There's more to third-party patching than SCCM 1806. Come see!

October 18, 2018

Chris Goettl | Director, Product Management, Security | Ivanti

Todd Schell | Product Manager for Patch | Ivanti

Given the new Third-Party Updates feature in Microsoft SCCM 1806, our Ivanti security experts are excited to share with you how Ivanti Patch for SCCM will continue to enhance your SCCM solution. With our plug-in, you can more easily patch third-party apps from the SCCM console with no additional infrastructure or training. For example:

  • SCCM 1806 requires that you subscribe to each catalog from each vendor. If there are any issues, you must go back to that vendor for support. Patch for SCCM consolidates all supported vendors and gives you one point of contact for automated patching information.
  • SCCM 1806 has a limited number of vendor catalogs, and each vendor must create its catalog specifically for 1806. Patch for SCCM makes available catalogs from a large number of vendors, and Ivanti adds additional vendors to address customer feedback and market demand.
  • Our new Patch for SCCM release, due out this month, can read in vulnerability scan results from any vendor, view the identified Common Vulnerabilities and Exposures (CVEs) and associated patches, and publish any missing patches to the update server for deployment.

This is just a quick look at the many benefits Patch for SCCM offers to enhance your SCCM experience. Sign up to learn about them all!


Chris: Good morning everyone. My name is Chris Goettl. And with me today is Todd Schell. Hi Todd.

Todd: Hey Chris.

Chris: How are you doing?

Todd: I'm doing good.

Chris: So today what we wanted to talk to you about is we'd like to go through a little bit about third-party patching in Microsoft System Center and specifically in talking about SCCM's 1806 release and the new third-party update feature that has released as part of that and how it differs from what we do at Ivanti. So we're gonna talk a bit about that and some of the differences there, some of the challenges that you would have if you use the SCCM feature versus how Ivanti does things. Let me get my slides advancing. There we go. So, first of all, let's talk a little bit about some of the history of SCCM and third-party updates and the Ivanti legacy and how we came about the direction that we took because I think it gives you a little bit of an idea of some of the technology choices we've made and why we do things specifically the way we do them.

So if you look at System Center, System Center 2003 had a feature that just allowed you to create a custom update. It was a pretty crude experience. It needed some additional work. So when Microsoft released SCCM 2007, they released SCUP, the System Center Updates Publisher, as an improved experience on being able to import a custom update into Microsoft System Center. So now I've got a better experience around being able to update and publish non-Microsoft applications updates through System Center. So Shavlik's a company that Ivanti actually acquired several years back. Shavlik had introduced the first commercial third-party update catalog. It was a SCUP catalog, but it combined many third-party applications all in a single SCUP catalog that could then be imported through that feature in...2008 is when we released that.

There were some limitations. Shavlik as a company had been a long time patch management vendor. We had built our own proprietary assessment and deployment capabilities. In fact, the Shavlik team was the original authors of the MBSA, the Microsoft Baseline Security Analyzer. That was actually a contract that Mark Shavlik and a few others wrote for Microsoft. And when that reached kind of a 2.0 generation, that technology became our agentless assessment engine. We have kind of a long-term legacy as a patch management vendor. What we found though is WSUS had some limitations, so whether...what you're doing when you publish through System Center is you're really publishing updates into WSUS. So there were limitations in this WSUS engine that we couldn't support all of the same products that we did in our standalone solution in the SCCM catalog.

So we took a look at that and in Microsoft System Center 2012, we looked at their third-party plug-in framework and we actually designed a plug-in that was a native plug-in for System Center. And it also was able to include Shavlik's proprietary deployment technology in there. This allowed us… Specifically at the time there were huge challenges with how to deliver Java updates and many Apple updates to environments. For those of you who had a lot of executives on iTunes early on, if you tried to deploy Apple iTunes out to your environment to keep that up to date because that's pretty much how everything had to sync through for your iPhone to get updates and everything, one thing that happened is if you try to do a silent update of Apple iTunes, it would break the iTunes install. You would start getting errors about Apple mobile support service and update service, all sorts of things broke.

So what we did was we actually built in our deployment technology there so that we could do what we call dependent actions. So this gave us the ability to take the vendor's installer, not modify it in any way but be able to wrap it using our proprietary technology and still be able to deliver that as an update through the System Center Configuration Manager interface. So that's a little bit of the backstory on how the update system within System Center has evolved over time here. Now, if we fast-forward to this most recent release, SCCM 1806, the 0.2 release that came out introduced this third-party updates feature. So we wanted to talk a little bit about that next and what it is doing to advance the evolution of third-party updates delivered through Microsoft System Center. So the third-party updates feature, very simply, it allows you to subscribe to partner catalogs in the configuration manager console and publish updates to WSUS, it doesn't sound too dissimilar from how SCUP worked.

