Automatic dynamic updates with CVE's

Started by steadybird, October 27, 2024, 05:22:25 PM


steadybird

Hi All!

I understand that dynamic assignments exist and can be leveraged to target certain groups based on defined rules.
What I am hoping to do though is automatically deploy updates only if a CVE is present.

So I could turn on the daily sync schedule but that it will only actually assign the new updates if a CVE exists.
Otherwise it will either not publish at all... Or will publish without any assignments.

I will then perform my standard monthly manual sync at which point outstanding non-CVE related patches will be published and assigned. My CIO does not want us fully automating it. Only approved for standard updates at the beginning of the month.

I have discussed this somewhat with support and have been informed that PMPC does not support this, or similar, workflows. But I am wondering if there is some creative use of existing functionality that I could cobble something together that may begin to approach the desired outcome?

Maybe something like running two instances of the publisher? One with my usual config that I manually run monthly... The other with zero standard assignments configured and only the dynamic CVE assignments. This second instance set to automatically sync daily.

Is this possible? How would the two instances interplay with each other? Would they recognise Intune apps published by each other?

Is it even possible to have dual instances even on separate machines?

Any other ideas?

Liviu (Patch My PC)

Hey Steadybird,

That's quite a pickle.  ;D

This is the best option I can think of:

Configure Dynamic Assignments only.
Run the sync daily.
If the criteria for dynamic assignments are met (the update has a CVE), it's assigned.
If it's not met, publish the update to Intune without any assignments (keep the 'Manage assignments' option empty).
Then, once a month, manually deploy the PMPC updates that don't have any assignments.
You would have to go to Intune Apps --> Options --> and uncheck these 2 options:
  • Copy the assignments from previously created applications when an updated application is created
  • Delete the assignments from previously created applications when an updated application is created
It's important to do that, as when new updates without CVEs are published, you don't want the assignments to be automatically copied by the PMPC Publisher.
https://patchmypc.com/intune-application-creation-options

I would also make sure I retain a few older versions in this setting:

  • Delete any previously created updates when a new update is published

I would retain 4 or 5 at least.
When you manually deploy the software at the beginning of the month, and you are doing a daily sync, if you configure the setting to NOT retain older versions, your manually assigned one will be deleted.

This is not pretty by any means, but it will do the job.

Quote from steadybird:
  This second instance set to automatically sync daily.

  Is this possible? How would the two instances interplay with each other? Would they recognise Intune apps published by each other?

  Is it even possible to have dual instances even on separate machines?

It is possible to have two instances of the PMPC Publisher, but that will not resolve the issue, as the updates will still be published to the same Intune tenant.
The resolution I mentioned above should be the best option I can think of, given your requirements.
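The monthly step above depends on knowing which PMPC-published apps are still sitting in Intune with no assignments. The following is an added example, not code from the thread or from Patch My PC: it lists every Win32 app in the tenant that has zero assignments, so the manual pass (or a check that the daily sync has not stripped an assignment) starts from a complete list. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the DeviceManagementApps.Read.All permission; narrowing the list to PMPC apps by name is left to the admin, since the naming convention is tenant-specific.

```powershell
# Added example (not from the forum thread or Patch My PC).
# Assumes: Microsoft.Graph SDK installed, DeviceManagementApps.Read.All granted.
Connect-MgGraph -Scopes "DeviceManagementApps.Read.All"

# Win32 apps are the type the PMPC Publisher creates; expand assignments in the same call.
$uri = "https://graph.microsoft.com/v1.0/deviceAppManagement/mobileApps" +
       "?`$filter=isof('microsoft.graph.win32LobApp')&`$expand=assignments"

$unassigned = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($app in $page.value) {
        # An app with an empty assignments collection is one the monthly pass must cover.
        if (-not $app.assignments -or $app.assignments.Count -eq 0) {
            $unassigned += [pscustomobject]@{
                DisplayName = $app.displayName
                Version     = $app.displayVersion
                Created     = $app.createdDateTime
                Id          = $app.id
            }
        }
    }
    # Follow server-side paging until Graph stops returning a nextLink.
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Newest-first so a version that lost its assignment to a daily publish is easy to spot.
$unassigned | Sort-Object DisplayName, Created -Descending | Format-Table -AutoSize
```

Run it on the first of the month before assigning, and again after the next daily sync to confirm the retention setting kept the version you just assigned.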


steadybird

Thanks for the response.

By "manually deploy" does that mean going into Intune and filling in the assignments manually to the existing (but empty assignment) non-CVE published apps?

The reason I was thinking of dual instances of the publisher was that doing so I would think it would enable me to fully automate one instance for CVE dynamic assignments only.

Then use the other for my monthly manual sync process and let this instance manage the assignments as they are currently.

I would assume this would duplicate packages in Intune for sure... But the end objective would be to get CVE patches out on an accelerated timeframe and not wait for the monthly process.

Liviu (Patch My PC)

Hi Steadybird,

I have given this some more thought.

You could use two PMPC Publisher consoles. I ran a test in my lab to make sure this works fine.

On VM1:
  • Select some Intune Updates.
  • Use dynamic assignments to deploy any updates that have a CVE and run the sync daily.
  • Any updates that don't have a CVE will still be published.

On VM2:
  • Select the same Intune Updates as on VM1. If you customize the software using right-click options, customize them exactly the same to avoid conflicts.
  • Configure the sync to run monthly.
  • Configure the 'Manage assignments' right-click template.
  • When the sync runs, if the Intune Updates are already published in Intune, they will just be assigned according to the 'Manage assignments' template.

I have tested this just now, it works fine.
The only note I have is to configure the 'Intune Updates' with the same right-click options on both VMs.

steadybird

Thank you for your insight.
Did it behave as I suspected in that each instance would have its own separate set of applications published to Intune?

Or did both instances recognise and attempt to enforce their own configs to the same published applications?
Resulting in your above commentary regarding customising the same settings to avoid conflicts?


Liviu (Patch My PC)

Hello steadybird,

I apologize for not replying, I somehow missed your message.

Quote from steadybird:
  Did it behave as I suspected in that each instance would have its own separate set of applications published to Intune?

You can only publish an app from the PMPC Catalog to Intune once. Whichever PMPC console publishes it first takes priority. If another console tries to publish the same app, it will detect that the app is already published and won't create a duplicate.

However, if the second console is set up to manage assignments (like user or device groups), those assignments will still be applied. There won't be conflicts, but it's a good idea to use the same right-click settings in both consoles to avoid issues (if applicable: Modify Command Line, Manage conflicting processes, any custom scripts, etc.).

For clarity:

Console1 handles Dynamic Assignments - sync runs daily - publishes updates that meet your CVE criteria.
Console2 handles Manage Assignments - sync runs monthly - publishes updates that weren't published by Console1. Sets assignments according to your "Manage assignments" right-click setting.
Both consoles should otherwise have the same settings when it comes to other right-click options.

steadybird

Thanks for taking the time to chat about this. Very appreciated.
The workflow you've laid out actually sounds like a reasonable workaround with the only real downside being needing to double configure settings.