Implementing Ivanti Patch for SCCM (Part 5): End-to-end Demonstration

Implementing Ivanti Patch for SCCM (Part 1): Introduction, Planning and Installation
Implementing Ivanti Patch for SCCM (Part 2): WSUS Code Signing Certificate
Implementing Ivanti Patch for SCCM (Part 3): Ivanti Settings
Implementing Ivanti Patch for SCCM (Part 4): Publishing a Third-Party Update
Implementing Ivanti Patch for SCCM (Part 5): End-to-end Demonstration

With all the configuration done, in this final part of the guide I am going to demonstrate how to patch Google Chrome, Adobe Acrobat Reader DC and Power BI Desktop using Ivanti Patch for SCCM.

Client preparation

For this end-to-end demonstration I have prepared a Windows 10 client running Google Chrome 75 (June 2019), Adobe Acrobat Reader 2019.008.20071 (October 2018) and Power BI Desktop (October 2019 release). I will be aiming to update all three applications using Ivanti.

Publishing the updates

Note: You may have already published Google Chrome while following the instructions in Part 4. If you did, just skim past those bits in this part.

Open the SCCM console and navigate to Software Library > Software Updates > Ivanti Patch. Search for Google Chrome, and then click on the New SmartFilter button. Fill it in with the following details:

Scope: Shared
Filter name: Google Chrome
Match all of the following rules:
Product contains Google Chrome
Is Superseded does not contain Yes

Google Chrome Smart Filter

Click Save.

Next create a smart filter for Adobe Acrobat Reader DC using the following details:

Scope: Shared
Filter name: Adobe Acrobat Reader DC
Match all of the following rules:
Product contains Adobe Acrobat Reader DC
Is Superseded does not contain Yes

Adobe Acrobat Reader DC Smart Filter

Click Save.

Finally, create a smart filter for Power BI Desktop using the following details:

Scope: Shared
Filter name: Power BI Desktop
Match all of the following rules:
Product contains Power BI Desktop
Is Superseded does not contain Yes

Power BI Desktop Smart Filter

Click Save.

With all three smart filters ready to go, click Scheduled Tasks in the ribbon. Create a new scheduled task for Google Chrome with the following details:

Description: Google Chrome
Schedule: Daily, Tuesday, 21:00:00
Publish the updates selected by this filter: Google Chrome (Shared)
Do not add updates to a Software Update group
Schedule the task to run as: Your Ivanti service account

Create Scheduled Task

Click OK to save this task.

Next, create a scheduled task for Adobe Acrobat Reader DC using the following details:

Description: Adobe Acrobat Reader DC
Schedule: Daily, Tuesday, 21:00:00
Publish the updates selected by this filter: Adobe Acrobat Reader DC (Shared)
Do not add updates to a Software Update group
Schedule the task to run as: Your Ivanti service account

Adobe Acrobat Reader DC Scheduled Task

Click OK to save this task.

Finally, create a scheduled task for Power BI Desktop using these details:

Description: Power BI Desktop
Schedule: Daily, Tuesday, 21:00:00
Publish the updates selected by this filter: Power BI Desktop (Shared)
Do not add updates to a Software Update group
Schedule the task to run as: Your Ivanti service account

Power BI Desktop Scheduled Task

Click OK to save this scheduled task.

Open Windows Task Scheduler and navigate to Task Scheduler Library > Ivanti > Patch and select each scheduled task in turn and click Run in the actions pane on the right. Switch back to Ivanti in the SCCM console and monitor the status column for each of the three products, watching as each one gets packaged and then published.

Once that is done, click Synchronize Software Updates in the ribbon and monitor the wsyncmgr.log file to see when it completes. When it has completed, click on Manage Products in the ribbon and subscribe to all three vendors.

Subscribe to all vendors

Click close, and once again click Synchronize Software Updates. This time the updates will be synchronised with SCCM and will appear in All Software Updates when the sync has completed.

Go to Automatic Deployment Rules and click Create Automatic Deployment Rule in the ribbon. I am going to create a single ADR for all third-party updates; however, you may choose to separate products out as you see fit.

Name the rule All Third-Party Updates and select the collection that contains your clients. Select to have new updates added to an existing Software Update Group each time is runs. On the search criteria screen, select Product and choose Adobe Acrobat Reader DC, Google Chrome and Power BI Desktop. You should also add Superseded and change it to No. Click preview to see the patches that will be gathered by these criteria.

Search criteria

Click Next and select to run the rule on a schedule. Customise the schedule and select that it should run monthly, on the second Wednesday of the month (or, whatever schedule is suitable for your organisations patching policies).

Update schedule

Click OK to accept the schedule and click Next. Decide when you want the updates to become available (typically immediately after they are deployed) and when you want the installation deadline. On the next screen, decide if you want the updates to appear in Software Center or not, and what clients should do when the deadline is reached.

Continue through the wizard, selecting a deployment package to add these updates to (or creating a new one) and finally complete the wizard. If you’re ready to get the patches out right now, select the new ADR and click Run Now.

Back on the client

After leaving this for a few hours to give my client time to run a software update scan, I checked Software Center to see what updates were waiting for me…

Updates in Software Center

Just what I was hoping to see! After clicking Install All and waiting a few minutes, all three updates install and my third-party software on this client is up to date. If I left this configuration in place, next month I would expect to see these patches appear automatically, as the Ivanti scheduled task would run, followed by the Automatic Deployment Rule in SCCM that would deploy them to my client. This is assuming the vendors release new versions of this software by the time the tasks run.

If you have read this whole series, or even just parts of it, I hope this has been useful in helping you implement Ivanti Patch for SCCM or argue the case for it. Products like this make it very easy to patch third-party software using SCCM and it is as important nowadays to patch software from third parties as it is to patch Windows. Sometimes, it is even more important!

 

Buy Me A Coffee

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s