Patch My PC Webinar on Third-Party Patching in Microsoft Intune and SCCM

Captions
Okay, let's go ahead and get started. So first of all, I want to thank everybody for joining this webinar. What we're going to do is we're gonna go through and review what it looks like to configure our product for both third-party application and patch management within Microsoft Configuration Manager and Microsoft Intune. So, quick introduction on me: my name is Justin Chalfant, I'm the founder here at Patch My PC, and I also have about five people from our team that are monitoring the questions and answers section within this GoToWebinar. So if you have any questions throughout the demo, please feel free to go through and, you know, put that question in, and there's a good chance we can get that answered throughout the demo. Now, I'm also going to go through and configure the product, and hopefully we'll have time at the end as well for me to address any questions that you didn't have answered during the session itself.

So to get started, what we're going to do is actually go through, configure our product and show you exactly what it looks like, right? So what I have here, I'm running on a Config Manager environment. It's a pretty clean setup, so we don't have any third-party updates or applications created. So for example, if I come in here and look at All Software Updates, we can see that we only have a few Microsoft updates. Same thing for applications, so currently we don't have any applications configured either. So within this we'll go through and we'll actually show you, within about 30 minutes, how we can get that set up within our product.

Now, if you're looking at, you know, if this demo looks interesting, the first step for you if you just want to evaluate things: if you come over to our Download and Docs page, let me go ahead and open that up. So currently, if you want to try it out, this is our full trial page, so you can come in here, you can get a full trial, and then within the Download and Docs page, this is where we can actually go and download the MSI that we use for
installation. Now, within that same download page we do also have a free setup session that you can configure. Like, if you want to go evaluate it but you want to work with one of our engineers, you'll be able to go through and schedule a session to help actually set it up within your environment if you want it.

So within here I'm gonna go ahead and launch our publisher installer. Now, a little background on what this tool does: this is what allows us to actually go through and publish the updates and applications to either Configuration Manager or Microsoft Intune, or even both if you wanted to. So this has the capability to both do Intune apps as well as Config Manager third-party updates and applications. The only option that you would get within the installer is if you want to enable Intune standalone mode. So if you did want to enable Intune only and you weren't using Config Manager, you could simply check that box and that would just disable some of the prerequisite checks that we have. Okay, we'll go ahead and get that launched.

Now, this utility does get installed, if you're using Config Manager, it would get installed on your top-level software update point within your site. So within our lab environment this is pretty simple: we only have one site system, and it's also our site server, and it's also our software update point. Now, if you're using Intune only, you could really install this wherever you want. It could be a Windows 10 machine in Microsoft Azure, for example. But if you are using Config Manager and you want to use the updates feature, you would want to make sure that you install it on your top-level software update point, and that just allows us to publish the updates to the topmost SUP, and that's gonna synchronize down to all the others within your environment.

Now, the first option that we have here is, when we open the tool, we have a certificate that we need to configure. So if you want to use the software updates feature, you really have two options: you can either generate a
self-signed certificate, so right from our tool we can come in here and we can generate this, or you could import a PFX file. So if you have a certificate authority like Active Directory Certificate Services and you wanted to issue a code signing certificate from there, you could do that. Now, this is simply the certificate that is used to sign the third-party updates that get published to WSUS, so this just allows your clients to verify that the updates that you are publishing are coming from a certificate that you've configured. So I'm just gonna use a self-signed one from our tool.

Now, one of the nice features within Config Manager 1806 or newer: even if you came through and you published a certificate from our tool, what we can do, we can go into your software update point and we can choose this option to allow Config Manager to manage this certificate. Now, what this is going to do is, the next time that your software update point synchronizes, let me go ahead and trigger that, it's going to actually read that certificate and it's going to import it into Config Manager. Oh sorry, I opened our log file; what I actually wanted to open was the wsyncmgr log. So there we go, we can see the sync completed, and we can see that it did detect that new certificate that was generated through the Patch My PC tool.

So what's going to happen, if we come back into our software update point, we've now got that prerequisite of our code signing certificate for the WSUS signing for our updates, third-party updates. We now have that certificate automatically added into Config Manager, so we don't have to worry about doing any GPOs to deploy the certificate or anything like that. It can all natively be handled within Configuration Manager. So for example, the only other setting that we would need in order for our clients to trust the updates that we publish, there's just the third-party updates client setting within the Software Updates node within the client settings, and the only other thing that you would
want to do ahead of time would be to enable the third-party software updates. So that's going to allow your clients to automatically install that third-party certificate using Config Manager natively in the client. So that's really all there is from a prerequisite side; really just that certificate's the big thing there.

