Patch Management Best Practices for MSPs
In today’s technology landscape, patch management is more important than ever for Managed Service Providers (MSPs). With the constant stream of new vulnerabilities and exploits being discovered, it is crucial for MSPs to have an effective patch management solution in place. Without a proper patch management solution, MSPs are leaving their clients’ systems open to attack. It may seem like it is fairly easy to install a few patches to a few devices manually, but in reality, it is not, especially when you have multiple clients. Well, to make this task a bit easier MSPs use RMM that constantly monitors what is going on with the endpoints and applications. While having an RMM solution (even with patch management functionality) is great, it is not enough for proper patch management. In this article, we want to share 5 best practices to optimize patch management for you and your clients. Patch Management Tips for Managed Service Providers Inventory. Being able to implement effective patch management starts with knowing exactly what devices you have. You as an MSP should make sure they have a complete overview of endpoints and software inventory on the regular basis (you can’t fix what you don’t know). This will help you know what needs to be patched and when. Track patch announcements from vendors. On average, companies have 110 applications in use and the majority of them are from other vendors than Microsoft – Adobe, Google, Amazon, etc. This means that staying on top of the latest update announcements from vendors plays a crucial role in effective patch management. Make sure to subscribe to security mailing lists and RSS feeds from third-party vendors to help ensure that the updates aren’t overlooked. Test patches before deployment. Applying patches does not always solve a problem: there is a risk that some things can go wrong with updating software. This can occasionally happen, even if the vendor extensively tested a patch before the release. Sometimes, the reason for a patch failure is that you install the patch and forget to reboot the system. A good way to mitigate this problem and not “break everything”, is to test the patch in a controlled environment before pushing it out to all endpoints. Regular reporting. Providing your customers with reports with patch management information like frequency, history, patch category, and resolution times on a regular basis will help build trust and long-term relationships with your clients. Automate as much as possible. This is perhaps the most important patch management best practice. Using a good third-party patch management tool can enable you to automate your patch management processes. Automating third-party patching can save your organization time and money. By automating the process, you can ensure that all third-party applications are up to date with the latest security patches. Automate third-party patch management of your customers with the right tool = Scappman For automated third-party patch management that is reliable and user-friendly, look no further Scappman. This 100%-cloud solution ingrates with Microsoft Intune and automatically installs all the necessary application updates for your customers. Scappman allows you to easily keep third-party applications updated across numerous client endpoints, with features like managing custom applications, automated log collection, customizable installation commands, creating a set of reg keys etc. For MSPs, Scappman provides a complete third-party patch management solution, that allows you to manage all your customers’ apps from one platform with extra functionality: Multi-tenancy support Partner Portal (invoicing, inviting customers, pop-up customization…) Advanced application management (app sets, users & group assignments…). Furthermore, there are more than 800 third-party applications in Scappman App Store, that are always up to date and secure to use. You can also upload your own application to the platform and manage it like any other application. If you’re an MSP looking for a cloud third-party patch management solution, try Scappman at no charge – a 15-day free trial is available!
Microsoft reveals new features to Windows Autopatch: app-based authentification, quality updates reporting and post-registration device readiness
In April, Microsoft launched the Windows Autopatch update service for business customers, making it generally available later in July. The main of the service is to take charge of update deployments and reduce the burden on IT admins. On Microsoft Ignite 2022, Microsoft introduced new features that are now available on Windows Autopatch. Windows Autopatch is a cloud service that automatically manages Windows 10/11, Microsoft 365 Apps for enterprises, Microsoft Edge, and Microsoft Teams updates for enterprises in order to improve security and productivity in organizations. This includes the creation of testing rings, monitoring health, and rolling back updates if needed. Windows Autopatch is aiming to make life of IT admins easier so they can focus on the tasks that matter, taking over patching Microsoft products. Now there is a new application-based authentication available in Autopatch through Microsoft Modern Management Management app. Thanks to this new certificate-based authentication, enterprise users can avoid the chore of rotating passwords or handling Conditional Access (CA) policies. Also, Microsoft has made the process of post-registration device readiness simpler. Previously, after running the Readiness assessment tool, your devices might have been sorted out into 2 tabs: Ready and Not Ready. Now devices that do not meet the prerequisites for Windows Autopatch enrollment are sorted in a “Not registered” tab whereas the devices with conflicting configurations are shown up in the “ Not Ready” tab. And it’s possible to get solutions tailored to each of them by clicking on the devices. Microsoft explains why this change is important: “We heard that making sure devices remain healthy and eligible to receive updates—and reporting on the status of those devices—was time-consuming (and expensive). With this update to the device registration flow, IT admins can easily detect and take action to remediate configuration mismatches or other issues in their environments that prevent devices from receiving software updates from Windows Autopatch.” And finally, quality updates reporting service has become available. Windows Autopatch reporting is designed to allow visibility into update status and device health, and offer insights into managed endpoints. The reporting offers data on update compliance as well as device and application performance. To see the quality update summary report go to Reports > Windows Quality Updates. All devices report shows the update status of all devices. All devices report – historical shows the update status of all devices over the last 90 days. Eligible devices report – historical shows the update status of eligible devices over the last 90 days. Ineligible devices report – historical shows why devices have been ineligible over the 90 days.
