Patch My PC and Dune Desormeaux at CLESCUG on Third-Party and Microsoft Updates in SCCM

Reddit Comments

If you want to skip my third-party update session (Sponsored session) and go right to Dune's session about how the SCCM product group is looking to improve Microsoft patching in SCCM, you can skip ahead to 53:13 https://youtu.be/5ukqcJPomkE?t=3195. There's a lot of great details in Dune's session that goes into details about some upcoming improvements around various software updates in SCCM.

- Justin

👍︎︎ 11 👤︎︎ u/PatchMyPCTeam 📅︎︎ Jul 31 2019 🗫︎ replies

Just signed on with these guys to get a handle on shit our HD team is bad at maintaining. So far working flawlessly.

👍︎︎ 2 👤︎︎ u/Michichael 📅︎︎ Jul 31 2019 🗫︎ replies

Great video!! I hope to be able to watch this in its entirety soon!

👍︎︎ 2 👤︎︎ u/Nate2003 📅︎︎ Aug 01 2019 🗫︎ replies
Captions
All right, well, I'll go ahead and get started. So just a quick introduction on myself: my name is Justin Chalfant, I've run the team at Patch My PC. Our company does third-party patching and application management for SCCM, and this is really going to be a live demo. We're gonna walk through exactly what we do, how the setup works, how everything gets into SCCM, and how that deployment process works. First of all, I would like to thank Frank for having us out to his group. I used to work with Frank as a PFE at Microsoft for quite a while, so super excited to be here with you guys today.

So as far as the environment goes that we have the demo in, we're just running a ConfigMgr site. We're actually on 1907, latest tech preview build, but we'll be walking through what the setup looks like within this environment. So the only thing I'll kind of point out before we look is we don't have any third-party updates currently enabled, so we're gonna go kind of through that process, exactly what that will look like start to finish. So we only have a few Windows updates at the moment. And feel free to ask questions throughout the session. Usually we get a ton of questions as we're going throughout the demo, so feel free to ask that here as well as in the chat window; we'll be kind of monitoring that as well to address anything throughout.

Now as far as our installation for how we're going to start publishing updates and applications to SCCM, we just require a small installation. It's going to go in your top-level software update point. So within our environment it's pretty basic, just the standalone primary site, so we only have one site system with the software update point on that server, but you will only need to install the tool that's going to publish the updates on your software update point within SCCM. So I'm gonna go ahead and launch that. So it's just an MSI, only a few megabytes, so very lightweight for the actual utility that's going to be handling the creation of third-party applications
as well as updates that are actually pushing them into SCCM. So we'll just go through this, pretty standard, just everything default here, and then okay. All right, so this is the first part of the tool that you're going to get to. I'm just going to go ahead and activate it with one of our demo licenses. Now there's a few options: you can either activate a trial mode, so you don't need to fill out any type of information if you just want to enable the public trial, and that's going to give you access to a subset of products that you can use to validate publishing works and things like that. If you want a full access 30-day trial, on the same download site for the trial there's a form you can submit where you can get your own license ID, kind of like what we're seeing with this custom URL, and that will be valid for 30 days if you want to test all products, you know, and features within the tool.

Now as far as prerequisites go, the only real thing that we have is a certificate that needs to be added. So this is the WSUS signing certificate that's used to sign any third-party application or updates that gets published. This is how your clients can validate that any updates being pushed through the Windows Update Agent and SCCM and WSUS are coming from a trusted location. Now within ConfigMgr 1806 there's actually a feature within the software update point that allows you to enable this and create the certificate directly within SCCM, so it makes the process a little bit easier, where if you're on that build or newer you can just say I want SCCM to manage this and it will also automatically deploy the cert to clients. Now if you're not on that build yet, it's easy to generate it in our tool using self-signed, or if you want you can import a code signing cert from a PKI if you have that configured within your environment, if you want to go that route. So since we enabled this within ConfigMgr, that's why we're already all good to go as far as the prerequisites go with the cert check. So
once we have that configured, the next thing is choosing what third-party updates you want to publish into SCCM. So you can see that within our tool it's quite similar, right: if you go to your software update point it's the same type of tree view that you would get with any Microsoft products. So if you were to come into your SUP you can see, you know, Windows 10; same type of concept here where you can choose what products that you want to publish from our catalog. So jumping back here, there's a few ways that you can do this. You can either selectively kind of choose what you want to publish as an update within SCCM, or we also have this scan feature. So if I go ahead and click on scan, what we can do is enter in our SCCM database server name as well as the database name, and we can actually query against your SCCM environment. So this is going to look at the hardware inventory sent in from your clients, and we're going to aggregate, based on what clients have what products installed, how many of those that we support directly within our tool that you already have out within your environment. So for example we're gonna give you things like the installed count that we detected. You can even sort by these numbers if you want to see, of the products that we support, which ones you already have. From here you can select them all if you just said I want to enable everything that I already have, and then you can enable them. You can also export this list, so if you're just trying to validate these are the number of apps that I would get and benefit from directly with what Patch My PC supports today, you can export that to a CSV.

Just mute everyone here, just hear keyboard. Yep. I didn't mute myself, did I? You guys still hear me okay? I think we're good. All right, so jumping back over to that, what I'm gonna do is, we can see that if we just wanted to enable everything that we detected in the scan, you can simply enable all the products that are already out there within a couple clicks, so
it's super simple versus trying to pick and choose what you think you might have but you're not really sure, right? So that makes that process quite easy. Now for this demonstration I'm not going to go enable everything that's detected, because we have almost all products configured in this lab. We're gonna select a couple individual products here. Now before I go and enable some products, I do want to cover some of the customizations that we can apply to anything that we enable recursively. So for example, we can see I'm clicking the All Products level, so we can apply any of these settings recursively to any of the products that we enable later on.

So the first helpful option: if you wanted to, you can choose to automatically close any conflicting processes within the installation. So for example, let's say that you had an application that you knew may not update correctly if it's in use by the user, like Notepad++ is one of the applications that sometimes will fail to update if it's in use; you can choose to auto close that, or skip it if the process is in use. Next thing we can do, we can delete public desktop shortcuts. So for products like Chrome that leaves a public desktop shortcut for all users, we can automatically delete that after any update is applied if you don't want that to be on the public desktop. This one's quite helpful: we can turn off self updates. So if a product supports a common attribute like a reg value, or if it creates a scheduled task or service, something that we can automate turning off, we'll be able to support disabling self updates within those products.

And then the last option that we can apply globally is going to be logging. So this feature is pretty cool; I'll kind of explain what we're doing here. So let me just copy this path. So we can see that this secondary path that I'm about to add is just a UNC path, so this is going to be a location that you could kind of monitor. So what we do by default: we can enable installation logging for any update or
application that supports logging, so that would be all MSI-based products that have an MSI installer and any exe installers that support a log switch. We essentially are going to automatically add that within the update or app installation, and you can specify a common folder that you want to create that to. So this can be helpful in a scenario that a third-party update or application install fails: rather than getting our 1603 error that we probably see quite a bit get reported back to SCCM, you would actually be able to look at the installation log to see at what point during the vendor's install that process couldn't complete the update. So there's a few things here. So by default we're going to store the log path in the CCM logs folder, just within a subfolder that we create. But what's pretty cool about this: we can prefix the log with the computer name, and then what we can do is, if the update failed, we can optionally set a path that we want to copy any failed updates to. So obviously you wouldn't want to have every single update for every single install go to this network path, right, but this could be helpful if maybe you want to have any failures, so non-zero exit codes, get copied up where you can kind of troubleshoot them. In that scenario, as long as the domain computers have modify rights to whatever share you want to dump logs, that should be able to copy that to that secondary location. So there's actually something we added this past week which was requested at the last user group we were at last week, the Minnesota group, so pretty cool feature where we can copy only failed logs if you want.

Now what I'm going to do is actually jump to a product that we want to enable for update publishing. Now once we get into the individual product level, we do have some additional customizations that we can apply. So we can add a custom pre and post update script per product. So let's say that, for what we're going to look at here, it's going to be Google Chrome, so we're going to add a post update
script that uses a PowerShell script to set the homepage, so you could have like a standard configuration whenever Chrome gets updated or installed within here using a PowerShell script. So there's a few different formats that we support; let me go ahead and click on that. Was there a question, or no? So we're gonna add a post update script. Today we support PowerShell, VBScript, batch, and you can even add an exe or an MSI file as a pre or post action, so depending on like if you want to do like some dependencies, you can do some interesting things there.

Yeah, it's almost, probably about 95% of the time it's same-day. There's a few exceptions to that, so if there's a specific day where there's only like one update and it's not a security update, that may be a scenario where we push it to the following day, but it's almost always same day regardless of security or other types. But if there's only one or two updates that aren't security focused on a specific day, it's possible we might push that type of release to the following day.

So for this post action script, I'm just gonna go ahead and browse out, and we can just see we're just pointing to a PowerShell script, so pretty basic here, and it's just setting some reg values to set the home page as well as some different Chrome policies that we're configuring around password management and things like that. So if there ever was a scenario where you wanted to do something a little custom, maybe setting things like Java safe websites, things like that, you can have whatever flexibility that you want by automatically adding actions within your own scripts to the update process, right. And then the other two that I kind of mentioned were modify command lines: if you wanted to append additional command lines, maybe if it's a paid product you want to add something like a product key, something like that, you can do that. And then an MST transform you can apply if the product is an MSI-based installer. The second product that we'll enable for update
publishing is going to be Java 32-bit. We can see that we did also configure the disable updates and logging option that we did in the previous step. The only other thing I'll note about Java, this one's kind of particular: we do append a pre action script by default that's going to remove any old versions of Java as a pre action. So what this does is make sure that you're not left with multiple runtimes; you're only going to have the latest one whenever an update applies, and we'll handle removing those older versions for you throughout the update process. Cool. So that's pretty much what it looks like as far as enabling updates for publishing. So these are going to come into ConfigMgr as a software update, and these can be used to update outdated versions of existing applications that you've installed on your devices.

Now this only addressed one of the needs here. What we noticed from feedback from customers is: that's great, but I still have to manage the initial deployment, so I have to create applications, I then periodically will want to update those so I'm not deploying an old version before the update starts scanning, so it's kind of leaving you exposed to older versions for a while until that scan process for updates comes in. So what we've recently released is this feature that we call base installation. So in addition to the updates that we just enabled, you can also enable application creation within ConfigMgr as well. So as far as enabling this, it's pretty basic; we'll just enable that option and there's a few simple settings that we need here. So what you need to tell us is where your SMS Provider is, as well as the content source path, so that's gonna be where we automatically download any application content for any of the application products that you enable for publishing as well. There's a few additional options here that we can do, so like for example, do you want to allow the application to be installed in a task sequence; just some items that correspond to what
you'd probably be accustomed to when you're creating applications within SCCM. And one thing I'll mention here is by default, so this is a pretty big one, we do automatically update previously created applications in place from our tool. So that means, let's say for example you had Chrome version 74 created as an application and let's say 75 comes out in a few days: we'll automatically update the existing application in place, update your DPs, so for example if you are referencing that app in a task sequence or collection deployment, if you left the default behavior where we update it in place, you're always going to be deploying the latest version of that product and you don't even have to think about it in that scenario. Optionally, if you want to create a new one for each version, that's an option as well, depending on testing and things that you may have to do within your change process. And then the last option here, we can auto distribute to distribution point groups, so we can automatically put that out on your DPs and update them whenever a new version comes out. Cool, so that's all.

