Transcript
I am Garima Arora, product manager for the Azure platform team. Joining me today are Deepak and Amit. They're going to be diving into a high-value topic, which is RMM patching improvements and manual controls. We'll just quickly look at the agenda and for those who are new to office hours, Deepak you can move on to the next slide, thank you. So a quick introduction of what office hours is. What we do, we provide a live product demo, followed by a focused Q&A. We look at new features, standard use cases, and most importantly, the best practices. Why we do it? We want to help you to master the platform, to increase your options, and we want a direct dialogue with you. Your feedback today informs what we build tomorrow. We are here for you every Wednesday from 11 a.m. to 11:30 a.m. EST, mark your calendars. Quick housekeeping, these sessions are recorded, all the registrants will receive an automated email within 48 hours following the session. These also go to YouTube, so you can always have the recordings and check those out. The rolling weekly schedules can be found on the university calendar. If you're facing technical issues, please let us know in the chat. There's a Q&A button on the right top with a question mark. Make sure you use that for any questions that you have. And with that, I'll hand over to Deepak. The floor is yours. Thank you.
Thank you so much, Garima. So it's been a while since we talked about patching on office hours, and today we've brought two new features that we'll be talking about here. The first one is the approval groups feature, which went live a couple of months back. So the approval group is nothing but patch approvals and device group joined together. So as you can understand, it is essentially creation of scoped patch approvals or patch blocks that would override any partner-level approvals. This feature is live for both OS and third-party patching. It's pretty easy to set up, as you'll see in the demo in a second. 
It's easy to set up. You will also be able to manage these approval groups based on your priority and be able to set those priority orders for you to be able to manage your client.
So I'll just quickly jump into a demo of how to set up an approval group. As I mentioned, approval groups is live for both OS and third-party patching. You can set it up from the patch approvals page under endpoints, patches, approvals. For this example, I'm going to stick with OS patching, and I'm going to specifically talk about this KB 5074109. This is one of the infamous KBs from January 2026 where it was giving the unmountable boot volume error for Windows 10 and Windows 11. So because of it, as you can see, if I click on this KB, the ConnectWise recommendation is disapproved, and we have blocked this. But what many people don't know is this issue is only occurring for physical devices. So what about my virtual devices? I have Windows 11 virtual devices that I would want these updates on. That's where approval groups comes in, where you can create a scoped approval for just your virtual device.
Before creating an approval group, you need to know the scope for which you will be creating the approval group because based on that scope, you need to first make sure that a device group is created. So you can create a device group from this option right here under Endpoints, Groups. For this demonstration, I've already created a device group. So let's go ahead and see how we can create an approval group for this. So when I click on this update, I will have a three-dot ellipsis option available. Click on that, and I can click on Assign Existing Approval Group. Once I click that, it will present me with an option. I'm going to write the group name based on which this approval group can be identified. I'm just going to say Approved for VMs. So it's clear. I will set the approval as Approved. So the update originally is Disapproved at a partner level. 
For the scope, I'm going to approve this patch. I'm going to create my own. I'm going to select the group that I've created. So in this case, I've pre-created a group called Virtual Windows 11, and I'm going to click on Assign. Once I click on Assign, I would get a confirmation that approval group is created. Also, next to the update, I have an icon showing up indicating that this update has an approval group that's associated with one or more devices. Now while I'm on the screen, I can go ahead and create more approval groups if I want to, or if I want, I can go and manage those approval groups in the next tab called Approval Groups. Here you will see the update that we just created the approval group for. I can click on the approval group and see the information. It'll show me the devices for which the approval group is created. I can also click on this and see all of the devices. I'll be able to see any description that is added, what is the approval level, who it was created by, and when it was created. In this example, we can take it a step further. Let's say for all the virtual machines that I have, there are some critical machines where I don't even want to take a chance. I don't even want any issues to happen on them. So once again, I can go and create an existing, add an existing approval group. This time I'm going to call it Critical Devices Blocked, and I'm going to set it as Disapproved. Just a quick note for anybody who may be checking it in the future, and because I have already created a device group for this, I'm just going to call it Critical VMs. That is created, and then I'm going to click on Assign. So now I have created two levels of approval group. Now, the way approval groups works is we calculate the, whenever it's time for deployment of this update, we start calculating it from bottom to up. Because in my use case, I first want it to exclude any devices, I will move my critical device blocked below, so that takes the highest priority. 
