app for each update okay so is it possible to setup a POC of your product absolutely so you can either do a trial download right so if we come back over here you could request the full trial and do a POC within your environment or if you wanted to get a live demo which would be quite similar to the webinar that we did today and you just want to add more people from your team on like a one on one you can come up here click request live demo up at the top and then we have an interactive calendar we can automatically schedule a live demo using Microsoft Teams Skype GoToMeeting Zoom whichever one makes sense for your environment you can then click on that event and then
you can choose whichever time frame that we have available based on your availability and it will automatically schedule a live demo for you that we can use for this Oh drivers yes the driver is a common question so we don't support drivers directly in our catalog so if you go under our FAQs we kind of talk about why that is so we don't support drivers directly through our service and the reason for that is because drivers are already available directly within the software updates feature for SCCM so if you wanted to subscribe to driver catalogs you could use the native functionality directly in the SCCM console and there are going to be some improvements for the in console publishing of like driver catalogs where you can also start filtering it so you don't have to publish the entire driver catalog and you can also have automation with full content publishing we expect that that's going to be out in config manager 1910 we've been working with the product group about four or five months on the additional filtering option available if you want to publish catalogs directly in the console so you can use that feature today and it's even going to get better in the next versions of config manager current branch automated patching of SQL or SharePoint so we don't support those products today we do support SQL Management Studio but if you have any like reporting services or main SQL runtimes like the SQL engine that's not a product we support but we could definitely look at that if you submit that to ideas we could look at adding that as a new app for SharePoint installers or or SQL yeah so will you be doing an in-depth driver catalog video um so we actually already have one so if you search the Patch My PC YouTube channel and then even let's just put drivers okay so there's a section here for let's come here let's go to our playlist so if you go to our SCCM guide playlist we have a bunch of different SCCM topics let me just send that for you so I think
it's video number thirteen that covers the driver catalogs so there we go so enabling third-party Update catalogs in SCCM that one should also cover some of the driver catalogs how you can enable those yeah so Azure DevOps so essentially any product that you're requesting if if it's oh we support some Azure like the CLI client essentially if it's not in the product supported list and it's not in so it looks like we do have a UserVoice for DevOps so we're currently reviewing that product so that's certainly something that it looks like we're already evaluating so if it's something that's already in UserVoice it's something that we look at every single item we get there and if it's not already there and it's something you want to want to see added that's where you could just submit a new request we would definitely check those out we will not be at MS or I'm sorry we won't be at MS Ignite so just answer that question we won't be there for that event okay I think that that's most of them oh we don't have any examples of PSAppDeployToolkit today so if you usually customers would already have like a template they would want to use in this scenario they're using that external firewalls good question so there is a list so so when we download update content it generally comes directly from the vendor so we do have a guide that covers the list of domains used so you would definitely want to check that out if you have a strict firewall within your environment to make sure that the domains used for full content downloads are available within the allowed list for your firewall so check out that KB article that would definitely have the requirements there as far as the permissions required for your ad our source folder basically the site server would need full control or modify at least for the NTFS and sharing permission oh good question so can you set a move app so the option to automatically move apps within the publishing service so this option here the question was can
you set that per application so today so we ship this feature probably about three or four weeks ago the question was could this be applied per application so we don't support it per application today but that is something that we definitely have on the radar we've already heard that feedback quite a bit so what we're going to be looking at at some point in the future to see if we could support it is basically a right-click option that says move and that would be available per application so yeah we definitely want to get more granular with allowing you to set specific applications to custom folders another thing that we may do there is we may allow like wildcards like for example will like if you wanted to move all apps to like vendor folder so to automatically add like vendor that might be something that we evaluate as well to see if we could have more hard in that okay so is it possible to retain administrator categories for apps after an in-place update I think we do reset categories when we do an in-place update to an existing app but that's something that we could evaluate to see like if we could not overwrite any of those settings so we'll take a look at that I don't think we retain them today but I could follow up if you send me an email so I just sent you my email address and that question I could follow up just to validate that but if it is overwritten we could certainly look at improving that for that as far as proxy authentication yes so we do support proxy auth so if you have to use a login you can simply configure that in the proxy tab of the publishing service yeah so if you want to ask for a new app I'll just paste this link here again so if we don't have an app today you can just use that ideas website that I just pasted it into that question could you show the deployment of apps using the local repo not entirely sure if I get the context of that but as far as like if you're looking at like the content path it would be something like this so we
would automatically create vendor folder you would see the update and then we will have a unique ID for each application and this is where the actual vendor content for installers would come into play as well as all the automation that we need for installing that application so where do you get icons description so today looks like there is a question about German based applications so if we have any products that are language specific we have a UserVoice for a language category so if you want to see specific products in other languages that's something that we're currently evaluating we hope to have additional languages for products that are language specific like Firefox most most products these days are multi-language as far as the installer goes but we are going to look at start adding support for other languages probably early 2020 so if you want to go upvote like languages for different products you can come here and you can upvote that and you can subscribe to get notified whenever we have the you know support for that new language as far as the URL that we use for apps that is visible in the supported products XML file that you can look at in the installation directory so if you wanted to see where we get the icons from you can look at it there so it's either Wikipedia open Commons or its directly from the vendor site so it's going to be one of those two locations so we support icons on probably about 90-95% of apps there's a few where we couldn't find any official apps from the vendor or a or in the common domain so in those scenarios there might be a small number of apps that don't have icons but the download URL for the PNG files are visible in the supported apps okay so that's just about all of them so if you have any other ones please get them in here in the next few minutes but if we don't get anything else here in the next few minutes we'll go ahead and end the webinar so for those of you that are still on thank you all for joining and we'll
just follow up with a few additional questions that we get in the next few minutes if we get any okay so for log saving so as far as the permissions needed for the log saving like for example if we looked at Chrome so if you have a secondary location for your logs like a UNC path the updates would be running under the system context of the device so if you were using a UNC path you would need to make sure that domain computers at least have modify rights in order to save the log files into a UNC path as far as the default path if it's saved locally of course the system account would have full control to any local folder so it wouldn't be required there but if you were using a UNC path you would need to make sure the computer account so potentially adding like domain computers when at least have modify permissions to be able to create files within that share okay excellent so it looks like we have run out of questions I want to thank everyone for joining and hopefully this was helpful
Info
Channel: Patch My PC
Views: 2,630
Keywords: SCCM Java, Third-Party Apps SCCM, Patch My PC Patching, Patch My PC Apps, Patch My PC in SCCM, SCCM patching for java, sccm webinar, 3rd-party update webinar, ConfigMgr 3rd-party apps, package java, package java sccm, application for chrome
Id: f-WsM_Xna2E
Length: 73min 11sec (4391 seconds)
Published: Tue Oct 15 2019