Now, jumping into our next step: we have three different tabs here. This will be primarily what you guys are working with. So we're going to have the Updates tab, the Config Manager Apps tab, and one of our new recent features is going to be the Intune Apps tab. So this is where, you know, really all the core work would happen within our publisher. The updates, that's going to correspond to software updates within Config Manager, so whichever products that we select here are gonna automatically publish into your Config Manager site as a software update. So once we get this configured, we're gonna see these third-party updates starting to flow in automatically.

Now, the other one's going to be our Config Manager Apps tab. So what this is going to be is which products you want to use as a Config Manager app. So the apps, what's nice about that compared to the updates is they can be installed even if the application isn't there, right? So you could use these in task sequences, you could use these in collection deployments, or any other deployment option that you would have for applications within Config Manager. Whereas with updates, what that will allow you to do is patch applications that are already out there in your environment. So once you get our applications deployed using task sequences or collections, that's really where the third-party updates come into play, where it can keep those machines up to date once they're already out there, and you can report on all the compliance for your third-party apps.

And then lastly, the newer feature that we've had only in the past couple, two or three months or so, are our Intune apps. So the way that that's going to work is it's going
to automatically populate your apps here in Intune for whichever products that you select within that tab. So we're going to actually go through and we're going to enable all three of these and show you how simple that can be.

Now, before we get started, let's go ahead and look at our supported products page. So we currently have, I don't even know how many apps we have today, I know probably a bit over 300, and that's simply because we add apps all the time. So if you are kind of interested in just seeing which apps we have, you can go over to our supported products page. And probably more importantly, if there's an app that we don't support that you use in your environment, we do have a link right from that page to our UserVoice page, right? So this is going to be where, if there's an app that we don't have and you want to request it, or you want to go search for existing apps that may already be requested and vote on those, you have the ability to come in here and just search our ideas portal or submit a new request.

Now, just for some context, what I'm going to do is jump over to our roadmap just to show you how many apps that we've been adding lately. So just patchmypc.com/roadmap, and that's going to give you a list of kind of all the features and things that we've been shipping recently within our product. So for example, you can see all these different features that we've released. Now, anything that has a dark blue tag is a new product. These are going to be new applications that we've recently added. So in the month of April, for example, we've added probably somewhere about ten apps, and we usually do about five each month on average or so. So the app list is always growing, and it's really going to be based on the needs of our customers and what requests that we're seeing people are voting up within our UserVoice.

Now, for this example, one thing that can be quite helpful, since we do have a large list of products, so if you come in here you can see that there is a
large list of products that we have available, one of the features that can make this quite helpful is we have this scanning tool. So what this will allow you to do is you'll be able to go through, put in your Config Manager database in the database name, and you'll be able to actually go out and scan your entire environment. So this uses hardware inventory that Config Manager collects by default on your devices, so we can tell you, based on all those products that we support, how many of those are actually installed within your environment today. So the way that that will work is, from here you can come through and you can say, hey, I want to enable everything that we detected within our scans, and within a couple clicks you can actually have every product that is already installed within your environment available and ready to publish.

Now, for time's sake in this example we're not going to actually go through and configure that, but one other option that we have within the scanning tool is we can actually make this reoccurring. So if you wanted the scan to evaluate every time that we perform a synchronization to check for new third-party updates, you would have criteria that says something like: if a product is now installed on at least 10 machines, automatically enable it, for example. Just uncheck that and then cancel.

Now, before we actually enable some products, let's actually right-click. And once we right-click at the all products level, at the vendor level, or even at the individual product level, you'll see that we get a list of customizations that we can apply during the patching process. So for example, let's say that there is an application where you wanted to, you know, automatically close that process before the application is updated. Maybe it's one where it doesn't update successfully if the app is in use. We have a right-click option where you can simply go in and say, I want to automatically close the app before updating. We can also skip the update if the app is in use, and then it
will attempt during the next software update deployment and evaluation cycle on the client. We can also do things like delete shortcuts, disable the self-updates for products, and then enable logging.

So what we're going to do from the all products level: we're gonna go in, we're gonna delete any public desktop shortcuts that get created by products, we're also going to disable the self-update feature, and then the last option that I'll show you here, let me just copy a UNC path, so we can see that we just have a network share called failed logs. So I'm gonna go ahead and right-click all products, I'm going to choose enable logging. So what this is going to do is, this is going to allow us to automatically add the logging parameters to any MSI and EXE installers for these products, and by default we're going to automatically store those logs locally. So we're going to create a subfolder within CCM logs if you're using Config Manager. If this is an Intune log, by default it would go in ProgramData, and we'll look at that one here in a second. And then this last option can be quite helpful: if we detect that an update failed or an application failed, we can copy those failed installation logs to a separate location if you wanted to. So for example, you could have like a UNC path that would have all the failed logs get copied there. All right, so that's the settings that we're gonna apply at the global all products level.