Now, the biggest difference is they've changed the user experience a bit. Instead of being a separate kind of component bolted on to the side of SCCM, it's more baked into SCCM now. There's a number of things that you've gotta go in and turn on to get it all to work at every signed app. But ultimately, you're able to deploy third-party updates using the existing software update management process. The feature is already installed. All you have to do is enable it. So that's kind of the premise behind this 1806 feature. The problem is there's still some caveats. There's some limitations to what it can do. One of the questions that since this release that's come up that...Todd, we've been asked this a number of times. So the question is, well, can't I just take your catalog and instead just import it using the third-party update feature within System Center? So now the challenge we've got there is several of those updates we've talked about, the proprietary way that we do that. We can't do that through the third-party update feature in SCCM. We still need our plug-in because it can't wrap those additional actions for us.

Todd: It severely limits us if we can go down that route.

Chris: Yeah. And we are talking probably a couple of dozen applications at least in our catalog that would not be supportable because of that. So these are applications that through WSUS, whether you're using the third-party update feature or trying to do these things through SCUP, you would not be able to support those out-of-the-box. So we're gonna talk about some of the challenges with this feature and why a plug-in like ours still goes beyond what you're gonna get with this out-of-the-box feature there.

So Ivanti patch for SCCM, here's some of the advantages of our catalog, and I apologize. The number of words on this slide is extensive. But let me kind of boil this down. The first and one of the most important things here is we have an extensive catalog of third-party updates, but these are all delivered from a single vendor. In the SCCM 1806 model, each vendor has to support their own catalog. Well, that means that you need to get the Adobe catalog. You need to get a catalog from Dell, from HP, from Oracle, from Apple. And we've got over 50 different vendors that we support and over 150 different applications that we support in our catalog. So you'd have to independently manage over 50 different catalogs to get the equivalent of what we do in a single catalog that you can manage all in one place. You also have a difference in relationship. If I have a problem with an Adobe update, I can't go to Microsoft to get that fixed. I have to go to Adobe to get that fixed. If I have a problem with a Java update, I have to go to Oracle to do that. If I have a problem with something else, well, many of them, first of all, those vendors don't even have a catalog yet. After they create one, then you have to manage each of those relationships with each of those individual vendors. So it becomes very cumbersome very quickly.

The install process. One of the things that Microsoft has said that they've done is, "Yeah, we took SCUP and we pulled it in so it's more part of the SCCM experience." There's actually quite a bit of work you need to do to enable this feature. So you've gotta go into many different areas of System Center and turn on different features and configure certain things. In the patch for SCCM install of our plug-in, we install the plug-in. We turn on many of the pieces that you need there and then we've got a configuration wizard that quickly goes through and identifies here's the things that need to be modified before you're able to publish third-party updates, all the same things you'd have to do if you were to turn on this feature in SCCM 1806. But we clean up the experience so that our customers as they get on board with this should get to the point where they can start publishing third-party updates in 15 minutes. That's our target for how quickly we want to be able to allow these customers to get up and running.

So SCCM 1806 has a limited number of vendors who have created catalogs today. I mentioned this a second ago. In the preview that they turned out just weeks ago, they had Dell and HP driver catalogs and then there was an Adobe catalog. Now, again, we've got over 50 different vendors that we support today. Not all of those vendors are gonna be incented to create an SCCM catalog. So there's gonna be a limit to how much content there's gonna be in the SCCM catalog. And it's gonna take a long time for those vendors to ramp up and do this. And then you've got all of those vendors releasing at different times. So you're gonna have to be aware of and manage that many different vendors in that many different catalogs. So again, with a single catalogue and with our content team doing all of the management work for you, you get a significant amount of burden taken off of your team and can continue going forward with doing the things that you need to do, which is publish and roll those updates out and then go back to your day job and get everything else done you need to do.

The third-party updates feature doesn't remove the dependency on the SCUP. So we talked about SCUP being kind of the legacy. Well, actually it's more of the advanced option. So the third-party updates feature set is going to take updates and without any modification be able to publish them into SCCM, into WSUS. But if you need to do something like edit an install switch or modify anything about that, you have to use SCUP to be able to do that. And there's many configurations where even SCUP may not be able to achieve all the things that you wanna do. So we've got a lot of customers who may do things like a custom transform for Adobe Reader or they might be modifying install paths or doing other things. With each one of those customizations, you have to take that catalog and still go back to SCUP, the legacy format of how you publish into System Center to be able to do those modifications. So in our product, all of these editing capabilities are built right into the user experience. And 1806 is still limited by those capabilities of WSUS, which means that there's a number of third-party updates that will have difficulty updating or may not be supportable at all. And again, in the Patch for SCCM plug-in, we wrap in our proprietary technology so that we can do some of those. So let's talk about a few of those examples. So, additional deployment actions that we do, Java is a great example. Java is one of the hardest applications to update.

Todd: I get more questions on that from our customer base than any other product by far.

Chris: Absolutely. So if you've ever tried to package up and deliver a Java update through SCUP previously, you probably came across some of these. Basically, if you push a Java update, the first thing that the installer does is it uninstalls the current version, then it checks to see if Java is running and updates if it's able to do so. Well, what you end up with in most environments is the Java Runtime is always running. So at that point, you've uninstalled the Java Runtime. You failed to update because Java was in use. And at the next reboot, you suddenly have no Java at all, a very complicated scenario.