MC2MC Live – The Autumn edition | Antwerp, Belgium
No plans for Thursday evening? Scappman invites you to the live (free!) community event in Belgium! Date: October 20 (Thursday), 18:00 – 23:00 Location: De Burgerij, Sint-Laureiskaai 8, 2000 Antwerp, Belgium Website: Home – MC2MC Scappman will be sponsoring this event completely. Free drinks and food will be available. What is MC2MC? Microsoft Cloud and Client Management Community offers events with best practices about Modern Workplace solutions from Microsoft 365 to Azure.We are eager to bring the newest content and experience from our peers in a way that we can inspire everyone to work with new concepts of the modern workplace and the public cloud. Agenda for 20/10 18h00 – 18h45: Welcome and intro with food and drinks. There will be burgers and fries, be on time, food will only be presented between 18 and 18h45 18h45 – 19h30: The use of Artificial Intelligence in a real business scenario. Driving positive impact on Planet Sustainability by Frank Vanhamel (MC2MC) 19h30 – 20h15: Intune tips and tricks – the 2022 edition by Peter Daalmans (Enterprise Mobility MVP) and Tim De Keukelaere (Enterprise Mobility MVP) 20h15 – 20h30: Break 20h30 – 21h15: The NEW way of managing apps with MEM by Wout Vergauwen (Scappman) 21h15 – 22h00: Notes from the field: Microsoft Sentinel in real life by Thijs Lecomte (Microsoft Security MVP) 22h00 – 23h00: Live social with beer and wine
Microsoft Endpoint Manager is gone: Microsoft introduces Microsoft Intune product family
Microsoft Ignite conference takes place these days, and the company has already announced a lot of updates designed to help companies be more secure and productive. For enhanced endpoint management, Microsoft announced the advanced endpoint management plan that will include remote help, Microsoft Tunnel for Mobile application management, Endpoint Privilege Management, intelligent automation and data insights, and automated app patching and packaging – all based on Intune. Yes, not on Microsoft Endpoint Manager. The name Microsoft Endpoint Manager will no longer be used. That means, that from now on Microsoft refers to cloud management as Microsoft Intune and on-premises management as Microsoft Configuration Manager. The number of Intune-managed devices (including Windows, Android and iOS) increased by 60% last year. Nearly 50% of Microsoft-managed endpoints are now cloud-connected, compared to less than 20% in 2020. Because of the growing demand for the cloud endpoint management solution, Microsoft promotes the idea to move to the cloud for its new and on-prem customers. But it does not mean that Configurator Manager is dead. It will remain a part of Microsoft Intune product family and continue to be updated on the regular basis. But if you want to enjoy all the features coming from Intune, you have to move to the cloud. If you are interested in connecting your tenant to the cloud, Microsoft’s FastTrack can provide deployment assistance at no additional cost for eligible Microsoft 365 customers. To manage application installations and updates on Intune-managed devices in a new way, use Scappman. Scappman is a third-party application patching solution that automates the patching process for Intune-managed devices. Scappman eliminates the need for manual patching and provides a more efficient way to keep your third-party applications up to date. Read more about how to get started with Microsoft Intune: How-to guide: Getting started with Microsoft Intune (part 1) How-to guide: Getting started with Microsoft Intune (part 2) How-to guide: Getting started with Microsoft Intune (part 3) How-to guide: Getting started with Microsoft Intune (part 4)
South Coast Summit | Southampton, UK
Scappman in a Platinum Sponsor of South Coast Summit! Stop by our booth (booth #5) to ask your questions about Scappman, to see Scappman in action and, of course, to get some Scappman swag 😉 Come to our session and get a chance to win a Surface Go 3! Date: October 15 Location: Ageas Bowl, Southhampton, UK Website: South Coast Summit – A Microsoft Cloud Technology Conference What is South Coast Summit? Microsoft Cloud Technology Community Conference, focusing across the full breath of products. 