So now what I'm going to do is actually enable an update for publishing, so we're gonna do Google Chrome 64-bit. Now, once we get to the product level, we can see that we have three additional options that are specific to individual products. So we can add custom pre and post scripts, we can modify command lines, like if you had a product key or some custom parameter for your environment we could easily do that, and then if it's an MSI-based product we can also add a transform for the installation as well. For Google Chrome, just as an example of how you can get custom if needed, we're
gonna add a post-update script. So for the script types we support, batch, PowerShell, VB, EXE and MSI files could be run as a pre or post action. In this example we're just gonna run a PowerShell script, and what this script is going to do is just set the Google Chrome home page. So it's just gonna set some registry values and it's going to set the default home page for all users to patchmypc.com. Just an example of how you could get custom if you ever did have some type of, you know, environment-specific configuration that you would want to apply during an update or application installation.

And then the only other one that we're going to do is Java 8 32-bit, so let's go and select that. We can see that we have those options applied at the global level, and one thing that we do for Java, because it doesn't auto-remove old versions by default, we do have a pre action enabled by default that's gonna automatically remove any old JRE versions prior to the update. Okay, so we've now got Java and Chrome. So once this publishing occurs, these two are going to show up here in All Software Updates, because they're gonna be a third-party update within ConfigMgr.

Now, jumping over to the application side, the configuration is pretty basic. So the only real thing that you have to tell us is where do you want us to download your application content, right? So where do you want all the source files to go. One cool feature within here is, if we come back in and look at my console, we can see that we do have some subfolders automatically created ahead of time, or that we've created ahead of time. So let's say that we want all our applications created from Patch My PC, let's say we want to put them into a custom folder within the Applications node of ConfigMgr. So I'm just gonna set that at the global level so that anything that happens there will go into that folder. Okay, and then probably the only other option that's kind of interesting here is how do you want application updates to occur. So let's say
Google Chrome 79 was published, version 80 came out: how do you want that update to take place? So by default we're gonna update any previous application that we've created for Chrome in place, meaning that you won't have to go through and you won't have to, like, if it's a task sequence, you won't have to go and, you know, remove the old app and add the new one. We would simply be updating the existing app that we had, which would include updating the detection method within the deployment type, updating the content and your distribution points. So if you left the default option, that's always going to make sure that you're deploying the latest version of that product within your task sequences or collections for any new devices. Now, if you did want to have more control over that, we do have this option here at the bottom that says whenever an update comes out, create a new application, so then you could have a little bit more change management if needed. And then we can also automatically distribute the apps when they get created as well. So that's pretty much all we need for the app options.

Now, what's interesting here is, you know, for the most part it's almost the exact same list for the products that support update publishing versus the products that support base application creation within SCCM. So we actually have this option where, let's say that you went through and you enabled a lot of different products for update publishing, we can simply duplicate those and automatically enable those applications, including any of the custom right-click options for the applications as well. Now, you know, when we look at the app customizations, we do have a few more options here that are specific to applications within SCCM but not updates. So for example, we can, you know, have different configurations like max runtimes and things like that. Now, the only other thing I might enable here is 7-Zip, so we're gonna do 7-Zip as an application, and one customization that we're going to set, we're gonna
say that for 7-Zip we actually want to be more specific and move that to a separate folder within the SCCM console. Okay, so that's our updates and that's our apps for Config Manager.

Next thing, let's go ahead and look at our Intune apps. So we'll go ahead and take a quick look at that, and we can see that's basically the same concept here, right? So you're going to have a list of products that you want to choose. Now, within the options, this is where you can determine how you want to update any previous applications that we've created within Microsoft Intune. So by default we're gonna automatically copy any assignments that might have been created for the previous version, like Chrome 79, and we would automatically duplicate those assignments whenever there's a newer version out, like Chrome 80 for example. So I'm going to go ahead and do that same option where I'm going to duplicate those. So if we come down here and we look at Java or Chrome, for example, we can see that we have all those same customizations, like our home page would get automatically set if we deployed this app in Intune, as well as disabling updates and things like that. Now, for this one, just to save some time since this will have to upload to Intune, let's just do Java for this example, or I'm sorry, Chrome for this example.