Yep, question? Yeah, good question. So the question was, can you configure per application whether you want to update it in place. So today that is not configurable per app, it's kind of a global setting, but I think that may already be in our UserVoice. So we have a UserVoice page and I want to say there's an item in here that is similar to that, where they want to be able to control settings per app. There we go, so it's already in our UserVoice, so it's something that we're reviewing now, to basically configure whether you want to auto update per app. So something we're gonna be thinking about as an option that we want to update.

As far as the applications we support, now that I'm here in the browser I'll quickly go over that. So we currently support about three hundred and some-odd updates across 190 unique third-party products. So this is all documented on our page here where you can go and
check out what we have. Now what's important here is that if we have a product that you use that we don't support today, you can go request new apps on that same UserVoice website, ideas.patchmypc.com, and if we take a quick look at the application requests, out of those 190 or so third-party products about 80% of those have actually come directly from customer feedback. So when we're evaluating new applications to add, it's solely based on customers that are actually requesting that specific app, and you can also do things like vote up other apps and kind of see what's going on within our UserVoice site, similar to the way that the Config Manager team does as well.

So the question was, what's the turnaround time. It really depends. We used to generally do it about two to three weeks, but just the scale that we're at now, it's gonna vary depending on like how complex is the installer. It would have to meet some prerequisites, like silent installs working under system context, but it could vary depending on like how many customers are voting it up. So maybe if there's a really popular one it could be a couple weeks; if there's one that's, you know, maybe only one request, maybe it's a little longer to kind of evaluate and get through that. But I would say we're not doing specific time frames now, just because the scale that we're at, it's a lot more than how we used to kind of handle new app requests, and that's why we had to bring it into UserVoice, you see kind of what clients want and searching for existing requests, things like that. So ideally I would say within a few weeks, but realistically with how many requests we're getting now it could be a little longer; it just depends on the product and complexity there for that. Yep, all right, cool.

So the applications: the view is going to be exactly the same as what products we just enabled for software update publishing. So what I'm going to do here is come in and enable 7-Zip, so that's
one that we did not enable as a software update. So let me just enable 7-Zip 64-bit. And what we can also do, so if we look at Chrome, we have this option where, let's say that you went through the update piece, you scanned your environment and you enabled a bunch of products that you wanted to publish as a software update, we can click this duplicate option over here on the right and that can automatically duplicate any products that you enabled for update publishing, as well as any of the right-click actions that you may have applied, for application creation as well. So we duplicated that; we can now see that Chrome was auto enabled as an application, and it also enabled all the right-click actions like disabling updates, the custom post action script that sets the home page, as well as the logging and shortcut options all got enabled for application creation as well. Okay, any questions up until this point? Did we get anything on that chat? Okay, awesome.

So that looks good as far as what we want to publish as a software update as well as what we want to auto create as an application within SCCM. The next thing I'm gonna jump over to is the sync schedule. So I'm just going to go ahead and start the initial synchronization, which is going to get products downloading in the background and starting to publish. So this will probably take about three minutes or so to go through, and while we're waiting on that let me just kind of review the sync schedule. This is going to be how often our publishing service is going to reach out, download the latest catalog from our service, and determine, based on the products you enabled for update or app creation, whether there's been any new updates on our side. If there are, it will auto publish the new update and then supersede any previous versions of those updates or applications. So by default it's every night at 7 p.m.
Kind of touching in on that question about how often we update: if I jump over here and look at our RSS feed, so we do post each release out to an RSS feed. So for example we can see we had a catalog update yesterday. This one was actually pretty massive, I think; I mean, take a look. So within here we're going to show all of the products that were released in a specific day's update. If it's a security update we're also going to include things like CVE IDs, right, so you can quickly see things like that. You can even click directly out to the vendor release notes, so if I go ahead and open that up we can see this was one of the AdoptOpenJDK products that we support. Come back over here, and yesterday I think there were probably about 20 or so updates, so we can see we had some updates for iTunes and iCloud; they were also security related. So just a long list of products that kind of got updated here.

Now we do also scan every single installer through VirusTotal. So before any update or application would ever get published to our customers, we would be scanning that installer binary through VirusTotal and including those results and the hashes out within our release RSS feed or email newsletter, just to kind of make sure that we do due diligence on the installer to test against different things. This includes about 64 different AV engines that basically scan the binaries before any update would get released. So that's kind of the global notification, so you can either subscribe to that RSS feed or you can subscribe to the newsletter if you want to get an email version of that exact same data, right, so you can do either of those options.

Now in addition to that kind of global notification that you would get for any products that we support, so like all three hundred and some-odd updates, whenever we do an update all of those will be included there. Now if you don't want to get all that data, maybe you only care about the updates that you've actually enabled for publishing within your site,
you can enable email notifications directly within our publishing tool here as well, and this would only notify you when there's actually been a third-party update or application for a product that you've enabled that gets updated or published within your site. So you can also configure it here, or you can even do both depending on, you know, how you want to stay up to date with new products coming out, right. So that's pretty good on the publishing tool, I think. So it looks like we just completed our publishing, so let me take a quick look here. Back over here, so we can see that we just got email that we have new Chrome updates configured, so that looks good.

Now Java, this one is a little bit different. So Java is a licensed product now, and we can now handle licensed products. Basically the way that it works is that if there's an update like Java where you require a portal within there to download that content, we can still support that; the only difference is that you would have to kind of pre-download it into the content folder that you define for licensed products within here. So pretty cool. But what we can see is that when updates get published, within the email directly from our tool you can see things like vendor release notes for example, right. So we can see the release notes here, you just scroll that down. We also include things like classification levels, so we can see that this Chrome update was security-related, it also had a critical severity level, and it also had some CVE IDs here as well. These are also clickable and it will go out to the National Vulnerability Database where you can get details about that specific fix.

Now for Java, looks like I didn't have things quite ready to go here. Let me just see if I can copy something here just to get that to publish; if not we'll just work with Chrome, not a big deal. Let me just get this working really fast. So what happened is when Java released update 221, I think this was earlier this week, I just
didn't copy that, just to kind of demo what that looks like. So if I come and look at where I actually have my offline content folder in the J drive, let me just see if I can get that running. And Java is the only product that requires a local content publishing. Let me just copy that in here. So now we have the latest two versions that it said it couldn't find. So even though it is licensed, you can still certainly patch Java; just every quarter when a new update comes out you would just get an email like this letting you know, hey, this is a licensed product, you would want to download this, and then the next time we run a sync, let me see if I can get that running, it would be able to use the local installer for JRE to publish that as an update and application. So we'll get that running. Any questions while we're waiting for that sync to occur, before we jump over to the SCCM side of things? Okay, I must be covering everything pretty thorough, awesome. There we go, so we can now see that we detected the Java update locally and now it's publishing just fine. And this is the only product that requires a manual download today, and that's just because of the licensing changes in April's update for JRE, where it's now paid for business. Did that affect anyone here, where they started to make that a paid product for corporations? Yeah, so what we did to kind of address some of that: there are some open source versions of JRE now, so we actually support quite a few of those today. So we support the AdoptOpenJDK iterations of Java as well as Amazon's open source version as well, so we found a lot of customers starting to move to some of the open source JRE platforms because of those licensing changes for Oracle, and we can patch and deploy those as well.

All right, so from the SCCM side of things, there was one option here that I'll call out: whenever a new third-party update gets published to WSUS, we also have this option where we can automatically trigger your SCCM software update point to
sync. So what that means is that we got this email saying, hey, Chrome and Java was just published, and it's gonna automatically sync your software update points so they start showing up within your ConfigMgr console right away. So I think that Java just completed, so if we go back to our email, of course we can see that we got this notification saying, hey, Java just published as well, because we had it in the local content. So we can of course go out to release notes, we can see the different CVE IDs corresponding to Java, and let me just copy this; I'll show you on the SCCM side of things and then search for some of this data. So if I come back to Config Manager, if you remember we only had a couple Microsoft updates when we initially looked, but now we have our third-party patches showing up within the console, because we auto sync that software update point right away, so they're showing up just right after they get published. So pretty quick as far as the sync time goes.

We can see of course all the same data, so your compliance statistics; this is going to show up just like any other Microsoft update, where you see how many machines require or are compliant with third-party patches. They also deploy the exact same way, where you can use either searches or ADRs to configure all your deployments of the updates. And we can even see, if I search for the CVE ID, it's going to show the update directly in the console as well. So we do include CVE IDs within the description of every update, so it's a searchable property directly within the console if you wanted to say, hey, there's this CVE ID my security team's looking at, let me see if I have any updates to show what's being affected and fixed within that specific version. So from here, yeah, just not really anything different. So we could say let's look at the vendor is Patch My PC, if you wanted to do searches to create your update groups, and you can come in here, create your groups and download them. Now in this environment we're using an ADR,
so if we come over here and look at our ADR, quick look here, we can see that there's not really any difference between how you would create the ADRs for Microsoft versus the server, showing non-superseded updates that are update or security where they're coming from Patch My PC. So this would essentially pick up only third-party patches, but you could even include our updates in your monthly ADRs for Microsoft as well. There's no technical reason why you couldn't, but we generally split third-party updates into an ADR and then maybe Microsoft into a different one, but you could use whatever method you're currently using today to deploy these updates. As far as the deployments go within our ADR, we've got a couple pilot groups, so same type of things where you can have multiple deployments. You're going to be using all your existing infrastructure and SCCM technology, like collections, deadlines, Software Center experience, or do you want to have users see the updates, as well as things like maintenance windows and restart behavior; everything's going to be using the exact same flow that you'll be using for any Microsoft updates. So when this ADR kicked off, it auto downloaded this into a deployment package that's going to of course go to all your existing distribution points, so you don't need any type of additional infrastructure or client agents; everything's going through Config Manager. So it created our update group and then also did those three deployments within that update group within our environment.

