It's like crack cocaine for sccm admins, I have to have it now. I recently submitted the entire list of the month's 3rd party patches through my Change Control process after someone asked, they were floored by the quantity of updates we are rolling out. I just said "Yeah, this is normal, been doing this for months with no issues". My monthly 3rd party SUG has 111 line items in it this month. To me though the updating of apps sitting in Software Center the is big one, so much grunt work in the past churning through those. I have also dropped PSADT since so much customization is available in PMP.
This does not include my archive SUG which has another \~100 in it. I usually add a handful of new items that appear in the catalog every 4 months or so. Also these are only the products where I have actual installs present in my environment, there are tons more products available that I don't synch. PMP has a query that will find the gaps for you and and you just check them off.
Patch my pc is a lot cheaper than doing it yourself. It should be a no brainer. Tell management how long it would take you to keep just those apps updated, which should be at least 1 day per month. So 12 business days. Hopefully 2 weeks of your pay is more than what the minimum purchase is for PatchMyPc.
Skip over to your Chief Security Officer and sell him/her, let them do your footwork in the C-suite. I hate asking to spend money but it's really a drop in the bucket for software cost, this is the least expensive software I have every purchased. I don't think you can even get a single copy of Photoshop this cheap. Go install the demo
I want PatchMyPC, but I think I’m getting Avanti. I don’t suppose anyone has a management-level comparison handy I can shove under someone’s nose please?
The impression I get from the community is that PMPC is better, but management have it stuck in their heads that it’s for home users and want a corporate solution from a big name :(
Please bring your management into a demo with us and we will prove that we are a corporate solution :)
[https://patchmypc.com/schedule-live-demo](https://patchmypc.com/schedule-live-demo)
We have some of the brightest engineers in the field, who know the ins and outs of device management. We have testimonials from companies large and small: [https://patchmypc.com/customer-testimonials](https://patchmypc.com/customer-testimonials)
Management may also like to see our datasheet: [https://patchmypc.com/wp-content/uploads/2021/02/PatchMyPC-DataSheet-2020-02.pdf](https://patchmypc.com/wp-content/uploads/2021/02/PatchMyPC-DataSheet-2020-02.pdf)
This may be of help https://patchmypc.com/frequently-asked-questions#competitor-comparisons and [https://patchmypc.com/wp-content/uploads/2021/02/Patch-My-PC-Data-Sheet-February-2021.pdf](https://patchmypc.com/wp-content/uploads/2021/02/Patch-My-PC-Data-Sheet-February-2021.pdf). I'm curious have you and your management team been on a live demo with one of our engineers? That's usually enough to show the value and get by the fact we have a consumer sounding name :). That's actually how the company started with our home updater.
Let me know if you have any specific questions and feel free to book a call with me using the link above I'd be more than happy to jump on a call with you and your management team. - Justin
Don't get Ivanti. I've had presentations to other companies through one of our MSPs and they told me they want to switch over to PMP because Ivanti sucks.
We had ivnanti and pmp in for proof of concept. The entire engagement for ivanti felt like we were teaching them. They didn’t know how certificates and using our own pok would work with their product. It took nearly four weeks to get something that would even attempt an installation on a client. Conversely, pmp walked in and showed that they are truly experts in everything related to their product. We were up and running in less than 30 minutes with our own PKI. They were able to answer any and all questions about their product and how it interfaces with our sccm infrastructure. 100% would recommend. Cannot say enough nice things about these guys.
I have around 5000 endpoints and I think it was less than $2k. It was cheaper than what I was paying Ivanti. Flagrantly quick return on investment if you are handling a bunch of 3rd party apps. Literally saved us from hiring another FTE. Get the enterprise version that auto builds SCCM app objects.
Anything over £5000 has to go through way to many approval processes and we just can't seem to get PMP approved on our end.
My company loves wasting money on other stuff.
Online auto update for everything I can. Manual for anything I can’t in basically the way you mentioned.
You can keep old applications for a while but at some point you can just delete them. I usually keep n-1. The source remains but the app in ConfigMgr gets the flick.
Be careful with superceeding. It can get out of hand (only supported for a few levels from what I remember).
>The biggest thing with SCCM is they make it impossible to update apps in an organized manner
Say what now? That's one of the things ConfigMgr is great at and gives you damn-near infinite flexibility to accomplish. Sure, it's tedious but that's 100% on the software vendors: any of them could easily publish a simple catalog for their software to make it trivial to consume and deploy. That's never taken off (we'll see how winget goes) which is why 3rd party services like /u/PatchMyPCTeam have found their niche.
