How to Use Automatic Deployment Rules (ADRs) with Patch My PC Updates

Setting up automatic deployment rules for Patch My PC updates is simple. In the guide below, we will review the basics of ADRs for Patch My PC updates and how you can include or exclude specific products.

How to Set Up an ADR for Patch My PC Specific Updates in ConfigMgr

If you want to create an automatic deployment rule specific to Patch My PC third-party software updates, we recommend using the following criteria.

Superseded = No
Update Classification = Critical Updates, Security Updates, Updates
Vendor = Patch My PC

[Screenshot: ADR creation for Patch My PC third-party updates in SCCM]

If you want to include or exclude specific products in your ADR criteria, please see the section Excluding or Including Specific Products in Automatic Deployment Rules.

Note: Patch My PC uses a single vendor and product due to limitations on how many third-party categories can be published to WSUS. For more information, you can review Publishing operation failed, too many locally published categories.

One common mistake we see is that when customers create a deployment package, they specify the WSUSContent folder as the deployment package source. If the WSUSContent folder is specified as the package source, ConfigMgr will automatically delete all the third-party update content published to the WSUSContent folder, causing updates to fail to download into a deployment package.

[Screenshot: WSUSContent folder set as the package source folder in a deployment package]

Each Time the Rule Runs and Finds New Updates

A common question we get is whether to use “Create a new Software Update Group” or “Add to an Existing Software Update Group”.

Create a new Software Update Group (SUG)

  • Can assist with reporting in some cases.
    • Software Update Reports commonly target a SUG. When you have a SUG for each ADR run you can get good point-in-time reporting
    • The ‘release date’ of a patch can offer similar info, but if you care about the exact time a patch was deployed in your environment for the first time, creating a new SUG each time is your only option
  • Each SUG will have a smaller number of updates.
    • There is a limit of 1000 updates per SUG
    • Generally, this is not an issue for third party updates, as you will not have this many non-superseded updates

Add to an existing Software Update Group

  • Keeps the count of Software Update Groups low, one per ADR. No SUG sprawl to maintain.
  • Can make it more difficult to do a staggered rollout of updates
    • If your ADR creates any deployment with a DEADLINE longer than your ADR evaluation period, some machines may never update.
      • Example: the ADR runs on a daily schedule
        • It creates a deployment with a deadline in the future, 7 days for example, which will be 7 days from the time the ADR runs
        • The ADR runs again the next day, and the previously created deployment has its deadline pushed out again based on the settings. Machines targeted by this deployment may never hit their deadline.
    • The key point to keep in mind is that the ADR will be using the same SUG, AND it will be overwriting the deployment for that SUG on each run as well.
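The two misconfigurations described above (the WSUSContent folder used as the deployment package source, and an existing SUG combined with a deadline longer than the evaluation period) can be checked mechanically. The following is an added example, not Patch My PC or ConfigMgr code; the record layout, field names, finding codes and sample values are constructed for illustration and would need to be mapped from your own ADR inventory.

```python
# Added example: lint ADR settings for the two mistakes described above.
# Record layout, field names and sample values are constructed (assumptions).
HOURS_PER_UNIT = {"hours": 1, "days": 24, "weeks": 168, "months": 720}  # month ~ 30 days

def to_hours(value, unit):
    """Normalise a (value, unit) pair so deadline and schedule are comparable."""
    return value * HOURS_PER_UNIT[unit.lower()]

def is_wsuscontent(path):
    """True when the package source folder itself is named WSUSContent."""
    segments = [s for s in path.replace("/", "\\").split("\\") if s]
    return bool(segments) and segments[-1].lower() == "wsuscontent"

def lint_adr(adr):
    """Return finding codes for one ADR record."""
    findings = []
    # Per the article, ConfigMgr deletes the third-party content published to
    # WSUSContent when that folder is used as the package source.
    if is_wsuscontent(adr["package_source"]):
        findings.append("WSUSCONTENT_AS_PACKAGE_SOURCE")
    # With one reused SUG, each run overwrites the deployment, so a deadline
    # longer than the evaluation period keeps moving and may never arrive.
    if adr["use_existing_sug"] and (
        to_hours(*adr["deadline"]) > to_hours(*adr["evaluation_period"])
    ):
        findings.append("DEADLINE_LONGER_THAN_EVALUATION_PERIOD")
    return findings

def lint_all(adrs):
    """Map ADR name -> findings, listing only rules that have any."""
    results = {adr["name"]: lint_adr(adr) for adr in adrs}
    return {name: found for name, found in results.items() if found}

# Constructed sample inventory (server and share names are placeholders).
SAMPLE_ADRS = [
    {"name": "PMPC daily, existing SUG", "package_source": r"\\cm01\WsusContent",
     "use_existing_sug": True, "evaluation_period": (1, "Days"), "deadline": (7, "Days")},
    {"name": "PMPC daily, new SUG", "package_source": r"\\cm01\Sources\Updates\PMPC",
     "use_existing_sug": False, "evaluation_period": (1, "Days"), "deadline": (7, "Days")},
    {"name": "PMPC daily, existing SUG, 12h", "package_source": r"\\cm01\Sources\Updates\PMPC",
     "use_existing_sug": True, "evaluation_period": (1, "Days"), "deadline": (12, "Hours")},
]

if __name__ == "__main__":
    for name, found in lint_all(SAMPLE_ADRS).items():
        print(f"{name}: {', '.join(found)}")
```

Only the first sample rule is flagged: the second creates a new SUG per run, so its 7-day deadline is never overwritten, and the third has a deadline shorter than its daily evaluation period.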

Note from Microsoft Docs: Decide whether to add software updates to a new or existing software update group. In most cases, choose to create a new software update group when the ADR runs. If the rule runs on a more aggressive schedule, you might choose to use an existing group. For example, if you run the rule daily for definition updates, then you could add the software updates to an existing software update group.

Excluding or Including Specific Products in Automatic Deployment Rules

In some scenarios, you may want to remove specific updates from an automatic deployment rule. You can use the title filter to exclude the specific update title from the ADR search criteria.

Here’s an example of an ADR that will deploy all Patch My PC updates with no filters:

[Screenshot: SCCM ADR with no filters]

Here’s how you can add a title filter if you wanted to exclude any 7-Zip update from your ADR. Title: -7-Zip

[Screenshot: ADR exclude title filter in SCCM]

If you want to include specific products in an ADR, you can remove the "-" before the title filter, as shown above.

Removing/Filtering Specific Updates from Automatic Deployment Rules (Video Guide)

The video guide below describes how to use title filters to exclude products from ADRs with Patch My PC.