Okay, so that's pretty much it as far as all the products that we're going to enable for publishing. So what I'm going to do is I'm gonna go ahead and trigger our first synchronization. So what that's going to do is, in the background, it's going to get all these applications and updates publishing to our environment. So first thing, while we're waiting for that, let's go ahead and look at Intune really quick. So if we take a look, we can see that we currently only have 7-Zip, so once we get to the Intune portion of the app creation and the sync, we'll see Chrome get created here. But jumping back to that sync schedule, this is really going to be where all the automation takes place. So once you've
configured the products that you want for either update, application, or Intune application creation, you really don't have to come back into our tool at all. Everything's gonna happen automatically in the background. Whenever there's any new updates available in the catalog, this tool is going to automatically sync and publish those into your environment. So by default we do sync every night at 7:00 p.m., but you can of course change this to however often you want. So from our perspective, we probably do about four to five catalog updates per week, because third-party updates don't really correspond to, say, Patch Tuesday like Microsoft updates do, for example.

Now, one of the nice features about this is we do have some alerting available. So you probably just saw that Teams notification show up. So you can get automatically emailed, or you can even enable a Teams webhook for new notifications whenever anything gets published. So for example, let's go down to the bottom of the messages here, and we can see that we actually just had a new update published to SCCM for Google Chrome. So if we look at that message, we can click out; that will take us directly to release notes. So we can see, you know, for example, this Chrome update was a security update. We can see that this one had CVEs associated with it. So for example, if I look at the CVEs and click that, we can see that actually takes us out to the National Vulnerability Database directly, where you could get more information about the CVEs for the update that was just published into your environment in real time. So definitely helpful for staying up to date with, you know, updates that are being published and now available within your SCCM updates. Okay, same thing for Java. So Java just published, we can quickly go out to the release notes there, we can see this one had quite a few more CVEs, and that could also be directly clickable there as well.

All right, so now we're moving on and starting to create the applications within SCCM. So if we look
over here, we can see that that 7-Zip application actually got created, and we also get notified within our Teams alerts for any applications as well. So same thing, we have our app created for Chrome, and then we just had our app auto-created for Java.

Okay, so we can see the updates are already starting to synchronize in. So they're synchronizing automatically because within our sync schedule we did have this option enabled to automatically trigger a software update sync whenever we publish any new third-party update. So if we detected we published a new update, we could automatically sync your software update point to pull that new published update from WSUS, so that you don't have to wait for your next scheduled sync.

So just while we wait a few minutes for the other update to sync in, let's take a quick look at our applications that we had created within Config Manager. So for example, if I look at that 7-Zip one, we can see that it did put it in that custom subfolder. We can see that all the metadata gets filled out here as well, so things like the name, the privacy URLs, the documentation, the keywords and the icons are all automatically added within Config Manager, so that if you were to deploy this and make it available within Software Center, you know, it would be a nice experience. You would have everything looking really well, especially with icons and the keywords. All of this would directly map within that experience within Software Center.

And then it looks like we just created our Intune application for Chrome, so let's go ahead and look at our Intune console. There we go, and let's refresh this. So now we can see that the application for Chrome was also automatically created. Now, one thing that I missed here is I did not show the assignments feature, so let me go into our Intune apps and let's go ahead and deploy 7-Zip. So one of the right-click options that are pretty cool with Intune is that we can automatically deploy any of these applications. So for example, let's say that
we wanted to automatically deploy 7-Zip: we could say we want to deploy this to the all users group within Azure. So let me go ahead and do that. If we click on the group that we just added, we also get additional options, like when do you want to make the app available, if you wanted to customize some of those additional deployments that you might be familiar with if you've ever created an assignment within Intune. For this one, let's go ahead and just do 7-Zip, and we can also do this at the all product level as well. So let's say that you went through and you enabled a lot of different applications within Intune and you wanted to make them all available to all your users. So you could simply come into the tool, let me go ahead and apply that, you could come into the tool and you could automatically have the assignments automatically created. So instead of going into Intune, for example, after we auto-create the app, and going and manually clicking each of these, going into the properties and choosing assign, you could have all of that happen all at once. So if you wanted to make, you know, a hundred apps, say, available to all your users, you would have the ability to do that in a single click within our tool. So super helpful if you did want to target maybe a standard group for a lot of different applications within Intune.

Okay, so jumping back into the ConfigMgr side while we wait for that to sync, we can see that our updates have automatically shown up within our ConfigMgr console. So we see Chrome, we can see Java, we can see that we're already getting compliance data. So we can see that we have one machine that needs this Java update and needs this Chrome update. So everything from a deployment perspective and monitoring within Config Manager is going to be exactly like a Microsoft update, right? So for example, we come in and we look at our automatic deployment rules. One thing that we did have pre-configured here is we actually have an ADR set up, and we can see that it's just saying
show me any third-party update from Patch My PC. So in this case it would automatically have that Java and Chrome update and any other products that you've added, and it would auto-deploy them. Now, just like any other ADR, you can have custom deployments. So we have two pilot deployments added automatically and then we have our production deployment, and they use the same exact functionality as an ADR for Microsoft updates. For example, you can set a custom deadline for each of those three deployments, we can choose whether or not we want it to show in Software Center, maintenance windows and restarts would all have the exact same deployment options as any other update. So when this automatically triggered, it downloaded our updates into a deployment package and distributed them to our DPs, and it automatically created a software update group. So what's nice about this is that we're using the exact same technology that ConfigMgr uses to deploy those updates, so you don't have to worry about any additional servers or any additional client agents. Everything uses the exact same technology here.