So what we do at Ivanti is we actually will...we have detection, because of the dependent action capability that we've got, we wrap some additional steps into that install package that's published. At runtime, it's gonna detect if the JRE is running. If it is, it will do an install as a side by side install so that we don't disrupt the current Java runtime from running on that system. And on reboot, we have post reboot jobs that will go and clean up the old install now that the new install takes over. So it's a very clean and easy way for us to deliver that but would not have been possible without our proprietary technology. Other examples: VMware Workstation and Player and then Oracle VirtualBox. All could be on systems in your development organization throughout your environment. And people could be running VMs and you might not wanna disrupt that VM. So if we have a situation where one of those needs updates, we can detect that that's running and schedule the update to happen on reboot rather than disrupting a VM that might be doing a critical task in that environment at the time. GoToMeeting, this one is another one where the GoToMeeting installer doesn't really behave all that well in a silent execution mode. So it doesn't cleanly stop and start the GoToMeeting service and will predominantly fail majority of the time when you try to update it silently. In our application, we have the ability to again wrap some additional commands in there to make sure and cleanly stop the service, update it, and then start the service up again after it's done.

If any of you are using Zoom or BlueJeans plug-ins for Outlook, this is another case where you could interrupt a user, their user experience if that Outlook plug-in is running. So we can do detection for, if Outlook's running, go ahead and schedule these updates after the reboot to prevent disruption of that user experience. And we've got other vendors like Skype, which actually, you've got difficulties with Skype, 7-Zip and Inkscape where updates don't really clean themselves up afterwards very well. They leave a bunch of garbage behind old install folders like orphaned files that will just sit there on disk at that point and down the road, it's taking up space. It's clutter. It's things that you don't need, could even leave things behind. So 7-Zip, it does have...actually, all three of these products have had security vulnerabilities over time. And leaving some of those components there, if somebody knows it's there and can take advantage of that, they may be able to continue using a compromised version of that if some of these bits are left behind. So, in cleaning this up, it's more of a kind of a security step as well as just good cleanup of the system. So those are just some examples of those additional deployment actions that we do with our technology in the mix, things that you would not be able to script and do very easily unless you completely repackage these updates every time you have to do a new one.

All right. So what else can Ivanti patch for SCCM do? Well, we talked about that easy installation and configuration. We talked about a single catalog, one vendor to deal with when you need some support. But we also have the ability to view updates and choose what to publish before anything is published into your system. With the SCCM 1806 feature, all metadata for all updates in all catalogs that you synched with gets published before you can even look at and choose what you want to publish full installs for. So what this ends up doing for those of you who have run into WSUS database growth issues, this can get quite cumbersome very quickly. Take a catalog like HP's driver catalog. So Todd, do you remember how many drivers are in that catalog today?

Todd: Many hundreds.

Chris: Actually, it's 4,400.

Todd: 4,400, wow.

Chris: Yeah. So think about this. If I import that HP catalog, all 4,400 drivers are going to publish metadata into my WSUS database.

Todd: So it's all or nothing.

Chris: It's all or nothing. I see the metadata for all of those before I'm even able to look in and say, "Oh, here's the 300 that I actually need for my environment." So I've got 4,100 drivers metadata in my WSUS database taking up space that I had no choice in the matter. If we were to import that same catalog, we can do so, like you look at all of the data in that catalog first and choose what you want to publish so that you don't publish anything to your database and start to increase that unnecessary bloat. WSUS, when it gets full, it becomes a very difficult support situation. For any of you who dealt with that, not a situation you wanna be in. So this is a complication that as you get to the point where you've got 50 different vendors' catalogs, dozens of products potentially in some of those catalogs, you don't wanna publish all of that metadata just to be able to decide what you wanna support. So our experience actually doesn't hit the database until you start to make choices about that. Now, we have a lot of automation around that. So when you start to make those choices, you can make those choices and set them and forget them. But it doesn't force you into that case where you bloat that database before you're even deciding what you actually need.

All right. So I kind of talked about this a little bit. But viewing our entire catalog before any metadata gets published into WSUS, again keeps the database clean, keep growth from becoming an issue, that ability to customize third-party updates without dependency on SCUP, all of that right in our editor so you don't have to do that. We also have a lot of additional features. Again, this is a mature plug-in. We've been doing this for several years now as just a plug-in and many years before that as a patch management vendor. So we know a lot of the hang-ups and hiccups and bumps down the road that people are gonna run into, the things like being able to edit that package, republish, re-sign an update, expire an update, have all those things just automatically happen and cleanup. One that we've added just recently in our 2.3 release was support for timestamp servers. So Todd, what was the biggest complication there?

