Third-Party Patching in Microsoft Endpoint Manager at CLESCUG

Captions
First of all, just want to thank everybody for joining the user group here today. Big thanks to Frank for letting us sponsor it. The first session that we have will be our sponsor session, which will be a live demo just showing you how our product, Patch My PC, can work to help you both package third-party applications as well as integrate third-party patching into both Config Manager and Intune. In addition to that, we then have Cody and Jordan, engineers from our team, that will be doing just a deep dive into WSUS and tips and tricks to maintain that, and just a concept, just all around WSUS and updates.

So with that said, I'm going to be presenting the Patch My PC product, showing you how it works, and I'll just jump right into the demo. So first thing is, if this does look interesting to you and you wanted to try out our product, you can request a free trial over on our website, and that will give you access to everything that we offer: all features and all products within our catalog. In addition to that, before we get started, we do have some engineers from our team monitoring the chat for any questions. Since we're also on a Teams meeting, if you do want to come off mute and just ask something as I'm going through the demo, that would be perfectly fine as well.

So first thing I'm going to do: if you're trying out a product for the first time, we can go over to our download and docs page at docs.patchmypc.com. This is where we can grab our latest installer file, and we do also have step-by-step docs both for our Configuration Manager product as well as our product that integrates into Microsoft Intune. And if you wanted to, you could do a live demo as well, which will be very similar to what we're doing in this session. Maybe somebody from your team didn't catch it; you could schedule a live demo, which would be a one-on-one with an engineer from our team plus people from your team. In addition to the live demo, you can also do a free guided install, which would be basically just
scheduling a time with an engineer from our team, and we can actually kind of reverse the live demo, where you're setting up a trial, for example, in your environment and you actually have an engineer walking you through all the steps that we'll kind of be demoing here today. So a lot of options to make sure that you get off and get started well.

So I'm going to go ahead and launch our installer. From a prerequisite perspective, and kind of where we're installing this: if you're using our product with Config Manager and you want to integrate third-party patching, the publisher utility that we're downloading here would get installed on your top-level software update point within your Configuration Manager environment. In the demo that we're in today, we have a relatively simple ConfigMan site. We have a single site server, and every single site system role is running on that, including our software update point. In the event that you did have a remote software update point that was the top-level SUP that synced with Microsoft, you would just ensure that you install this publisher utility on that server. It's only about seven megabytes, so we'll just go through the typical MSI install, which is just next, next, next. If you are using Intune only and you don't have Config Manager, you can enable the checkbox for Intune standalone mode, which will disable some of the prerequisite checks that we have for WSUS for third-party updates.

All right, cool. So once that's installed, I'll go ahead and launch that. Now, the main areas that we offer with our product are third-party patching as well as third-party application packaging. So from kind of the tool perspective, this is going to be the tool that will automate both the publishing and packaging of apps as well as the publishing of third-party updates to WSUS, which would then sync into Config Manager. So the only real prerequisite that we have (this is actually a Microsoft requirement) is if you are doing third-party updates
you do need to have a code signing certificate, and that's going to allow your clients to ensure that the updates that are being published are coming from a trusted source. So there's a few ways that you can do this. In Config Manager 1806 current branch or newer, there's an option within the software update point components where you can allow Config Manager to automatically generate a signing certificate that's going to be used to publish your third-party updates to WSUS. This will allow you to not have to worry about things like a PKI certificate, but that is an option as well. If you did use the certificate authority and you wanted to generate your signing cert from PKI, our tool has the ability to import that as well. But what we find is most customers are generally just coming into their software update point, under the third-party updates tab, and then they choose the option for Config Manager to manage the cert.

So what will happen when I enable that setting: the next time that your software update point runs a synchronization, if you don't already have a third-party certificate for code signing for WSUS, it's going to actually generate one for us. So I'm just going to go into All Software Updates and trigger a software update point sync, and then what I'm going to do is check the wsync manager log. What we're going to notice here is, since the certificate is not already in place, it's going to generate one. So we'll be able to see that taking place here, where it said that it inserted and created our new signing certificate. So what's going to happen at this point is all the prerequisites should be pretty much completed.

Now, one thing to note: if you're already using third-party updates, maybe you have driver catalogs, for instance, or maybe a different vendor that does third-party patching, our publishing utility would automatically detect that, and you could just keep using the existing certificate that's already in your environment. But now that I've run that synchronization, if I
come back in my software update point, I'll be able to see that Config Manager automatically generated the code signing certificate that's going to be used for my third-party patches. We can see the thumbprint ends in 789. So if I click OK out of that, all I have to do is come back to the publisher, and if we click on Show Certificate, it's going to recheck for the cert, and we can see that we're just going to reuse and make use of that 789 thumbprint certificate that Configuration Manager is using for us. So that's really the only thing to get started and start publishing our updates that you would really have to do external to our tool: just make sure that cert is in place.