13th-15th October 2022, The Ageas Bowl, Southampton South Coast Summit 2021 was the largest community conference focused on Microsoft products and services of the year. A three-day event for IT professionals and end users, working with Microsoft technology. South Coast Summit focuses on all key pillars of the Microsoft ecosystem: Business Applications, Modern Work, Security & Compliance, through to Microsoft Azure. Thursday 13th October – Watch Microsoft Ignite 2022 in-person with your fellow peers, as we stream multiple sessions throughout the day. Friday 14th October – Hands-on workshops and Power Platform Hackathon, limited to 300 attendees. Saturday 15th October – South Coast Summit 2022 – welcoming all 1,400+ attendees, 50 exhibitors, and 110 speaker sessions. South Coast Summit follows a similar structure to other IT conferences and Microsoft events such as Microsoft Ignite and Future Decoded; with sessions delivered by subject matter experts from Microsoft, Microsoft MVPs, and Microsoft Partners. expert speakers, and a large exhibition of sponsors’ associated products and services. Admission includes breakfast, lunch, tea, and coffee. Session: The NEW way of managing applications with Microsoft Intune Join Scappman’s CEO, Wout Vergauwen, for the informative session about automated application management in Microsoft Endpoint Manager. In this session, we’ll give you a walk-through of Scappman and its capabilities and show you what makes it so different from the existing Application Management solutions. Scappman is a 100% cloud and agentless platform that plugs into Microsoft Endpoint Manager and fills the gaps of that product. Scappman is able to deliver ANY Windows app to your MEM environment thereby adding functionality like application update rings, updating of available Company Portal apps, user interaction when the app is in use, multi-tenancy, application sets, etc. Come to the session and get a chance to win a Surface Go3! ⏰ 15:00 – 15:40 ? Theatre 3 See you in Southampton!
How-to guide: Getting started with Microsoft Intune (part 1)
Microsoft Intune is a cloud-based mobile device management (MDM) and mobile app management (MAM) service for businesses ready to take on challenges to productivity, security, and compliance in this modern era of BYOD (bring-your-own-device). It’s affordable and easy to use, and best of all, it’s wholly extensible and flexible. This guide will take you through setting up Microsoft Intune, show you how to enrol devices, and, most importantly, demonstrate how to deploy your supported apps. If you’re switching to Intune as your MDM and MAM platform, you’ll find this guide especially handy. Part 2 – User and Group management in Microsoft Intune, assigning licenses Part 3 – Setting up a configuration policy, Company portal and application management in Microsoft Intune Part 4 – How to configure devices in Microsoft Intune Before you start with Microsoft Intune Before setting your Intune account up, let’s review some technical requirements. Supported licenses. To use Intune, you need a Microsoft 365 subscription. Intune is compatible with the following licensing plans: Microsoft 365 E5 Microsoft 365 E3 Enterprise Mobility + Security E5 Enterprise Mobility + Security E3 Microsoft 365 Business Premium Microsoft 365 F1 Microsoft 365 F3 Microsoft 365 Government G5Microsoft 365 Government G3 It’s also possible to sign up for a free 30-day Intune trial. Supported OS and Browsers. Intune is an MDM service. Thus, it supports different operating systems: Vendor OS Apple Apple iOS 13.0 and later, Apple iPad OS 13.0 and later, macOS 10.15 and later Google Android 6.0 and later Microsoft Windows 11 (Home, S, Pro, Education, and Enterprise editions), Surface Hub, Windows 10 (Home, S, Pro, Education, and Enterprise versions), Windows 10 and Windows 11 Cloud PCs on Windows 365, Windows 10 Enterprise 2019 LTSC, Windows 10 IoT Enterprise (x86, x64), Windows Holographic for Business, Windows 10 Teams (Surface Hub), Windows 10 version 1709 (RS3) and later, Windows 8.1 To perform Intune tasks, you must use Microsoft 365 admin center or Azure portal. To gain access to these web portals, you have to use the latest version of the following browsers: Microsoft Edge Safari Chrome Firefox. After confirming you have Intune-supported OS and browsers, you can set up Microsoft Intune tenant. Sign up to Microsoft Intune Before using Microsoft Intune for your organization, you must first configure Microsoft Intune tenant. If you do not already have access to Intune portal, you can sign in for a free 30-day trial. If you’re