And then the only other thing we'll take a look at from the SCCM console side of things are the applications. So in addition to the third-party updates that get published into Config Manager as a software update that you could use to patch existing devices that are outdated, we also created those applications for you as well, so you could use this within your task sequences or collection deployments for actually deploying those apps and keeping those initial deployments
patched as well. So for example, we do fill out quite a bit of details within each application here for Software Center as well, so things like keywords, icons, description, things that are gonna make the end-user experience better if you're doing available deployment will be configured here within the application as well. And like I mentioned, these do also update automatically, so let's say Chrome 76 comes out, the default behavior is that we would update that existing app that we already created in place so that you'd always be getting the latest one if you had it referenced.

Question? Yep, it does, yeah, exactly. So let me go ahead and deploy these apps and I'll come back to that question. So the question was, what happens with the detection method whenever an app gets updated in place. So what we would essentially be doing, if we come in here and look at our detection method, we're using the PowerShell script for the detection methods of these apps; we would automatically update that so that the version of the application being detected would auto update. So if we look at this, that's kind of the main things that we're looking at. So it's kind of a mix: if it's an MSI-based application we would search for the product code as well as the version greater than or equal to. So if you're doing a required deployment, I don't know if that's kind of where this came from, you could potentially update existing products using the app model as well; just depends on what scenario you would prefer. But we would automatically update the detection method and the version that we're checking whenever a new app got created in place. Now the other option would be you could just have a new application for each version that comes out, and then you could handle associating or updating that as you need.