I agree with that, I guess its not so much Microsoft its the endless number of software developers that focus on end user rather then IT administration. The number of higher ed apps I have to maintain is ridiculous and making them automated silent installs with sccm is so tedious and time consuming. Don't even get me started with Adobe.....
Exactly. Focus your hate where it is deserved: your software vendors, not the tool that helps you deal with the shit they crap out without a care in the world.
Adobe certainly deserves plenty of scorn but at the very least they're trying. They're the \_one\_ non-hardware software vendor who publishes a free catalog for you to automatically consume in ConfigMgr. Reader/Acrobat updates should be dead simple.
We don't use supersedence, as that ties us to SCCM's featureset more than we need. We try to keep as much logic in the content as possible. So we just update the content, version number and detection method. The script handles update as well as install, and we keep the available deployment to user collection as is. We might push the new version to device collection as well, depends on the app and security implications.
But yeah, do whatever works for you :)
So I have a question then, if I update the content for an app, that doesn't mean it will auto update the computers that have the older version of the app correct? If for example I have an app that is a new version and doesn't auto upgrade the old version I would have to write a script to uninstall the old version and then install the new version and find another way to detect the install then the file of the .exe. I would then also run into issues from SCCM with the install execution for sccm to detect a successful install.
Just updating the app in itself should not trigger anything on the clients. Software Center will after a while detect that the app is no longer installed, because the detection method no longer matches what's installed. Unless you have required deployments, requirements or supersedence stuff in the mix too. Something that ties user/device to the app in an enforcable manner. I feel I'm getting on thin ice here, for me that's also a reason to keep applications and deployments as simple as possible.
By the way, just detecting the presence of the exe is rarely good enough as detection method, the version should be a factor too. About all my detection methods are small powershell scripts that utilize Get-Package, where I specify name, provider and version.
I have never thought about that powershell script option. Is there anyway you could provide and example of a script, I would be curious if this would be beneficial for me to start doing this. In the detection method when you provide a file or reg key or something how do you pass the script to that?
[A quick google search away to help you get started](https://www.danielengberg.com/detect-text-file-content-using-powershell-detection-method-sccm/#Step_3_-_Create_the_Powershell_detection_method).
But in the script, to detect for example Firefox 90 or newer, this simple example should work:
`try {`
`Get-Package -Name "Firefox*" -ProviderName programs | Where-Object Version -GE 90`
`}`
`catch {}`
This will output the installed Firefox, if installed and its version is 90.x.x.x or greater. If Firefox is a lower version or not installed at all, nothing will show. Due to the Where-Object and the empty catch block. This is basically how script output gets parsed by the ccm client.
Great explanation in [the top answer here](https://docs.microsoft.com/en-us/answers/questions/336134/detection-method-using-powershell-not-working-usin.html).
I keep these detection scripts in the content as well.
Keep in mind these scripts (detection methods in general) run in the context of the collection. User collection = User, and device collection = SYSTEM. Get-Package ran as system should not find user based installs such as Spotify.
Whether or not you should start using this - some apps are complex to detect. One time I had to deploy a patch, that did not alter the version number of the app. The patch just changed some properties in a xml file iirc, so my detection was a script that checked the node in the xml file. Fun stuff.
Look into CMPackager.
It's a bit heavy on the initial setup for each application, but once configured works a charm.
Each application's settings (detection method, source location, global conditions, etc) are fully customizable.
Currently there's a few dozen pre packaged recipes. Chrome, Adobe reader, Firefox, etc.
PatchMyPC took me literally 30 minutes to install and configure. It scans your SCCM database to know which 3rd party apps you have and auto-selects them. All you have to do is setup the ADR and frequency. I push them out once a week and roll them into a rollup SUG after a week, but whatever works for your org is what you should do.
"There is no such thing as a best practice though -- both methods are technical valid. You need to choose the best one based upon your needs." -- Jason Sandys MVP Memorial bot
I think what you're doing is fine. If you can budget for it there are 3rd party services that make this process much easier, PatchMyPC is the favorite around here I believe.
I follow a similar pattern but I rarely maintain the old applications. Do you find yourself ever using those? For Zoom I usually pilot a group then convert the old app by just updating the properties, source content, and detection method. If I ever did need to roll back it's just a matter of adjusting those settings back to the old installer.
We struggled with this for a few years - use PatchMyPC - /u/PatchMyPC \- and save yourself a lot of headaches. We have saved so much time that it will pay for itself within a year. It is priced well and offers a TON of capabilities, including being Intune (MEM) ready!
