In this post I will cover the steps to configure Patch My PC. We will explore all the options that you see while configuring Patch My PC.
Before you proceed further, you must first install the Patch My PC publishing service on your computer. I have covered the installation of Patch My PC here. So I suggest you go through the installation post first and then begin with the Patch My PC configuration.
Steps to Configure Patch My PC
When you launch the Patch My PC publishing service, you will see that the tool has a lot of options. I will take you through most of the options in detail, and this should make it easy for you to configure Patch My PC.
PatchMyPC General Settings
You start configuring Patch My PC with General Settings. This is a one-time configuration and the most important of all the steps.
Under the General Settings tab, you mainly specify the catalog URL and activate your catalog subscription. If you have already purchased a license, paste your catalog URL and click the Validate URL button.
To configure the publishing service in trial mode, click the “Use Trial Mode” checkbox.
If the catalog URL is valid, the tool displays “This catalog subscription has been validated”, along with the “Licensed to” owner info and the expiration date. Click OK.
Patch My PC Certificate Management Options
Under Certificate Management, you have the following options.
- Show Certificate – Displays the WSUS Signing Certificate.
- Import PFX Certificate – Use this option if you want to use a publicly created code-signing certificate.
- Export Certificate – Exports the WSUS signing certificate.
- Generate a Self-Signed Certificate – Generates a self-signed certificate. Requires configuration in SCCM.
To publish updates to WSUS, you need a WSUS signing certificate (code-signing). This certificate can be self-signed, or issued by a third-party or an internal certificate authority.
If you see the message “No Certificate found in WSUS certificate store on this server”, you need to configure the signing certificate.
WSUS Signing Certificate Configuration
First, go to the Software Update Point component properties and click the Third Party Updates tab. Select the option “Enable third-party software updates”.
If you are running SCCM 1806 or above, you can enable the option “Configuration Manager manages the certificate”. With this option enabled, SCCM will automatically generate the signing certificate during the next software update point sync. You can monitor the certificate creation process by opening the wsyncmgr.log file.
Most importantly, if your software update point is installed on a separate server, WSUS must be configured to use HTTPS. Click Apply and OK.
Enable Third Party Software Updates in SCCM
To enable third-party software updates under client settings:
- Launch SCCM console.
- Go to Administration > Overview > Client Settings.
- Edit the client settings and click Software Updates.
- On the right pane, select Yes to Enable third party software updates.
Reopen the Patch My PC tool and click Generate a Self-Signed Certificate. You should now see the code-signing certificate validated, along with its expiration date.
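To verify the result on the WSUS/software update point server, the following PowerShell check (an added example, not part of the original post or of the Patch My PC tool) inspects the WSUS certificate store for a code-signing certificate, its expiration date, and whether it is also present in the Trusted Publishers and Trusted Root stores. The $WarnDays threshold and the Test-CertInStore helper are assumptions made for this example.

```powershell
# Added example (not Patch My PC code): audit the WSUS signing certificate on the WSUS/SUP server.
# Assumptions: elevated session; $WarnDays is an arbitrary renewal window chosen for this example.
$CodeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage OID for Code Signing
$WarnDays       = 60

function Test-CertInStore {
    param([string]$Thumbprint, [string]$StoreName)
    # True when a certificate with this thumbprint is present in the given LocalMachine store.
    $match = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" -ErrorAction SilentlyContinue |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$match
}

# The WSUS store holds the certificate used to sign locally published (third-party) updates.
$wsusCerts = @(Get-ChildItem -Path 'Cert:\LocalMachine\WSUS' -ErrorAction SilentlyContinue)

if ($wsusCerts.Count -eq 0) {
    Write-Warning 'No certificate in Cert:\LocalMachine\WSUS: configure the signing certificate first.'
}
else {
    foreach ($cert in $wsusCerts) {
        # Collect the EKU OIDs so we can confirm the certificate is valid for code signing.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        $selfSigned = ($cert.Subject -eq $cert.Issuer)

        [pscustomobject]@{
            Subject            = $cert.Subject
            Thumbprint         = $cert.Thumbprint
            SelfSigned         = $selfSigned
            CodeSigningEku     = ($ekuOids -contains $CodeSigningOid)
            HasPrivateKey      = $cert.HasPrivateKey          # required to sign updates
            NotAfter           = $cert.NotAfter
            ExpiresSoon        = ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
            InTrustedPublisher = Test-CertInStore $cert.Thumbprint 'TrustedPublisher'
            # A self-signed certificate must also be a trusted root; a CA-issued one chains to its CA.
            InTrustedRoot      = if ($selfSigned) { Test-CertInStore $cert.Thumbprint 'Root' } else { $null }
        }
    }
}
```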
Under Logging options you have:
- Logging Level – Choose what you want to log such as Debug, Information, Errors or Warnings.
- Open PatchMyPC.log – A useful log file when working with the Patch My PC tool.
- Open wsyncmgr.log – Opens the wsyncmgr.log file.
After you configure General Settings, click the Update Rules tab. Here you enable software updates for publishing. The tool has some cool options, such as arrows to expand or collapse products.
With the Database Search icon, you can scan SCCM for products that are already installed and enable the detected products. Lastly, there is the Search option, where you can find products and vendors by name.
You can select the products from the list or jump to the next step.
If you want to scan the list of supported products packaged in SCCM, click the database icon.
Enter the SCCM server name and database name. Click Query at the bottom.
The query displays the supported applications that are packaged in SCCM. From the list click Select All (alternate option – you may select only the apps that you need) and then Enable Selected Products to select the applications to deploy updates via Patch My PC.
Under Update Rules, when you right click All Products, you see a list of publishing options.
- Publish updates using Full Content – Publishes the full content of the update to WSUS. Full-content includes metadata and the update binaries and is required in order to download and deploy the update in WSUS/SCCM.
- Metadata only – Publish only the metadata, update binaries are not published.
- Auto Kill conflicting processes before installing update – This is a really good option. The application processes will be auto-closed before the update installs.
- Skip Update installation if conflicting processes are running – Select this to skip an update if the app is running; the installation is retried at the next software update deployment and evaluation cycle.
- Delete Shortcut(s) – Deletes the public desktop shortcut(s) for a product.
- Disable self-updater – Self-explanatory but I would recommend not to enable this option.
- Manage update logging options – You can choose the folder path where you want to store the install log files.
- Republish Update(s) – Do not use this option unless you have issues with publishing the updates.
Configure Application Rules in Patch My PC
The Application Rules tab allows you to auto-create and update applications in SCCM. These applications can be deployed using SCCM. You can deploy it to a collection or even via task sequences.
To configure Application Rules, you need an Enterprise plus subscription.
First, check the box “Automatically create applications in SCCM for initial installation”. Click Options.
Specify the SMS provider server and source folder (UNC). Within the source folder, the service will create a sub-folder named Applications. When Patch My PC creates an application, you will find the application inside the Applications folder.
Application Creation Options
Under application creation options, you will find some useful options.
- Allow applications to be installed from install application task sequence group.
- Allow clients to use distribution points from the site’s default boundary group.
- Code-sign the PowerShell detection method script using the WSUS signing certificate.
- Do not include the version in the application name, so the application name doesn’t change after updates.
- Move applications to the following folder in the applications node of the console.
Content Distribution Options
Under this option, you can configure Patch My PC to automatically distribute the content for any newly created applications.
In addition, if you have distribution point groups, you can specify them by clicking the Add Distribution points groups button.
There are also some extra settings for applications. You can leave them at their defaults.
- When a new version of an application is released delay the in-place application upgrade by x days.
- If the product doesn’t support the application model, create the base install as a package.
Finally, select the applications and click Apply.
Under Sync schedule you specify the time when the publishing service will download the latest catalog metadata and auto-publish new updates and applications for enabled products.
The default schedule is Daily at 7 PM; change it as per your requirements. If you want to disable the scheduled sync and sync manually every time, there is an option available.
You can also configure the publishing service to sync the SCCM software update point if new third-party updates are published. However, this requires the SUP to be co-located on the site server. Click Apply.
Proxy & Notifications
Under Proxy settings, you can specify the proxy server info if you have one; otherwise the default option is Don’t use proxy.
To enable email reports, click Send Email Reports and configure your SMTP options. When configured, you will receive an email about any newly published updates. The mail also includes Titles, Classification, Severity, CVE-IDs and Catalog Expiration Details. Click Apply.
Since I am configuring Patch My PC in my lab setup, I won’t be using the email reports feature. Maybe I will publish another post on configuring the SMTP settings and will show you how the reports look.
Patch My PC Advanced Options
Under Advanced Options, you have four options.
- Modify Published Updates – Use this option to modify published third-party updates.
- Local content repository for licensed products – Specify a local Content Repository for Licensed products that is used for products behind a paywall requiring a manual download.
- SSRS Dashboard reports – With this option, you can install SSRS reports to Reporting Services Point site system role.
- Standalone WSUS Mode – Select this option when you don’t use SCCM to deploy updates. All the updates will appear in the WSUS Console.
About Patch My PC
In the About tab of the Patch My PC tool, you see important options such as version details, release history and technical support. You can also submit an application request if you don’t find an app in the list.