Yeah, question? Good question. So today we are not superseding, so the option would be, do you want to use the same app updated in place, update the detection method, or create a new one. Supersedence is
something that we we're gonna start trying to support so overall this app feature is relatively new so we released it within the last month that's one thing we may even have it on our ideas portal let me take a look but we do want to we do want to support supersedence we just need to test whether yeah so I think it's no that's not the one but we do want to look at just having a supersedence option where you we would create a new app but we would set the supersedence relationship things can get a little tricky with how many versions do we want to keep supersedence for how does that impact the provider in scenarios where you have a lot of apps created because there's a certain level where that can start becoming an issue so we just need to make sure that we test all the scenarios and get it done right when we do add it but that's kind of a thing that is on the radar to be able to use the default superseded and just create a new app and supersede any previous ones up to a certain amount basically yeah good question though [Music] anything from doesn't look like anything in the chat cool so jumping over to the client side of things if we go ahead and look over here this this device is part of our pilot collection so we can see that their deadline was set for one day from now but since we did show this in Software Center we can see that we are able to install that ahead of the deadline just like any other Microsoft Update that you would deploy like this so the only thing I'll note here that we do have some outdated version so we have a Chrome 67 and we have Java 8 update 161 so both of these are out of date if I go ahead and kick off my Chrome install the only thing I'll note here is that if we go ahead and open up Google Chrome we can see we don't have any type of custom homepage so just the standard Google Start page if you were to deploy the MSI so nothing going on there and if we take a look at the shortcut we can see it is in fact on the public desktop here as
well so what should happen when we install this we're gonna update Chrome we're gonna automatically remove the shortcut and then we're going to set the home page using the post action PowerShell script now if you remember we did also enable the verbose logging of the actual vendors installer so if we open up CCM logs where your client logs are we can see we created that sub folder that we defined and we've got the verbose log of Chrome now in the event that let's say Chrome failed on this device we got a bad exit code that's when it would copy it to that network share so you would say hey we see that this specific computer name with this device failed and you could actually see the log from Chrome's MSI because that's really where you're gonna get the most value in troubleshooting actual installation errors usually the exit code is pretty generic right so that's where that log can come and be quite helpful in addition to the vendors log any updates that you've enabled any custom actions on we will have kind of a standard generic log that shows a lot of basic details about what's happening so this will be in the root of CCM logs it does use a format compatible with CMTrace so just like any other SCCM log and this one's just called Patch My PC script runner and this is going to show any update and custom actions that are being applied based on the right-click options that you may have configured for that product so for example we can see that we enabled the action to kill Chrome in our case it wasn't running so we didn't actually terminate anything we can see any type of customizations like registry values that we're gonna configure for turning off updates for that product and we can also see the logging switch that's going to take place so here's where we actually executed the Chrome installer we can see that MSI returned exit code zero which is a good install after that we deleted that public desktop shortcut that we configured we then set two different registry
values for turning off the Chrome auto update check we can see all that within the log and then we ran the custom post action PowerShell script and it returned an exit code of zero for that script so that looks good and then we end the install so if you're ever kind of looking at anything that's ever been done through our product whether it's an app install or an update here's kind of a log file that you need a lot of helpful details from so if we jump back to Software Center we can see that Chrome is now installed the shortcut is now deleted if we go ahead and search for Chrome and launch that we can see the home page did get configured using the post action PowerShell script if we look at the settings this was also a system-level setting so the user wouldn't be able to come in here and actually change that so pretty cool you can basically so however flexible you need to get with those post action scripts you can do whatever you need so yeah that's Chrome so now if we refreshed that we can see Chrome went from version 67 to version 75 dot something so the next thing we'll look at is Java this one's actually kind of cool as well so if we take a quick look at the existing Java control panel we can see when we deployed this application initially we didn't turn off self updates right so we can see updates are set to check every week if we look at the Java update policy in the registry reg value we can also see enable updates is just set to one which would be that default behavior if you didn't specifically turn things off so what I'm going to do is go ahead and kick off the Java now we did enable the option to close conflicting apps for Java so what's gonna happen when I click install we're gonna see the Java control panel app on the left auto close if we look at the Patch My PC log we can see here's where we actually terminated those processes for JRE now we're running the auto uninstall script of previous versions and now we're updating the latest app here if we
go ahead and look at our logging folder we should also see the JRE verbose logging here as well so if we come back up here where we put the installer vendor logs we can see the actual Java installer taking place within that update install as well so copy that to the right there we go to Patch My PC on the left so once - there we go - Java just completed now we're going to turn off the self updates using four different reg values you can see all that happening in the log as well so if we come back into the registry and refresh we're gonna set enable updates to zero and then we also are going to configure three other values for turning off different notifications around JRE updates so that would happen just by right clicking and clicking that disable updates on that Java product within the tool so pretty helpful for basically trying to enable common things that customers are asking for to make it a simple action that we can perform for you all right so that's Java so if we were to come back into the Java control panel app we can see that the update tab is basically completely hidden because that's the way they handle within their control panel app so that looks good for that the only other thing we'll look at now if we go back to the application piece since we had that script deploy the apps to all users you can see you get a nice experience here you can see description keywords icons release notes just all the things that we populated within the application on the admin side for you so we don't currently have a 7-zip installed so let me come back over here and go ahead and kick that off and this is just the standard application that would get installed just like any other config man app so if we go ahead and open up our log it's going to be the same exact log that we use for updates as well so when this 7-zip install gets kicked off we can see that we're now executing the vendor's installer and you can see verbose logging there as well so it looks like that completed
and now we have 7-zip so if we come back into Add/Remove Programs do a quick refresh we can see that we've deployed 7-zip using an application that just basically automatically got created for you to help save you the packaging time as well as the update piece that we offer today cool so at this point we are pretty much good to go with those two updates as well as 7-zip try to figure out how to minimize this now that here we go okay so jumping back over to the server as far as compliance goes everything's gonna be exactly the same that you would have compliance stats for Microsoft Update so if we were to come back in - oh there we go I had something open so if we come back into our all software updates now that we've had time to install those we're gonna see all the compliance start reporting as compliant for those those two updates for Java and Chrome so if we come in here we can now see we're compliant same thing for Java now what I'm going to do is jump over to another one of our lab environments that has some more client data and show some of the reports so in addition to any of the default reports that are available in config manager they're all going to report compliance for third-party updates just like Microsoft but we do also provide some dashboards that I'll quickly go over here so they upload directly into SQL Reporting Services so you could run these right from your console these are free regardless of whether you're a customer they were actually originally created from a Microsoft engineer they used to work with but he was ok with kind of us repurposing them adding some new operating systems as well as an automated installer to help change all the URLs to your environment so you can use these regardless whether you're a customer if you just search for our site for like free dashboards you'll be able to find and install these reports so basically how many workstations and servers that you're managing you can click in by each month so for example the month of
July we can see we're seventy-two percent compliant with all software updates for workstations released within that month when we click into that month it's going to show you what updates are missing so for example we have an AdoptOpenJDK so one of those alternative JDK runtimes we can see is required on five devices it's also a security update from here you could click into each individual update and that will take you into one of the native SCCM reports where you can see like what what are the actual devices missing that specific update and you can even go to individual devices so it can drill down pretty pretty detailed depending on what type of data you want to see question for verbose logging for an app that has already published downloaded do you then have to republish it or will it only take effect for new versions when they're downloaded that's a good question so the question was if you enable logging after an update's already been published do you have to republish that update and the answer is it depends so we actually have a good FAQ for this specific question so if we look at republish it it's an FAQ about when you may need to republish so if you enabled logging on a product after it was already published you would have to republish it in the event that that update did not have any other right-click options enabled so for example if if you had the delete shortcuts enabled and then you enabled logging after that was already enabled we would be able to modify it during the next sync and just append a different command line but if you did not have any of the right click actions enabled on a product and then you enable the logging option that would be a scenario where you'd have to say I need to republish that the reason for that is when updates get published they contain a specific hash and if we don't include our customization file that allows us to do these right-click actions in the initial publishing it would require you to republish but if you
had any of these right click actions enabled and then you enable logging after it would be able to modify that on the fly so yeah it just depends on whether anything else was enabled if you if you changed anything on the applications that would always be able to configure that during the next sync because it's not as specific where the hash can't change for a published update with the way that works hopefully that makes sense all right so uh yeah back to the dashboard oh sorry wrong wrong machine you see them there we go yeah and then there's just a variety of other different charts and graphs that you can use for just reporting compliance by devices by servers things like that so that's that's the first dashboard there's a few other ones that are quite similar but if you only want to see third-party updates limit your software update groups or collections there's different reports in there for that but what's cool about the way that the third-party updates work is any other solution that you're using is going to report the same type of compliance data since there's no difference between the way config manager sees third-party updates versus Microsoft so this is the free Power BI template that you can download from Microsoft as far as their business dashboards for Power BI so what we can see is that if we look at this dashboard within Power BI here's just kind of the overview so this is going to give you a lot of details about just overall things within SCCM right so how many clients what your health is just a lot of helpful details but there's this piece down here around update compliance so if we were to come down to the update compliance page we can see that in addition to all the Microsoft updates that we're reporting on we can see all the third-party updates as well so we're missing Flash Player on a bunch of machines missing Java Foxit Reader but they're going to show up just like anything else we could even come in here and say let's look at only critical
updates with that severity level and then we can see we went down from all those third-party updates to Firefox and Java and a few other ones so you could even say what are the security updates that had a critical severity that are actually missing here with just easy filters through Power BI so I think that's all I had from the reporting side so for the most part that's pretty much the whole product and how things work so once you've configured your products and your sync schedule you really don't have to come into our tool anymore it's just gonna run in the background the only time you'd have to change is if you wanted to enable or disable any products or any right-click options outside of that you're just going to get emailed whenever new updates get auto published based on your product selection and sync and you're pretty much good to go as far as automation in the future and from config man you can use ADRs there's no change in the way that you can do that so you could potentially automate everything from start to finish for third party patches just like you can do with Microsoft today um so yeah any other questions or things we can take at this time we do have a few pricing points that I'll cover we basically have three options for the most part customers will go with either the enterprise or Enterprise Plus just because that includes all the automation pieces the only difference between enterprise and Enterprise Plus is the base installs so if you wanted to include the application creation and auto update that's where it's three dollars per device a client if you only care about patching with automation it's just two dollars per client and then the basic would require you to use System Center Updates Publisher to publish the updates so it's just a little bit more manual and uses an older version of the format of the catalog that's just a little easier to manage so that's the three different levels that we offer as far as pricing goes so any questions
or things we can take at this point sounds good from our end okay so to actually patch .NET Core since there's parallel installs do any of those products that you guys published included an uninstall of the previous version or is it just purely an install of the newest you know good version yeah yes .NET Core is one of the only ones that I think the way their installer technology works is it leaves the old version Java is actually one that is similar let me kind of jump back to our service and explain how we should be handled or how we could be handling that so there's a few options that you have in that scenario so .NET Core and your instance here we go so if you wanted to auto remove previous builds that's where we could do a custom pre or post action script so we handle this today for Java where we have a pre action script that essentially removes all old versions as a pre action that's something we could certainly look at adding for .NET Core if that's a scenario that you would want to support I don't think we got it requested today but for the vast majority of products I think .NET Core might be the only one that I can think of today we do test auto remove of old versions whether that's just natively through the installer which is probably about 98% of the time their installer would just handle a clean upgrade and removing the old version but I think .NET Core is one of those ones where depending on your scenario you might want to test against older runtimes but that's certainly something that we could look at supporting similar to the way we do it with Java where we essentially run a pre action to uninstall all those versions so it's certainly something that we could either add or something that if you wanted to do it today you could just add a pre action script that would just call like an uninstall for any existing installs where you could add that for that but that certainly makes sense that we could add that as just a native that you could
