Applies to: Advanced and Patch Insights

All setup and configuration instructions are valid for both Advanced Insights and Patch Insights unless stated.

Applies to: Advanced and Patch Insights

Advanced Insights is a website portal for Configuration Manager. It is an Internet Information Server-based application that runs on-premises. Please read the documents in this section to review requirements for Certificates, Software and Network configuration.

Applies to: Advanced and Patch InsightsAdvanced Insights stores configuration data in a SQLite database. This database is created automatically by the application in the following location:

%ProgramData%\AdvancedInsights\Data\Api\AdvancedInsightsConfig.db

It is recommended to backup this file as it contains all of the configuration data for your Advanced Insights environment.

Applies to: Advanced and Patch Insights

Advanced Insights needs a valid SSL certificate to install and function. (the installer will verify the certificate is valid).

Supported Certificate types:

• Server host (FQDN) standard certificate.

• Wildcard certificate.

• Custom CNAME / Alias certificate.

• Self-signed certificate.

The certificate must meet the following minimum requirements:

• Support HTTPS / SSL.

• Has private key.

• Valid in-date (not expired).

• Enhanced key usage includes "Server Authentication".

• Only modern signature types are supported (e.g. SHA256). Legacy / weak signature algorithms, for example; 'SHA1', 'MD2', 'MD4', 'MD5 are not supported.

• Subject Alternative Name (SAN). The certificate SAN requirements depend on the chosen deployment configuration for the Advanced Insights URL.

  • Scenario 1 - Server Host name certificate.

    • For Advanced Insights URL deployment using server host name (e.g. https://server01.contoso.local) the certificate SAN must contain an entry which matches the FQDN of the host server where Advanced Insights is installed.

  • Scenario 2 - Wildcard certificate.

    • For Advanced Insights URL deployment using a wildcard certificate, an entry must be included in the certificate SAN that represents the wildcard certificate. e.g. ' *contoso.local'.

  • Scenario 3 - CNAME / Alias certificate.

    • For Advanced Insights URL deployment using a CNAME / Alias, (e.g. https://AdvancedInsights.contoso.local) the certificate SAN must contain an entry which represents the CNAME / Alias. e.g. 'AdvancedInsights.contoso.local'.

Certificate SAN values can be also verified within the certificate properties.

Examples:

# Advanced Insights valid certificate check.
Param()

$CertsToExclude = @("ConfigMgr SQL Server Identification Certificate","WMSVC-SHA2")

# Get the FQDN of the machine
$machineFQDN = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Certificate filtering

# Algorithms to exclude
$Weakhash = @('SHA1', 'SHA1RSA', 'MD2', 'MD4', 'MD5')

$certs = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        ($_.SignatureAlgorithm.FriendlyName -notin $Weakhash) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq "1.3.6.1.5.5.7.3.1"} ) -and
        ($_.NotAfter -gt (Get-Date)) -and
        ($_.HasPrivateKey -eq $true) -and
        ($_.FriendlyName -notin $CertsToExclude) -and
        (
            ($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }) -and
            ($sanExtension = $_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }) -and
            ($sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() })
            
        ) -and
        (Test-Certificate -Cert $_ -Policy SSL)
    } -ErrorAction SilentlyContinue

#$certs.Extensions

Write-Host "############### The following certificates are suitable for Advanced Insights: ###############"`n
foreach ($cert in $certs) {

$SelfSigned = $false    
if ($cert.Issuer -eq $cert.Subject) {
$SelfSigned = $true
}

$sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }

$sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }

Write-Host "Certificate Friendly Name: $($cert.FriendlyName)
Certificate Thumbprint: $($cert.Thumbprint)
Enhanced Key Usage: $($cert.EnhancedKeyUsageList)
Certitifcate validity: $($cert.NotAfter)
Private Key present: $($cert.HasPrivateKey)
Subject Alternative Name (SAN): $($sanNames)
Signature Algorithm: $($cert.SignatureAlgorithm.FriendlyName)
Self signed Certificate: $($SelfSigned)" `n
}

# List certificates not captured in $certs
$allCerts = Get-ChildItem -Path Cert:\LocalMachine\My
$uncapturedCerts = $allCerts | Where-Object { $_ -notin $certs }

# Output the uncaptured certificates and their unmatched properties
if ($uncapturedCerts.Count -gt 0) {
    Write-Host "############### The following certificate properties are checked: ###############`n
    1. Enhanced Key Usage
    2. Certitifcate validity
    3. Private Key present
    4. Certificate in exclude list
    5. Subject Alternative Name (SAN)
    6. 'Test-Certificate -Policy SSL' cmdlet is used to check certificate is valid for SSL and root cert can be validated
    7. Signature Algorithm = sha256RSA (Minimum)" `n