Todd: Yeah, the big thing there is as your certificates expire in SCCM, all your patches have to be re-signed. And as they expire, it becomes a pain to do that. You have to go through individually select and re-sign everything. With our timestamp server, you have the ability to identify which patches you never want to basically expire. You can go out to an independent verified timestamp server identified in the product. We will pull that information in and sign those patches or those updates using the authentication from that timestamp server. Essentially, they never expire for you. So you can constantly use them.

Chris: Yeah, so the combination of that re-signing feature and that timestamp server make it so that your longevity of those packages that you're supporting becomes something you don't have to worry about. In the third-party update feature, if you need to re-sign an update, you actually have to completely republish that whole experience. So you have to basically expire the invalid now signing and then you have to go re-sign and republish that update. So it becomes very cumbersome if you don't have these more mature workflows built into the experience. There's a lot of thought, a lot of maturity in this plug-in that handles things that as you're evaluating today, you're not even gonna run into these. These are things that are gonna come a year, 18 months, 24 months down the road. And when they do come around, they're gonna be very painful. That's already all built right into the product. Now, we're just about ready to release a new version here. Ivanti patch for SCCM 2.4. We're in system test right now. In fact, sometime today or tomorrow, we're looking to get that final thumbs up and push out to production. But we wanted to talk a little bit about two very exciting new features that are coming in the latest release that again show the maturity and the experience that you get with this plug-in. So, the first one of those is software update groups. So, Todd, tell me a little bit about what's this feature doing.

Todd: Yeah. So software update groups obviously exist in SCCM today. They've been around forever, it allows you to group software updates into a common group that you can then push out with your ADRs. What we've done in the plug-in today is as part of the publishing process, we'll take a look at your existing software update groups that you already have in SCCM. You can add additional third-party updates directly into those or you can create new software update groups directly from within the plug-in itself. And from there, they can be...obviously, you'd wanna pull in the third-party updates themselves or you can do a hybrid if you want to as well. So we're automating that process, pulling it into the plug-in. And as part of the publishing process, they're automatically pushed into your update groups, once again, helping out there. You don't have to actually go into SCCM directly after you've published your updates. You can now do it ahead of time and do it as part of the publish process.

Chris: And for those of you who have published third-party updates before either through SCUP or if you've been playing around with the new third-party update feature in 1806, you know that each time that you have to wait for these sync processes to occur, there's a variable time element there that you can't predict. So you kind of set that in motion, go off, do something else, maybe grab a cup of coffee, handle a couple other incidents, and then come back and then add that published now title to your software update group. Well, in this case, we're automating those steps for you again.

And then this one, I'm actually...this is probably one of the most exciting features that we at Ivanti have done in the patch space for quite a while here. This is something that every company I've talked to is challenged with this type of prioritization. You've got your relationship between the security team and the operations teams. You've got to be able to take that vulnerability assessment that's done, all of the CVE IDs that were identified by Qualys or Nessus or Rapid7, it doesn't matter who it is, but the operations team now has to go and figure out how do we solve all those problems. Well, you go through 40,000 items in a report and you could burn a day easily duplicating and just identifying what do I need to actually roll out to my environment. And then you actually have to go into the system and figure out, "Can I get that update? Can I push that out?" Well, we built that in as a first-class experience here now and we're gonna show you that today. Now, Todd, you were out at Ignite here just a few weeks ago and you did a session where we demoed this and then you had a lot of people come by the booth and talk about this. Tell me a little bit about some of the buzz that was going on, some of the excitement around this feature.

Todd: Yeah. Oh, absolutely. I mean, the number of people that came by after I presented and talked about this new feature, they were talking about how much time they spend doing this. For some people, it's almost a full-time job. I mean, they're literally looking through these reports depending upon how often their security group provides them and they're spending time constantly going through, identifying the CVEs that have been identified in their reports, matching them up against a given update and then having to push them out through SCCM. So, an automated process like this, they said, "Basically, my job is kind of greatly, greatly simplified."

Chris: Absolutely, really excited about it. All right. Talking about this is great, but let's actually take a look at this. So, Todd, why don't you give us a quick demonstration of some of the features that we talked about especially that CVE report.

Todd: Okay, perfect. Okay. Let's wake this up. There we go. Okay. One of the things that we say about our plug-in is that essentially, if you know SCCM, you know how to use our product almost immediately. There's really no training involved. As you see here, Chris mentioned that it's fully integrated. We're using all the APIs that Microsoft has published regarding third-party plug-ins to SCCM. And you can see that under the software library tab, there are two additional tabs that we've added in here. Here's the Ivanti patch and here's a special one that shows the things that have been published over to your update point.

Chris mentioned that one of the advantages of using Ivanti for third-party updates is that you don't have to handle individual catalogs. But another important thing is that you don't have to be dependent upon those vendors that are gonna be supplying these individual catalogs for updates. Essentially, our team goes through looking at all the latest updates for the products we support and we generate a catalog and release an update to our catalog twice a week on a regular basis. Around Patch Tuesday, we do some additional releases to provide timely updates to you depending on the vendors that are releasing around Patch Tuesday. And also if there happens to be a zero-day announced and vendor that we support we'll push out a new patch, we will push that out as quickly as possible as well because we're constantly monitoring all those. So you're getting updates directly to our catalog essentially as fast as the vendors are releasing them. So just be aware of that as well.