either opt into if you wanted to auto uninstall for that specific product that doesn't do that yep yeah so good question so the the question was for those on the call is the device cost per managed device or like everything so we're pretty flexible as far as that goes so if you check out the FAQ we talked about this a little bit more it's essentially what you want to manage so we're pretty flexible there so how is device count purchased determined so if you have devices that you want to exclude things like servers Mac devices Linux things that you know that you'd never want to deploy to you can give us whatever count you think most corresponds to the active workstations or devices that you intend to deploy third-party updates to so all right there you go yeah oh yeah good question so your question was how many products can be published at once this is probably something I could have covered as we're going throughout so essentially what I think you're getting at is that WSUS has a limitation of a hundred unique third party product and vendors that can be published at once so what we did to work around that so we we work with the Microsoft product we try to determine what would be the best route not to hit this limit so on the back end of things if you actually go into your software update point products everything does come in as a single vendor product combination so even though we give you a nice view about what you want to publish it's only going to use one vendor product so if you're using other catalogs you won't ever hit that limit because what would happen for vendors that would use a specific vendor for each product and vendor like let's say Oracle and then Java Runtime that would essentially be two vendors within that hundred limit so it would end up either being the vendors would be like just some vendors would be per vendor and then you would have like one generic one so what we determined is we're gonna just use a single vendor product and
then if you ever have to get custom like with ADRs or filters we have a guide on how you can use title filters like if you want to exclude specific updates like Java or you want to include specific updates we can use a title filter but we had to go with something that would be compatible we're because obviously we're well above that hundred vendor limit so that that's what we did on the back end so even though you can get a nice selection with specifically what products you want from the UI side when they actually publish into WSUS and sync into config man it's just gonna show up as a single vendor product and then you can use filters with titles or some other mechanism that you can use if you did have to get more specific and what you wanted to auto deploy for example cool other questions okay do updates by bus yeah so reboot behavior is gonna be exactly what you would configure it within your software update group deployment so essentially what would happen is if you were suppressing restarts or if you had a reboot window with how much time you have that would be determined based on the exit code of the update so for example if it was a 3010 exit code which means a pending restart it would it would be determined based on how you configure your software update group deployment whether you wanted to suppress those same thing with the reboot deadline so the timer would come into effect just like any other Microsoft update that you would be deploying it's gonna be the exact same way no problem any other questions from the room or any of you guys on the Teams meeting all right cool well that's all I had so thanks everyone who came in person and on the meeting and thanks Frank for having us yeah I think Dune is up next in a few minutes from the config man product group so I'll let Frank kind of take over we'll probably have to switch some voice up on the Teams meeting so maybe offer a couple minutes and then Dune will be in to present from the config manager
yeah so right just like Justin said obviously first and foremost thanks to Patch My PC and Justin and jock for coming out really appreciate that obviously that's a really awesome and yes Dune is up next here for us and Dune are you ready to roll I am ready to roll all right so for everybody here in the room we're gonna go ahead and get started with our next portion of our meeting today we've got Dune Desormeaux from the SCCM product team and he is going to present some stuff for us today so for the for you Dune if I have questions in the room I see someone someone's hand go up all of Jill sounds great yeah thank you so much for for having me Frank and for everybody for having me so I'm Dune I'm a program manager on the unified endpoint management team Microsoft I say unified endpoint management cuz we're all we're kind of one team now that works on config manager Intune desktop analytics and autopilot it's kind of the the team of four and my focus has been on config manager and my focus is specifically right now being on software updates and I know that you just guys just had an awesome session from Justin thank you Justin talking about third-party updates and my focus today is gonna be on first party updates for Windows and kind of all the challenges and fun that comes along with that I have some slides here I don't have a huge number of slides I like to kind of keep these as conversational as we can I apologize that we're you know we're doing this remotely so heckling me might be a little more challenging there's like one more layer of difficulty but I'm here to be heckled so please don't hesitate to either you know speak up in the room or wave vigorously at Frank or just put text in the IM window or if you're on the phone unmute and speak your mind because I you know as the person who has been blessed slash cursed with ownership of config manager software updates I know that there are you know there are typically some some tomatoes to throw and and
that's par for the course and we need to we need to hear hear it and take those tomatoes so so don't hesitate that's the preamble I kind of wanted to kick things off by talking a little bit about what we're thinking about as what you know what Microsoft is thinking about in terms of how we're trying to make your life easier and this is all this is all very much kind of high-level guiding principles that are trying to take us and you'll see as we get through them that not all of them are obviously within my control but there are things we think that are important to you and what I'm interested in here in hearing a little bit from you guys is whether these seem like the right areas for Microsoft to focus to make your life easier and also about the order because there are in some kind of rough priority order as I was looking at this I before the session I kind of realized that maybe I haven't restacked them in a while but if you have feelings about what's more important then I definitely want to hear about that yeah I do yeah is that recording has started bar is that on my screen do you see that right now oh I do see that that is I don't know maybe I can dismiss this Oh all right thank you that's on mine cool can you guys all see the screen I can see somebody I think our Gees having trouble connecting oh okay we have it here okay okay cool seems to be working okay cool let me know if there's technical difficulties also it's weird I'm seeing some of the IMs on my phone and not on my computer so I don't know why that is but I will try and keep an eye on both what do you think what was that okay so what are we thinking about item number one this is always always kind of humorous because of course it's not something that my team works on directly but we figure that you know if Windows would just not break things then it will be a lot more easy to patch because a lot of times the reasons that that things break are completely outside of the update stack and so when when
things go wrong then it can be you know quality is a part of upgrade and this is something that my team you know the config manager team has internalized or did internalize quite a while ago when we were originally moving from our four-year cadence to our four-month cadence which is that quality is part of the upgrade feature and it's something that I lobby for hard and all my conversations with the Windows team unfortunately the answer to this and in terms of how we can address it isn't really ship zero bugs because because as I'm sure you're aware there are about there are about 10,000 engineers who work on Windows which is a huge number and they're all humans and or at least most of them are and so they're going to probably check in bugs and we need the right processes to make sure that those bugs don't get out the door and ultimately affect enterprise environments and so this is where efforts that we have around this are things like helping helping our customers leverage insiders more right not something that everybody necessarily asked us for or necessarily wants today but but we really hope that over time we can get more enterprise customers to validate Windows builds earlier because overall back and that is one method by which we can get builds out into the wild and into the real world so that they can get some validation before they get out into the into the production where they could do some damage because there's you know we test heavily internally but sometimes things slip through the cracks and so we're trying to narrow that you know make that mesh as fine as we can so we catch all those kind of errors so Windows quality always number one always a looming problem that frustrates us deeply at Microsoft when something breaks way downstream of anything that we work on but then updates become hard release validation so this is around processes that help our customers validate new releases before before distributing them and this is where this is the
bucket that I would put our work on desktop analytics into hopefully everyone's heard of desktop analytics show of plus ones or yelling or something oh it's definitely quiet we've got a lot of yeah yes is in this room okay cool okay cool and a thumbs up on the thread and a bunch of plus ones on my phone this is weird I'm have to keep them both looking okay cool yeah desktop analytics like thousand mile view is a solution that is now in public preview yay public preview finally and it is intended to help customers identify compatibility issues and kind of ultimately move from a place where you're manually testing everything over time to get to a place where you can use data that Microsoft has from a huge you know our huge suite of customers inclusive of consumer and use that help reduce the number of manual the amount of manual testing that you have to do on your at least your widely adopted kind of third-party vendor applications before you do each upgrades and so that's that's release validation and that's one area of investment we have here update download size so this always enters the conversation how do we help you distribute the content that you need to get out to your devices in order to update them and how can we streamline that process always enters the conversation the work that we're doing in this space is around things like delivery optimization and LEDBAT will be the two big ones that I call out now something I think a lot of people don't realize about delivery optimization is that people tend to know what it is and get excited about it and know that Microsoft is excited about it but when we get down to brass tacks of what it actually is leveraged for in config manager world today it's pretty much only leveraged if you have express updates enabled in config manager so show of show plus ones and thumbs and yeses in the room from Frank of folks who are using express updates with config manager today got a couple hands up here a couple
hands what percentage would you say say I have no idea having people were there five by five yeah okay that sounds about right yeah so so you guys you five percent you're using delivery optimization today if you have it enabled to get that content out there because it's it's in the stack when you're using express updates but other than that today most of you are not using it for update content now you might be using it for it might be in play for things like store content so if you have devices that can reach the internet and are doing language pack acquisition then some of you might be using DO if you allow your end-users to go to the store to download apps or if you are using Microsoft Store for business applications then DO would be in play and and one of the things that my team is focusing on here is trying to just expand that palette to make sure that that we can help you leverage DO for more workloads and make that content distribution easier I also mentioned LEDBAT LEDBAT is a kind of protocol level change that helps protect your network but by using kind of dynamic throttling it does have some server side prerequisites because it is a server it is a sender side technology the way that I the way that I finally clicked for me what LEDBAT was was I pictured and I'm a huge geek and I'm just gonna further out myself as a huge geek is is that you can use basically it's built on the concept that you can use the latency on a single connection in a network across any network including the internet to measure you know approximately get to a heuristic of the of the traffic on that network and so what LEDBAT does is it uses a connection and I picture so what I picture is the connection between you know in Harry Potter when Harry Potter and Voldemort like try and cast spells in each other and their wands stick together for some reason that image really helped me understand this once again massive geek and on that connection when the latency goes down
then that means that you know there's more bandwidth available and when it goes when the latency goes up meaning the connection take takes longer packets are taking longer to go over the network then traffic goes up and what LEDBAT does is when it sees that the traffic on the network is going up it will aggressively and quickly back off from sending content so that the normal workloads on your network don't get consumed and so LEDBAT works today for distribution points in config manager so your on-prem DPs can leverage LEDBAT if they have I believe Server 2016 minimum server OS the other places where it can be useful is on your SUPs so software update point traffic scan traffic can you know and metadata transfer can also benefit from this and and you have to light that up today with PowerShell if you if you look it up online you'll find out that there's some manual stuff you have to do but it is possible today and we're gonna light up UI to make it even easier for you and config manager in the future but we don't have it we don't have it yet so it is possible today look into it if you have SUPs that are already running Server 2016 so that's download size and content distribution and moving onward and downward pre-post so we think a lot about pre-post actions naturally so especially this is particularly talking about feature updates right so a central theme of my talk here is gonna be that that Microsoft in general has been investing heavily in making it easier for our customers to use feature updates and the reason is that the teams that own the client and server for Windows Update along with the team that works on Windows setup have been innovating for several years in the space in the software update space to improve the the you know and optimize the experience and the workflow or updating devices using a software updates based workflow that uses Windows Update and Windows Update Agent and and you can imagine that so if you picture Microsoft
as like the world's biggest IT organization they are updating Windows PCs across all consumer estate using this technology right so millions and millions of devices are updated from version to version every Windows release using the Windows Update stack and so it's the platform that we have the most coverage on and so it's very strategically important it has been good for us building a good story for them and unfortunately because of how the Windows Update service side is structured basically we have this we have several versions of Windows Update in play so there's an older version of Windows Update called Microsoft Update v6 that we internally call it that that speaks the language that WSUS speaks and in practice that's the version that's the service side version of Windows Update that our enterprise customers speak to because they tend to be using WSUS and you know usually SCCM with WSUS or WSUS native both of which would be talking to Microsoft Update v6 and not the newer version of Windows Update that internally we call deployment catalog DCAT that's the version of Windows Update that devices that run Windows Update for Business connect to and that's the version that consumer devices connect to and on our side from a technical perspective the the code path that that devices that update take is unfortunately quite different like really different it's a different protocol and there are a whole bunch of benefits that have been added to updates that you speak at that we don't benefit from in the the old Microsoft Update v6 model and so I'll come back to this in a little bit when I get to another topic that I'll cover here but but suffice to say we want to help it's not easy today for customers to use feature updates and we totally understand that and we're trying to make it easier and part of how we make it easier is helping enterprise customers leverage this new version of Windows Update and another part of it is supporting things like pre post
actions because customers today who can't use feature updates will use task sequences of course who's using task sequences to do updates lots of hands in the room I'm sure and we need to this actually said I actually felt really weird because usually I get some kind of feedback but I don't have any here so if I'm totally wrong I need somebody to call me out lots of hands went up in the room so yeah cool ok yeah so pre post actions would be basically the ability to do some kind of scripting around feature updates so that you can achieve some things that you need to do to make it work and we deliberately we're not trying to rewrite task sequences task sequences are awesome and they're super powerful and they are in the words of the brilliant mr. DC tardy who's on my team a while back if you know what you're doing with task sequences you can you know toast bread and make the martini but if you if you go down that path and you're that good at it then you're also doing that something that's so flexible and dangerous and powerful that like it could even be in the you know gray support area and we've created this we've kind of created this monster of like this very flexible and useful tool but the overhead associated with it is very high and unfortunately the user experience side of it is not great and the outage time that it tends to to entail for end users is very long and the user experiences that we show it at least in box there's some great third-party tools out there that will help you make it look better but in box it looks pretty old-school it doesn't feel like like a modern Windows update it's very different for example from the experience that your end users would have if they have a personal Windows PC and they're doing a feature update there and so for all these reasons we're trying to help folks do feature updates pre post is one way that we're we're hoping we can bridge the gap you guys will know my team hates bridge metaphors now so I probably shouldn't even say