Okay, so last thing I'll do before we jump over to a client: I'm going to go ahead and run a PowerShell script, and what that's going to do is it's going to deploy those three applications that we created, and it's going to deploy them as available to the all users collection, just so that we can see what those new applications look like when we go into Software Center.

Okay, so we've just switched over to our client, so you should be seeing this screen now. If not, just let me know in the comments, but you should see our client device here. So this device is part of the initial pilot deployment for our software update group, so that means that we have a deadline set for one day out. So these would automatically install tomorrow if they weren't installed ahead of time first. Now, we also made these updates available within Software Center, and that's why we have the ability here to install them ahead of
time. Now, within this client we can see that we have an outdated version of Chrome, so we have Google Chrome 77 and we have Java 8 Update 221. So if we go ahead and look at Google Chrome really quick, we can see that we do have a public desktop icon for all users, so that's right here. If I go ahead and open that up, we can see that we just have the standard Google homepage, nothing custom. So let's go ahead and kick that off and choose install.

Now, one thing that you might remember is we did enable installation logging for Google Chrome. So what should happen here in a second: we're gonna automatically create that subfolder for our vendor installation logs, and then any vendor install log that supports it, which is about 90% or more that supports a command line log or a command switch log, will automatically add the logging for the vendor's install. So this is actually Google Chrome's MSI log. So let's say, for example, you ever had a device where the update or application installation was failing: instead of just getting a generic 1603 exit code, you would actually be able to come in here, look at the log file to specifically see why that update was failing on that device.

We do also have one other log file that will kind of show you all the things that we did for either an update or an application installer. Back in the root of the CCM logs we have this log called Patch My PC script runner. So if you enabled any of those custom right-click options for a product, we'll actually log out and show you exactly what we're doing throughout this process. So for example, we'll see when we start running the vendor's installer, we can see that we also deleted that shortcut on the public desktop, we also enabled three different reg values to disable the self-update feature based on that right-click option, and then the last thing here, because we did define that custom PowerShell script, we can see that running as well as the exit code that everything returns. So if we come through and we look at
this, we can see that that shortcut is now totally gone, and if we go out and launch Google Chrome from the Start menu now, we can see that that homepage was automatically set using that custom PowerShell script. So, you know, any of those customizations that you've applied, you can actually see those all happening within a log file if you ever did have to troubleshoot something. So that's our Chrome update.

The only other thing we'll mention with Java is that we can currently see the Java updates are enabled. So if we look at the Java control panel, we can see that's set to check for updates, and we can even see that we're getting notified here in the taskbar that there's a new Java update available. So I'm going to click this; what we're going to notice is that Java control panel app is going to auto-close. Actually, I don't know, I may have not enabled the right-click option on Java, so that one might actually not close for this scenario. But if we come back to our Patch My PC log, we will be able to see everything that's taking place for this installation. So for example, if we come in and we look at our vendor logs, we can now see that even that EXE installer for Java, it automatically added the logging switch and it's saving it to whichever folder that you defined within your process. So there we go, we can see that Java is now up to date. So if we come back into Add/Remove Programs, we can see that we went from Google Chrome 77 to version 80, and then we went from JRE 8 Update 221 to 241.

