Patch Management

Well.

I install Choco + the apps clients use + .net3.5 via choco.

Then I run ABC-Update every week automatically via toolbox and alerts.

I have only been using simplehelp for a few months now. Choco for installing client apps in windows, ABC-Update for updating. I have sort out a XOS update script, but still trying to sort out homebrew for client app installs, but script not running as root user.

I’m still looking for a ticketing system, looking at osticket, but can’t close a ticket by email as I would really like to log stuff, i.e email at start of ABC-Update to create a ticket then email at end of script that closed the ticket. Anybody can suggested ticketing system that could do that?

I believe Spiceworks Helpdesk can do that for you. I’ve not used it in a few years so can’t say with certainty that functionality still exists, but would assume it does. In addition to the helpdesk, Spiceworks Community is a great IT resource.

We use Request Tracker and manage tickets almost exclusively with email. https://bestpractical.com/request-tracker

I still use Spiceworks for my helpdesk - there is only me. Never bothered with the device management side. Sadly development of Spiceworks has hit a bit of a hiatus. They’ve been working on a new web version for years but it’s not feature rich yet.

Does Request Tracker put an icon by the clock so they can click on it and open a ticket? And it auto-populates the machine info? I’m using osTicket and my users hate opening tickets because it’s too many clicks and you have to login, then they don’t provide the machine info. I’m thinking of switching to Syncromsp for all of my machine management, but it’s $1,200/yr per tech.

I don’t personally use it that way. I know there is a REST api where you could likely accomplish that. Our users just literally send an email with their issue. Depending on your email program you could potentially create a macro to start a new email with the required info. Or even a simple mailTo program with prefilled info.

Can I get the command line you use? When I run it on my test computer it never seems to finish.

What email do you send?

Thanks!

Were you asking what mail command to use? If so something like the following:

start “” "mailto:requesttracker@YOURDOMAIN.com?subject=computer:%computername%&body=%computername% is broken and needs fixing%0D%0A%0D%0ARegards,%0D%0A%0D%0A%username% "

I am not sure what computer info you want transmit but you could easily create a windows shortcut on the desktop that runs this if you leave off the start and “” at the beginning.

Here is one of our ABC-Update scripts with email reports.

ABC Update - List and install all missing Security Updates from WSUS with reboot.

You can modify it for other required options from ABC-Update

ABC-Update.exe /S:WSUS /A:Install /R:3 /C:SecurityUpdates /Q: IsInstalled=0 AND isAssigned=1 /Log:C:\Support\ABC-Update.Log /MailTo:you@yourdomain.com /MailFrom:abcupdate@yourdomain.com /MailServ:mail.yourdomian.com:25 /MailUser:abcupdate@yourdomain.com /MailPwd:Passwordhere

I use the PSWindowsUpdate module, to update via the tool box.
You can use “Install-Module PSWindowsUpdate” to actually install it.

You can use this command to get applicable updates:
Get-WUList -MicrosoftUpdate

You can use this command to apply the updates:
Get-WUInstall -AcceptAll -Install -MicrosoftUpdate -IgnoreReboot

You’ll probably want to schedule a reboot with Task Scheduler.
It works extremely well, there is more information on: http://woshub.com/pswindowsupdate-module/

Alternatively you can use “Get-Command -Module PSWindowsUpdate” within Powershell, then use:
Get-Help <Get-WUInstall, etc.>

It has a suite of functions that help with scheduling as well, also determining if you need to reboot the system with Get-WURebootStatus

I’m going to add a script for folks to use PSWindowsUpdate more effectively.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Confirm:$False -Force
If(-not(Get-InstalledModule PSWindowsUpdate -ErrorAction SilentlyContinue)){
    Install-PackageProvider NuGet -Confirm:$false -Force
    Set-PSRepository -Name 'PSGallery' -InstallationPolicy Trusted
    Install-Module PSWindowsUpdate -Confirm:$False -Force
}
Import-Module PSWindowsUpdate

Get-WUInstall -Install -AcceptAll -AutoReboot -MicrosoftUpdate

This script for the toolbox detects if PSWindowsUpdate module is installed, and handles the install of the PowerShell module, then installs all the updates. This is just an example, please modify this to your needs. I have a few variations of this with more complex logic to deal with bad updates.

Hi Roy,

Sorry im terrible with scripting. What would need changed to prompt for a restart rather than autoreboot? Also, will this script run without displaying anything to the end user? Will it also install build updates or just normal windows updates?

Simon,

Sorry for the delayed response, I have mine set to do a monthly digest when it notifies me.

You would change “-AutoReboot” to “-IgnoreReboot”

That has the net effect of ignoring the reboot request, and not asking you because this power shell module will ask questions if you are not explicitly providing inputs at the command line.

Roy

How are you getting on ? Do you still use ABC ?

Does it stop auto updates so that they can only update when I want them to? Even if the user clicks 'check for updates in Windows settings ?

Thanks.

Following this. I really do not want to go full RMM and would love to use this functionality. By the way does anyone else use SH (perhaps for the remote access component) AND an RMM for everything else?

@Mike_Tills

I think you should keep a goal of reducing the number of information sources in your environment. You should have a primary or definitive knowledge location. It doesn’t matter what that solution is, but keeping that number low or integrated into each other so one becomes that primary source is worth considering.

If the RMM becomes that, make sure you do the leg work so you are not double entering data. Simple-Help arguably can track alot of information on it’s own if you do the leg work to make integration possible but I also use another system to track data like that.

Roy

You can do this by adding a registry entry or a GPO to disable windows updates. Or put in a fake wsus server address. Then in your abc script, before you run it. Turn off the registry entry and restart update services.

You can find the GPO or registry entry by googling it online. I can look through my scripts if you cant find it through google.

OK, I think SimpleHelp is great!

But we are moving more into ‘security’ and keeping systems up to date as we have clients that need cyber essentials. I really need to manage the whole windows update process along with 3rd part applications.

Ideally I need to see a list of the updates in one windows that have been performed on each machine and updates needed as well as if the machine needs a reboot. I also need to cover 3rd party applications.

I have been using chocolatey for this, but again there seems no easy way to compare installed versions and new ones released.

It seems from what I have found is to look for a new RMM, but just want to check in case i am missing something??

This is a tricky one. SimpleHelp doesn’t do patch management. They focus more on remote access.

For patch management make sure when looking, look at exactly what 3rd party programs they support. Not everything is usually covered, so make sure they cover the apps you want to check/update. I have heard that https://www.tanium.com/ does well at patch management, windows, and third party, but I have not personally used them.
I also like PDQ inventory and deploy https://www.pdq.com/, but it is based more per site than if you have a bunch of clients from different locations. Let us know what you choose.

If you want to stick purely with simple help for an all-in-one solution, it will take a bit of work scripting things out through Powershell.