bridge but there are some things that that our customers will continue to need to do from a custom scripting perspective and we hope to give them kind of a minimum ability that they need to get that stuff done but some stuff should just work and hopefully everything that I'm gonna get through in the rest of this list will also just work and so that stuff would be steps that we hope you can remove from your task sequence and remove from your upgrade workflow in general and so that'll be obvious when I get to the next few ones this is the reason that lots of people have lots of people have steps for those in their task sequence right drivers and firmware enumeration packaging servicing this is an area where Microsoft could do a lot better we are totally aware of that and this is something that we think about a lot we you know yeah some of you might say well you can service drivers with WSUS and that is true you can technically but has anybody tried that in the room or on the call nothing here yeah okay and so the reason the reason most likely that you haven't tried it is because you heard somebody tell you to not do that and the reason was that when you check the driver's category in config manager or or in WSUS it will sync down every driver known to humanity which is on the order of hundreds of thousands of drivers and then it is up to you to figure out which drivers are actually applicable and useful and it's a nightmare and so that's not a good story we so and so what we see our customers tending to do is using OSD to do the driver package deployment which which is fine and we do support but that puts the drivers out there but then they pretty much don't service them unless things are broken is what we tend to hear and when they are broken then they'll do then our customers will do package or app deployments to update those drivers or if they're using task sequences to do an update then they will lay down new drivers when they do the update there's any
compatibility issues but it's very hands-off it's our customers tend to run drivers that are out-of-date and this causes all kinds of problems the the joke that I always tell is that what our customers tend to say is is on the one hand I need to be able to update my drivers really fast whenever there's a problem and I need to be able to do it in a way that's not impactful and that's quick and they load stuff but also I never ever want to touch my drivers so it's like this tension right of I need this capability but also I never want to use it which I think has been kind of humorous for us as we try and reason through this but what we'd love to do over time is fill the model instead of saying instead of saying you know check the driver category and seeing hundreds of thousands of drivers that would be able to have some kind of inventory based model that would tell you which drivers you actually need and you know which drivers are out of date and that kind of thing and so we're headed in that direction but it'll it'll still be to be totally honest with you it'll still be a little bit of time before we nail that now there are some things that are available to you in this area and and a few of those later in the presentation here so for I had I've had and that's my oh here we go I'm just seeing plus ones in the in the messages here I haven't seen any questions yet if you have questions let me know any thoughts on using third-party tools to do driver updates for example HP Image Assistant thoughts let's see an interesting part about drivers is that there are always OEMs in play even with first-party hardware and and so many of our many of our partners will come up with their own driver management tech which is cool and and it's very useful for for customers today ultimately the Microsoft direction the way that we'd love to steer folks is to encourage people to put drivers on Windows Update and have that be the source of truth for drivers and customers tend to agree that
that's the path but the process that's in place today is not stellar because they there seems to be there's a lag right now between what latest drivers are from customers and the drivers end up landing on Windows Update of course om sore some tension because they you know want to sell products and they've made just products that help you deploy and service drivers but unfortunately of course they don't you know HP doesn't also ship the drivers for Lenovo and Intel and all these other things and so you can't you know they don't you can't really have a source of truth for all the drivers that you need and so it becomes kind of problematic but these are all problems that we're wrestling with updates on Surface driver deployment in SCCM we support it and we are looking to improve it I think the next thing oh I hope I don't get in trouble here for spilling beans let's see I don't wanna lead the witness but it's probably impossible for me to not lead the witness without being able to see or hear anybody so the next thing I think that we're thinking about for Surface drivers is being able to do it supporting a way to do Surface drivers offline because right now right now it's not really possible because you can't do Surface drivers without config manager so you like like native WSUS doesn't support Surface driver syncing and so you can't a lot of our offline customers like air gapped or or online server offline client customers can't necessarily or I guess all night sobered work but air gap customers or customers that have offline pieces in there can't really do Surface drivers today and so that's something we're thinking about problem that we're trying to solve I'll be there for service hopefully that helps a little what is actually why is it actually not possible to update SSU before cumulative updates in SCCM when will it be possible good question Carsten I will cover that in a few slides the answer is well ok I'll cover in a few slides I don't I
don't want to let the cat out of the bag high noon was latest uninstalling servicing so that's the same question good good questions Carsten and Eric I know this one is very top of mind and I will get to it in a moment HP ia and my OSD RP use a sequences ok yeah HPIA is the HP products that does imaging image assistant yeah yeah okay cool so we talked about that it's really cool it probably helps a lot for HP it doesn't help so much for other third-party drivers I thought about using that lacks a good way of filtering of model yeah okay so sometimes that third-party driver management tools are insufficient as well is what we're hearing here and it's good that you guys are you guys are kind of it sounds like this is common issue that you guys have with HP that's why we love user groups right it's a place for us to be like hey we're not alone we experienced the same pain okay that's drivers and I will remember the SSU question because it will come up again modern driver management term I see computer yeah that's when we hear a lot - Vern is that there there's a partner tool out there modern driver management which does some really cool stuff and we've heard that a lot of our customers who do successfully service drivers are using that we're totally aware of that another big one for what we're thinking about in terms of updates and this again applies specifically to feature updates is language pack and FOD retention feature on demand retention so what happens here is if you're installing a feature update and and you have any language pack other than your primary language pack on the device so let's say you have an English device but you have French and Spanish language packs on the device for example and you go through a feature update those secondary language packs just disappear they're just gone after the update total deal-breaker for pretty much anybody who has either lives in a place that's bilingual or that services multiple languages very frustrating and we
heard it loud and clear and it is something that we have plans to address because we need to it's another reason that a lot of customers have to use task sequences today because they use it to stage language pack content and FODs that they need app compat remediation this is another it's also related to desktop analytics and that Desktop Analytics deals with app compat and over time what we'd like to do is provide a better way for you to remediate compatibility issues that appear and make it a more automated process so after your release validation you've discovered a set of apps that have compatibility issues and providing quick and easy ways for you to be able to remediate those compatibility issues both in advance of an upgrade and right up against an upgrade through the pre post technology that we mentioned because there are some actions that need to be taken right up against the update if you have an app compat issue for example with third-party anti-malware or third-party VPN or things that need to be up right up until the outage begins for an update then you need to be able to take actions right up against the update for specifically for app compat things and pre-flight checks is I think a last one and that is in the same kind of boat right things you need to do to check the readiness of device not necessarily from like we already covered the app compat readiness but readiness from a is my device on power does it have sufficient disk space to actually succeed when the update completes and so that's another thing that we're thinking about here so given that that is the end of my list are there other areas related to software updates and updating Windows you know in particular feature updates that you think we have not called out here that are important and are you comfortable with the order that I have here or do you think that there are items near the bottom that should perhaps be higher this be a little challenging to run remotely but I will I will
watch carefully on IM and see how I can keep up and if nobody has feelings then I will proceed as well I got a comments in here doing that they should all be number one haha okay cool that's good are there any other items that are not on the list that should be number one no hands going up here okay cool that that makes me feel good that I have a decent list here if you think of things and you think man I'd really like Microsoft to be thinking about this as well when it comes to software updates then let us know and we will we'll add it to the list or we'll think about it or both error equals success zero zero zero zero yep yep Erik we're aware that one and mr. W Hamilton also likes the order excellent yeah error success zero failure zero is my favorite error as well actually no sorry that's it that's wrong catastrophic failure is my favorite error because it doesn't tell you anything about what's going on and it just makes it sound like it's really important and scary okay so that's the list of what we're thinking about I've done sessions where I just spent the entire time on that I already talked for like half an hour and slide two like I said I don't have that many slides but that's kind of what we're what's top of mind for us now digging into a couple of these feature on demand and language pack was a big one like we said there there's no way to preserve those at least not out of the box so there there is custom ways that customers have made this work and you know this usually involves deploying an application or task sequence in advance of a feature update in order to to stage language packs and features on demand and do some readiness stuff so we do that by the way so this what I'm describing is a super manual way to do it but we do have some very large in fact our largest customer who is using servicing is using this approach where they'll deploy a task sequence task sequence will pre cache content for the feature update it will stage a bunch of
features on demand and language packs and it will you know stage some INI file to prep some set up command lines and stuff like that and then it will write a registry key and they'll deploy a baseline to a set of devices to build a collection based on those registry keys and that collection is then used to target the feature update so so many hoops it's so much jumping through hoops but if you are willing to jump through those hoops then you can get to a place where using feature updates today if these are your only blockers will work now that's feature on demand the second one here is no jump to latest so one problem that customers who had tried out features feature updates had told us was well okay I install my feature update I managed to get around the other problems but now once I'm up to the latest version of Windows I am immediately not compliant because I might have deployed for example 1903 and as soon as that version lands well it might be June and the cumulative updates for for all the months between the release of 1903 and June are already out in the wild and they're not installed on these new devices so that's another big one and the final one that we already talked about content of okay how do I deal with these content things and so trying to address these three problems we have something that would be that's been in the works for a long time which is called Unified Update Platform have show of show of plus ones and hands in the room with you guys have heard of the Unified Update Platform got a couple up here couple cool that's exciting because usually it's 0 and so on stick nice so Unified Update Platform is a what it is is the new new old neck neck method for packaging updates in DCAT right the new version of Windows Update and I say new olds because it's going to be new to enterprise but it is the same packaging and deployment technology that consumer and Windows Update for Business customers have been using for a year and a half actually maybe
becoming close for two years now and what we're basically doing is is trying to translate through this translation between DCAT and the protocols that it speaks and the update packaging format and putting those updates over to Microsoft Update v6 so that WSUS can understand them and our enterprise customers can benefit from some of the benefits of UUP and so you can imagine this is really challenging that the the technological problem that we're up against is kind of like translating Klingon to Old English and so it's it's a lot of fun and and that's the reason that we've been that it has been slow going to be totally honest with you but we think the value is certainly there because it will help you get through all of these all of these things here so so the first one is getting current and secure in one step so you can pick and basically what happens is you can pick and choose a patch level so you get the feature feature update and you get an LCU with it and you can choose whether you want well if I say LCU I mean latest cumulative update meaning the monthly updates and you can pick and choose whether you want the March patch level or the April patch level and that will help you get out of that problem where you're not compliant immediately and then also features on demand and language packs will be preserved over the update which is a big one and then over time this is this is gonna come later but over time we'd also like to help you decrease your network traffic to PCs through some kind of delta content mechanism I don't want to say Express because I don't know necessarily that it will be Express when we're done with it but we want to help you decrease that content size so we talked about this download size availability so we're like I said it's available today for customers that are doing WU connectivity so if you have a personal Windows computer then you're already using it if you have a if you use Windows Update for Business then you're already
using it and we want to get to a public preview before the end of the calendar year for our enterprise customers we're in private preview right now and so what does this mean what does it actually do what it is effectively doing is including the language pack and FOD content in both the feature updates and the the monthly updates the LCUs and so that means that the content for each of these is much bigger but the good news is that the state much bigger it's it's a few gigs bigger it's not not hugely bigger but it's bigger and the good news is that the FOD and language pack content is pretty much duplicated across each cumulative update and and and feature update so that means that dedup on your server helps a lot with reducing the actual size of a bunch of these and and the the good the good news that is that your clients only download the niners facts and stuff that they need so it's really only large content from the service to your server infrastructure not from your client so your client will know to grab only the language packs for example that are relevant to persist those rather than having to download the whole content so when I talk about bigger just to give you some vague idea of what I'm talking about there I think the FOD and language pack content is about about six gigs in addition to the size of the update so it's not like ten thousand times bigger but it is bigger and the benefits that you get are hopefully obvious and hopefully that trade-off will not be so that and in terms of how that content looks that is a bunch of small files it's not it's not one big file that is you know not one big six gig monster it's it's individual files that make up the content and that includes all your you know your FOD content your your LCU content and that last one the last earlier sorry the second last one new feature update is therefore released every month right what like and I say that in kind of quotes what that means is that a feature update that