You'll notice in here I have some of those, the latest ones. We've done updates here on the 16th, the 15th. You'll see back to the 12th, the latest updates for the products that we support. Notice that this particular item here, I'm showing the latest, not published updates. So essentially, this is the wrong information that's coming out of our catalog as part of the normal update process. We post this content at Your SCCM system will be configured to go out and grab this information and pull it down and display it within this tab. And from here, essentially, you identify which of these updates you would like to publish over to your update point and include as part of that. So, for example, you can go in here and look at this particular product. Here's the information very quickly about the release, it talks about what we've superseded, what the latest release is. So we collect all this information for you ahead of time and provide all this information within the product itself.

Chris mentioned the ability to edit this information if you needed some customization around this. Typically, what we're doing as part of the installation is we're choosing a silent default for the most part as part of the installation process. We do advanced things, like Chris mentioned for Java. But typically, we'll go with kind of what the manufacturer recommends as a silent default. If you wanna go in and look at the rules specifically or edit the rules around this particular update, this is all the information available about this particular update. You can see if there's localized information. You can look at the list of superseded updates that are being addressed in here. This is the value that we provide as far as the installation rules and how we go about doing the installed update. You can go in here. And typically, this is where our customers will generally not touch this stuff. But what they will do is provide perhaps some custom installation, what they wanna put it in a different directory or they wanna pass some variables down to the installation process as well. So they might wrap a script around it. It can be a pre-install script to clean something up in their environment that they're aware of. It could be a post install script. So there are a lot of options here. And as Chris said, this is directly integrated into the product. So you're not having to go through that SCUP interface that we talked about earlier and go through that particular complexity.

So these are your updates, as part of this process, you would go through and you would select publish. Then at this point, you can choose how quickly you want to publish these over to your update point. These are a lot of options as far as how you wanna go about doing this. You wanna publish metadata only, so a lot of different options here around the whole publish process. Chris mentioned also some of the other abilities that we have in the product. So, for example, one of the things that we have here is shared settings. Notice over here there is the ability to create filters, and we call these smart filters. So you can build through and identify how you want to look for and group information. You can create a smart filter and then you can share this filter information off with other users on your system if you want to. So you can go through this shared setting functionality, so it's something definitely interesting there. From a scheduling perspective, you can actually roll groups of updates into these smart filters. You can group them here then and you can schedule a task. You can publish continuous updates related to each one of these filters. So, essentially, you can automate the entire process around. As we provide the latest updates for a given vendor, you automatically publish those off to your update point.

Chris: So I can take [crosstalk 00:30:13] and tell it to publish every time it finds a new one so that I know that it's just automatically gonna happen.

Todd: Absolutely. So your entire automation process depending upon your automatic deployment rules on the other side, it'll be automatically pushed out on whatever schedule you want.

Chris: Excellent.

Todd: Other things that Chris talked about. So as part of that publish process...sorry. One of the things you can do here is notice that this is where we add in the software update group. So you can go in here right now. You can select what update groups you want to include this particular update with over on your updates on your SCCM server. These are already created over on the server or I could create a new one. So I could go in here and create a new software update group and it would...automatically, you can choose whether you wanna publish. Once again, these options still apply to the software update group and they would be automatically created and added once again over there on the update point in a fully automated fashion. We're trying to complete multiple steps in a workflow and combine them into one easy process moving closer and closer to an automated installation, automated process for you.

Okay. Last thing, Chris talked about the ability to import CVEs and match them up to known patches. So we added this feature up here on the bar, import CVEs. Essentially, what you can do is any file that has plaintext information identifying CVE information, you can use as part of this import feature. So whether it's in HTML format, it's a CSV file, it's a plain text file that you've created for whatever source, we have the ability to go through, scrape through it essentially and identify associated patches. In this case, I have a small 62 Meg file that...

Chris: That's it?

Todd: That's all, it's a small one. I'm gonna read in the CVE information from this particular file and it's going to identify the CVE, got some old ones here, 2008, Chris, wow, and it matches those up with updates that address these particular vulnerabilities. So very quickly, it goes through and shows you exactly what patches you would need to apply on your endpoints. Notice over here. It also identifies...well, let me say down here at the bottom. Notice in this particular case, there were 4,880 CVE IDs. If you had to manually go through this report and identify the associated updates that address these, the answer is 1,369. Once again, I said earlier, like in my Ignite conversation, could be somebody's full-time job essentially going through and doing that. You'll notice that over here there are CVEs with no updates. This is because right now we are not looking at the Microsoft patches. Okay. These are most likely associated with Microsoft patches or possibly third-party products that we're not supporting in the catalog today.