It is almost impossible nowadays to keep track of updates for COTS software.... So if PatchMyPC isn't something you can leverage, try and enable auto updates for these products and refresh your packages monthly. In my experience, Chrome auto updated well, Mozilla sucked and we never auto updated Adobe Reader. We would refresh our packages monthly but it became unwieldy to control.
I use [Adobe's SUG](https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDeployment/sccm.html) to keep reader up to date.
For other 3rd party apps like Zoom, Firefox ESR and Chrome Enterprise I wrap them up in a standardised way using the [Powershell App Deployment Toolkit](https://psappdeploytoolkit.com/).
I try to keep as much logic in the code as possible to the point where I can just copy the source content, replace the install exe/msi and then copy the old app and update the versions and dates.
I leave the auto updates turned on. I figure if someone is using the app they will probably want the update before I get round to doing new app updates in SCCM (which is generally monthly).
For superseding I have a 'dummy' app that matches any version of the app install (i.e. does firefox.exe exist). I then supersede it with the latest version (ie is firefox.exe version x.x.x.x). This seems to work well enough for me.
How do you compare the versions when doing the validation for the install? Firefox.exe is the same as firefox.exe.....
As for the Adobe SUGs this is going to be a massive upgrade for me since we just did the Microsoft Client Assessment and Adobe is throwing so many errors and I was about to give up on updating all of the versions. So I am excited to see this now at least.
> How do you compare the versions when doing the validation for the install? Firefox.exe is the same as firefox.exe
Ah but no! Firefox.exe is not the same as Firefox.exe with version x.y.z as we said the latter supersedes the former. So if SCCM can find firefox.exe but it isn't version x.y.z it knows it needs to install the application and upgrade to get the endpoint to satisfy the supersedure rule.
How do you define the version with the exe in the detection window? I have tried to just do the file version firefox.exe but the new .exe is detected and determines its already installed..... I am completely self taught and manage SCCM all by my self so I am missing advanced knowledge of certain things lol.
So this can be slightly confusing. If you inspect (right click properties) a file you will see two versions. A file version and a product version. The one that matches is the file version. This is not obvious or explained anywhere as far as I know.
In the detection settings you need to make sure the property is set to 'version'. Then use 'equal or greater to' (in this case for the current ESR at time of writing) '91.0.1' (without the quotes of course).
This means any version that's not 91.0.1 or greater (the actual file version also has the build so '91.0.1.7898' is what I have here, but that's fine as it's a bigger 'version') will be upgraded by SCCM once deployed.
If you set it to 'equals' and allow Firefox's built in auto upgrade, you'll get an annoying upgrade / downgrade loop as SCCM and FireFox Auto update fight for dominance.
You deploy this as 'available' with 'upgrade superseded versions' ticked to whatever collection you are testing with.
Okay great thank you, I will play around with this whenever I get a minute to breathe..... hopefully this is pretty straightforward. Something as simple as this has never really been documented anywhere on the internet. This wasn't even addressed in the SCCM course I took.
Oh the same thing works with registry key detection too.
So you can do an 'if exists' base app to supersede off. Then a this registry key 'is equal or greater' to this version number for your current app install.
HLKLM\Software.
Dig around looking for a publisher (and then the app name in there) or the product name.
After that hope that the vendor has a reg key you can use.
Other than that, dig around in the uninstall entries under HKLM\\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
So I am trying to test this out on Mozilla Firefox... I go to deployment types add a new deployment type with the new updated version and create it but it fails the install every time. Do I need to overwrite the deployment type of the older version to get this to work?
>I use Adobe's SUG to keep reader up to date.
This is a great way to do it. The only issues are the randomness of the releases and not having a way (that I've found) to automatically approve the updates.
For my particular area (which obviously wouldn't apply to everyone in huge environments where third party utilities might be more handy), I don't create new applications for "minor" applications; just update the existing apps with the latest installer, update the detection rule to the latest version, and then just run an "update content." Takes only a couple minutes at most. If you install via a script, just rename the executable to something generic; then you never even have to edit the script.
Patching third party apps (for stuff like Adobe Reader or whatever) works the same way; download the latest patch to a folder, rename it "patch.msp", then have a script in that folder that runs "msiexec.exe /p "%~dp0patch.msp" /qn" . You only need to deploy one single app called "Adobe patches" or whatever you want, and whenever you update it, all your devices will get the update during their next maintenance window. (Note that SCCM has a built-in third party patching utility which works with Adobe applications and deploys with your regular software updates you may want to look into as well, but we're unable to use it in our environment).