The only other setting is with regards to deploying that certificate to clients. If you go to your client settings, there is one additional setting that you want to apply under Software Updates. You would just want to ensure that the option to enable third-party software updates is set to Yes. And if this is set to Yes, as long as that certificate was created, it's going to automatically deploy that certificate to your ConfigMan clients using client policy. So you don't have to worry about setting things like a GPO up; you can handle this all directly through your Config Manager client.

Cool. So with regards to actually kind of using our tool, there's two core areas: we have our updates and our apps. So if we kind of look at what this corresponds to in Configuration Manager, we'll see that (let's come back over here) we have basically our updates tab and then we have our ConfigMan apps tab. So the updates tab, this is going to allow us to publish third-party updates into the software updates feature of Configuration Manager, and then you can use things like software update groups and deployment packages to actually go out and deploy that. We then have the actual applications, and what that's going to do is package applications for you and automatically have them populate into your applications node within
Config Manager. So that could be used for machines that don't already have the app. You could use task sequences or collection deployments to go ahead and deploy those, so you don't have to manually package that, and then the updates will come into play for those machines once that app gets installed. You can ensure that it's staying patched with those third-party updates using the updates feature. So we cover both the new app deployment as well as the updating, all using native Config Manager features.

Okay, so what I'm going to do for the demo: we're going to enable a couple of products for the updates as well as the applications and show you what that looks like, and then we'll also kind of jump in and I'll show you what the Intune functionality looks like. If you're using cloud or if you're using co-management, both Intune and Config Manager, we'll go through both of those options.

So to get started, we do have a pretty large list of products. In our supported products page you'll be able to see kind of all the products that we have. And one important thing to note: let's say that you have a product within your environment and maybe we don't support it today in our list. If you click on Request a New Product in that supported products page, that will take you out to ideas.patchmypc.com, which is our UserVoice where you can submit new application feedback. So maybe there's a new feature or a new application that you would like to see added; you would be able to go and submit that or upvote an existing one, and then if we did ship one out, you would get notified via email when that took place. Now, in addition to this, you can also check out our public roadmap from the top of here as well, and that will actually show you all the features and products that we've shipped recently. So for example, I can see in the month of August, if I scroll down, we added four new products that month to the catalog. If I look a couple months back, you know, we added about 10 to 12 products the month
before as well. So you'll be able to see the innovation that we're providing based on that customer feedback directly from that ideas portal that our customers are asking for, and you can see all that progress and work with us directly through our roadmap.

Now, for this example, we do also have a feature, if you click this database scan icon, where you can automatically scan your Config Manager database, and it will tell you, based on the existing inventory that you have via hardware inventory being collected automatically on clients, which of the products that we support are already in your environment. So all you have to do is put in your SQL server for Config Manager and the database, and when you click Query, we're going to go out and kind of query the Add and Remove Programs for all your machines, and we'll say, hey, based on all these devices you already have, here's the products that we actually support in our catalog today that already exist in your environment. So even before you start publishing or making updates or apps available, you can have a good idea of the coverage that you're going to get through our product. So from here you could say, I want to select everything that I detected, and you could enable them all in a single click. Now, for demonstration purposes I won't do that, because that would take a while for them to all publish.

But one additional feature that we have in this scan: we do have an option where, let's say that there's a product that we've released in the future, we have this feature where we can automatically query your database at each synchronization, which by default will be every day, and let's say that there's a product that's installed on at least one machine, that would allow it to automatically be enabled. So let's say that we release a new product that was requested by a customer, and let's say that you had it published: if it's on five machines or more, we would automatically enable that to publish as an update and an application
into Configuration Manager. The useful benefit there is you wouldn't even have to come back into our tool; we would just automatically enable things based on the criteria you define for any new features and products that come out in the future as well. So that can be quite beneficial, because really, after you set up this publisher tool for the first time, it's really going to be fully automated going forward, and you would use all the default options in ConfigMan, like your software update groups and/or application deployments and task sequences, to deploy the apps and updates.

One final thing before we actually start publishing some updates: we do have a feature where you can scan a CVE list. So if I click this database icon, I've got a CVE file. It's just an Excel sheet, and it contains a list of different CVEs from a vulnerability scanner that we had, so we can see just a lot of these different CVE IDs. We have the ability in this tool where we can go and select that and click Process. What this will do is it will automatically scan and detect CVEs within that file and will tell you if there's any third-party patches that are either available in our catalog online or if they're already published to WSUS. We'll tell you, hey, we detected based on that list, you know, this is the vulnerability for Google Chrome and this is the version that fixes it. Now, one other thing to note: if we don't know about a CVE, we will tell you, hey, this is unknown, we weren't able to detect this either in our catalog or for a third-party update that's been published; you may need to patch this some other method, for example.