Chris: Yes. This is actually a vulnerability assessment that was done using Rapid7 and it was also scanning Mac systems, Linux systems all in that same environment. So we got all the Windows updates, third-party updates, and everything here as well. But those Mac and Linux ones are the ones there on the right.

Todd: Okay. Suppose we wanna narrow this down a little bit, and I wanna for example just pull up iTunes so I can go through and find anything that's related to iTunes if that's what I'm interested in from this particular...

Chris: Sixty two unique updates. So our iTunes installed in this environment are kind of out of date.

Todd: Yeah. Select visible updates from the main window. So from this point, what I've done essentially is notice that I'm back over into my normal workflow from showing my Ivanti patch flag...screen rather. I've created a filter that I've called included for now. That's what the CVE import feature does by default. But essentially, from this point now, I have all these things selected and I can go through and publish these over to my update point. I can go in and selectively choose which ones I want to do further refinement. I can create a smart filter and put it in a scheduled task. Now, one of the really nice things about this, all of these are just for one product. These CVEs are missing in multiple different versions, but really, all we need is the latest one. So if we sort by the created date or the iTunes version, we can just publish the latest one and take care of our entire problem in one shot.

Chris: Because we've got all that superseded data included in here, we've got that hierarchy, that relationship in our metadata, you can easily go and take care of all 62 of these unique items with probably a single update.

Todd: Exactly. That's pretty much for the CVE, the patch from this feature. One last thing I wanna mention before I turn it back over to Chris. We talked about catalogs. We've been supporting the import of other catalogs since the day the product was released essentially. So if you have other catalogs that you want, for example, to include that we are not supporting, and notice here I've included, for example, the HP catalog, you may want those drivers, we have the ability to go through, pull those in as well in a very easy fashion as opposed to, like Chris said, via the difficult setup or the more complex setup under the 1806 third-party updates. So we can do that for you as well through our product. Chris, with that, I'll turn it back over to you.

Chris: Excellent. So we did wanna do a couple more things here. Oh, I'm in the VM yet. Let me minimize that guy here. There we go. Now I'm switching back and forth again. All right, back to here. There we go. So we did wanna talk about a couple other things. Here at Ivanti, we don't stop as just being a solutions vendor. We've been around the patch business, I mean, literally going back to the roots of Microsoft starting up their patch program there. If you look back at our history here, the technologies that you're looking at were built by the Shavlik product team way back in the day. Some of these people including Mark Shavlik, the founder of that particular company, started out as Microsoft developers. We had the guy who started the trustworthy computing team that was building the initial Windows patch content, Eric Schultz, came over to Shavlik as well and started our content team. So we've got a very long history and lot of expertise around patch management. This has been carrying through to today as well. We've got a team of content experts that know the ins and outs of how to update and manage Microsoft updates, third-party updates, cross-platform into Mac and Linux as well.

One other thing that we do is we bring a lot of that expertise out to the industry as additional information that people need. So, Todd and I, and we've got support from many other people on our team that pulls all this together, we host a monthly Patch Tuesday webinar, so not only do we provide solutions but also expert guidance. We summarize and bring together the things that people have to go looking for and struggle to try to pull all together, but we do this on a monthly basis. In fact, we do it on a weekly basis. We've got digests about all the things that we're doing, known issues in the industry that we go through on a regular basis. When you look to Ivanti for our technologies, you also get a trusted adviser, an expert in the domain and you get a lot of additional information. So, Todd, when we go through the webinars each month, what are some of the things that really kind of stand out that we provide there?

Todd: Yeah. During the webinar, for example, we'll talk about the fact that Microsoft releases different kinds of updates. They do security only updates. They do monthly roll-up updates. They do cumulative updates under Windows 10. Models are slightly different. So we get a lot of questions around what are you seeing this month. Are there known patch issues with the latest cumulative update for Windows 7 for example? A lot of times, they get more details. For example, Microsoft gives guidance on, "Oh, you have to install this service stack update before this particular update." So we'll be answering those kinds of questions and talking about the latest known issues as part of that webinar. There's a wide audience from people who are new to the patch side to people who are asking very detailed questions. And like Chris said, we have Brian Secrist on the call with us who does that weekly blog telling you what's happening between the Patch Tuesdays. But he's also helping to answer those technical questions that are really, really needed by our customer base.

Chris: Absolutely. It's a very highly followed webinar series and a lot of people find value out of there including non-Ivanti customers as well. So we do invite you all to take a look at that webinar series. You can go out to that. Erica has shared that link out to the group here as well. And last, we did want to provide you guys with a special offer today. For those of you who are not using Ivanti patch for SCCM today and might be evaluating it or interested in looking at the technology here, we do have an offer good until the end of this year. It provides you a free 30-day full license of our product, not just a trial license, not a limited license, not a fixed [inaudible 00:39:45] account, but we're saying that if you come to us and say, "I've got 1,000 machines, I've got 10,000 machines, I've got 30,000 machines and I wanna take your product for a spin," we're gonna give you a full license of our product for 30 days. We also have as part of this offer a 20% off opportunity here for you. So, if you're interested in that, there is a link on the slide here, Erica, if you grab that one as well and share that out with the group. But we'll have this presentation available after today's webinar as well where you can go and get to that form if you're interested and submit that.

