In connection with another article about Deploying Windows Updates via the Command Line, I have come to notice that it is not the end-all we thought it once was. With the Roll-Up Updates for Windows 7, 8.1, and 10, I have found a better way to deploy updates.
The patch management features in System Center Configuration Manager (SCCM), which is now bundled with Intune in a product called Microsoft Endpoint Manager, can help administrators manage the complex tasks of tracking and applying updates. SCCM includes a set of integrated tools for updating software manually or automatically, as well as controlling when and how patches are deployed. SCCM offers other management functionality, giving IT a single tool to carry out many of the tasks associated with administering Windows computers.
Admins can configure Security Controls to automatically run scheduled recurring scans and deploy any missing patches that are detected during the scans. Security Controls can detect and categorize software and hardware, track asset inventory over time and control a computer's power state, such as shutdowns and restarts. It also gives admins a way to run PowerShell scripts to carry out tasks or automate operations. The REST APIs integrate Security Controls with other products and support remote access and control while offering a method to automate operations.
Security Controls generates multiple reports that provide a variety of information, such as the installed OSes, machine power states, patch deployments and status and machine compliance. Admins can use database queries to generate custom reports. Security Controls can display applications and their services and components, as well as import the Common Vulnerabilities and Exposures (CVEs) list. It can also show which patches are related to each CVE.
Kaseya VSA is a cloud-based remote monitoring and management service that includes patch management capabilities to install, deploy and update software on Windows and macOS machines. It uses policy-based patch management that automates and standardizes software maintenance. Admins can approve, schedule and install patches as well as schedule regular network scans for analyzing computers and automating software updates.
Kaseya VSA has a centralized console to assist with patch management operations, including uninstalling and repairing software. Admins can scan computers for missing patches, view a summary of the patch status for each machine and exclude patches from specific machines. Kaseya VSA can also run procedures before or after updates. For example, an admin can use a procedure to automate setting up a newly added computer.
ManageEngine, a division of Zoho, offers Patch Manager Plus, a versatile patch management tool available as on-premises software or as a cloud service. It supports Windows, macOS and Linux endpoints, along with more than 850 third-party applications. Admins can carry out patching operations from a single interface and use the vendor's pre-built packages to streamline the process. They can also automate patch deployment for OSes and applications.
PDQ Deploy uses a centralized console for installing, uninstalling, updating, repairing and making other changes across the network. The console also provides access to the pre-built application packages. In addition, PDQ offers a command-line interface for working with packages.
For most deployments, admins will use the scheduling capabilities to deploy packages at specified intervals. They can also create automatic deployments for new package versions as they become available from the package library. In addition, PDQ Deploy can send an email with details about patch deployments, including which computers or software were updated and which systems might need more attention. Admins can also access built-in reports that provide deployment and scheduling information.
Patch Manager provides extensive support for third-party applications, while enabling IT to use its existing WSUS or SCCM infrastructure. Admins can create pre- and post-update package scenarios to verify third-party patch deployments. Patch Manager includes the Custom Package Wizard for admins to build packages for any application, without the need for complex scripting or the System Center Updates Publisher. SolarWinds also offers pre-built, pre-tested application packages that admins can quickly deploy through WSUS or SCCM.
PDQ Deploy, on the other hand, is the vehicle to actually deploy software in your environment. PDQ Deploy works with PDQ Inventory: it uses the collections created in Inventory as the groupings it deploys software to.
As you can see, the process to deploy Windows Updates with PDQ Deploy is super easy and requires only a few clicks. PDQ Inventory allows finding all machines that need the updates, and then you use PDQ Deploy to deploy the updates that are needed.
To help track the client installation process, install a fallback status point before you install the clients. When you install a fallback status point, it's automatically assigned to clients when they're installed by the client push installation method. To track client installation progress, view the client deployment and assignment reports.
If you've extended the Active Directory schema for Configuration Manager, the site publishes the specified client installation properties to Active Directory Domain Services. When CCMSetup runs without installation properties, it reads these properties from Active Directory.
To modify the behavior of the client installation, specify command-line options for both CCMSetup.exe and Client.msi. Make sure that you specify CCMSetup parameters that begin with / before you specify Client.msi properties. For example:
This command installs the client with no additional parameters or properties. The client is automatically configured with the client installation properties published to Active Directory Domain Services, including these settings:
Use Configuration Manager to create and deploy a package and program that upgrades the client software for selected devices. Configuration Manager supplies a package definition file that populates the package properties with typically used values. Customize the behavior of the client installation by specifying additional command-line parameters and properties.
This procedure is for a traditional client that's connected to an intranet. It uses traditional client authentication methods. To make sure the device remains in a managed state after it installs the client, it must be on the intranet and within a Configuration Manager site boundary.
If you deploy the clients in different hierarchies, remove the trusted root key. Also provision these clients with the new trusted root key. For more information, see Planning for the trusted root key.
Clients that are managed over the internet must communicate with internet-based site systems. Ensure that these clients also have public key infrastructure (PKI) certificates before you install the client. Install these certificates independently from Configuration Manager. For more information, see PKI certificate requirements.
Provision client installation properties for group policy and software update-based client installations. Use Windows Group Policy to provision computers with Configuration Manager client installation properties. These properties are stored in the registry of the computer. The client reads them when it installs. This procedure isn't normally required, but it might be needed for some client installation scenarios, such as:
A group policy administrative template named ConfigMgrInstallation.adm is supplied on the Configuration Manager installation media. Use this template to provision client computers with installation properties.
Patch management tools are cybersecurity solutions that identify software applications running on outdated versions. They then proceed to deploy and install the corresponding patch, which can enhance security, fix bugs or add new functionalities, depending on the intent behind its release.
Starting this top 5 with a freebie, PDQ Deploy is a free patch management tool for Windows devices only that can also be upgraded with a paid subscription. However, it can hold its own in terms of update deployment without you having to pay for extra functionalities.
The free version of PDQ Deploy can install much-needed software patches from over 200 applications. In addition to this, it offers the possibility to configure updates remotely and implement a customized multi-step patch deployment strategy.
Users may select the software they wish to install and, if necessary, update specific machines and establish their desired schedule for deployment. PDQ will automatically and quietly apply updates once the deployment has been scheduled without disrupting end users.
I understand that when deploying an application via this toolkit with SCCM or PDQ Deploy, it will prompt the user about closing programs or deferring. But, if there is no user logged in, will the package continue to run/install?
You will want to use the Application Model, not the standard package deployment. I prefer the Application Model for obvious reasons, but mainly because I use the same deployment for both users and systems. This way users can simply go to the Application Catalog and download/install the app themselves and if I NEED to deploy the app to systems for whatever reason, then I have that option as well without having to create a separate application. All I would need to do is simply create a separate deployment instead. The Application Model is MUCH better in this respect than the older standard package deployment and using PS App Deploy makes it even easier.