    Write-Host "############### The following certificates have one or more property values which are not suitable for Advanced Insights: ###############"`n -ForegroundColor Yellow
    foreach ($cert in $uncapturedCerts) {
        Write-Host "Certificate Friendly Name: $($cert.FriendlyName)
        Certificate Thumbprint: $($cert.Thumbprint)"

        Write-Host "Unsuitable Certificate Properties:"

        # Check Key Usage details
        $SANObjID = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1'}        
        if (!$SANObjID) {
            Write-Host "1. Enhanced Key Usage (requires 'Server Authentication') value found: $($cert.EnhancedKeyUsageList)"
        }
        if ($cert.NotAfter -le (Get-Date)) {
            Write-Host "2. A valid, in date certificate is required: Expiration Date found: $($cert.NotAfter)"
        }
        if ($cert.HasPrivateKey -ne $true) {
            Write-Host "3. Private Key present?: Not Found"
        }
        if ($cert.FriendlyName -in $CertsToExclude) {
            Write-Host "4. Certificate in exclude list: Friendly Name: $($cert.FriendlyName)"
        }

        # Check SAN extension
        $sanExtension = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if (!$sanExtension) {
            Write-Host "5. Subject Alternative Name (SAN) requires at least one entry matches the server FQDN or is a wildcard which matches the server domain name e.g. '*.internaldomain.local. SAN value(s):: Not Found"
        } else
        
        {
            $sanNames = $sanExtension.Format(0) -split ', ' | ForEach-Object { $_.Split('=')[1].Trim() }
            if ([string]::IsNullOrEmpty($sanNames)) {
                Write-Host "5 Subject Alternative Name (SAN) requires at least one entry matches the server FQDN or is a wildcard which matches the server domain name e.g. '*.internaldomain.local. SAN value(s): $($sanNames -join ', ')"
                }
        }
        

        if (!(Test-Certificate -Cert $cert -Policy SSL)) {
            Write-Host "6. Test-Certificate SSL Policy: Failed"
        }
        if ($cert.SignatureAlgorithm.FriendlyName -in $Weakhash) {
            Write-Host "7. Certificate signature algorithm requires a minimum of SHA256 RSA. Legacy / weak algorithms e.g. 'SHA1', 'MD2', 'MD4', 'MD5 are not supported. Signature Algorithm found: $($cert.SignatureAlgorithm.FriendlyName)"`n
        }
        Write-Host
    } Write-Host "############### Certificate Check End ###############"
} else {
    Write-Host "No uncaptured certificates found."
}

Example PowerShell outputs:

Applies to: Advanced and Patch Insights

Server Operating System Requirements

• Windows Server 2016 and later

• 1.5 GB of free disk space

• Minimum 1 CPU Core

• Minimum 8 GB RAM

Windows Server Components and Features

• Internet Information Services (IIS)

• WebSockets (will be added automatically by the installer if missing)

The following is an example of 'OPTIONS' HTTP Verb 'Not allowed' This configuration will prevent the Advanced Insights install from completing successfully.

Additional Software Components

• IIS CORS Module 1.0

• ASP.NET Core Hosting Bundle 8.0

• SQL Server ODBC Driver 17.6 (minimum)

• IIS URL Rewrite 2.1

Configuration Manager SQL Server

• Configuration manager SQL Database must be SQL Server 2016 SP1 or later. We strongly recommend ensuring the latest cumulative update is applied to your SQL Server.

• Database Compatibility Mode must be at least 130 for the Threat Analytics dashboard to load. You will see a warning if this is not met.

⚙ Installation

To help get you started, we provide a few different guides (documented or video) to help you install the Patch My PC Publisher.

Don't feel like going it alone? You can schedule a setup call with a Patch My PC engineer to help you install correctly first-time in your environment.

💿 Download the Publisher MSI Installer

Configuration Manager Install

Are you installing the product with Configuration Manager? No problem, click the link below for our Configuration Manager guide! The guide includes a text-based version, video, and the ability to directly schedule a setup call with an engineer!

Intune Install

Are you installing the product for Microsoft Intune? No problem, click the link below for our Intune standalone guide! The guide includes a text-based version, video, and the ability to directly schedule a setup call with an engineer!

📄 Release History

Curious about what fixes and new features we've added to the Publisher? You can check out our release history in the release history section for our Production and Preview releases:

You can also stay up-to-date by subscribing to our catalog release newsletter and RSS feedback to find out the moment we update our catalog with new products and updates!

📅 Schedule a Live Demo

If you're just getting started and need help learning the product no problem we can give you a live interactive demo where we will explain everything you need to know about our product from a deep dive inner workings of the product to licenses and security. 🔒

🤝 Schedule a Guided Install

So you've seen a demo, and you're ready to try the product out in your environment. To get you started off right we offer a FREE guided installation of the product in your environment. We strongly encourage all customers to bring an engineer along for the ride to ensure you get the maximum value out of our product and to ensure smooth sailing. ⛵

❓ Schedule Review Call for Q&A

Something seems not quite right? Maybe you want to brush up and learn about all those cool new features we've been releasing since the last time you had a demo. No worries, you can schedule a review call any time you like and our team will be happy to help you study up and help make sure your environment is in top shape. 🎩

💁‍♂️ Support Case

When all else fails and you can't find the answers you need we will always be there for you. While we do have a lot of written knowledge articles sometimes those just aren't enough. If you ever find that to be the case, or something is going disastrously wrong you can always open a support case with our talented team of experts.