Now, the only other thing: if we look at our applications, we can see that our new applications that we created for Config Manager are also automatically showing up here as well. So just like any other application, you could deploy this just, you know, any way that you would be from, so whether that's collection deployments, so in our case we just made an available deployment for all users, you could also deploy this in task sequences or any other method that you could have within ConfigMgr. So I'm
going to go ahead and kick this off we're also gonna see we use the same exact log file so if we look at that patch my PC script runner we should see here in a second that it's going to start to install 7-zip there we go so we can see the 7-zip installation taking place we can see that it's using the exe and we can also see the command line that we ran for that product as well one nice feature we also will set the uninstall command line as well so if you ever wanted to deploy an application as an uninstall type you can always revert back to you know a previous version of an application or an update using our application feature here as well alright so that looks good from the client side let's jump back to the server here for a second okay so we actually went over to one of our Intune devices so what we're gonna do we're just gonna check whether or not company portal is showing the new applications that we've deployed um sometimes there can be a little delay so we may or may not see that seven okay it looks like it did the policy did update here in time um so we can see both that Google Chrome and that 7-zip application that's been automatically deployed and created using Microsoft Intune and the win32 applications so we'll go ahead and click on google chrome we can see that we have the same type of experience that we saw within software Center for config manager so within company portal you know we have descriptions keywords we have the release notes we have the docs all of these will be pre-populated for any of the apps that we create within Intune as well so this would really function like any other win32 app deployment so this will save you a ton of packaging time and it will also automatically keep those apps up-to-date within Intune so for example if you were deploying chrome to all your users and you chose the option to the default option to automatically update assignments from previous versions let's say that chrome 81 came out you know it could auto create 
that and auto assign it to any groups that you've already deployed it to so that's one of the ways that we can kind of keep those win32 apps up to date and keep those clients up to date as well now Intune it might take a little bit of time where it does have to download this from Intune so what we're going to do we'll jump back to the server and we'll review some of the reporting options available okay so we're back on the server now one of the nice things about the third-party patching is any of the reports that you're accustomed to within config manager will work so any of the native SCCM reports will work perfectly fine with the third-party updates now one thing to note is that we do provide free third-party update dashboards and Microsoft as well and you can actually use these regardless of whether you're a customer so if you wanted to install these you can go to the Advanced tab with the service and just click run report installer what that's gonna do is it's gonna automatically install some SSRS dashboards that use your config manager update data to to show your compliance data right so I'll go ahead and run one of these and we'll kind of take a look so you can either run these against only third-party updates or if you wanted to you could also view Microsoft updates as well so for example let's go ahead and make this little wider we can see that it will show you things like how many workstations you manage how many servers that you're managing and then it breaks up compliance by month for both workstations and servers for the past year so for example for the month of April we can see that we have four hundred and sixty eight instances where either an update is installed or it's required and not installed out of those we're 91 percent compliance if we click into that we're gonna see the updates that were released within that month and for example we can see that this Notepad++ update that was released yesterday we can see that we're missing that on 8 
devices same thing for this Google Chrome update that was released yesterday this was one of those security updates for Chrome so we can also see the category is also security over here as well and depending on how deep you go into these reports let's say we want to go to this specific update it might take you into one of the native SCCM reports where you can get very specific about the compliance of that update right so from the dashboards it's very easy to kind of dig in and kind of see which data that you might be really interested in from that graph from the dashboard so if we come back here we did we there's quite a few different charts and graphs that can be quite helpful on this dashboard as well so we'll just scroll through and kind of show all of these they're all interactive as well so let's say that you you know you have one machine for this graph here that's missing between 26 and 50 updates so that's you know quite a bit higher than the 12 machines that are missing between 1 and 10 so if we were to click into that it would actually show us the machine that are missing missing you know it looks like 27 updates in this scenario and then you could actually click in and get more details about that specific device and try to understand hey why is this one so much higher than all my other machines for the number of updates it's missing and then what's nice is if you're using any other let's say of the free Power BI dashboards for example so this is one of the free ones available from Microsoft any of the patches that are coming from our product should work through any of the other dashboards or solutions that you're using because it uses the same exact update reporting mechanism as Microsoft updates within config manager so definitely helpful for kind of using single pane of glass and using all your existing functionality and reports for monitoring that but that's pretty much the entire configuration portion of this so we've got our apps both our updates and 
config man we have our apps and config manager and then we have our win32 apps automatically created in Intune as well um the only other thing we'll look at before we open up to QA would be the pricing so as far as the pricing goes let me just scroll down here and we'll take a look at that we basically have three different subscribe options yeah so the the the most common one that we're seeing a lot today would be Enterprise Plus so that's going to give you essentially access to everything that's going to include the SCCM application the SCCM updates and and the Intune applications as well so that's going to be access to all features within the service the enterprise only option that's going to give you access to the SCCM software updates feature but it would not give you access to the the third-party application creation and then we have an Intune only option where if you're only managing your devices in the cloud you would have the ability to have that Intune only subscription but that's pretty much it from the pricing perspective so kind of the top tier 3.5 per machine per year now one thing I do want to mention is we do have a starting price that like a minimum price for each of these so for example the min that Intune would be would be $1.99 the min price per year for the enterprise Plus would be to $4.99 and then the min for the enterprise only if you only care about updates would be $14.99 so just be aware that we do have a minimum starting price and if you want more info about kind of why we did that if you click that link it will go into more details about why we came up with that minimum price ultimately it has to do with a lot of the time-saving value that's there regardless of the size of your environment so for example we did a kind of a study here and on average based on the number of products we see our customers enabling it's about 2,500 hours per year of potential packaging time that would be saved there right but that's all I had for the demo 