So any deployment on those endpoints for this update is automatically blocked. If any device doesn't fall in this group, it'll go check the next one above, and if there isn't one, it's going to go back and check if there's anything at a partner level, and it's going to do the deployment. So this is the hierarchy of approval groups, and you can basically create a number of these approval groups under each update that you want and manage the hierarchy or priority order of these approval groups. As I mentioned, this option is available for OS and third-party patching, so you'll see this option on both of them. The next feature that we have is called On-Demand App Installation. Now, this was something that was highly requested by a lot of partners, especially because this was something that they were running into issues with in the past, or they had to spend time setting up the scripts or tasks in the ASIO portal. So essentially, what we have opened up to partners is any supported application that you see under third-party patching, i.e. this screen right here, you can pick any of those applications and basically push that on any Windows endpoint. The best part about this is it doesn't need to be a Winget-supported device, because if you don't know, the new third-party patching or the improved third-party patching, the assessment does require Winget to be enabled, so Windows 10, Windows 11 machines are what's supported, but even if you have a non-Windows 10, Windows 11 machine, or let's say you have a server installation, or maybe an older OS, it doesn't matter. You can still pick up the application and push it on those devices, and that installation will go through, provided the application supports that operating system. So we'll just do a quick demo, and in fact, we'll take the example of Notepad++. That's one of those applications that's been in the news the last couple of days. 
Notepad++ had a major breach, and they recently released their 8.9.1 version, so I'm going to go ahead and push this application on a bunch of my sites. So I have this option called Install Application. This radio button is checked. I have to first choose which is the schedule I want to go forward with. So Install Now is an immediate push. Schedule is when maybe you want to do these deployments for a later period of time as a one-time push, so you can set it as schedule. For our example here, I'm going to go with Install Now. Click on Next. The resource selector also is improved because you just don't have devices here. You can also select sites. Sites allows you for a larger target group for deployment. We'll continue to get your feedback to understand what more that you're looking for here in terms of resource selection. So for now, we have sites available. For my deployment, I'm going to go ahead and pick up my... Let's see here. So I'm going to pick up a test site. Click on Next. I will be presented with a dialogue just showing me what is my selection, when is the patch going to deploy, what is the total set of resources that I'm planning it for. Do a confirmation. Click on Confirm. Once I do that, the task for application deployment is created. So any and all Windows devices on the site is now being attempted to install Notepad++. If these endpoints don't have Notepad++, they would get the latest version, that is the 8.9.1. If they do have an older version of Notepad++, that would get updated to 8.9.1. And you have a quick and nifty shortcut here. You can click on that, and it'll take you to the Schedule tab, where you can track the deployment of this, and the history is available. So you'll see the target resource right here. You can go to History, and you'll see we already have a few deployments that have gone through, some which have failed, but here's how you can see the history of those devices. 
You can click on this and see the endpoint is offline, so obviously that's not going to go through. So this, again, as I said, this is a very nifty feature, really would help you if you have some quick clients calling you to get some applications installed, want to do some troubleshooting of certain applications, this would be a great way to get that done.
I also want to give some heads up on what's coming in third-party patching. Early March, we have the device details being launched for third-party patching. Again, a very highly requested feature, so you will be able to see what is it that we pulled in the assessment, so you don't have to just rely on the report. You can see that information right on the UI. And we'll also have a sort of a secondary option for manual deployment called Update, where you can specifically target endpoints where this application is out of date and push the update onto that endpoint. And this manual update is expected by late March.
Okay, so with that, these are the two features that we have available, and we hope that you try it out. Give us your feedback, because that will help us make the product stronger and more efficient for your use cases. Amit, do we have any questions on the call that I can take?
Oh, yeah, there are a couple of questions. Let's quickly go through some of them. So first one here is, can we set this up for a dynamic group? I think it's more about creating a dynamic group on the fly rather than associating an existing one.