🏫 Resources

Not everything always works in pure documentation format and for this, we have some links to our most commonly used resources on our website including

📚 FAQs

Got questions about licensing, subscription types, or how we handle security? Don't worry we get asked those questions all the time.

🏠 Homepage

Ready to head on back to our home page? Don't worry we booked you a ride there.

🚘 Roadmap

Curious about where we are going and what we are planning to do we make all that information publicly available on our live roadmap.

💡 UserVoice

Is there something we are missing? Maybe a new document, a new feature, or a new app? If you head on over to our user voice you can submit new ideas for us and make recommendations.

🤝 About Us

Want to learn more about who we are and what we do? Head on over to our About Us page to learn more about who we are and our company's core values.

Applies to: Advanced and Patch Insights

Advanced Insights requires a valid SSL certificate to bind to the application websites and supports the following types:

• Server host (FQDN) standard certificate.

• Wildcard certificate.

• Custom CNAME / Alias certificate.

• Self-signed certificate.

Certificate configuration scenarios

• Scenario 1 - Server Host name certificate.

  • For Advanced Insights URL deployment using server host name (e.g. https://server01.contoso.local) follow steps described in section:Standard Server host name certificate

• Scenario 2 - Wildcard certificate.

  • For custom Advanced Insights URL deployment using a wildcard certificate (e.g. *.contoso.local) follow steps described in section: Wildcard certificate

• Scenario 3 - CNAME / Alias certificate.

  • For custom Advanced Insights URL deployment using a CNAME / Alias, (e.g. https://AdvancedInsights.contoso.local) follow steps described in section: CNAME / Alias certificate

• Scenario 4 - Self-signed certificate.

  • For Advanced Insights URL deployment using a Self-signed certificate follow steps described in section: Self-signed certificate

Standard Server host name certificate

Select the certificate which represents the server host name (FQDN).

Once selected, no further certificate configuration is required.

Click Next to proceed to the Advanced Insights SQLite Database page.

Wildcard certificate

Select the certificate which represents the wildcard certificate.

Click the 'Set CNAME / Alias' button.

In the CNAME / Alias configuration page, the installer will automatically pre-populate the domain wildcard property from the selected certificate.

The CNAME / Alias property value box will need to be updated with a chosen CNAME / Alias prefix. For example:

'AdvancedInsights.corp.contoso.local'

Then click 'Set CNAME - Alias'.

Click Next to proceed to the Advanced Insights SQLite Database page.

CNAME / Alias certificate

Select the certificate which represents the CNAME / Alias certificate.

Click the 'Set CNAME / Alias' button.

In the CNAME / Alias configuration page, the installer will automatically pre-populate the CNAME / Alias property based on the available SAN entries from the selected certificate.

In this example, the selected certificate has one SAN entry which has been automatically pre-populated:

Confirm the CNAME / Alias configuration by clicking the 'Set CNAME / Alias' button.

Click Next to proceed to the Advanced Insights SQLite Database page.

Self-signed certificate

To deploy Advanced Insights using a self-signed certificate, on the certificate selection page, click the 'Create Self -Signed Cert' button:

The installer will then automatically proceed to the Advanced Insights SQLite Database dialog page.

Applies to: Advanced and Patch Insights

Run the installation

Download the latest installer for Advanced Insights by clicking the link below.

You can view the release history for Advanced Insights on our release history page.

Start the installation by double-clicking the downloaded AdvancedInsights.exe

Prerequisites Screen

Once the installation starts, you will likely be greeted by the prerequisite screen in our installer wizard, click Next.

Select Prerequisites

Any required prerequisites are listed. These can all install without requiring a restart. Confirm the requirements and click Next.

License Terms and Conditions

Once the required prerequisites have been installed, you must accept the Terms and Conditions of use. Tick the "I agree" box and click Next.

Installation Folder

Advanced Insights requires approximately 1.5GB of storage space. Confirm the installation directory and click Next.

Applies to: Advanced and Patch Insights

Completion

When the installer has completed the final wizard screen is shown. This includes a link to go to the welcome experience dashboard. The first use username is admin the initial password is 123qwe which you will be prompted to change.

Applies to: Advanced and Patch Insights

Advanced Installer will create two websites and related application pools. The Dashboard website (Advanced Insights Frontend) is the site you will access to view dashboards and reports, the other site (Advanced Insights Api) is internally referenced only.