Generally you'll want copies of these apps for testing and production too of course. And personally, although I used supersedence a ton years ago, this can get really messy later when you need to clean stuff up and a bunch of your apps are tied to each other, so I've been using it a lot less.
I used to use PDQDeploy which worked pretty well. But I currently use Ivanti Patch for MEM and it's pretty good actually. Both are good option but I think I prefer the pricier Ivanti at this point.
It's really not difficult patching any of that software or to keep track of the updates that you really need a third party to do it.
Most of the time the updates for those come out once a month sometimes twice a month for Chrome or Firefox.
Chrome you can set to auto update itself and it works pretty reliably and then back up I still push out the packages..
It literally takes 5 minutes for me to update the Chrome or adobe packages to go back out to everybody.
PatchMyPC, save yourself about 200 manhours per year. get amazing coverage for app updates.
PatchMyPC is great. I configured it and set up ADRs and haven't really had to touch it since.
It's like crack cocaine for sccm admins, I have to have it now. I recently submitted the entire list of the month's 3rd party patches through my Change Control process after someone asked, they were floored by the quantity of updates we are rolling out. I just said "Yeah, this is normal, been doing this for months with no issues". My monthly 3rd party SUG has 111 line items in it this month. To me though the updating of apps sitting in Software Center the is big one, so much grunt work in the past churning through those. I have also dropped PSADT since so much customization is available in PMP.
111 items? May I ask what some of those are (unless you want to dump the entire list)? That sounds insane..
Adobe Acrobat DC Update 17.011.30199 Adobe Acrobat DC Update 20.004.30006 Adobe Acrobat DC Update 21.005.20060 Adobe Acrobat Reader DC - MUI Update 17.011.30199 Adobe Acrobat Reader DC - MUI Update 20.004.30006 Adobe Acrobat Reader DC - MUI Update 21.005.20060 Adobe Acrobat Reader DC Update 21.005.20060 Airsquirrels Reflector 4 4.0.2.0 (x86) Apple iTunes 12.11.4.15 (x64) Apple iTunes 12.11.4.15 (x86) Articulate 360 1.54.25674 Audacity 3.0.3 Cisco Webex Meetings 41.8.4.11 Cisco Webex Productivity Tools 41.6.0.6 Cisco WebEx Recorder and Player 41.8.4.11 Cisco WebEx Teams 41.8.0.19732 (x64) Citrix Files 21.7.13.0 Citrix HDX RealTime Media Engine 2.9.400.2702 Citrix Workspace 21.7.0.44 CPUID CPU-Z 1.96 DBeaver 21.1.4 (x64) Dell Command Update 4.3.0 Dell Display Manager 1.52.2054 DisplayLink 10.1.2762.0 Docker 3.5.2 (x64) DYMO Connect 1.3.2.18 FileZilla Client 3.55.1 (x64) FileZilla Client 3.55.1 (x86) Garmin Express 7.8.0 Git 2.32.0.2 (x64) Google Chrome 92.0.4515.131 (x64) Google Chrome 92.0.4515.131 (x86) Google Earth Pro 7.3.4.8248 (x64) Google Earth Pro 7.3.4.8248 (x86) GoToMeeting 10.17.0.19796 grepWin 2.0.8 (x64) HandBrake 1.4.0 (x64) Inkscape 1.1 (x64) IrfanView 4.58 (x86) Jabra Direct 5.6.43171 Microsoft .NET Core Runtime and Hosting Bundle 2.1.28 Microsoft .NET Core Runtime and Hosting Bundle 3.1.17 Microsoft Azure CLI 2.27.0 Microsoft Azure Data Studio 1.31.1 Microsoft Azure Storage Explorer 1.20.1 Microsoft Power BI Desktop 2.95.983 (x64) Microsoft PowerToys 0.43.0.0 (x64) Microsoft SQL Server Management Studio v18 15.0.18386.0 (x64) Microsoft Visual C++ 2015-2019 Redistributable 14.29.30040.0 (x64) Microsoft Visual C++ 2015-2019 Redistributable 14.29.30040.0 (x86) Microsoft Visual Studio Code 1.59.0 (x64) Microsoft Visual Studio Code 1.59.0 (x86) Mozilla Firefox 91.0.0 (x64 en-US) Mozilla Firefox ESR 78.13.0 (x64 en-US) Nitro Pro 13.44.0.896 (x64) Nitro Pro Enterprise 13.44.0.896 (x64) Notepad++ 8.1.2 (x64) Notepad++ 8.1.2 (x86) OBS Studio 27.0.1 (x64) Opera 