So what I'm going to do before I actually enable some products: I want to go over some of the custom options that we offer. So if I were to right-click on the All Products level, I can apply these settings globally. I can also apply the custom options at the vendor level, so maybe we wanted to apply it to Adobe products, and then I can even apply it at a specific product level. So what
I'm going to do first is click on All Products. I'm going to say I want to globally enable a couple of these customizations. So for example, let's say I want to delete shortcuts for any product that I have; I could right-click and do that in a single click. Let's say that you want to turn off the self-update feature for a product; we could do that globally as well. And then the last option that we have that can globally apply for all products that support these options is the installation logging. The installation logging feature can be quite helpful, because this allows you to automatically add the installation logging command line to both MSIs and EXEs, which can be beneficial if you ever have any updates or applications that are failing to install. Rather than getting a generic 1603 exit code, you could actually have the vendor's log, where you could understand why it failed. So could it not update a registry key? Could it not update a file? So you can get detailed logging for troubleshooting. So what I'm going to do is I'm going to copy just the UNC path, and it's just a share that I have on the network. And the last option that we have in this wizard is, let's say that an installation fails, we could say for any update or app that tries to install that gets a non-zero exit code, let's automatically copy that vendor's install log from the client running the install to, like, a central location, for example. So this could be a good way for maybe the help desk to troubleshoot any updates that we detect are failing with the non-zero exit code. So these are the three settings we're enabling for all products.

What I'm going to do next is enable an update for Chrome. So we do have a device that has an outdated version of Google Chrome 64-bit. Now, if I right-click on Chrome, there's three additional options that apply at the specific product level. So we could do a custom pre or post script, we could add custom command lines to the product, or, if it's an MSI-based installer, we could add an MST
transform to customize the way that update or app install would function. So what I'm going to do for Chrome specifically is I'm going to go to the pre and post script, and I'm going to say anytime an update for Chrome applies, I want to apply a post-update script that's going to set the home page for Google Chrome. So if I look at this, it's just the PowerShell script, and all we're really doing here is setting a registry value under the Chrome homepage location item that's going to set the home page for all users to patchmypc.com. So this is just an example: if you did really have something specific to your company's environment that you wanted to apply to customize the way an application would work post-update, you could really get as flexible as you want. So we offer, you know, PowerShell scripts; you could do a batch file, a VBScript; you could even have an EXE or an MSI apply as a pre or post action as well. So we'll go ahead and choose this and click OK. So now anytime Chrome updates, it will ensure the home page is always what you want it to be.

And then the last update that we're going to apply is Notepad++ 64-bit. So for Notepad, we're going to right-click, and we have this option where we can manage what to do if the end user has an application open when an update is trying to be applied through Configuration Manager. So this is just the Manage Conflicting Processes, and this feature can be quite helpful. There's a couple of options that we can apply within it. So we could say, if the application is running and it's open, the default behavior is we're just going to try the installation anyways. Most products will work just fine in this scenario; it just might require a pending restart if a file is in use, and then you would just have your normal reboot prompt through Software Center. We could also choose to automatically close the application, so that would not notify the end user, it would just automatically close it. We could choose to skip the update if the app is in use, or
one of the newer features that we're going to look at today is we could actually send the end user a notification if they have the app open and an update needs to be applied. Now, this isn't really necessary for most products; it would only be ones where, you know, they may have issues if they're open. If you click this documentation link on this window as well, we actually do document some of the products that we're aware of that, if they're open and in use by an end user, will actually cause the update to fail and not apply successfully. So as an example, Notepad++, which we'll be applying this to, is one that we know, if the end user has it open, it will actually fail the update and give you a bad exit code.

So what we're going to do for this: we're going to say, let's notify the end user that they need to close the app. Let's give them the ability to snooze that notification up to three times, so maybe they're, you know, coding in Notepad and they don't want to close it right away; they would be able to snooze that. In addition to that, we also have an option where you can do custom branding. So let's say that you wanted to say your organization name; for this example we'll say Patch My PC. Patch My PC will say this requires your org to close this app. So by default, if we said that, we can preview it on the server that we're running on, just to give you an idea of what that pop-up will look like for your end user. Now, if you wanted to, we could even do custom branding. So if we click on Set a Custom Banner, maybe you have, like, a logo that you want to include to just improve the trust, so that your end user knows, hey, this is coming from my company for sure. So just as an example, if I look in my Documents folder, we do have kind of a fun GIF file for Dunder Mifflin. If I click on that, you can just get an idea of, hey, you could apply a custom PNG or custom GIF file if you wanted to have custom branding specific to your organization, so that your end users know that this pop-up is in
fact coming from you. So I'll go ahead and just choose that prompt, and then we'll do OK. So now, what's going to happen now that this setting is enabled: if an end user has Notepad++ open and an update is being installed, it's going to prompt them and say, hey, we need to close this because we need to update. So that's the two that I'm going to enable as an update. So once I start my synchronization, these two are going to automatically publish into WSUS and then sync over to Config Manager as an update, which could be used to update all your existing machines.