using a work or school account to access the trial, use it to sign in and add Intune to your subscription. Otherwise, you can create a new account to use with Intune. To sign up, go to the Intune set up account page, enter your email and click Next. Add your name, business phone number, company name and size, and country. Click Next. Add your business entity’s domain name and check for its availability. As you can see, now your domain consists of your company name and onmicrosoft.com. Later we’ll discuss how to set up a custom domain. And finally, create your username and password and click Sign in to complete setting up your Intune account. Once subscribed, check your email, and verify your account using the provided link. Usually, after verification, you’ll be redirected to the Endpoint Manager Admin Center. If not, here’s the link. To sign in to Microsoft Endpoint Manager, your account must have either Global Administrator or Intune Service Administrator (aka Intune administrator) permissions in Azure AD. Intune as MSM authority Immediately after signing in, you must configure mobile device management (MDM) authority to Intune. This configuration may occur automatically. You’ll see an orange banner indicating whether this is the case. The MDM authority setting defines how you manage your company devices. Important note: You must set the MDM authority before enrolling devices. To choose MDM authority, click on the orange banner or go to Tenant Administration > MDM Authority. Check your MDM Authority set under Choose MDM Authority, and then you can set MDM authority to Intune MDM Authority. Add custom domain in Microsoft Intune (optional) When your organization subscribes to Microsoft Intune, you get a unique domain name hosted in Azure Active Directory. Your new domain will follow this format: your-domain.onmicrosoft.com. your-domain is the company name you chose when you signed up, and onmicrosoft.com is the standard suffix assigned to your account. Instead of using this domain name provided by Azure Active Directory to access Intune, you can configure a custom domain for your organization. Sign in to your Microsoft 365 admin center account to configure a custom domain name. On the navigation panel, choose Setup > Domains. Choose Add domain, type your custom domain name, and click Next. Next, verify that you are the domain owner as indicated in the previous step. You can do this by sending a verification email or adding a TXT record. Once the domain is verified, you can check your default domain. Now you’ll see that your domain is listed as Healthy.
AppManagEvent 2022 | Utrecht, the Netherlands
Scappman in a Gold Sponsor of AppManagEvent 2022! Feel free to stop by our booth to ask your questions about Scappman, to see Scappman in action and, of course, to get great Scappman swag 😉 Date: October 7 Location: Jaarbeurs, Super Nova, Utrecht, The Netherlands Website: AppManagEvent – The Industry Event for Application Packaging, Application Deployment, Workspace Security and Endpoint Management. What is AppManagEvent? AppManagEvent is the annual industry event around application management. It gives IT Professionals and IT Decision Makers a status&future update on the leading technology, tools, strategies, insights and trends around Application Management. For 2022, the themes are Deployment, Security, Application Virtualization, MSIX, Win10/11/365 management, Identity Management, IT Infra, and much more. One day with great Speakers, Tech Content, Solution vendors in a professional atmosphere and inspiring location. Session: The NEW way of managing applications with MEM Join Scappman’s CEO, Wout Vergauwen, for the informative session about automated application management in Microsoft Endpoint Manager. In this session, we’ll give you a walk-through of Scappman and its capabilities and show you what makes it so different from the existing Application Management solutions. Scappman is a 100% cloud and agentless platform that plugs into Microsoft Endpoint Manager and fills the gaps of that product. Scappman is able to deliver ANY Windows app to your MEM environment thereby adding functionality like application update rings, updating of available Company Portal apps, user interaction when the app is in use, multi-tenancy, application sets, etc. Add the Scappman session to your schedule on Yellenge app! ⏰ 11:15 – 12:00 ? Expedition room See you in Utrecht!