includes the latest cumulative update is released every month the feature update content actually includes the cumulative update and when you and it's republished so that you when you look at your config manager UI you'll see a feature update for each patch level like I had mentioned before hopefully that makes sense and then finally with UUP LCUs have the servicing packs the servicing stack updates included yay so that is to answer that there are two questions on that in the IM window that means that you don't have to worry about installing the SSUs first they would just automatically get installed beforehand so that's one that we know has been top of mind for many of our customers given the past few releases where there's the past few monthly cumulatives where there's been SSUs we are totally and we totally understand that there's anxiety around what happens if you don't install the SSU first and we have we know that people are jumping through hoops to try and make it happen given that they don't know what's gonna happen if it doesn't and there was that I believe it was Ellie was made where there was a hard lock in place which which caused a lot of pain and we're acutely aware of that so we are we are trying to help with that with the UUP we're also looking at other ways that we can help reduce that pain in the shorter term from a feature work perspective so we promise we hear you on the SSUs and we're trying to make that better before I move on that's a huge quantity of content do you guys have any questions just volta plus one yeah I'm not getting any hands here in the room for questions so okay can you just tell me what people's faces look like are people very excited right now okay okay it's hard to eat like I I enjoy working with people face to face and so doing it remotely is kind of funny because I I can't tell if everyone's just mad at me and prepping their tomatoes or if they're if they're happy with what we're talking about so dynamic update so
dynamic update is an option I hope people know this and if you have devices that are you're okay with connecting to the internet then some of these things that I mentioned as reasons that we're doing UUP can just work today so dynamic update for those of you who don't know is a technology by which you can that is that the Windows client during an update like while setup is running can reach out to Windows Update service and download content from the internet and add it as part of your update and so this this works for the latest cumulative update so can grab the latest monthly update it works for feature on demand FOD and and language pack content and it works for drivers as well so your client at update time can go grab those three kinds of content from the internet if you enable a dynamic update and there's an endpoint separate from the traditional Windows Update endpoint that devices will reach out to so you have some kind of firewall rule that you really can't have your devices reach out to Windows Update specifically then they can still get dynamic update content now we know that's something that people don't want in all cases as well which is why in our next release of config Manager I think I say next very loosely because we're gonna ship it very soon I know people are probably going well it's 1906 today's July 25th when is it coming tuned when is it coming and the answer is hopefully very very soon stay tuned and that will include a client setting that will help you disable dynamic update you can also disable dynamic update with an INI file or setup command-line parameters so if you need to turn it off you can does require connectivity to Windows Update but it can do a lot of the same stuff that UUP does it can help you persist those language packs and features on demand it can help you with service your drivers without having to you never ever having to touch language packs now you do have to be comfortable with getting the drivers that are on
Windows Update but when I ask people how their experiences have been in consumer where this is in play typically typically people have had pretty good experiences it may not be something that you're comfortable enabling on you know very sensitive workloads but for information worker devices and that kind of thing it might be worth the trade-off and you know having get a way for you to get to much more current drivers so something I'd encourage you to consider and you can turn it off I already mention that so that's do you dynamic update and those are two of the ways that we're trying to address a bunch of those kind of central update concerns I wanted to talk a little bit about cumulative updates and how that quality updates and how we've decreased the download size has anybody noticed that devices that are are getting quality updates for Windows 1709 and later oh ok Frank turn on the camera how can I make that bigger one second I could see you but you're tiny well I just tried to get it on to the room to set you up there so he should have some of the room now at least there we go awesome that helps me a lot thank you Hey look who it is sorry I should have done that sooner oh it's fine I didn't I yeah like a like I said I I like the feedback so this is good at least I can tell if you're frowning now so 1709 quality updates they got smaller hands up in the room if you noticed this nope okay so just work that mat notice it so that the reason why is that is not Express so so previously we had this thing called Express and 5% of you approximately used it now that I see how many of you there are that's some pretty good math it was probably like what one of you so Express had its problems in that the size on the server was really really big that's because what Express basically did was taking every single possible Delta and put them into one big content and said hey put this on your server and then your clients will be able to download a smaller content so it was a
trade-off between the server download and the client download which is cool if you're if you're okay with having really big content on your server which a lot of our customers are not elements so many people did not use it it did also cause it could cause some performance issues as well in general had people some people had a bad time with it oh and I said 1709 by that I meant 1809 oopsie I meant 1809 I'm living a year a year later lost a whole year of my life there so what we did in 1809 was instead of having instead of having all the combinations the the great brains over in Windows Update realized that we can instead of doing that have two deltas in each cumulative update one Delta that goes back to the RTM version of whatever windows you're running and one that goes forward to the next cumulative update and by doing that you don't have to jump from from A to B you can jump right from like here let me see if I can do something fancy here you user about to see whatever I sketched last is no Windows Ink Workspace what is this help me ink there we go good fat Wow that's super this is some insider secrets here sorry you had to see this that's super I know that's super interesting for everyone so but no basically what we're doing is instead of previously if you were trying to go from patch two to patch three along your cumulative update timeline here with time going this way my horrible finger drawing skills you would have needed if you're running from two to three then you would have to have content that included this Delta and instead of and every possible Delta you know add infinity going this way and so that content got really big but instead of doing that we're just gonna hop from two and you would have as of 1809 the ability to just hop here and then hop here and that's all the content that you would need in that update instead of the original content which would have it would have this jump but it would also have this one and this one and this one and this
one and this one and this one and this one forever and so the red lines being a much smaller piece of content and amount of code change that you need in order to move between them and so the savings that you get are actually pretty dramatic you can see that the quality updates are they're actually slightly bigger on the client then Express content would have been I'm sure somebody much smarter than me could explain to you why I don't think I can but it is slightly bigger but look at the difference on this server right so the Express update is huge because it has every Delta but the quality update piece is much smaller so that's kind of a update download size hopefully it's something you didn't even feel to be totally totally straightforward with you we were really nervous that there was gonna be some problems we tested very aggressively we were super happy with how it did not cause any problems and in general it was all goodness we don't have a model like this for feature updates yet and and we don't know whether we can build one yet but we'd love to have one because it's worked great for quality updates that is download size shadowed on Twitter whoever that was your Brian your update offline time improvements okay this is this is a fun one because I have a pet peeve when I see people from Microsoft get in front of people and saying hey look look how its look out fast Windows updates and it sort of an enterprise crowd and they don't necessarily understand you know what the realities of the enterprise space are so I promise you that I do understand what's oh I'm sorry I'm thinking about our own one I'm gonna jump ahead so that I can continue my thought this is what I was talking about so I probably see that I do know that that this timeline is not reality for you today I fully appreciate that but this is a great reason and a compelling reason I think to consider going to feature updates rather than doing a task sequence right the median upgrade time feature update
offline time so the time that the user is not productive during a feature update and this includes consumer I repeat it includes consumer is 22 minutes which we think is awesome and it's just getting faster and that downtime is continually going down that's probably the number one most compelling reason for customers to consider trying to use feature updates rather than task sequences right because the thing that feature updates do that that task sequences don't is that all the pre working can get out of the way while the user is still productive on the device so the users are still doing their work and they don't even realize that something's happening and then they get prompted to reboot rather than install and then when they reboot it's just a commit phase of the update that has to happen and and when that happens it's a much shorter period of time they don't have to wait for the entire task sequence to run so the outage time is much shorter the other thing on the team but then this is this is by the way slides that I'm thinking from the windows fundamentals team that owns Setup right and they're also trying to bring down the number of reboots so in 1809 there were three boots and reboots to necessary in 1903 there's two reboots necessary and in the future they want to get it down to only one reboot necessary to do a feature update of windows and they're still bringing that time down so once again I'm not showing you reality for you today I'd appreciate that and hopefully this is just a compelling reason for you to think about doing feature updates and figure out what the blockers are for your organization to do this pro tip if you you you might have an easier time trying this out if you are English only and if you have relatively few models of devices or if you don't use a third-party anti-malware if all of those checkboxes apply to you then you might have less work than you think to try and get to this 22-minute outage and and have a really good update
experience if some of those apply to you but not all of them then there might still be some work to do and you might have to do some custom stuff for now and hopefully over time we'll add the right features to the product both windows and config manager so that you can get to here because we'd like to get everyone here make sense um jumping back here there the way that there that we're doing this of decreasing the outage time is so there's kind of three phases to the to the update right there's the what we call the down level phase which is happens when the user is productive there's the outage which is when the actual update is applied and then there's the then they come back online right and so what we've basically done to decrease the outage time has moved pieces of the update process from that outage phase into the down level phase so that can happen in the background and then in parallel we're doing things like automatically running the down level phase as a low priority thread so that's less intrusive for end-users and so they even notice it less now there's a trade-off there running things as a lower priority thread means they're gonna take longer right and so anybody who has tried to do feature updates has probably experienced that they need to go change the maximum run time on all those updates because if they don't then it will timeout and they will have at that time and so we're aware of that we've added in the next upcoming version of config manager the ability to set the default maximum runtime for future synced updates of specific types I will actually I can show you that in a moment and and that will help hopefully with that problem with always having to set the runtime maximum runtime on every individual update which just gets super annoying okay so that is guy went through it and so how do i benefit from this now cuz I know everyone's probably like okay doing this is great but you're like often and you know you know unicorn field here and how
do I show me how to do it so there will be you key so you can go change this maximum runtime on a per update basis today if you if you want to try and do this today you probably will need to do that hands up if like like the obvious litmus test for that is hands up if you're doing if you do feature updates today or you tried them and it might be no hands no hands one okay cool did you have to change the maximum hands up if you had to change the maximum run time to make that work same hand okay did you not actually gentleman in the black shirt did did you did you not have to change the maximum runtime when you were doing your feature updates I think it's you Matt he said that he said his was more of an experimentation with the feature updates oh okay okay so that's that's possible you did it okay I have someone else in the room that might not have been in the shot what are you doing but yeah he did say he had to extend the runtime okay okay yeah so we hear that a lot we're trying to help with it it is it is kind of a good thing and a bad thing right it's like yeah having it take longer in the downlevel phase is okay because it doesn't impact the end user but we need to not have config manager kill the update because it thinks that it's having trouble which is what the maximum runtime is for so the default was set kind of incorrectly or using an older model and we'll let you set the default for newly synced updates in the next version of ConfigMgr so we talked about that the other thing that we should highlight here is that for now the deadline for a config manager still governs the beginning of the installation right which means that when the deadline hits today in config man your downlevel phase hasn't started yet so you need to think about what your end user experience structure looks like we have some customers who are doing this very wide today and they're okay with how it works today which is basically that you know you have required software updates software updates
are required experience that comes counts down to a deadline and then at the deadline the installation starts now with this decreased downtime and and low priority thread model you after that deadline you might have many hours of installation time happening so that could cause a little bit of confusion for the end user but then eventually they'll get the reboot experience and then their reboot will be will be nice and and and short so it's a trade-off that you've got to think about and it's something to consider as you as you go down this path I make sure that I'm not missing any questions not yet okay or is hope you don't like this or you want it to not run so slowly you can change the setup thread priority we have a client setting for it in 1902 you can also do it with an ini file and what it does is setting it to normal we'll use more system resources and it will update faster so that means it'll be in theory more intrusive for your end users but it will take less time and you can also set it to low which is the default or I believe I believe it's Windows 1709 and later which will run setup in the background so that it's less impactful now normal priority is the defaults for any media based upgrade approach so if you're doing task sequences that's probably why you haven't heard about this at all because you're doing normal and setup is run you know in both cases whether you're doing a task sequence based upgrade or a feature update and it's just about how the the command line parameters get passed to setup and which content is actually necessary to do the update that differentiates the two so any questions on any of that stuff before I move on very quiet which is fine okay cool if you have questions let me know well it's actually not going to be quiet anymore because I have I haven't what I'd like to think of as a reverse Q&A before the end of my session which is first I ask you questions and then you guys can let me know what you think or if these are crazy
questions then that's fine but these are kind of just meant to drive a little bit of a discussion to let help us understand whether we're headed in the right direction once again with those items that we had at the beginning or some of the other thinking that we're having here so so what factors are used to build your catalogue and to decide what to deploy so that means how do you decide which update categories you want to go check and sync into your environment and how do you decide which updates you want to deploy that's a question for folks on the call folks in the room help me out we have one reply was there security team says get everything basically okay cool and then and then they just say get everything and deploy it and deploy it as fast as you can yep one month okay so you got an SLA okay interesting okay cool anybody else have a different thing that happens oh here we go one of them on the I am from Erik ADR grabs all security and critical updates released in the last month so that's how you that's that's more of the how than than the what the the reason that you what's the reason that you do security and critical only Erik I'm asking obvious questions I realize that Eric you can either unmute or you can type so you're doing security and critical updates okay yeah cool okay is um is anybody else there hands up if you're also doing have an ADR that basically does that security and critical that's what we hear a lot it show of hands in the room if that's what you're doing or if you're doing something different can you explain to me why or what what it is that you're doing who has who has critical and security set in an ADR you had a couple of folks okay and then what else do we have I guess going on is the question so what is it rather who all's using ADRs everybody else using an ADR and then you have different criteria is the assumption like Matt what about you guys so I know you got you do all as well okay okay wow that's a lot of content like like