The IIS Configuration page allows you to set the dashboard port and IIS application pool identity to your requirements. The port is what will be used when browsing the portal (e.g., https://adv01.contoso.com:444). The API port is read-only. Firewall rules will be automatically created for the dashboard, and API websites.

The IIS Application Pool identity used for both the Advanced Insights Frontend and Api application pools is 'LocalSystem' by default. An alternative identity (Active Directory account) can be used if required. More details on IIS application pool identity here: IIS Application Pool Identity

Examples:

In this example, the installer automatically determined that the best available port was 444. IIS Application Pool left as default 'LocalSystem'.

In this example a custom IIS application pool identity has been set:

Confirm the required Dashboard Port and if required, IIS application pool identity and click Next.

Applies to: Advanced and Patch Insights

Installation Summary

This completes the pre-install configuration of Advanced Insights, a summary screen is shown and you can review and click Install to begin the installation.

Installation

The installer may take up to 30 minutes to complete.

Applies to: Advanced and Patch Insights

The following configurations can be modified for an existing Advanced Insights deployment. SSL certificate.

Advanced Insights website frontend network port.

Reset default admin password.

Starting the modify process.

If the install executable version that was originally used to deploy Advanced Insights is available, you can start the modify process by rerunning the original installer. Otherwise, locate the Advanced Insights listing in the add - remove programs list and select 'Modify'.

Click 'Modify'

Click 'Yes'

Click 'Modify'

Select the required modification option checkbox to enable the related 'Change' button

Applies to: Advanced and Patch Insights

When you run the installer, it will prompt for you to accept the license terms.

You will be presented with the upgrade summary page. There is also the option to change the certificate, network port or IIS application pool identity if required.

If upgrading from 1.0.x and 2.0.x versions of Advanced Insights, the upgrade summary page will also include summary information about the Advanced Insights SQL DB migration to SQLite.

If you wish to do so, click the 'View / Change Cert' button will show additional information about any warnings being flagged.

Following this, click Install to start the upgrade process.

The upgrade success page is displayed upon completion.

Applies to: Advanced and Patch Insights

This section describes the steps required to change the frontend network port used for an existing Advanced Insights deployment.

In the configuration modification page, select the checkbox for 'Frontend SSL Port Configuration' then click 'Change SSL Port':

Click 'Edit port' in the 'Advanced Insights' section and enter a new port number, then click 'Next'

Click 'Install

The installer will make the required configuration changes and display a summary once complete.

Click 'Finish'

Applies to: Advanced and Patch Insights

Advanced Insights needs read access to the ConfigMgr SQL database. If Advanced Insights is installed on a server that is not the ConfigMgr site server, or a custom Active Directory account is used for the IIS application pools, you will need to grant some SQL permissions.

Assigning Rights to ConfigMgr SQL

Option 1 - Using the Advanced Insights Computer Account

1. Open SQL Management Studio and connect to the required SQL instance for your ConfigMgr database

2. Execute the following script replacing the domain\computername and CM_XXX database name

Option 2 - Using a user account for Advanced Insights

Advanced Insights access to the Configuration Manager SQL database can be configured to use a Active Directory user account. This account is set as the IIS application pool identity.

1. Open SQL Management Studio and connect to the required SQL instance for your ConfigMgr database

2. Execute the following script replacing the domain\username and CM_XXX database name

Applies to: Advanced and Patch Insights

This section describes the steps required to change the SSL certificate used for an existing Advanced Insights deployment.

In the configuration modification page, select the checkbox for 'SSL Certificate' then click 'Change Certificate':

Use the drop down list to select the SSL certificate which represents the CNAME / Alias you wish to use.

With the appropriate SSL certificate selected, click 'Set CNAME / Alias'

In the set CNAME / Alias dialog page, the dialog will be prepopulated with a value for the CNAME / Alias based upon the selected certificated.

Modify the prepopulated URL value if required.

Click 'Set CNAME / Alias'

Click 'Next'

Click 'Install'

The installer will make the required configuration changes and display a summary once complete.

Click 'Finish'

New Advanced Insights URL

Applies to: Advanced and Patch Insights

To completely remove the product we will carry out the following actions:

1. Remove the Advanced Insights Inventory Extensions (if deployed)

2. Uninstall the Advanced Insights product

3. Remove the Advanced Insights database

Removing the Inventory Extensions

You can manually remove the Inventory Extensions from a ConfigMgr Console under: Administration > Client Settings > Default Client Settings > Hardware Inventory > Set Classes ...

Carefully Select and delete each PMPC_ Inventory Class from this window individually. This will remove them from your Hardware Inventory Schema and delete their data from the database:

Uninstall Advanced Insights

The uninstall is automated from Settings / Add Remove programs, simply select the application and click remove.

The uninstall will leave behind some customization files, including the Advanced Insights SQLite DB. This can all be removed by deleting the following folder:

Applies to: Advanced and Patch Insights

Advanced Insights stores all application configuration in a SQLite database located in the following folder:

Advanced Insights stores all warranty data in a SQLite database located in the following folder:

These files can be backed up by any file backup solution.