So, at this time, we do wanna take some time here to answer any questions that you guys might have. And it looks like we do have a few here. So, Todd, let's see. One of the questions here from Asher is could you uninstall packages with this plug-in. That depends upon SCCM and what the vendor has built into the product. The answer is yes, you can as long as the vendor has provided that capability. Keep in mind here that essentially, we are a full front end product. We support all the third-party patches combining them into software update groups. And from that point, it's up to SCCM to handle the deployment and installation of those updates based on the rules we include but yes. The answer is yes. Depending upon what the vendor provides, we do provide uninstall support for some and rollback. Joel has a really good question here. Where can I get information on how to use the timestamp server feature to assist with certificates expiration?

Todd: Yeah. Just go to our user guide. If you go to our home page at and go under I believe resources, Chris, you can see that all of our documentation is online and you can take a quick look at that and read through it. It'll give you all the information you need.

Chris: Yeah. Let me get the link here for that one and drop it in as well. It might take me a second to find it here quick. So while we're doing that, I'll ask the next question here and have Todd start to answer that one while I keep looking. So the next question is from David. Is there any dependencies between SCCM 1806 and your new version 2.4? I already have 2.3 installed. Do I need to upgrade one or the other first?

Todd: Now, you can go directly to 2.4. And by the way, for those of you who are running our product, this will actually show up as 2.4 update 2 when we do this particular release. We're already tested and running on top of 1806. No problem there.

Chris: Actually, it looks like 2.4 is now available for download from the download center.

Todd: Really?

Chris: Yeah. All right. Oh, and the help system's up there. They're nearly there. They're probably getting things all ready. You're gonna see the updates for the new product. All right. So you may already see 2.4 documentation up there. So I was just gonna do a search for that timestamps server and see if I can get the link for the help topic. I didn't find it. All right. I'll have to keep looking for that real quick. We do have it whether it's in the help system or whether it's in the KBMR [SP] community. I believe we've got something that describes for detail about that. All right. I think that might be all of the questions. Oh, wait. What type of file format for CVE, the CVE import are supported? Do we get a specific report on this plug-in? So it doesn't matter what vendor, also it doesn't matter what file format. I have personally tested reports from Qualys, from Rapid7, from BeyondTrust, and from CrowdStrike and also in formats CSV, XML, and text. Really the only requirement there is you need to have CVE content in that file and it just needs to be a clear text file. It can't be encrypted or password-protected. We need to be able to scrape it. But predominantly, most of the customers that we've talked to usually it's a CSV format and report that you get, so, yeah, absolutely. Literally that 64 Meg file that had 40 or 450,000 line items in it.

Todd: Wow.

Chris: Yeah. That was a specific Rapid7 insert sample that we created. Let's see, well, a couple other questions here. Does the plug-in bring a dashboard of things we deploy via this plug-in? So SCCM does have some challenges around reporting. For that, we actually do have another technology called Xtraction. With our Xtraction product, you actually get a variety of different dashboards right out-of-the-box but also the ability to click, drag and drop and create new dashboards and things as well. So with our SCCM plug-in, you could look at Xtraction with the SCCM connector and you can get very robust, very rich reporting. You can even craft that reporting to specific roles within your organization. So the operations team can see the slice of the world that they wanna see. The security team can see a more CVE specific view. The management tier, and executive tier can see a more summary level view of that data.

Now, this is not limited to just the patch portion of SCCM. It's reporting across all of SCCM. So you can do asset reports. You can any other aspects of SCCM you wanna report on. Xtraction is also not limited to SCCM. We have connectors for over 60 different products including most Ivanti products as well. It's a way to be able to bring together multiple data silos there. But Asher, to answer your question there, we've got a beautiful product that can solve your problem there called Xtraction. A question from Bradley. We currently run DSM with advanced patch management. Is this the patch management solution under the endpoint security pillar from Ivanti? Some of the same technology is available here. What you're seeing in this case, Bradley, is you're seeing our SCCM plug-in which takes a lot of the content we create, which we basically make a slightly different variation on so we can plug that into the SCCM, basically the WSUS detection engine but then our packaging technology to deploy those out. But it's basically our third-party catalog in SCCM. In DSM, you're using that Ivanti Windows patch engine but you're using the full proprietary scan and deployment capabilities there. This is kind of if you guys were looking at or have an SCCM environment, this is taking all that same extensive third-party catalog of goodness and delivering it directly through SCCM rather than through DSM.