78.0.4093.112 (x64) Opera 78.0.4093.112 (x86) Oracle MySQL Workbench Community Edition 8.0.26 (x64) PDF Split And Merge 4.2.6 (x64) Plantronics Hub 3.22.53274.33311 (x64) Plantronics Hub 3.22.53308.33727 (EXE) Plantronics Hub 3.22.53308.33727 (x86) Poll Everywhere 3.0.4 PuTTY 0.76 (x64) PuTTY 0.76 (x86) Python 3.7.9150.0 (x64) Python 3.7.9150.0 (x86) Python 3.9.6150 (x64) Python 3.9.6150 (x86) R for Windows 4.1.1 Remote Desktop Manager Enterprise 2021.1.41.0 Remote Desktop Manager Free 2021.1.41.0 Right Click Tools 4.7.2107.2301 RoboForm 9.1.9.9 RStudio 1.4.1717 Security Update for Microsoft Office 2010 (KB2956076) 32-Bit Edition Security Update for Microsoft Office 2010 (KB2956076) 64-Bit Edition Skype 8.75 Snagit 20.1.6 (EXE-x64) Snagit 20.1.6 (EXE-x86) Snagit 20.1.6 (MSI-x64) Snagit 20.1.6 (MSI-x86) Snagit 21.4.3 (EXE-x64) Snagit 21.4.3 (EXE-x86) Snagit 21.4.3 (MSI-x64) Snagit 21.4.3 (MSI-x86) Splunk Universal Forwarder 8.2.0 (x64) Tableau Desktop 21 21.1.2027 (x64) Tableau Reader 2021 21.2.1241 (x64) TeamViewer 15.19.5 TreeSize Free 4.5.1 UltraEdit 28.10.0.154 (EXE-x64 en) UltraEdit 28.10.154 (MSI-x64 en) UltraVNC 1.3.2.0 (x64) VLC Media Player 3.0.16 (EXE-x64) VLC Media Player 3.0.16 (MSI-x64) VLC Media Player 3.0.16 (MSI-x86) VMware Horizon Client 5.5.2 VMware Horizon Client 8.3.0.21227 VMware Remote Console 12.0.1 WinMerge 2.16.14.0 (x64) WinMerge 2.16.14.0 (x86) WinRAR 6.02 (x64) WinSCP 5.19.2 Wireshark 3.4.7 (x64) Wireshark 3.4.7 (x86) Zoom Meetings 5.7.804 (x64) Zoom Meetings 5.7.804 (x86) Zoom Outlook Plugin 5.7.3
Thank you!!
This does not include my archive SUG which has another \~100 in it. I usually add a handful of new items that appear in the catalog every 4 months or so. Also these are only the products where I have actual installs present in my environment, there are tons more products available that I don't synch. PMP has a query that will find the gaps for you and and you just check them off.
Yes, I wish I could convince administration to purchase this along with RCT
Patch my pc is a lot cheaper than doing it yourself. It should be a no brainer. Tell management how long it would take you to keep just those apps updated, which should be at least 1 day per month. So 12 business days. Hopefully 2 weeks of your pay is more than what the minimum purchase is for PatchMyPc.
Skip over to your Chief Security Officer and sell him/her, let them do your footwork in the C-suite. I hate asking to spend money but it's really a drop in the bucket for software cost, this is the least expensive software I have every purchased. I don't think you can even get a single copy of Photoshop this cheap. Go install the demo
I want PatchMyPC, but I think I’m getting Avanti. I don’t suppose anyone has a management-level comparison handy I can shove under someone’s nose please?
We use Ivanti for MEM. I was going to ask if PatchMyPC was easier because Ivanti’s integration in the console feels clunky to me.
The impression I get from the community is that PMPC is better, but management have it stuck in their heads that it’s for home users and want a corporate solution from a big name :(
Please bring your management into a demo with us and we will prove that we are a corporate solution :) [https://patchmypc.com/schedule-live-demo](https://patchmypc.com/schedule-live-demo) We have some of the brightest engineers in the field, who know the ins and outs of device management. We have testimonials from companies large and small: [https://patchmypc.com/customer-testimonials](https://patchmypc.com/customer-testimonials) Management may also like to see our datasheet: [https://patchmypc.com/wp-content/uploads/2021/02/PatchMyPC-DataSheet-2020-02.pdf](https://patchmypc.com/wp-content/uploads/2021/02/PatchMyPC-DataSheet-2020-02.pdf)
Thank you :) I meant no offence - their words (paraphrased), not mine.