What I'm going to do next is actually enable an application. So if I go over to my applications, there's only a few options that we really need to apply. The first one is, where do we want to download the application content for any products that you enable? So I've just specified a UNC path, and this is where any applications created from our tool are going to store the source files, like the MSIs or the EXE installers, for the products that you turn on. There's a few options that are just kind of specific to applications in general. So for example, do you want it to be run from a task sequence? This would automatically check the box in the properties of the application, which would be native to ConfigMan. One of the more useful ones that some of our customers enable: let's say that you use custom folders for organization for your apps. In the options, we could say let's apply it to all Patch My PC applications, and let's move them to the Patch My PC folder right away when they get created, for example. So I'll apply that setting.

And then there's a few other additional ones, so you really want to control, like, what happens when a new update comes out for an application. So the default behavior is, let's say that Google Chrome version 89 came out and then version 90 came out the next day: what would you want to happen to that previous version, that previous application for 89?
If you leave the default behavior, what we do is we update the existing application in place. So we would download the latest binary for Google Chrome 90, the MSI, we would modify the deployment type to point to that new content folder, and then we would update all the metadata and detection methods for that deployment type to point to version 90. The benefit here is, let's say that you have the original application in a task sequence deploying version 89: once version 90 gets auto-created and it just uses the existing app, you could always ensure that new devices coming into your environment using the task sequence for that app are always getting the most secure, up-to-date version of Chrome. Now, if you do require some change control and you're not okay with applications updating right away, there's a second option where you could say, let's create a brand new application for each new version that's available for Chrome automatically. The benefit to that is you do get a little more change control over when you actually want to deploy that, rather than updating the existing deployments, but then the downside is that you would have to go reassociate the application in your task sequence or redeploy the new application for version 90.
So, just benefits to each way; it just depends on your organization and what they prefer. The last option is you could choose to only retain a specific number of old versions of an application. So this would help make sure that if something happened, we would retain the older version as well, so you could always roll back to a previous build. And then the final option is we automatically distribute it to your DPs. So that's really all there is to it.

Same concepts apply for the custom right-click options. So for the applications, we could say, you know, let's delete shortcuts, let's turn off self-updaters, let's enable logging, and we could just do this at the global level for those ones that we want to. Now, one thing that you'll notice is, for the apps, there are some additional options that are not available for updates, that are really just corresponding to application features. So for example, we could say let's set custom categories. This probably wouldn't make sense to do at the All Products level, because it's going to be probably an app-by-app basis if you did categories for Config Manager. So this would be, for example, what would show up both for the admin categories of your applications in the console as well as the user categories, which would show up in Software Center. You can control that all via right-click. You could also manage security scope, so maybe only certain admins should only be able to see applications generated from us. You could say, you know, maybe I don't want it to go in the default scope, but I want it to go to a different department scope, for example. And then lastly, from a right-click perspective, you know, you can control a few other things from the All Products level.

All right, so for this, what I'm going to do for an actual base application: I'm going to enable the 7-Zip application for a new install. So let me go ahead and right-click that, and then, you know, once we get to the product, you even have more customizations that you can optionally apply. So let's say for
example i wanted to have 7-zip go to its own subfolder so we had patch my pc at the global level but maybe 7-zip you know i want to say i want to go directly into this sub-folder to keep that organized you could apply that directly at the right-click option for 7-zip so just a lot of different options that you can configure depending on what you need we'll also make it a featured application for software center so it shows up first and let me go ahead and apply this now what i'm going to do next is i'm going to go ahead and start a synchronization so that we can get these updates downloading and publishing in the background just so we can see this all happen in the demo but what would typically happen is this would just automatically sync by default every night at 7 00 pm so let's say that there's a new update that we've released on our end for any of the products you enable they're going to automatically publish into your environment based on your sync schedule and that's just going to automatically show up another feature that we have is if we detect that there are new updates published to wsus we can automatically trigger your software update point to synchronize so that you can see those updates showing up right away and then the only other real option that i have to cover would be the alerting so the alerting feature can be quite helpful because when new third party updates are being published real time you can choose whether or not you want to send email notifications to your staff or you can even post to a microsoft teams or a slack web hook to get notifications when things are happening real time so what we'll notice here in a few seconds once this update's published we'll see a notification get sent to one of my team's channels letting us know that the update for chrome was published real time once again any questions that come up feel free to use the chat or come off unmute i see that we had one about education pricing which it looks like wes has answered 
in the chat.

Now, from a release cadence, we do release updates probably four to five times per week. So for example, if I look at yesterday, we do have an RSS feed that will show you all the updates that we've released for any catalog that we do. So for example, like yesterday, we had an update for Thunderbird. We can see it was a security update, and we do also scan every binary through VirusTotal, and then we post those results out. So we could see, for example, you know, results for Thunderbird, we could see for Node.js, and that will be available for every single catalog update that we do; you'll be able to see that data.