okay and are all of these ADRs driven by security teams that are giving you guys requirements to do that god we do love security updates that actually fell into the category category so we but we do have a validation period with our production team they'll go in they'll see everything that was selected by the ADR and if there's anything else that they ain't here they pull in for whatever reason and it's rated hi my security okay right okay cool okay thanks folks this helps a lot I know it might seem like obvious or like a good question to ask but we're so part of the thinking that we that my team is doing here is what's how can we build up the next version of the Windows Update service and the integration with that service in our management tools and so questions like this help us with our thinking there to help build the solution that makes sense for you guys so I appreciate it let's we already talked about this let's skip a bunch of these this is a good one for what kind of content do you actively test so do you test every do you test cumulative updates every month or do you just let them roll and then the same for for feature updates or big updates and what does your testing look like good man so for monthly updates we do we have all of our critical business apps tests we have a series of games that we put content on and install on Microsoft Tuesday they come in on Wednesday and the test we have simps automated probably 90% of that so that significantly improves it we're looking to do that if what for the feature updates right now what we have is we have 250 critical line of business apps that are even more so than we do on every month that we test as part of the feature updates and they test that as soon as we get the image ready and then basically we have our leaves configured for each different business so if there isn't an app in that critical business list that's where we validate some of that testing okay gotcha okay cool is it the other folks have
similar similar processes for cumulative updates or other folks to do considerably less or even more yep can you hear that yeah I can pretty well yeah that's cool yeah so and that's not that's not a bad thing right I know Matt's got complicated environment so that's not necessarily a bad thing so do you just let them roll word sorry maybe you speak a little louder I'll crank my volume gotcha okay okay so that's why we have the rigorous testing and we have a very small pilot by the time we actually employ him we have to start the plane on Sunday the deadline so like our pilot is hope that everyone's online between Thursday and Friday which everyone knows no one's online on their writing and so testing to make sure that our critical apps work fine and one up breaks okay cool gotcha okay interesting let's see what else I got here we already do that okay let's let's uh that's lots of questions for you guys we'll move to a traditional Q&A now if there are questions from you guys I would love to answer those thanks for humoring me on my questions that is super useful for me to hear a little bit kind of what your your approaches are so thank you and I'm interested in what questions you guys have around updates in general or I'll even widen it out further if you want to just ask questions about config manager in general or about other features fire away and I'll do my best I don't know well I won't necessarily be able to answer but I will do my best it's really not easy to undo an update that has been deployed so if you deploy something and it goes to a specific application and it breaks it it's kind of like an oh crap kind of thing in you know there's things you can do you know there's a command line you can install specific updates but is there any intention of putting something in the console that would help expedite that to where we're not kind of thinking about that as I'm rolling something out like how do I undo this if it really breaks um are you talking about
applications are you talking about up self-reference software updates yeah yeah so we have an update uninstall is like number six on UserVoice or something like that out of out of globally and I am super aware of that and I keep on being like trying to front-load it every release we don't have it high enough in our stack right now to be totally honest that it's coming in the next release but it is on our list and I keep lobbying for it and we will get it and hearing it from you again helps me do that could I get can I get some plus ones or like vigorous hand waving from folks in the room who agree who really want that cuz that'll help you more okay cool great thank you + + 1 million from W Hamilton plus one okay oh I've got some questions on I am here so I'm gonna make sure I get these sorry some of these are okay that's answers to my questions thank you you pushed all updates to test group and they do validate internal applications okay cool so there's a validation first nice okay getting on here difference between classic wu-six engine versus the new engine used by Woofie consumer when will we see this technology integrated with CM / WS so your question Charles that that effort to use the new engine is the the unified update platform so the the unified update platform is a an effort for us to kind of translate updates that come from deke at the new version of Windows Update and make Microsoft update v6 understand and WSUS and therefore WSUS so that's exactly the project that's that we're focused on for for making that kind of translation layer and helping bring that value to to customers so from an administrators perspective then that change will be more or less transparent sounds like it'll just mainly be in the background what's happening in the engine itself but not the way you would manage those updates within config manager or WSUS that fair statement that is the dream we really hope that you do not have to worry about it at all and whether that will
be the case is yet to be determined there there's a chance for example that we might ask you to check a new category to opt in all right and we do you know each time a new Windows release comes out we have to make a decision whether we want to put that complexity on you guys up saying hey we're gonna do a you know we could dual publish updates and say we're gonna take this update and put it in v6 and we're also going to put it in D cat and and UUP publish it which would mean that you can pick and choose but eventually we'd love to get to a place where we just only publish UUP updates and then you don't need to worry about it and they just work way better that's is that it all related to the reason that we had to select a new product for 1903 updates yes it is related we had thought that maybe that would be the cutover and we're trying to kind of set the stage for this so that's exactly why also by the way you'll notice when you update to config manager 1906 which is coming out very soon that if you have the windows 10 category checked in your feature updates or in your in your SUP then we will automatically go check that new option for you that's a feature so that hopefully you don't even even need to go take that manual motion if you if you haven't already we'll check it for you so is it feasible we might see the OP not really the opposite effect but a companion effect of that too we're not just the later releases but also the older releases have their own specific product selection in other words so we don't download 1806 updates if we no longer have any 1806 updates in our environment since you can't easily filter them out with your ADR sync them at all then your ADR wouldn't pick them up you guys know you guys know Brian dam or who Brian Dennis I know Brian dam vocal community member has asked us for exactly this a bunch of times and and I totally understand like you don't want to be syncing stuff that you don't use anymore and we want to help you do
that I don't to be honest I don't think we have a hard and fast plan about what our publishing story is going to be from a category perspective I understand that if we were to do that every release it would help you do that but we might be interested in providing you a different mechanism for you to do that of course use title to filter it out but that means now every time there's any release you got to make sure you attend your ADR which is fine and that's that's the way I get around it with my customers right now they don't want to sync all that extra information and don't want to you know they're still going to sync it but at least now their ADR is not gonna pick it up every month and add it to their to their groups when they don't need to but just you know curious because if at some point we just go in and uncheck it from the SUP configuration that would be a whole lot easier so just countless time yeah totally understand a ward on I sorry I don't have your first name on I am asks we like task sequences for feature updates especially for troubleshooting and referencing its logs for failed upgrades have improvements been made in Windows 10 servicing so we can quickly gather logs for feature update failures great question I almost I almost wish I'd planted that question but I didn't because there's work happening right now in the teams that own Windows setup to make this easier for you and and this is definitely top of mind Charles has dropped thank you for Carl's any other questions yes I got one here yeah date notifications for our end users generally speaking they completely ignore the 15-second toast notification didn't yell at us with one hour a lot better to know I skipped 1810 but and I grew from there working on yet a section in and that's just to discuss how that notification with AMI I don't know when that might be a surprise for 1906 there's some stuff in 1906 I believe related to this it's getting a little better before I tell you what it is if you
were to put your program and your hat on what would you build first what would you change and improve first about your enemies notifications just like take over the whole screen flashing neon news for five minutes so this is a funny one because we always get we always get mixed feedback on it actually at that session that Matt mentioned at MMS it was pretty humorous because a lot of people went into it thinking that they were gonna hear the same thing from everybody in session and it was totally 50/50 of people saying they want more notifications and more intrusive and people saying they want less notifications or and having different things it's like tolet like it's one of those things that people tend to have a lot of strong feelings about and so we need to provide really flexible configuration for it that said we have heard a lot include they're not interested enough and the COS stuff that we've done in 1906 is mostly amount around allowing you to make it more intrusive particularly the restart notifications so they don't get down to the what I call the pain zone with the red unclosable countdown which nobody ever likes and is that remains pretty much the only way that I can explain to my nan and non IT inclined friends outside of work what I do for work because like you know the thing that you hate that's what I work on and so I'm trying we're trying really hard to make that not as much beeping and AVI for my team who was mentioned is working hard on that I used to own this and obviously I didn't do a good enough job and so obvious taken over taking the wheel he's doing great work on it and we're finally getting a lot of things that I've wanted for a really long time like the ability to snooze those restart notifications and provide more dialogues rather than toasts because we hear all the time that the toasts are not are not great how like I said I was done asking questions but I guess I'm not I have one more how do how do you folks feel about the consumer
user experiences and how is your experience being outside of work with the updates because one thing that we've had we've heard or we we've toyed with is going down a path where our experiences you'll start to feel more like consumer disgust this is right I'm great with it another consumers anybody hate it Joey Hamilton has thoughts I get updated like every other day so oh yeah insider yeah yeah consumer doubly Hamilton says I like the I like that the updates happen during times I'm not using the Machine yeah Sam okay like let's say let's say in a wacky world tomorrow I said this will not happen spoilers this will not happen unfortunately but if I said tomorrow oh you have a setting that you can give your end-users exactly the experience they have in consumer how many of you would give that give me a thumbs up or thumbs down on how you'd feel about that or whether you would not care not caring in the front row nobody else is even giving me a thumbs up or thumbs down so I'm kind of indifferent that's good for us here Oh thumbs up for break okay yeah would not care we control it as much as possible okay cool good to hear it's something we have we've heard on and off and so I just wanted to get a read of the room how you guys feel about it okay yeah yeah so really long-winded way of saying yeah we know we still have a lot of work to do on end user notifications friend we need to get more intrusive and we also need to provide flexibility so that oh oh I just remember something that's coming which I'm really happy that we finally did related to this so 1906 you guys should all upgrade in 1906 when it comes out because and that's what I definitely won't get charged for our new software is available notifications finally makes sense they previously it was so ridiculous how they worked they would you would literally get a new software notification every time the client started up if you had any machine available targeted policy at policy to your device and so if you had
anything every time it fired up you'd see a notification that was ridiculous it meant that many folks turned it off completely and starting in 1906 it will actually only show new software is available for a small period of time after an app is deployed and then no more so I'm really excited about that it seems like a tiny thing but it was it's something that we've been asked for for so frickin long that I'm very happy that we finally had that I know that cable stick some people were like duh but finally and that will make Matt and his colleagues there very happy that ones yeah I could see I could see Matt on I am here yep so yeah 1906 upgrade to it any other questions I'm probably I'm like I would say I'm over time but I guess I did not really have a time bind from from that or from Frank other than when you guys start looking bored so I'll say going once one questions going twice oh you have one no no okay then I'm going to call it uh thank you so much Frank machine so you're saying I mean you have machines that fail via express updates for several days and then just work on a random derivative or networks there's been walking other than I can't find did you hear that at all Dune did you catch that one I did so Express updates failing all the time and then they working do they work so does it fail on a single device forever and then start working or does it fail it was failing in general for a while and then it started working and then that and then that happens every time you deploy that's really weird can you email Frank yeah and Frank can you email me and then we'll talk about it we'll figure out what's going on yeah okay sounds good random one random one for the heck of it from a Goodman has anyone seen slowness /timeout issues when installing updates to a machine with McAfee solid core installed I'm seeing extreme slowness and timeouts two plus hours stuck on getting windows ready during key live update installation even when solid core is in update mode
machines with without solid core take the usual 30 to 45 minutes to install anybody using McAfee not not very helpful all right well thank you very much Frank for having me and folks for your questions and your faces and your waving and your thumbs much appreciated and if you have follow-ups that come up you can follow them through Frank and I'm sure he'll be able to pass those along to me and I still owe Frank an answer to his question I'm happy yeah thank you Dune very much definitely appreciate it big hand for Dune here everybody oh yeah thanks to and really appreciate it no problem enjoy the rest of your day thank you all right everybody that's it that's all I have for today hope everybody enjoyed the content that we had today we obviously had some really great speakers everybody on the phone if you guys are interested in seeing more of our groups group sessions and stuff go out to our meetup site meetup comm forward slash please guard on Twitter at please go we have sessions quarterly so we always try to get speakers and things lined up fun stuff going on so definitely keep joining us we'll have sessions like this and everybody is always welcome to join we'll always have a team session like this going to if you're not aware the teams meeting info will always be posted on the meetup site and on Twitter so if you're ever not able to make it that's where you're going to find it so I'm not going to add everybody individually and obviously that's going to be problematic and try to maintain something like that so it's just going to be out on Twitter out on the clean up meetup site and on our site as well so wcco.com I'm just shamelessly plugging the heck out of all everything right now but yeah anything you need to see out there again use it as a community forum so if you guys have questions that you want to ask your peers here that are local please do use that there we're all here to help each other and we're all dealing with the same things most of the time so
with that said I'm gonna close it out again thank you everybody thanks dude and thanks Justin and patch my PC for coming in and that's it thanks guys they do whoever posted the meeting invite on the subreddit because that was where I saw it that was Justin Justin you're awesome man thank you yeah he was all over he posted it everywhere so all right thanks guys thanks folks thanks everyone
Info
Channel: Patch My PC
Views: 1,830
Keywords: SCCM, third-party updates sccm, 3rd party updates sccm, CLESCUG, Cleveland System Center User Group, java updates, Microsoft sccm patching, Dune Desormeaux, SCCM Product Team, ConfigMgr Product Group, SCCM Software Updates, Microsoft Patching SCCM, ConfigMgr Updates
Id: 5ukqcJPomkE
Length: 140min 17sec (8417 seconds)
Published: Tue Jul 30 2019