so let's take a look at the questions okay it looks like most of them have been answered sure yeah so can you show the app update repo for where the content gets downloaded absolutely so if we go and look at our sources folder so we we define this this was kind of root paths that we defined within our tool so by default we're gonna automatically create a subfolder called applications we then break it up by vendor so for example we've got google we've got 7-zip and we've got oracle as a subfolder automatically created we then break it up by product so in our case we only did google chrome 64-bit and then each application is going to have a unique GUID from our product and that's where we could see the actual vendor's installer as well as some of the customizations that we use when we call that so some of our binaries for this example for chrome where we included a post action script we can also see that PowerShell script that we included there as well just looking at some of the other questions here if you have a question also feel free to come off mute if you can i I don't think that we're I think you should be able to come off at this point maybe so what about the updates I break down by OS good questions so for example if you're if you're breaking up your ADRs by OS what you can do is we have a article so if we come over to our FAQs as far as deploying them by OS that may not necessarily make sense for third-party patches because you know a third-party update might be applicable to seven and Windows 10 but if you did want to break them up using products since they since they do come under a single vendor or patch my PC um the reason we do that is because there's a WSUS limitation of up to 100 third-party Update vendors that are supported once you go above that they stop publishing so what we did we we're simply using a single vendor just so that we can you know get around that but if you did want to break these out by product we have a specific KB article 
that talks about how to filter products how to filter by product within an ADR so basically what we do here is we're using title filters so for example let's say that we wanted to go let's go modify ours just to show you what this would look like so let's say that you had an ADR and you only wanted to deploy Java here so what we could do we could add a title and we could say the title must contain Java so that's that's basically could be a replacement for the product and now you can see that we're only deploying a Java update now let's say that you wanted to exclude Java so you wanted to deploy all patch my PC updates but you did not want to auto deploy Java so what we could do we could put a - before the title and then preview and now we're only going to be deploying that chrome update because we wanted to exclude Java so still still super easy to do kind of like a product specific deployment in that scenario yeah so what would be the recommended minimum number of devices to get a benefit from patch my PC um that's a good question and I don't know if there's really a good answer from a device perspective my my response would be it's more about the time-saving so you know even if you have 15 devices that you're managing say in Intune I would say the question for you would be how many applications and how much time are you spending packaging those applications right so you know that that's really going to come down to the value and time savings that it would be worth it I don't really see the device count being a big factor in that it's more how many apps are you managing how much time that you're spending packaging and deploying those in Intune or config manager and at what point would with that time benefit you for the price that that subscription would cost so I don't know I think it really comes down to just evaluating how much time you're spending packaging versus maybe time you could be spending you know doing other things within the environment so I think 
it's really very personal really depends on the company how many apps you have how much time you spend as to when that might make sense for that starting price for the number of devices that you have you know we have a we have a wide ranging of customers where it might be 10 15 devices within you know in tune-up Tuesday what are some of our bigger config manager clients are well above 80 80 thousand devices per you know within that environment so it definitely ranges a lot as far as the the benefit there with the number of devices it really it's really very specific to you know how much time you want to save versus maybe how much that time is worth yeah so can you go over how you how things happen on the backend for when updates get released yeah so it's there's a variety of resources that we use for understanding when updates are available so one thing that we do to monitor this for example this probably works for about half of the 3 350 400 products or so that we support is we actually monitor whether or not a file hash has changed on the vendor server so a couple times a day we'll have a service that we've wrote automatically download and check file hashes so that works for any product where they use the same download URL for some of the other ones we scrape different release notes data but it really just depends on the product but yeah it takes a lot of time um to release updates and kind of monitor for those updates I think that's a big piece of where that value comes from saving you from having to do a lot of this work for packaging and probably even more importantly just you know just understanding like when new updates are available can be challenging enough as a config manager admin or Intune admin where you're also wearing all these other hats and doing all these other things within your environment so even just understanding when things come out that that could be impactful for your environment whether that's new security updates for a product or just a 