So if I look at Microsoft Teams, it looks like I do have some data going on here. So we can see that an update for Chrome was just published just one minute ago, and we can also, within that webhook that we enabled, get details about that specific update. So we can go out to the vendor's release notes, we could see that it was a critical severity and it was a security update, and if it did have any CVEs, we can also directly click and go to the vulnerability database, where you'll be able to see information about that specific vulnerability for the update that was published into your environment real time. We can also see that our 7-Zip application was created, and that looks good. So that's just kind of how those alerts will work if you wanted to stay up to date with that.

So if I come back over to Configuration Manager: at this point we've kind of enabled the products, and everything going forward would be totally automated. So if I come back and look at All Software Updates, I can see that that Chrome update and that Notepad update are already showing up in my console, because I did have that option to automatically sync my software update point. So we can see both of these are showing up, and at this point they're really no different than a Microsoft update. So we could come in and we could add criteria; we could say let's take a look at all Patch My PC updates from
here. Depending on how you create your update groups each month, we could come in from a search and create our group, but in our lab environment here we've actually got an automatic deployment rule that we already had set up. So just for an example, if I look at my ADR, I can see this is automatically deploying any non-superseded updates that are third party. So if I click on Preview on this, we should see that Chrome and Notepad update showing up on this list. And if I look at my deployment settings, we have all the same options that we would have for Microsoft and ADRs as well. So we've got three different deployments automatically going out: we have two pilots and then we have our production deployment, all with different deadlines, so one, two, and seven days. If I look at my actual deployment, we're going to be able to choose all your existing options, like your collections, your deadlines, whether or not your users can see the updates in Software Center, and then things like reboots and/or maintenance windows. These are all configurable and will work the exact same way that Microsoft updates would be deployed.

Cool. So when that kicked off, it automatically downloaded our content into an ADR or a deployment package that automatically went out to my distribution points, and we automatically had our deployment created along with those three different deployments. So that's kind of what it would look like from the synchronization that happens from our publisher and then how that would flow into ConfigMan.

Now, if I go over to my applications, I can also see that application for 7-Zip is showing up here as well. So if I look on the properties of that app that we created, we can also see things like the title for the app, you know, automatically created. We can see the documentation, the description, the different keywords are just automatically filled out, as well as the icon, and then we can see we automatically checked the box to make it featured based on that right-click option. If I look at my
deployment type, you know, we'll be able to go out and kind of look at where the content is for this app. So it put it in that folder that we created for our package source file.

Cool, awesome. So what I'm going to do is deploy the application to my All Users collection. So by default, when these apps get created, they're not going to be deployed, so I'm just running a PowerShell script that's going to deploy it as available to all users, just so that we can see what this looks like in Software Center. So if I refresh, I can now see I've deployed that as available, and we'll see what that looks like in Software Center.

So what I'm going to do now is I'm going to jump over to my client that's part of this ConfigMan environment. So if I look at my Updates tab, I can see that this machine is part of my pilot group, so that means the deadline is set for tomorrow, since we made that one day from now. And since I made it available for the end user to see in Software Center, we do have the ability where we could start the installation for these updates ahead of the deadline. So if I take a quick look, I can see that I have Google Chrome, I can see that I have version 77 currently installed, and for this demo we have 88 available. So what I'm going to do is go ahead and look at Chrome, and let me just open up Google Chrome. So I can see that I do not currently have any custom home page, we're just going to google.com, and I can also see that I have the Google Chrome icon on the public desktop. So those two right-click options that we enabled, where we said we want to delete the shortcut and we also wanted to set the home page, we'll take note of that when we apply the Chrome update.

