
SCCM - How to automatically manage application updates without ADR

Started by altu, July 12, 2024, 07:54:27 AM


altu

Hi,

This post is just an inquiry for information and to gain some insights on best practices and to see how others are doing stuff.

During our onboarding session a couple of months ago, we didn't enable Updates for SCCM.
Meaning: Only Applications will be updated.
Also, I am one of those who is not a fan of ADRs anyway. :-X

However, PMPC does not deploy the new versions automatically to the same collections as a previous version, like it is the case in Intune.

We have, during our onboarding session, set this option:
Create a new application without modifying any previous applications.

The default option, which is "Update existing applications metadata, deployment type, etc..." doesn't sit right with me.
I feel more comfortable having one or two previous versions of the application, just in case I need it.

I am wondering if ADRs are really the only feasible way to automate this in SCCM? Or should I change the way SCCM Applications are deployed?

I like what is happening in Intune...
You have a regular app and an Update app. The Update app has a requirement script which makes sure the app is only updated if the requirement is met.

Adam Cook (Patch My PC)

Hey altu,

What you've observed is expected behaviour; we do not have anything in the Publisher to manage deployments for ConfigMgr Apps like we do for Intune.

Like you've alluded to, SCCM has built-in capabilities to automate the deployment of software updates via ADRs. Software updates are also the best way to do patching with SCCM, instead of Applications.

Software updates have built-in logic to only apply the update to devices which need it; this enables you to deploy any third-party software update in SCCM to all devices, and the patches will only install on devices requiring the update. For example, if you deployed a Google Chrome x64 third-party software update from SCCM to a device which does not have Google Chrome x64 installed, the update will do nothing and return "not required" / "not applicable".

You also don't have to use ADRs to deploy software updates with SCCM, you can deploy software updates just like you do any other Microsoft updates in SCCM; you could manually create the SUG, add updates to it, deploy it to a collection, download updates into a Deployment Package and distribute it to your DPs. However, ADRs do automate all of this effort.

You can even automate waved / ringed / phased deployments with software updates in SCCM, and especially so using ADRs, which you cannot with Applications - this is (IMO) an industry-wide best practice for patching; to deploy updates to test devices or power users first, before deploying them to everyone else.

The functionality to preconfigure the assignments for Intune exists in our product because Intune has no concept for automatic assignments, like SCCM does with ADRs.

If your SCCM devices are co-managed and the Client Apps workload is moved to Intune, you can absolutely start leveraging our Intune integration. If you prefer to keep things with SCCM for now, then of course it's possible.

We have an article here which discusses configuring an ADR in SCCM, specifically for third-party updates:


I hope this helps.
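
The manual workflow described in the reply above (create the SUG, download into a Deployment Package, distribute to DPs, then deploy in rings), sketched with the ConfigurationManager PowerShell module. This is an added example, not part of the original thread and not Patch My PC's own code; the site code, collection names, DP group, UNC path and update title filter are all assumed placeholders.

```powershell
# Added example. Every name below (site code, collections, DP group, share) is hypothetical.
Import-Module "$($ENV:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'                                   # hypothetical site code PS1

$sugName   = "3P Updates $(Get-Date -Format 'yyyy-MM')"
$pkgName   = 'Third-Party Updates'                    # hypothetical deployment package
$pkgSource = '\\cm01\Sources\Updates\ThirdParty'       # hypothetical UNC source path
$dpGroup   = 'All DPs'                                # hypothetical DP group

# Rings: collection name -> days until the deadline (test devices first, broad last).
$rings = [ordered]@{
    'Patch Ring 1 - Test'        = 1
    'Patch Ring 2 - Power Users' = 4
    'Patch Ring 3 - Broad'       = 8
}

# 1. Select the updates; drop anything expired or superseded.
$updates = Get-CMSoftwareUpdate -Name 'Google Chrome*x64*' -Fast |
    Where-Object { -not $_.IsExpired -and -not $_.IsSuperseded }
if (-not $updates) { throw 'No current matching updates found; nothing to deploy.' }

# 2. Create the software update group (SUG) containing those updates.
New-CMSoftwareUpdateGroup -Name $sugName -UpdateId $updates.CI_ID | Out-Null

# 3. Download content into the deployment package; distribute it if the package is new.
$isNewPackage = -not (Get-CMSoftwareUpdateDeploymentPackage -Name $pkgName)
if ($isNewPackage) {
    New-CMSoftwareUpdateDeploymentPackage -Name $pkgName -Path $pkgSource | Out-Null
}
Save-CMSoftwareUpdate -SoftwareUpdateGroupName $sugName -DeploymentPackageName $pkgName
if ($isNewPackage) {
    Start-CMContentDistribution -DeploymentPackageName $pkgName -DistributionPointGroupName $dpGroup
}

# 4. One required deployment per ring, all available now, with staggered deadlines.
$available = Get-Date
foreach ($ring in $rings.GetEnumerator()) {
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $sugName `
        -CollectionName $ring.Key `
        -DeploymentName "$sugName - $($ring.Key)" `
        -DeploymentType Required `
        -AvailableDateTime $available `
        -DeadlineDateTime $available.AddDays($ring.Value)
}
```

Because applicability is evaluated on the client, the ring collections can be broad device collections; only devices that need the update install it.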

PS_Alex

Wanted to add to Adam's reply what has been posted on https://patchmypc.com/base-install-update-options-explained

Instead of activating "Create a new application without modifying any previous applications", one could select the default option "Update existing application's metadata, deployment type, detection method, and content files", and configure an adequate retention policy ("Retain up to X previously created applications") to keep a number of older app versions, in case they are needed.

The deployed application would always be the latest, and if mandatory deployments are set, they would also trigger an update.
BUT (and it's a big but), just as described in the blog post, mandatory deployments would be reevaluated and applied immediately, as their deadlines would be reached. So no concept of rings/waves -- all targeted devices would be updated simultaneously.

Really, the cleanest way to update existing assets with SCCM is to leverage ADRs.