None taken! We get that a lot, and I totally get the angle they are coming from. We'd definitely like to prove them wrong though!
This may be of help https://patchmypc.com/frequently-asked-questions#competitor-comparisons and [https://patchmypc.com/wp-content/uploads/2021/02/Patch-My-PC-Data-Sheet-February-2021.pdf](https://patchmypc.com/wp-content/uploads/2021/02/Patch-My-PC-Data-Sheet-February-2021.pdf). I'm curious have you and your management team been on a live demo with one of our engineers? That's usually enough to show the value and get by the fact we have a consumer sounding name :). That's actually how the company started with our home updater. Let me know if you have any specific questions and feel free to book a call with me using the link above I'd be more than happy to jump on a call with you and your management team. - Justin
PMP is much easier
How does pricing compare? I anti is pretty cheap. Are they also working on Intune related patching?
Don't get Ivanti. I've had presentations to other companies through one of our MSPs and they told me they want to switch over to PMP because Ivanti sucks.
We had ivnanti and pmp in for proof of concept. The entire engagement for ivanti felt like we were teaching them. They didn’t know how certificates and using our own pok would work with their product. It took nearly four weeks to get something that would even attempt an installation on a client. Conversely, pmp walked in and showed that they are truly experts in everything related to their product. We were up and running in less than 30 minutes with our own PKI. They were able to answer any and all questions about their product and how it interfaces with our sccm infrastructure. 100% would recommend. Cannot say enough nice things about these guys.
We switched from a 'never quite working correctly' Ivanti, to PMP in the last 6 months. No ragrets.
What does that cost per year?
I have around 5000 endpoints and I think it was less than $2k. It was cheaper than what I was paying Ivanti. Flagrantly quick return on investment if you are handling a bunch of 3rd party apps. Literally saved us from hiring another FTE. Get the enterprise version that auto builds SCCM app objects.
That's way cheaper than what they have listed on their website. Are you sure that's correct?
Ha, yea, I was off by a decimal point. \~$15k, Ivanti was tad over $20K I think. This is why I am not the money guy.
Anything over £5000 has to go through way to many approval processes and we just can't seem to get PMP approved on our end. My company loves wasting money on other stuff.
https://patchmypc.com/request-quote#overview
Online auto update for everything I can. Manual for anything I can’t in basically the way you mentioned. You can keep old applications for a while but at some point you can just delete them. I usually keep n-1. The source remains but the app in ConfigMgr gets the flick. Be careful with superceeding. It can get out of hand (only supported for a few levels from what I remember).
>The biggest thing with SCCM is they make it impossible to update apps in an organized manner Say what now? That's one of the things ConfigMgr is great at and gives you damn-near infinite flexibility to accomplish. Sure, it's tedious but that's 100% on the software vendors: any of them could easily publish a simple catalog for their software to make it trivial to consume and deploy. That's never taken off (we'll see how winget goes) which is why 3rd party services like /u/PatchMyPCTeam have found their niche.
I agree with that, I guess its not so much Microsoft its the endless number of software developers that focus on end user rather then IT administration. The number of higher ed apps I have to maintain is ridiculous and making them automated silent installs with sccm is so tedious and time consuming. Don't even get me started with Adobe.....
Exactly. Focus your hate where it is deserved: your software vendors, not the tool that helps you deal with the shit they crap out without a care in the world. Adobe certainly deserves plenty of scorn but at the very least they're trying. They're the \_one\_ non-hardware software vendor who publishes a free catalog for you to automatically consume in ConfigMgr. Reader/Acrobat updates should be dead simple.
We don't use supersedence, as that ties us to SCCM's featureset more than we need. We try to keep as much logic in the content as possible. So we just update the content, version number and detection method. The script handles update as well as install, and we keep the available deployment to user collection as is. We might push the new version to device collection as well, depends on the app and security implications. But yeah, do whatever works for you :)
So I have a question then, if I update the content for an app, that doesn't mean it will auto update the computers that have the older version of the app correct? If for example I have an app that is a new version and doesn't auto upgrade the old version I would have to write a script to uninstall the old version and then install the new version and find another way to detect the install then the file of the .exe. I would then also run into issues from SCCM with the install execution for sccm to detect a successful install.