Yeah, fair point. So today, the option that you have available is any static group and device group that is available. We are looking, as I said, we are still looking at feedback in terms of how partners are using it. This is something that's new, and definitely we have it on the horizon to be able to give you options to basically create these groups on the fly, create these criteria on the fly, just like we do with your policy groups. So yeah, that is definitely on our horizon. 
Perfect. All right, next up is, will third-party patching, the manual deployment option, is going to be something that they can use it as a script function?
Yeah, yes. So that's, again, great question. The manual deployment option that we have right now is a first phase of giving you additional control. We do eventually want to make it as part of the ASIO platform. So once we expose these functionalities, you will be able to create a path or script and just pick up any of these supported applications, plug it into your monitors, create something recurring. You can go, there's n number of possibilities, n number of use cases, and you can try to use that in any way possible. But that is something that we have in our roadmap. Stick around and see what else comes.
Yeah, something on a similar line, there's another question that says, would they be able to do it from the devices page?
That's, again, something, because the moment we make it available within the ASIO platform fully, yeah, you can always pick it up from any screens that allows you for automation and push those applications. So again, something that will be in our horizon.
Yeah. An interesting question. Are we supposed to use the improved third-party patching or third-party patching or both? Can you elaborate that?
Yes. So for your Windows endpoints, the improved third-party patching should be the go-to option. Today, Windows 10, Windows 11 is what we have opened it up for. For most of the partners, that is what is the, like desktops are the devices that they're using it for. But for Mac devices, we didn't get, it's not an option. So you would want to stick with the legacy third-party patching. But if you have a Windows device, especially a Windows desktop, you would want to make sure that you're on the new and improved third-party patching. It is much more efficient. There's a lot more titles available. You have a lot more flexibility and all these new features available. 
All the new UI changes that will be coming in is all going to be for the new third-party patching.
Yeah. A few more questions. Can we use that manual deploy to install an application if that's missing?
Yes. Yes. The manual deploy does install any application that is missing. If it finds the application as outdated, it will try to update it.
All right, that's good. Let me pick the next one here. Can we force patch only machines with installed, for example, Notepad++ overriding existing policy in order to update it? It seems like we have to run a manual patch deployment. Does it overwrite the...
Yeah. Yes. Yeah. So anything manual always overrides your policy that is set up. Just like we have with OS patching, third-party patching is exactly the same. Manual actions, on-demand actions will always override. It doesn't take into consideration your approvals. It doesn't take into consideration your policy that is set up. That is really, you're picking up an application and just pushing it.
All right. Next question. When will the third-party patching catch up option coming?
It's coming soon. We do have a lot of partner feedback on this. So we will be introducing that as an option in future. I'm assuming sometime in Q2, we should be making those changes. So you will see OS patching, third-party patching sort of having the same sort of behavior in terms of the overall improvements of success and being able to catch up to devices that have missed their schedule and have come up from online.
This one is going to be pretty interesting. If you can help, I'm sure a lot of partners are going to be benefited by that. As with the third-party patching, would they be able to do some sort of a pilot group where they can test it and confirm before they open up for a larger set of endpoints?
So if you think about the way how approval groups work, this is something that it's achievable today. It's just going to take a little bit of additional effort. 
So you can create a device group or dynamic group with a flag called testing or pilot group. And you can create an approval and just approve it for that pilot group. And as you've completed your testing, you can create another approval group for the other set of devices. Let's call it first alpha group, beta group, and so on and so forth. So you can have these sort of a ring releases happening. But as a specific, in the past as well, we've had a lot of partner feedback around having some sort of a controlled group or a ring release sort of an approach available. So we are exploring that. But for now, you can use approval group in conjunction with the custom fields and the device group to achieve almost the same set of results.
All right. We'll take a few more questions. In terms of vulnerability and not disapproving patches, is there a way of flagging this in the vulnerability ticket?
We'll have to check that with the cybersecurity team on what their plans are. Seems like good feedback. I would appreciate it if you can just put that within the partner feedback user echo and we'll see how many more partners are looking for a feature like this. I'm pretty sure cybersecurity would also want to get some feature added over there.