So I'm going to go ahead and start that installation. And if you also remember, we enabled the logging option via right-click as well, so what we're going to see is a new folder get created in CCM logs, and that's where the actual verbose log of Chrome's MSI is going to get placed on this client. So we should hopefully see
that kick in so here's the folder that we automatically created and here's the actual verbose logging of the msi now in the event that let's say that this this failed for some reason that's when we would also copy this log to that unc folder if you enabled that option so we could have all the failed logs in a single location now in addition to the vendors log we do also have a patch my pc log that will monitor both the installation as well as any custom actions that you applied for that so for example we can see that chrome just got installed in our log file which also uses cm trace formatting we can see it took 29 seconds to run the google chrome msi we can also see that we deleted the public shortcut desktop after the install completed we set three different registry values to disable updates based on that right click that we applied so we set the you know three different updates in the google chrome policy key to turn off self updates and then lastly we went ahead and ran that custom powershell script that set the google chrome home page so if i come back to my desktop i can see the shortcut automatically got deleted but if i were to launch chrome we'll see that the powershell script set the home page for all my users to patchmypc.com so that's where you can get very customizable based on the needs that you have within your environment okay and we can now see that google chrome is up to date if i were to refresh add or remove programs we're going to go from 77 to version 88 here as well now if i come back for notepad what we'll notice is i currently have notepad plus plus open in the background i'm going to go ahead and kick that off and what we should hopefully see is we're going to get the dialog saying hey your company needs notepad closed because there's an update and this is because i applied that right click because i knew that if i didn't close notepad for this specific product the update would actually fail so they could either click close and update 
directly here or they could snooze the update up to three times if they were to just close it directly from the application itself we'll also detect that and start the installation automatically for them so if i come back and look at that same log file what i'll see is the notepad plus plus i'll see the installation happening it took a total of one second to complete that update and if i come back and add or remove programs i'll be able to see notepad went from 791 to 792 using the software updates feature all right and then lastly on my configman client i'm going to go ahead and kick off my actual application installation so just since it's available it would never automatically install but i could come in and kind of kick that off now what we should hopefully see here is we'll see that installation kick off and then back in my install logs i think i enabled the installation logging for the 7-zip as well we should probably see the 7-zip show up here in a second where we can see the verbose msi log from 7-zip as well there we go and then we can see that installation taking place and it was exit code 0. 
so now i should if i refresh i should see 7-zip showing up now and that was just a normal deployment via collection so i could just go ahead and launch that and any of the apps or the vast majority of apps that we support should also have the uninstall method defined in the deployment type so you could even deploy these apps as an uninstall type if you wanted to get rid of specific apps as well and we can see it's now gone cool all right awesome so that's what the config manager side of things are going to look like uh what i'll do before we jump into the reporting i'll jump over and show you how the intune functionality works as well so if i open up microsoft intune i can see that i currently have one application showing up here so what i'm going to do is go over to my intune apps tab so this is going to be the the section of the same software that will allow you to publish both updates and apps to intune so we do have an option where we can bulk delete different applications so i'm just going to go ahead and click my search here and this will dynamically connect into your intune tenant using microsoft graph and you could select bulk actions on different applications in your tenant so what i'm going to do is just delete that 7-zip application that was left over from another demo and then if i were to refresh now i can see that's now completely gone so the functionality that we have for intune really works the exact same way so we have our apps and then we have our updates and you can just control which ones you want to enable we do also have a scan feature in intune as well similar to configuration manager where you can connect into your intune tenant and we can query the msi based applications that you have installed and you can also enable that for products that we have now in our lab we only have google chrome so it's not going to be populated all that often but this would work the same way where you could automatically enable products for intune based on them 
being detected and just can be helpful for that initial scan to see which products map up we also have all the same right-click options so let's say we wanted to get rid of shortcuts let's say that we wanted to disable self-updates and we wanted to enable logging so these are all customizations that can apply both for intune updates and apps just like we had for configuration manager okay so for the applications for intune i'm going to enable 7-zip just like i did for configman and we also have some right-click options specific to intune so one of the things that we can do either at a specific application level is to assign it to different groups within azure ad now rather than doing this at the app level we could also do this at the all products level let's say that you wanted all your applications to show us available rather than having to go into intune after we create them we could automatically create the assignments for you to either different groups within your azure ad or we could say we want to make it available for all licensed intune users so i'm just going to say i want it available for everybody you do have some customizations like once you select the group we could control things like deadlines if it was required as well as reboot behavior by just clicking the assignment we could also choose whether or not we want to show notifications these all correspond to the options available within the intune assignment that we can automate for you okay and then for the intune updates i'm going to just jump over here similar concept you can choose which right-click options you may want to apply so i'm just going to enable the same three and then i'm going to enable the notepad plus plus update for my intune update so go ahead and right click that and then i want to add the option to manage the process and i want to say i want to notify the user here we can see the the branding kind of copied over from what we previously did for our configman updates as well okay 