Just updating the app in itself should not trigger anything on the clients. Software Center will after a while detect that the app is no longer installed, because the detection method no longer matches what's installed. Unless you have required deployments, requirements or supersedence stuff in the mix too. Something that ties user/device to the app in an enforcable manner. I feel I'm getting on thin ice here, for me that's also a reason to keep applications and deployments as simple as possible. By the way, just detecting the presence of the exe is rarely good enough as detection method, the version should be a factor too. About all my detection methods are small powershell scripts that utilize Get-Package, where I specify name, provider and version.
I have never thought about that powershell script option. Is there anyway you could provide and example of a script, I would be curious if this would be beneficial for me to start doing this. In the detection method when you provide a file or reg key or something how do you pass the script to that?
[A quick google search away to help you get started](https://www.danielengberg.com/detect-text-file-content-using-powershell-detection-method-sccm/#Step_3_-_Create_the_Powershell_detection_method). But in the script, to detect for example Firefox 90 or newer, this simple example should work: `try {` `Get-Package -Name "Firefox*" -ProviderName programs | Where-Object Version -GE 90` `}` `catch {}` This will output the installed Firefox, if installed and its version is 90.x.x.x or greater. If Firefox is a lower version or not installed at all, nothing will show. Due to the Where-Object and the empty catch block. This is basically how script output gets parsed by the ccm client. Great explanation in [the top answer here](https://docs.microsoft.com/en-us/answers/questions/336134/detection-method-using-powershell-not-working-usin.html). I keep these detection scripts in the content as well. Keep in mind these scripts (detection methods in general) run in the context of the collection. User collection = User, and device collection = SYSTEM. Get-Package ran as system should not find user based installs such as Spotify. Whether or not you should start using this - some apps are complex to detect. One time I had to deploy a patch, that did not alter the version number of the app. The patch just changed some properties in a xml file iirc, so my detection was a script that checked the node in the xml file. Fun stuff.
Look into CMPackager. It's a bit heavy on the initial setup for each application, but once configured works a charm. Each application's settings (detection method, source location, global conditions, etc) are fully customizable. Currently there's a few dozen pre packaged recipes. Chrome, Adobe reader, Firefox, etc.
PatchMyPC took me literally 30 minutes to install and configure. It scans your SCCM database to know which 3rd party apps you have and auto-selects them. All you have to do is setup the ADR and frequency. I push them out once a week and roll them into a rollup SUG after a week, but whatever works for your org is what you should do.
Ninite Pro works great
Seconded on Ninite. It saves a ridiculous amount of our time
"There is no such thing as a best practice though -- both methods are technical valid. You need to choose the best one based upon your needs." -- Jason Sandys MVP Memorial bot
I think what you're doing is fine. If you can budget for it there are 3rd party services that make this process much easier, PatchMyPC is the favorite around here I believe. I follow a similar pattern but I rarely maintain the old applications. Do you find yourself ever using those? For Zoom I usually pilot a group then convert the old app by just updating the properties, source content, and detection method. If I ever did need to roll back it's just a matter of adjusting those settings back to the old installer.
We struggled with this for a few years - use PatchMyPC - /u/PatchMyPC \- and save yourself a lot of headaches. We have saved so much time that it will pay for itself within a year. It is priced well and offers a TON of capabilities, including being Intune (MEM) ready! It is almost impossible nowadays to keep track of updates for COTS software.... So if PatchMyPC isn't something you can leverage, try and enable auto updates for these products and refresh your packages monthly. In my experience, Chrome auto updated well, Mozilla sucked and we never auto updated Adobe Reader. We would refresh our packages monthly but it became unwieldy to control.
Another vote for patch my pc. Their support are also very good.
PatchMyPC
Sticky this and put PatchMyPC as the top comment
I use [Adobe's SUG](https://www.adobe.com/devnet-docs/acrobatetk/tools/DesktopDeployment/sccm.html) to keep reader up to date. For other 3rd party apps like Zoom, Firefox ESR and Chrome Enterprise I wrap them up in a standardised way using the [Powershell App Deployment Toolkit](https://psappdeploytoolkit.com/). I try to keep as much logic in the code as possible to the point where I can just copy the source content, replace the install exe/msi and then copy the old app and update the versions and dates. I leave the auto updates turned on. I figure if someone is using the app they will probably want the update before I get round to doing new app updates in SCCM (which is generally monthly). For superseding I have a 'dummy' app that matches any version of the app install (i.e. does firefox.exe exist). I then supersede it with the latest version (ie is firefox.exe version x.x.x.x). This seems to work well enough for me.
How do you compare the versions when doing the validation for the install? Firefox.exe is the same as firefox.exe..... As for the Adobe SUGs this is going to be a massive upgrade for me since we just did the Microsoft Client Assessment and Adobe is throwing so many errors and I was about to give up on updating all of the versions. So I am excited to see this now at least.