To restore the configuration in the event of loss or server move, simply re-install Advanced Insights and copy the backup files into the same location, overwriting the blank database supplied by the installer.

Applies to: Advanced and Patch Insights

This section describes the steps required to reset the password for the default 'admin' account for an existing Advanced Insights deployment.

In the configuration modification page, select the checkbox for 'Default Admin Password Reset' then click 'Reset Password':

The password reset confirmation is then displayed. Click 'Close'

Click 'Finish'

Applies to: Advanced Insights

PMPC_Disks

DeviceID: Identifier that uniquely names the physical disk.

BusType: The interface the disk is connected by.

MediaType: Media type of the physical disk

*Manufacturer: The name of the manufacturer

*HealthStatus: A high-level indication of device health.

*OperationalStatus: Status further explaining a given health status.

*Model: This field represents the model number of the hardware

*PowerOnHours: Length of time, in hours, the storage device has been powered on since manufacture.

*ReadErrorsTotal: Total read errors encountered by the device.

*SerialNumber: Serial Number of the battery

*Temperature: The current temperature of the storage device in Celsius

*TemperatureMax: The maximum temperature in Celsius at which the storage device is capable of normal operation.

*Wear: Storage device wear indicator, in percentage. At 100 percent, the estimated wear limit will have been reached.

*WriteErrorsTotal: Total write errors encountered by the device.

These properties are collected via SMART. Not all devices may support SMART monitoring

PMPC_Batteries

BatteryID: String identifying the battery.

DesignCapacity: The design capacity of the battery in milliwatt-hours.

FullChargeCapacity: The full charge capacity of the battery in milliwatt-hours.

Health: Comparison of the FullChargeCapacity to the DesignCapacity property is used to determine the health of the battery. (100 = Healthy)

*Chemistry: Describes the batteries chemistry.

*Manufacturer: The name of the manufacturer

*ManufacturerDate: The date the battery was manufactured

*SerialNumber: Serial Number of the battery

PMPC_ODBC

DataSourceName: Name of the ODBC

Database: The Display Name of the Application

Description: The reported version of the application.

Driver: The driver used for the ODBC

DriverVersion: The specific file version of the driver

Platform: Specifies whether the ODBC is 64/32 bit

User: The name of the user that owns the ODBC (if applicable).

PMPC_UserApps

InstallLocation: The folder location in which the application is installed

DisplayName: The Display Name of the Application

DisplayVersion: The reported version of the application.

InstallDate: The date the application was installed.

Publisher: The name of the publisher of the application.

QuietUninstallString: command line string to uninstall the application.

UninstallString: command line string for silent uninstall of the application.

User: The name of the user that installed the application.

PMPC_LocalGroups

GroupName: Name of the local group.

Members: List of user members belonging to that local group.

GroupMembers: List of sub groups that are members of the local group

If a member cannot be identified the SID will be displayed instead.

PMPC_Dock

DeviceName: Identified name of the dock device.

*Firmware: The firmware version currently installed on the dock

*Manufacturer: Manufacturer of the dock

*SerialNumber: Serial Number of the dock if applicable (For dell this is the same as service tag)

PnPID: Device "PnP" Id, this is only used if we werent able to identify the dock model

PMPC_Monitors

InstanceName: Unique Identifier for the monitor

DeviceName: Name of the monitor

InchSize: Diagonal size of monitor

ConnectionType: The cable used to connect to monitor

Primary: Whether this monitor is configured as the primary display. True or False.

ResolutionHorizontal: Maximum horizontal pixel count

ResolutionVertical: Maximum vertical pixel count

*Model: Model of the monitor

*SerialNumber: Serial number of monitor (service tag for DELL)

*Manufacturer: Name of manufacturer

*ManufactureYear: Year the monitor was made

PMPC_Updates

UpdateId: unique ID that represents the update

Title: Title of the update.

Status: Missing or Installed.

Service: The Update Service used to discover this update.

Product: Product associated with the update

ProductID: ProductID associated with the update

InstalledOn: Date the update was Installed On

DatePosted: Date the updated was release or revised

ArticleId: KB article ID identifying the update

PMPC_WifiInterface

GUID: unique ID that represents the Wifi Interface

Description: Name / description of the interface

Authentication: Type of authentication used (e.g., WPA2, WEP, Open)

Band: Frequency band used (e.g., 2.4GHz, 5GHz)

Channel: Current operating channel

Cipher: Encryption cipher used (e.g., AES, TKIP)

ConnectionMode: Mode of connection

Driver Version: Version of the driver software controlling the interface

PhysicalAddress: MAC address of the interface

RadioType: Type of wireless radio (e.g., 802.11n, 802.11ac)

Signal: Percentage signal strength of the connection

SSID: Name of the wireless network

State: Current state of the interface (e.g., connected, disconnected)

PMPC_UserProfile

SID: Security Identifier associated with the user profile

Path: File path where the user profile is stored

LastLoggedIn: Date and time of the user's last login

AccountName: Name of the user account

SizeGB: Size of the user profile in gigabytes

PMPC_BrowserExtension

InstallPath: Path of the extension content and manifest

Name: Name of the extension

Author: The reported author of the browser extension acording to the manifest

Browser: The browser that the extension is installed in.