and then what we'll also do is for our all of our updates let's say that we wanted to make them required so that they evaluate against all your intune devices i'm just going to say i want these updates to all be required and then we'll see which ones are available based on the requirements and the detection that we have within those updates if you wanted to you could also create multiple different assignments for the updates as well so let's say that you wanted to test it maybe for the first testing group you would say i want to install this right away but then maybe you create another group for production and you could stagger that group out for let's say three days from now so you could try to catch any issues prior to it going out to all your machines but for this example i'm just going to say i want to deploy it right away okay and then okay so what i'm going to do is go ahead and enable debug logging just so we can see what happens when we connect into intune a little more and i'm just going to run a one-time synchronization again now this would of course automatically synchronize if you just use the schedule but what we'll see here is we'll see it downloading the application from intune and then we'll actually see us connect to your intune tenant and upload the content and create all the assignments for you so good question is there any visual indicator of what right-click options are assigned to specific products so today what you would have to do to see that information so if we went to notepad for intune updates you would have to go through right click and you could see it here now in the advanced tab we do have an option where you can export all the apps you've enabled and specifically what right-click options they've got on so if i were to export this it would export to a csv file and i put on my desktop and then from this csv file i would be able to see all products that i have enabled and then i would be able to see every single right-click column for 
which ones have been turned on this would probably look better in like excel but this will be a quick way you could export everything at once and then get a good indicator of which customizations that you've applied okay cool so if i look at the log we'll be able to see like things happening we could see the content uploading to intune we could see the assignments get created so if i come into my intune tenant and if i've refreshed my applications now we'll see these are all created and deployed now let me go ahead and power up one of my intune clients and we'll see what this looks like in company portal when these updates and applications start to apply all right but while we're in the intune console if i were to go in and click on my 7-zip app we'll see that we have all the the same type of options that we had for configman apps as well so we can see things like the name the description we have keywords version icon so the icon will automatically show up in company portal and then lastly if i look under my applications i can see that we also have that available deployment that we did for all enrolled devices if i look back at my apps i can also see the update for 7-zip that has been created here as well i can also see that's been assigned to all my devices as required now the the key difference between the updates and apps is that for our software updates we we create a requirement rule that says this application for the update for notepad should only apply if notepad is already installed and if it's less than the current update that we have so this would only apply if notepad's there and if it's less than version 7.9.2 that's why we were able to deploy this update to all devices and we wouldn't have to worry about it actually installing or updating unless there's already an old version so that's kind of what the core difference is between the updates tab and the intune apps tab is they're just going to function a little different where we have a requirement for 
the update but if we were to deploy the app for all users that would be something that would always install for example okay so i've jumped over to one of my intune clients and in company portal we can see hopefully in the next minute or two we'll be able to see this this policy kick in sometimes it can be a little bit slow for the device to kind of sync up and get policy from intune so let me just try to log in once more and we'll see if i can get that running a little faster but while we're waiting for that to actually show up what i'll do is i'll jump back to the server and i'll go over some of the reporting options that we have for configuration manager and intune so if you're using config manager and you're using the software updates feature we do have some ssrs dashboards that you can upload from the advanced tab of our tool so you just come in here and choose to upload our dashboards and this will allow you to report on both third party updates as well as microsoft updates directly using your configman reporting instance so if i were to look at our main dashboard this will show you compliance for both microsoft updates as well as third third-party updates within your environment so for example we'll see that within this lab we have four workstations and we have one server within our environment we then have compliance broken out by month so for all our workstations we can see we're 45 compliance for updates that were released in the month of september we also have the same dashboard for servers and then there's just a variety of overall compliance charts that can be quite helpful so if i come in and look at my september updates i can click that graph and this will show me all the updates released in september both third party and microsoft updates so for example that mozilla thunderbird update that we saw got released yesterday via that rss feed we can see it's required on four machines in this environment if i were to click on that depending on how deep you 
drill in we might take you into some of the native configuration manager reports where you can get very specific so for example i could go look at what four machines require that specific update for example in addition to that main dashboard we also have one that only shows third party updates same exact report but it filters down to only third party there's some where you can limit to a specific update group so just a variety of different dashboards we do also have some power bi dashboards available so if you are using power bi if you go to our website you can download some of the power bi compliance dashboards created from our team and you'll be able to use those as well so if i come in and search for power bi you should be able to see both the power bi dashboards that we've created for microsoft intune as well as the ones that we have for config manager i can find that huh interesting there we go all right so this is an example of the reporting dashboard we have for our intune power bi dashboard so you can see both updates and applications and you can see you know what their installation status is now we are limited to what data microsoft graph and intune has um so you'll be able to see some basic statistics like how many machines have this update required and how many of them have it installed but we it's not going to be quite as rich as some of the config manager options with how rich the data is there for example and then let's take a look and here's an example of the power bi dashboard we have for configuration manager as well so i'll include the links here and you can check out these dashboards too these are actually available for download even if you're not a customer of ours where you can use both the power bi or ssrs dashboards for compliance reporting okay so jumping back to my intune client i can see that we actually have the update for notepad showing up here as well so if i look at that i can see that we've already got a couple minutes that have 