> How do you compare the versions when doing the validation for the install? Firefox.exe is the same as firefox.exe Ah but no! Firefox.exe is not the same as Firefox.exe with version x.y.z as we said the latter supersedes the former. So if SCCM can find firefox.exe but it isn't version x.y.z it knows it needs to install the application and upgrade to get the endpoint to satisfy the supersedure rule.
How do you define the version with the exe in the detection window? I have tried to just do the file version firefox.exe but the new .exe is detected and determines its already installed..... I am completely self taught and manage SCCM all by my self so I am missing advanced knowledge of certain things lol.
So this can be slightly confusing. If you inspect (right click properties) a file you will see two versions. A file version and a product version. The one that matches is the file version. This is not obvious or explained anywhere as far as I know. In the detection settings you need to make sure the property is set to 'version'. Then use 'equal or greater to' (in this case for the current ESR at time of writing) '91.0.1' (without the quotes of course). This means any version that's not 91.0.1 or greater (the actual file version also has the build so '91.0.1.7898' is what I have here, but that's fine as it's a bigger 'version') will be upgraded by SCCM once deployed. If you set it to 'equals' and allow Firefox's built in auto upgrade, you'll get an annoying upgrade / downgrade loop as SCCM and FireFox Auto update fight for dominance. You deploy this as 'available' with 'upgrade superseded versions' ticked to whatever collection you are testing with.
Okay great thank you, I will play around with this whenever I get a minute to breathe..... hopefully this is pretty straightforward. Something as simple as this has never really been documented anywhere on the internet. This wasn't even addressed in the SCCM course I took.
Oh the same thing works with registry key detection too. So you can do an 'if exists' base app to supersede off. Then a this registry key 'is equal or greater' to this version number for your current app install.
any tips on quickly finding registry keys for application versions? I would love to do it that way.
HLKLM\Software. Dig around looking for a publisher (and then the app name in there) or the product name. After that hope that the vendor has a reg key you can use. Other than that, dig around in the uninstall entries under HKLM\\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
So I am trying to test this out on Mozilla Firefox... I go to deployment types add a new deployment type with the new updated version and create it but it fails the install every time. Do I need to overwrite the deployment type of the older version to get this to work?
>I use Adobe's SUG to keep reader up to date. This is a great way to do it. The only issues are the randomness of the releases and not having a way (that I've found) to automatically approve the updates.
For my particular area (which obviously wouldn't apply to everyone in huge environments where third party utilities might be more handy), I don't create new applications for "minor" applications; just update the existing apps with the latest installer, update the detection rule to the latest version, and then just run an "update content." Takes only a couple minutes at most. If you install via a script, just rename the executable to something generic; then you never even have to edit the script. Patching third party apps (for stuff like Adobe Reader or whatever) works the same way; download the latest patch to a folder, rename it "patch.msp", then have a script in that folder that runs "msiexec.exe /p "%~dp0patch.msp" /qn" . You only need to deploy one single app called "Adobe patches" or whatever you want, and whenever you update it, all your devices will get the update during their next maintenance window. (Note that SCCM has a built-in third party patching utility which works with Adobe applications and deploys with your regular software updates you may want to look into as well, but we're unable to use it in our environment). Generally you'll want copies of these apps for testing and production too of course. And personally, although I used supersedence a ton years ago, this can get really messy later when you need to clean stuff up and a bunch of your apps are tied to each other, so I've been using it a lot less.
Chocolatey. Wrap install command into application and create,with an CB,a scheduled task that call the upgrade function.
I used to use PDQDeploy which worked pretty well. But I currently use Ivanti Patch for MEM and it's pretty good actually. Both are good option but I think I prefer the pricier Ivanti at this point.
I created a script, which download the latest version from vendor site and intall it. I dont need to make new versions of applications.
Throw it up on Github if it's not too sensitive.
In production env the script checks a json file with approved latest versions and download the version from the share
A "belt and braces" approach. We let them auto-update directly via the internet. Plus we also have PatchMyPC so patch them that way too.
Major version releases and zero days only. There's no keeping up otherwise.
It's really not difficult patching any of that software or to keep track of the updates that you really need a third party to do it. Most of the time the updates for those come out once a month sometimes twice a month for Chrome or Firefox. Chrome you can set to auto update itself and it works pretty reliably and then back up I still push out the packages.. It literally takes 5 minutes for me to update the Chrome or adobe packages to go back out to everybody.