new you know bug fix or feature update for a product just monitoring that let alone having to package it it is hard enough from that perspective so yeah we have a team it takes us quite a bit of time to kind of keep up with you know how things are happening yeah so if we implement patch my PC after termination of an agreement will be possible to use those yeah so in the example let's say that you you purchase patch my PC you have the subscription for a year and let's say that you decide you know we're just not for you we're not a good fit and you don't renew anything that was published whether that's an application or an update would still be available within your environment you simply would not get anything new in that scenario so you should be okay in that scenario for having access to everything that's already been created within a subscription so why would I use patch my PC when some products have an auto updater so I'd say that's really kind of specific to the company so some products do update pretty well but one of the things that we see is some of our customers they want to have a more standard environment right so they want to control when updates happen they don't want say thousands of machines for example in some of the larger environments they don't want them all going and going through their internet you know pipe to go download the update files for every single device so by using config manager you know they can really control when that happens they can get all the content locally within their distribution points and probably one of the more important factors they have a change control to understand exactly when an update's going out for a product to make sure that doesn't disrupt any any business you know continuity issues where maybe a new update might not be tested for certain applications yet so I think probably one of the bigger factors why some customers might not want to auto update is really around control and making sure things are tested and 
making sure they know when things happen where they happen and where those clients get the content that's a good question Eric we were so our engineering team we were actually discussing this it's actually talking to this up with Cody the other day so if you have any any plans to support getting content directly from the internet instead of having to replicate it for CMG we're potentially looking at this for Intune maybe in the future the challenge there's like so the use case is that since a lot of these third-party update you know updates the content are available directly from the internet through the vendor do you really want to have to host that content in cloud in a CMG distribution point in the cloud so that will always be the case for software updates the reason for that is because all software updates are signed with your code signing certificate so it's very specific to you right but for Intune like we're trying to debate if we could ever make an option we're potentially are our tool that runs the update or the win32 app install could potentially download it from the vendor there's actually a lot of challenges in that case the biggest one is what happens when the vendor updates the application and it doesn't match the hash of the application that we originally created so there there's some security concerns in there there's some variables that we would have to account for but it's something that we're trying to evaluate if that could be feasible in the future specifically for applications most likely within Intune for the config manager side there's a lot more hash checking where I don't think it would be feasible especially for updates where they're specific to your code signing environment yeah yes so no clients so we don't have any of our own clients everything would work natively either using the config manager client or the Intune client so you don't need anything there yeah so as far as hiring um you know we picked up a few engineers over the 
past few months but just stay tuned with our Twitter account if we ever add an opening coming up here in the near future we would definitely post it there on Twitter so if a deployment went wrong in pilot how would I stop it from going out to the second group so within config manager specifically you can use phased deployments and you can have different criterias for when it would target kind of that second collection so there's certainly some options there around you know how how you would want to proceed with different phased deployment groups within your environment to make sure that you know it looks good now so for internet for Intune only devices the application content will get replicated directly to Microsoft Intune so within the app itself that we create for Intune that content would be coming directly down through Intune so you would not have any network shares that the client would need access to we would simply be creating an app just like if you were to go and upload you know an app for say Google Chrome we're doing basically that same process all the content would be downloaded directly from Intune in the cloud yeah so the SSRS reports we showed that was our report so you can install that from our advanced tab so these reports were actually originally done by a Microsoft consultant Gary Simmons he had a blog post about this and that's the reason that we were keeping these free um just because a lot of the updating of these reports that we did to add new operating systems as well as the the simple installer where we'll automatically install it and change all the URLs but the core reports that we originally kind of took these were from were an example blog post so yeah you can go through you can install these even if you're not a customer and they would simply upload into your SQL reporting instance within SCCM and that's where all these reports come from so you could definitely go through you could install these and use them how you see fit so an 
install application for Intune will not be patched users we have to go in a company portal and install the new updated application manually to get them no not necessarily so in our example we did make them available within Intune so you know if I come and look at that Google Chrome we can see it was automatically assigned from our tool and it was only available but for example if you made these application assignments required they would automatically apply so in our case you can see it's just available so that's why we had to manually go into software Center but let's say that you wanted Chrome on all your devices or maybe you made a a separate group that you wanted to target only chrome to if you made that deployment required it would keep updating it whenever our app gets updated it would automatically keep that required deployment and it would automatically install so you would have the ability to have some more automation you would simply make it a required assignment instead of an available assignment and then it would automatically update chrome in that scenario but out of that it looks like that's pretty much all the questions so I want to thank everybody for joining the webinar hopefully you got some value from this if you have any follow-up questions feel free to send us an email as far as next step steps if this looked interesting what you can do you can jump over to our website you can get a free trial so that's going to give you access to all features all products if you wanted some assistance getting things set up in your environment on the same download page you do have the ability to schedule call with an engineer and you can just schedule that based on your convenience if you wanted some assistance kind of getting things set up in your trial but thanks everyone for joining
Info
Channel: Patch My PC
Views: 1,918
Keywords: SCCM Apps, Intune APps, Intune Java, SCCM Java, Microsoft Intune Third-Party Patching, Microsoft Intune Updates, Microsoft SCCM Third-Party Patching, Patch My PC Webinar, Intune Google Chrome Deployment, SCCM Google Chrome Package, PatchMyPC Intune., PatchMyPC SCCM, Intune Patching, Intune 3rd party patching
Id: NckTpks4itU
Length: 56min 38sec (3398 seconds)
Published: Thu Apr 23 2020