passed on our timeline so i can currently see that i have notepad plus plus 7.91 so it's currently open and this would function the same way that my client did in config manager so if i were to close it we'll be able to see that update automatically kick off and if we were to look at the log files we would see all the customizations applying here as well for that update cool there we go we could see the shortcut just got deleted and if i open notepad back up we'll be able to see that that's now up to date and then if i click on my refresh we can see that we went to 7.9.2 now it looks like the available assignment isn't quite showing up so that's probably just some delay on the intune policy so i'll just skip that for demonstration purposes um and then at this point i'll just follow up with kind of the the wrap up which will be kind of the pricing our product offers and then we'll open up for any q a so if you were interested this looked uh like it might be a good fit for you the trial would probably be the best place to start and then from a pricing perspective what i demo today which would include both the apps and updates for config manager and intune would be our subscription that three and a half dollars per year per device so just for a rough kind of idea of what pricing would look like just be aware that if you would fall under our min pricing which would be for the enterprise plus basically 2500 per year just be aware that would be the starting point if you fall under the devices that would equal that we then have our intune subscription that would be if you're cloud only it's two and a half dollars per year per device and then the enterprise one which most of our customers aren't on at this point that would only include the software updates feature of our tool so that would allow you to update your existing apps that are already out there but it wouldn't include the ability to create and package our brand new applications over in the applications node so 
that's kind of an overview of what the pricing structure would look like and then at this point i would just open up for any questions so if anyone wants to come off on mute so there's a good question in the chat so is licensing based on the total clients in the environment or only ones using patch my pc so if we look under our faq page i'll also include this in the chat window as well we're pretty flexible as far as what does a device mean so for example in this section let's say that you have non-windows devices right so that's going to be something we wouldn't support because we're only windows so mac linux or maybe you wanted to exclude specific machines that would never get third-party updates maybe servers you don't want to patch in your environment that's totally fine basically when you go through and tell us you list the number of devices that you intend to use our third-party updates or applications on is third-party patching only available through sccm question from nick no so if you're using standalone wsus we have an option in our updates menu where you can enable the standalone wsus mode so this would allow you to publish into a non-config manager environment that you have wsus in or of course if you're an intune you could use the updates functionality within our win32 apps to deploy updates using that mechanism as well if you did want to connect just another question here probably the best way is going to be you can schedule a live demo so if you wanted to see maybe a bit more or you wanted to get more details about the product from a technical perspective you could do a live demo so this would be an hour-long session where you can ask questions about our product we could walk you through a demo similar to what we did here if you have questions kind of related to pricing you could go right to a request a quote form and then you could get pricing that's kind of official you know we do we do include pretty upfront pricing here but if you just wanted for 
budgeting purposes you could contact our team by doing a quote or if it's something more that's just generic you just want you just have a question for us you could use the contact us form and then lastly if you are a customer or you're in a trial and you need support you would be able to open a support case using this open support form so that's kind of the main ways that you could reach out or if you just wanted to email directly support could be support at patchmypc or if it's a sales question you can email directly for sales at patchmypc.com cool does anyone want to come off unmute to maybe ask a question i see we're getting quite a few in the chat if anyone wanted to unmute feel free and we could take some over voice as well uh let me use this opportunity so actually we are using tcp since a long time for one of our customers so we are facing some recent issues that it is not getting synchronized uh for all the recent third party updates so we are only managing the third party updates from pcp so we are facing some sync issues so i got some answers from here saying that we can connect to this log that is called patchmypc.log so is it going to reside on the same server where we have installed this pcp um yes i mean if you're using our product patch my pc yep it would be where you have our publisher installed that's right um now i don't are you using patch my pc or using a different product ah you're using patch my pc so cool yeah so wherever you have our publisher installed that would be where you could go and open the log file now the only exception to that would be if you're publishing our catalog directly using the third-party software updates catalog node there is the possibility that you know if you are using this instead of our tool we find that about 95 of our customers use our publisher tool which i'm showing here but it is possible that you could add our catalog directly here you just wouldn't get the customizations where it would not be the patchmypc.log 
it would be a built-in sccm log but probably for your specific question sounds like it's more support related what i would recommend just reaching out to support patchmypc.com or opening a case here and then one of the support engineers probably someone that's actually monitoring the chat would be able to go in and we could set up a remote support session and make sure that we get you going for whatever issue that you're having for sure perfect thank you so much thanks for your help yeah absolutely and then if you if you wanted to um you could also like if you're having a problem kind of finding that log file if you go to our docs.patch docs.patchmypc.com we do have this log reference guide i'm going to go ahead and include this in the chat window and this will include all the different logs so here's where you can kind of understand the main log that we have for publishing it would be wherever that installation directory is so this may help as well but yeah i definitely recommend a support case we'll be able to get you going in no time thank you so much for all this information i think you'll be able to resolve it i was looking for it thank you so much yeah perfect absolutely any other questions not really a question but um i wanted to mention that um patch my pc really saved us a butt load of time when our sccm environment kind of self-destructed and we had to rebuild from scratch because our apparently our backups were no good and it was able to look at our environment once clients started coming back in and say oh look you've got these 500 apps installed do you want to auto and auto create the apps for us and get the updates rolling again and that just got us back up on our feet a lot quicker than it would have and saved us a lot of pain and suffering and and you know bad times and so that being a current pmp customer i really appreciated that fact yeah that's awesome super glad to hear that uh things are going great for you all right well if there's nothing else 
i'll uh turn it over to frank now our team will be on the chat window and we are doing an ms mms or mms miami raffle we'll do that after cody and andrew's deep dive session for wsus
Info
Channel: Patch My PC
Views: 1,416
Keywords: CLESCUG, Third-Party Updates in SCCM, Microsoft Endpoint Manager Third-Party Updates, patch java in memcm, intune third-party updates, memcm java updates, sccm java patch, adobe patching sccm, patch my pc memcm
Id: RE_XnD0eP2g
Length: 58min 52sec (3532 seconds)
Published: Tue Sep 14 2021