• Welcome to Support Forum: Get Support for Patch My PC Products and Services.

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - Andrew Jimenez (Patch My PC)


Updates deployed via WSUS are unable to patch user-based installs as they run as the SYSTEM account. This is a limitation of WSUS itself, and something we will not be able to change. Webex, and a few other applications in our catalog are a bit weird because even when they are installed as a User-based application, they still register themselves as a Machine-wide install. Because of this, our WSUS update for Webex does some file checks in addition to the MSI installation check. This can cause a lot of confusion, even for our support staff, as the applications look like they are installed as SYSTEM, but are not. In fact, trying to remove these installs using the SYSTEM account will fail, because the MSI is not registered System-wide (at the moment, I think this is hidden somewhere deep in WMI).

We have improved our user-based application compatibility by offering user-based apps under the ConfigMgr Apps/Intune Apps and Intune Updates tabs in Patch My PC.

Quote from: ekraus on May 17, 2023, 09:47:52 AMSo, I'm just running into this myself and, as Eddie78701 mentioned, it's a user install that appears in Hardware Inventory. This would mean, and I confirmed, that it has an entry in the HKLM area of the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall). Below is the IsInstallable Rules taken from Cisco Webex Meetings and modified for Webex; I used the version referenced in the original post. Is it possible that the detection of the update could be augmented to use something like this?

<bar:RegKeyLoop RegType32="true" Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" TrueIf="Any">
  <bar:RegSzToVersion RegType32="true" Key="HKEY_LOOP_TARGET" Subkey="\" Comparison="LessThan" Data="" Value="DisplayVersion" />
  <bar:RegSz RegType32="true" Key="HKEY_LOOP_TARGET" Subkey="\" Comparison="BeginsWith" Data="Webex" Value="DisplayName" />
  <bar:RegDword RegType32="true" Key="HKEY_LOOP_TARGET" Subkey="\" Comparison="EqualTo" Data="1" Value="WindowsInstaller" />

Our current detection method for Webex for WSUS updates looks for the Webex MSI to be installed (which would be true on a user or machine-based installation) as well as files in Program Files. This ensures that the application to be patched is actually the machine-wide installation, and not the user-based installation. If we modified the applicability rules to look for the application in the registry like Webex Meetings, the update would install, but you would be left with 2 installations, one for the user, and one machine-wide.

Additionally, we have recently made some headway with these sort of apps by using our pre-scripts feature to remove the user-based applications with some help from PSADT. See the following script for an example: https://github.com/PatchMyPCTeam/Community-Scripts/tree/main/Install/Pre-Install/Remove-RemoteDesktopSystemUser

Using a ConfigMgr App deployment of Webex along with a prescript similar to the above (we'll work on getting that script up on the GitHub in the next day or so), should allow you to "migrate" an existing user-based installation of Webex to Machine-wide. I don't believe this will be a cure-all, however, as many security products flag user-impersonation as a malicious action, and may block such scripts.

I hope this has provided some background on the issue and the challenges we face when patching certain applications.
Unfortunately, there isn't a way to use this for an update, as the update would have to be applicable to the product already installed on the device.
Can you please submit a support request here: https://patchmypc.com/technical-support and please include the PatchMyPC.log from the Patch My PC installation folder?

I wouldn't say there is an "easy" way to do this today. For your example, you can deploy the 32-bit version of Notepad++ as an uninstall, and the 64-bit version as an install, and it should get your desired results (however the 32-bit version of notepad++ would have to be the latest version for the uninstall to be initiated). Alternatively, you could add a prescript to the installer for Notepad++ 64-bit to uninstall the 32-bit. We have a great prescript that you can use here

We also have an enhancement request like this here: https://ideas.patchmypc.com/ideas/PATCHMYPC-I-2506 this is a complicated request, but we have some ideas on how to implement it, and hope to do so in the future.
Hi Sheldon,

We typically add applications that are requested on our ideas page here: https://ideas.patchmypc.com/. Both CCleaner and Malwarebytes were requested as the free, and not paid versions. Additionally, these specific products were added quite some time ago and largely came from our Home Updater catalog. If you'd like us to also patch the paid versions of these applications, let us know on our ideas page, and we'll work to get them added!
Hello again, we've shipped the catalog with this command-line argument added!
Correct, the device restart behavior should be able to suppress the reboot that the update asks for.
With regards to the reboot even though REBOOT=ReallySuppress has been set: Setting REBOOT=ReallySuppress only prevents the app/update from forcing a reboot on the endpoint, it does not negate the need for a reboot. A 3010 exit code is still provided to ConfigMgr/Intune, and those tools will determine if or when a reboot occurs.

You can set the deployment in either ConfigMgr or Intune to show no notifications, and this should prevent the reboot notification from appearing on the endpoints.
I did confirm that this issue should not be occurring now. So the delete and recreate of the Intune update will resolve this issue for you.

This was an issue a while ago, and was fixed on our back end some time ago. I am not sure why it is occurring for you now! Delete the Intune Update and have Patch My PC recreate it, and you should see the errors go away. I am going to double-check our back end to ensure that nothing has changed to cause this issue for you.

Because those are user-based installs, typical updates as SYSTEM will not detect and update them. The easiest way to update those installs is to actually push the machine-wide Application install to those devices, the Zoom installer is pretty good at updating existing user-based installs with a machine-wide install. Once the machine-wide install is in-place, Patch My PC updates can then continue to update the product.
This is the first I am hearing of it. I know in the past that you could request larger storage size, however, our size limits were not primarily due to Intune, they are also due to WSUS, as there is a max file size limit for WSUS, and built-in to SCUP. We have some plans to increase the max file size, and background work is happening for that now, but I do not expect to support larger installers until next year at the earliest.

I just wanted to let you know that we shipped a split UniversalForwarder, if you deselect the UniversalForwarder 9, and select the UniversalForwarder 9.0, you should get the version now!