User: The user that has the extension installed. (All browser extensions are per user)

ID: ID of the Browser Extension associated with Chrome / Edge store

Version: The version of the browser extension

Applies to: Advanced Insights

Applies to: Advanced Insights

Introduced in Advanced Insights 2.2.1, the Custom Dashboard feature enables users to create their own dashboards and share them with other users, if permitted.

Applies to: Advanced Insights

Clients with the Inventory Extensions MSI installed will support the use of our custom client actions:

⚙ Script Approval

If you see this message when using any of the custom client actions:

This means you have the "Additional Script Approver" setting enabled in ConfigMgr. To approve our script, please follow these steps:

1. Open your ConfigMgr Console

2. Go to Software Library > Scripts

3. Right click and approve the "Advanced Insights Client Actions" script

Custom Action Descriptions

• Install Updates - Installs all updates which are advertised to the device which are targeted as available or required. This is the same action as pressing Install All in the Software Center.

• Repair Client - Executes the ccmrepair.exe

• Clear CCM Cache - Clears all ccmcache items on the client (including persistent cache)

Applies to: Advanced and Patch Insights

For various Configuration Manager console actions and features to work, the accounts running the IIS App Pools need to have permissions to connect to your SMS Provider Server.

By default, the IIS App Pools run under the local computer account of your Advanced Insights Server.

⚙ Add the IIS Pool Account To ConfigMgr Security Role

1. Open the ConfigMgr console and navigate to Administration > Security > Administrative Users > click Add User or Group

2. Choose the User/Computer account running your IIS App Pools. In our example we are adding the local computer account of our server named "SCCM"

3. Assign them the Operations Administrator role (or optionally a custom role)

⚙ Use a Custom Security Role (Optional)

If you wish to adhere to the "Principle of Least Privilege" then you can download the XML file below and import it as a security role into ConfigMgr. This role grants the lowest possible privileges.

To import the security role XML file, open the ConfigMgr console and navigate to Administration > Security > Security Roles > click Import Security Role.

Applies to: Advanced and Patch Insights

On first logon, you will see the welcome page. You can access this page any time by clicking your username in the top right of the screen.

The welcome screen needs your Patch My PC license key and your ConfigMgr site server details.

License Key

If Advanced Insights is installed on the same server as the Patch My PC Publisher we will read the license key automatically. Alternatively, please add your license key and click to verify.

Configuration Manager Database Details

Provide the server name and database name of your ConfigMgr primary site and click to connect.

As long as the IIS application pool identity running the Advanced Insights Controller website has permission to read the database, you should be good to go.

If you have a problem at this stage, please see this document for details on granting SQL permissions.

Once the license key and SQL sections are successfully completed, click Go to Dashboard in the final step to complete setup.

Applies to: Advanced Insights

Several features of Advanced Insights (this is not relevant for Patch Insights) require the deployment of our Inventory Extensions. This process adds additional reports and functionality to Configuration Manager.

To setup the Inventory Extensions, there are two actions to complete:

⚙ Extend ConfigMgr's Hardware Inventory Schema

1. Navigate to the Administration > Settings page

2. Select the Advanced Insights Inventory Extensions tab

3. Select whether to collect Microsoft Update Compliance Data see here for more information

4. Click Update Hardware Inventory via Advanced Insights

⚙ Manual Steps to Extend Hardware Inventory Schema

1. Download AdvancedInsights_SMS_DEF.mof

2. In the ConfigMgr Console, navigate to Administration > Client Settings > Default Client Settings > Hardware Inventory > Set Classes...

3. From this page click Import... and select the AdvancedInsights_SMS_DEF.mof

4. Tick/untick the imported Inventory Classes as required

💿 Deploy the Inventory Extensions MSI to clients

Client-Side Requirements for the Inventory Extensions MSI

• Windows 10/11, Windows Server 2012 - 2022 (64-bit)

• .NET Framework 4.8

To deploy the Advanced Insights Inventory Extensions from the Patch My PC Publisher

You can deploy the Inventory Extensions product via Patch My PC Publishing Service

1. Open the Patch My PC Publisher, navigate to the ConfigMgr/Intune Apps tab and select Patch My PC > Advanced Insights Inventory Extensions (MSI-x64)

2. To quickly sync this app to ConfigMgr/Intune without having to wait for all other selected apps and updates in the Publisher to evaluate and process, right click the Advanced Insights Inventory Extensions (MSI-x64) app and select Publish this product during the next manual sync. (Selective sync).