All right. Let's pick one. So I did see something about custom applications. I'm not sure if that got answered already. It caught my eye.
Yeah. So the question over there was will we ever be able to deploy custom applications to the new third-party patching? So the answer is yes. That is something that we are actively exploring. So we're waiting for a couple of more pieces to be ready before we can make that available. But essentially, yes, that is within our roadmap for this year to be able to give you an option to select or set up your own application. You give us the parameters. We will also be giving you some stories so you can host this application as necessary. You tell us the latest version and we will push that application for you. 
So that's definitely in the roadmap.
All right. You want to pick a few more that you can see if you like it?
Yeah. I'm just quickly going through. There's one about file hosting. Amit, if you want to take that. When is file hosting coming?
Oh, that's kind of associated thing what you just talked about, the custom application. So the whole idea, we are planning and working it up on our side is to come up with a file hosting solution where you can upload your files. Once it's uploaded, it may be used for third-party patching, may be used for scripting, may be used for any other function where you want to download and maintain those files out here. So the teams are working on that. It's on our roadmap. So we are trying to get some more detail so we can come up with some dates and the timeline that can be made available for partners to start utilizing that out.
Thank you. All right. Let's pick this one. Does third-party patching use Winget repositories or does it use ConnectWise repositories?
So we do use Winget's repository so that we are just looking up the application. So we use Winget to ensure that we are looking at the right application signatures. So we are not missing out based on some string matches or something like that. So Winget is used for that app signature. We are using the Winget repository to ensure that we have the application version correct. We have the source of the application correct. So that's what we're using Winget for. But as far as the deployment goes, that uses ConnectWise RMM because there are a lot of limitations in the way Winget operates when it comes to deployment. You do need to have a user logged in. You do need to make sure that, you know, there are certain things that need to work for Winget to be able to deploy this application. So that's where we are. Actually, the CW RMM is the one that's doing the application deployment, which is where we are able to do manual deployment on non-Winget supported OS as well.
All right. 
Let's pick a few more. Is there a way to manually apply a third-party patch on your devices that only have that application installed and not devices that don't have it installed?
Yes. So that is part of the roadmap. As you can see on the screen, the manual update option, that's expected in late March. That's exactly what it's going to do. You will be able to see the number of devices that it's outdated on. You will be able to select the option. So if I can just go back here to third-party patching. You will have an option right next to this. So I go to deploy. So the radio button exists here as a first parter. So you're going to have an option called this update, and that will take you to another flow that will specifically target the devices that are outdated.
All right. I think there are a few more questions, but we'll go through them at a later phase, and we'll answer those things once it's available.
Okay. Thanks, Deepak, and thanks, Amit, for supporting on those questions. On your screen now, you'll see a QR code for ConnectWise YouTube channel. This is a great place where you can replay all these sessions and, you know, deep dive into the content. We'll pause for, like, about five seconds here so you can scan and subscribe. Okay. Thank you.
Next, basically, we are having a University Day on 12th and 13th of February. This is an in-person event which helps you in deep, in-depth product training where you can collaborate with experts to enhance your product knowledge. The full event agenda is available on our website, and there's a QR code where you can actually look up for the details and sign up if you're interested. So, again, we'll wait for, like, five seconds for you to scan and see the details. Thank you.
So these are the upcoming scheduled topics. 
You know, if you're wondering what's coming up in the next sessions, you'll find our scheduled topics in a few places, actually, which is university calendars, and you can look for in-app notifications directly within the platform or on your PSA account. Upcoming ones are on 11th, BCDR, and then we have Azure Discovery Tool on 18th, and on 25th, we have product and invoice custom fields. So here are actually the QR codes for registering on to all of these sessions. So we'll wait for a few seconds there again for you to scan and check all the details, and you can sign up directly right now.
Okay, finally, we actually hope to see you again next week, and these sessions, don't forget, are on every Wednesday at 11 a.m. EST. Thank you all for joining us today and for your great questions. The questions which were not answered, we'll get back to you on one-on-one and make sure we answer all the things there. Thanks for all the feedback there. Have a productive rest of your day. Thank you. Thank you.