Known issues and considerations when using Scappman
Events and Webinars
Events and Webianrs Find out about upcoming and past events of Scappman Upcoming events Webinar: Introducing Discovery & Autopatch features The Discovery & Autopatch features are finally live! Join Scappman for this webinar to learn how to manage your apps in Intune in a few clicks. Read more No upcoming events! Past events All Post Cybersecurity Microsoft Intune MSP Tips Patch Management MC2MC Live – The Autumn edition | Antwerp, Belgium Belgium No plans for Thursday evening? Scappman invites you to the live (free!) community event in Belgium! Date: October 20 (Thursday),… Read More > South Coast Summit | Southampton, UK United Kingdom Scappman in a Platinum Sponsor of South Coast Summit! Stop by our booth (booth #5) to ask your questions about… Read More > AppManagEvent 2022 | Utrecht, the Netherlands Netherlands Scappman in a Gold Sponsor of AppManagEvent 2022! Feel free to stop by our booth to ask your questions about… Read More > Subscribe to the Scappman newsletter Don’t miss the latest updates about third-party patch management in Microsoft Endpoint Manager
How-to guide: Getting started with Microsoft Intune (part 4)
In the last part of our guide “Getting started with Microsoft Intune” we’ll walk you through the process of device configuration in Microsoft Intune. Part 1 – How to sign up for Microsoft Intune, configure MDM authority to Intune, and create a custom domain Part 2 – User and Group management in Microsoft Intune, assigning licenses Part 3 – Setting up a configuration policy, Company portal and application management in Microsoft Intune Configuring devices in Microsoft Intune Now everything is ready to enroll a device to Microsoft Intune. As previously stated, it’s possible to enroll corporate and BYOD devices with various OS (Android, iOS, macOS, Windows). Let’s take the enrolling process of the Windows device as an example. There are three ways to enroll a Windows device in Intune: Automatic enrollment. CNAME registration. Windows Autopilot. Automatic enrollment Automatic enrollment lets users enrol their Windows 10, 11 devices in Intune. For this, users must add their work account to their BYOD device or join corporate-owned devices to Azure AD. In the background, the device registers and joins Azure Active Directory. Once registered, Intune manages the device. To enable automatic enrollment, login to Microsoft Endpoint Manager admin center; go to Devices -> Enroll Devices -> Windows enrollment -> Automatic Enrollment. Next, configure MDM User scope and/or MAM user scope: None – MDM automatic enrollment is disabled. Some – groups are selected for automatic enrollment. All – all users can automatically enroll their devices. Once done, click Save. CNAME To enroll a Windows device using this method, you must create a domain name server (DNS) alias (CNAME record type) that redirects enrollment requests to Intune servers. To put it differently: In trying to connect to Intune, users must enter the Intune server name. The first step is to create CNAME DNS resource records for your company’s domain. For example, for the domain contoso.com, we would make a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com. If the company uses more than one UPN suffix, you need to create one CNAME for each domain name and connect each to EnterpriseEnrollment-s.manage.microsoft.com. For example, users at Contoso use these formats as their email/UPN: [email protected]. [email protected]. [email protected]. It might take up to 72 hours to process the changes to DNS records. Once all the changes are processed, you must verify CNAME – go to Devices -> Windows -> Windows enrollment -> CNAME Validation. In the Domain box, enter the company website and then choose Test. Windows Autopilot configuration Windows Autopilot makes enrollment of devices simple. With Microsoft Intune and Autopilot, you can give new devices to the ned users without building, maintaining and applying custom OS images. The enrollment process with Autopilot consists of 3 main steps: adding a device, creating of autopilot device group and autopilot deployment file. 1. Adding a device Firstly, you have to create a CSV file to identify Windows devices and import it into Intune. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Devices (under Windows Autopilot Deployment Program -> Import. Under Add Windows Autopilot devices, import your CSV file. It can take several minutes. Once import is complete, go to Devices -> Windows -> Windows enrollment -> Devices (under Windows Autopilot Deployment Program ) -> Sync. A message displays that the synchronization is in progress. The process might take some time to complete, depending on how many devices you’re synchronizing. 2. Autopilot device group The next step is to create a device group and put the Autopilot devices you just added. In the Microsoft Endpoint Manager admin center, choose Groups > New group. In the Group blade choose Security for Group type, enter Autopilot Group for Group name, and choose Assigned for Membership type. Afterwards, choose Members and add the Autopilot devices to the group and click Create. To know more about Group management in Microsoft Intune read this blog. 3. Create an Autopilot deployment file Now you must create a deployment profile so that you can configure the Autopilot devices. In the Microsoft Endpoint Manager admin center, go to Devices -> Windows -> Windows enrollment -> Deployment Profiles -> Create Profile. On the Basics page, enter Autopilot Profile for Name and Test profile for Autopilot devices for Description. Set Convert all targeted devices to Autopilot to Yes. This makes sure that all devices in the list get registered with the Autopilot deployment service. Allow 48 hours for the registration to be processed. Select Next. On the Out-of-box experience (OOBE) page, for Deployment mode, choose User-driven. Devices with this profile are associated with the user enrolling the device. User credentials are required to enroll the device. In the Join to Azure AD as box, choose Azure AD joined. Configure the following options: End-user license agreement (EULA): Hide Privacy settings: Show User account type: Standard. Click on Next. On the Assignments page, choose Selected groups for Assign to. Choose Select groups to include, choose Autopilot Group. Select Next. On the Review + Create page, choose Create to create the profile. Now you can now distribute the Windows devices to your users. When they sign in for the first time, the Autopilot system will automatically enroll and configure users’ devices.