3. On the Sync Schedule tab, click Run Publishing Service Sync.

4. Verify the Inventory Extensions x.x.x.x (MSI-x64) application was created and deploy it to your desired collection(s).

Applies to: Advanced Insights

Advanced Insights (this is not relevant for Patch Insights) can access device warranty information from a variety of vendors. For access to Dell warranty information you will need an API key provided by Dell. The process to apply for a key is shown here.

First you will browse to https://techdirect.dell.com and register or log in, you will need to be associated with your Dell Company account. Once all that is sorted you can select to go to the APIs section.

Once you have successfully obtained your API key log into Advanced Insights and navigate to the Administration area. Go to Settings - External Services and check the "Is Enabled" and "Enable Warranty Caching" option.

Enter the provided Dell warranty text for Client ID, Client Secret and click save all.

*Please only enter in the text in-between the brackets for the API Client Secret.

Applies to: Advanced and Patch Insights

Advanced Insights supports http, socks4 and socks5 network proxies.

Please add the correct protocol to the start of your proxies' network address e.g. http://x.x.x.x, socks4://x.x.x.x, socks5://x.x.x.x. Ports can be added at the end of the network address e.g. http://x.x.x.x:1234"

Adding a proxy server in the Welcome page

If Advanced Insights cannot automatically access our licensing service at https://api.patchmypc.com we will automatically prompt for you to supply proxy details.

Adding a proxy server in the Settings page

Proxy configuration can also be added in the Administration - Settings - External Services tab

Applies to: Advanced Insights

Inventory Extensions Process Visualized

What is the Inventory Extensions MSI?

The Inventory Extensions MSI is a .NET WMI Provider. This provider code is loaded by the WMI Service on Windows clients. The provider returns data that the client processes into a hardware inventory report where it is then submitted to the ConfigMgr site server and entered into the SQL database.

What is WMI?

WMI stands for Windows Management Instrumentation. It is a set of specifications from Microsoft for consolidating the management of devices and applications in a network from Windows-based systems. WMI provides a standardized way for systems administrators to manage and query information about their systems.

The heart of WMI is the WMI Service, known as Winmgmt and part of the Windows OS, this service runs in the background on all Windows systems. This service acts as a broker between WMI Clients (ConfigMgr client) and the WMI Providers (Inventory Extensions MSI) that deliver the actual data.

How does this integrate with ConfigMgr?

ConfigMgr's existing hardware inventory data is collected from WMI. We simply extend ConfigMgr's default hardware inventory policy with the new definitions of our Inventory Extensions data. This allows the ConfigMgr clients to query our WMI Provider through the WMI Service during its normal hardware inventory task - just like it would for any existing hardware inventory class.

For this reason we do not consider the Inventory Extensions MSI as an "Agent". We do not install any services on clients, instead the existing WMI Service brokers the connection between our Inventory Extension MSI code and the ConfigMgr client for us. The only time this code runs on clients is during a Hardware Inventory task or when a custom client action is invoked, after which the WMI Service handles the unloading of our WMI Provider.

Applies to: Advanced Insights

Advanced Insights (this is not relevant for Patch Insights) will display the warranty status of Lenovo devices in the device modal display. We need to provide a warranty API token to be able to get this data.

To apply for a warranty API token you need to request one from your Lenovo account manager.

Once you have successfully obtained your API key log into Advanced Insights and navigate to the Administration area. Go to Settings - External Services and check the "Is Enabled" and "Enable Warranty Caching" option.

Enter the provided Lenovo warranty text for the Lenovo API Client token and click save all.

You can then navigate to the Warranty dashboard and click the Bulk Processing object in the top left to initiate warranty lookup.

Applies to: Advanced Insights

Advanced Insights (this is not relevant for Patch Insights) can access device warranty information from a variety of vendors. For access to HP warranty information you will need to sign up to HP Workforce Experience, enrol all the HP devices you want to collect warranty data on and set up a developer account to access the warranty data.

Developer account creation

First, we will create the developer account needed to interact with the HP Workforce Experience api.

Initial setup

API Enrolment

First, you will need to create an account if you do not have one already. If you have a HPID for HP Workforce Experience, you can use this account.

Creating credentials

Please visit the link above to open the credentials generation page. You will be show the following options below. Click Get Credentials in the HP Proactive Insights Analytics section.

Credentials creation flow

You will need to provide the following information:

1. Credentials name: We recommend "Advanced Insight Warranty"

2. Description: We recommend "API Keys for Advanced Insight Warranty"

3. Developer Redirect Url: This will be used by HP to redirect when you log in. This needs to be your Advanced Insights in the following format https://FQDN:PORT/app/main/view/warranty. Example https://contoso.local:444/app/main/view/warranty

4. Client ID: Leave blank

5. Tick Read Checkbox

Click create and you will be redirected back to the previous page.