All right. David had a question here. Is there any dependencies...oh, no, I already answered that one. Here we go. Will the CVE to patch list creation function be available in Ivanti EPM? Good question, so, yes. For those of you who are on the patch for Windows product, this will be in our November early access release that we've got coming out here shortly. February, that will be GA and then for EPM customers, the CVE import feature, it should be in the 2019.1 release. So we're doing this in many of our patching technologies. But yeah, that's the kind of the order that we're expecting to see all those come out in. Each of these are on a slightly different release cadence, so they aren't all at the same time. So Asher had another question. Do we get to demo the plug-in? Yes, so absolutely, from our website. Let's see here. I will go and pull up. I'll actually show you guys a couple of things while we're over at the website. Sure, I'm used to my snap features from...all right. Here we go. Under resources on the website, you're gonna see things like the Patch Tuesday page where we've got a whole bunch of stuff like the sign up for our next Patch Tuesday webinar, links to our infographics, webinar and blog and presentations and stuff up there. So that's some of that Patch Tuesday content I was talking about. From our webinars page, you see other things like the Patch Tuesday webinar and like this webinar here, which you guys found.

Todd: Who is that guy?

Chris: I don't know. He looks pretty young though. Everybody gives me crap right now. I gotta get a new image there because I got a lot more gray in my beard than I used to. But if you go to the resources and over to free trials, here you'll be able to see many of our products. But you can get a free trial of many of our security products including patch for SCCM's plug-in and their select products, SCCM. The stock trial here is 60 days and 5 products that you can activate in the catalog. But if you go to that special offer link that we talked about here in the webinar, that one will actually go into a slightly different queue. Somebody will follow up, ask you a few more questions about what you need. But you're going to actually get the full SCCM catalog for 30 days. So you won't be limited to just five products to play around with. You'll actually get access to more of that and for your full environment. So the standard trial, 60 days, 5 products, if you do that promo, you get access to a more extended trial in this case. All right. Let me see if we've got any other questions. Oh, this one also a very good one. This is always good to note. Does the plug-in extend the SCCM database schema in any way? The answer to that question is no. What you're seeing is these...when you look at what's in our catalog, you're seeing a rendered view of our catalog. That is not in the database at all yet. When we publish, we're publishing directly to database tables and schema that already exists. We're not modifying that in any way.

All right. I think...oh, we got one more here from David. If I'm using patch for SCCM to patch all my servers but not workstations, will there be any kind of conflicts if I wanna start using SCCM 1806 only for workstations? That is a good question. You're publishing from two different catalogs, so depending…like if you're publishing the same products from two different catalogs, those are gonna collide. If you're publishing certain products for the server side and then you're publishing different products for the workstation side, as long as they're different products, they would not collide at all. If you are trying to do the same like if you're trying to do Java on a workstation and a server, that particular update would collide at publishing time because when it gets to the database, it's Java version 9 latest build that's being published. So that metadata will likely collide. So that one, David, it probably would warrant a little bit of investigation to see if that type of side-by-side configuration would work given your circumstances. All right. A lot of it will probably depend upon the updates you selected and first in wins. I think we would probably have to take a look at that and see if there are any race conditions or anything like that.

Todd: Right, right.

Chris: Okay. I think we've answered all the questions. So I would like to thank everybody for joining us today, a lot of good questions. Again, I think we're very excited about the 2.4 release, the CVE feature especially...

Todd: Absolutely.

Chris: ...again, the buzz from our current customers and people we've been talking to is when can I get it? I can't wait to be able to start using that feature, just a huge time savings on that one alone, not to mention the other capabilities of the plug-in. So thank you again for joining us today. Again, the presentation will be available on our webinars page later on today and the link for that special promo is in the chat. If you wanna grab that real quick, please do. And it's a great opportunity to be able to use the product to its full potential.

Todd: Yeah. So for those of you who might need the video recording as well, that will also be available on the webinar page here later today.

Chris: Oh, one more question came in from Asher. So we can update Mac and Linux servers. That is something where this plug-in is extending SCCM which is still Windows. Ivanti has Mac and Linux technology where we can patch that today. So Asher, when I talked about that Xtraction product as well, we can actually provide you with a product that can patch the Linux, UNIX, and Mac platforms that you've got and with Xtraction be able to pull SCCM and our standalone product into one reporting interface to show it side-by-side. One thing we are working on right now is a tighter integration between the patch for SCCM plug-in that you're seeing today and our Ivanti security products that we're gonna be doing a tighter integration between there but that's gonna make it so that there will be a better relationship between the SCCM platform and our standalone product to provide that Mac and Linux support. So, yes, we have that capability today, a loose integration at a reporting level today, but we will be bringing it tighter together at a product level over time here. All right.

Todd: One last thing, Chris.

Chris: Yeah.

Todd: Asking for the timestamp information. If you do go to our support page and look into product documentation and choose patch for SCCM, you can go online and look at timestamp and it will pull up the timestamp server.

Chris: Right, right. Yeah, a mistake I was making. Apparently, it didn't like the fact that I put a space between time and stamp.

Todd: Very special.

Chris: So my search found nothing. You found five things. So if you do the search on the live help page, timestamp server is under a number of those topics there telling you how to use that, excellent. Thank you everybody for joining us. Thanks Todd.

Todd: Thank you.

Chris: That's very informative. All right. Thanks everyone. Bye-bye.