Viewing app

Once you have been redirected, there will be a green success banner on top of the page. Please now click the "My API Credentials" link in the banner.

Now click on the newly created app by click the app name, this will load the app details page.

Here you will see information about the newly created app.

We need to copy

1. The API ClientId

2. The API Secret (click "Show Secret" to get this entry)

HP Settings in Advanced Insights

We now need to copy API ClientId and API Secret to Advanced Insights.

1. Go to Administration -> Settings -> External Services

2. Based on the location of the HP Workforce Experience portal you used, select US or EU.

3. Copy and paste the API Client ID into the Client ID input

4. Copy and paste the API Client Secret into the Client Secret input

5. Save settings.

Register for HP Workforce Experience

Using HP Workforce Experience

When you have registered and logged in, you will be greeted by the home experience of HP Workforce Experience. On the left hand side, you will need to click "Assets" to begin importing your HP devices into HP Workforce Experience.

Importing devices

HP Workforce Experience allows you to import your device using four different mechanisms. Currently only Intune Import and Asset enrolment allow for warranty data collection, manual and csv upload do not trigger warranty collection by design. To begin importing devices, please click the "Add" button in the top left of the page.

Intune import

To begin importing from Intune, please click the Intune Import button then click next.

You will be now asked to provide your Intune Domain Name, this can be found by going to the Intune portal, clicking Tenant Administration on the left hand menu and copying the Tenant name from the Tenant Status page.

You will now be greeted by the Microsoft Login flow, please log in using your microsoft credenitals as normal. You will be then presented the list of permission HP requests to perform the Intune import.

Once you have accepted the permission, the connection to Intune will be completed by HP.

You will now be asked if you wish to import Assets from Intune Groups, or to import all of your assets.

We shall continue using Group import only.

When you click on Import assets only from Intune groups, you will be presented with a full list of all your groups in Intune. You can filter out the groups you want to import and you can import multiple groups. Select the groups you want to import and click Import.

Intune will now begin importing your selected devices. You will receive a notification on begin and completion of the import.

You can also check progress by navigating to the logs link on the left hand side.

Asset Enrolment

To enrol your device by Asset Enrolment, please use the following HP documentation to distribute the agent.

Via SCCM

Via Intune

Collecting Warranty

Collecting warranty in Advanced Insights works in the same way as the other providers, but you will need to log into HP on bulk caching.

Navigate to the warranty dashboard.

To begin, click the "Bulk Processing" statistic to begin re-caching warranty.

You will be asked to log in to HP, click yes and Advanced Insights will go to HP to log in.

Applies to: Advanced Insights

If you use Intune to manage your windows updates (Windows Update for Business) then none of that compliance data is visible from ConfigMgr. This requires you to have to read compliance data from BOTH ConfigMgr and Intune.

Solution

• You get complete visibility of all update compliance from Advanced Insights

How does it work?

We supplement your ConfigMgr compliance data with additional data from Microsoft Update.

Our Inventory Extensions WMI Provider runs on clients and scans against Microsoft Update to find update compliance data. This data is then pulled into ConfigMgr via Hardware Inventory for reporting.

Requirements

1. You must complete the implementation steps in the Configuration Guide

2. Clients must be configured to use Windows Update for Business

Applies to: Advanced and Patch Insights

Advanced and Patch Insights support integration with Active Directory for user authentication. This feature is enabled by an administrator in Administration > Settings > User management. Once enabled, this will ensure that any users signing in can use their AD username and password. If users have an RBAC role defined in Configuration Manager, Advanced Insights will adhere to that role, only showing the clients they are permitted to view.

To enable Active Directory authentication capabilities:

1. Check the box for Enable Active Directory Authentication

2. Optionally Enter your Active Directory domain name (normally only required if the authenticating domain is different from the domain the Advanced Insights server is installed in)

3. Optionally Enter a username and password used to connect to Active Directory, this is only required if the Advanced Insights App Pool identity (Local System by default) has been restricted from reading Active Directory, which is uncommon

After you have entered these details, you can now log in with your Active Directory UPN or username.

If this is your first time logging in to Advanced Insights, you will receive whatever role is assigned as "default" or roles your Active Directory Group membership assigns.

You can read more about assigning roles to Active Directory Groups in the article below:

Applies to: Advanced Insights

Advanced Insights supports authentication using Entra ID credentials using OpenID. To configure this is a two-step process:

1. Create an App Registration in Entra

2. Enter the App Registration details to Advanced Insights

Creating the App Registration

Navigate to the Entra Admin Centre and log in with an account that has permissions to create App Registrations.

You will add a name for the App Registration (for example "AdvancedInsights").

In Supported Accounts select "Accounts in this organizational directory only"

Redirect URI

Example redirect URI:

https://advinsightsserver01.contoso.local:444/account/login

Select "Single-Page Application (SPA)" from the dropdown list in the "Redirect URI" section, and enter the URI.

When you have filled in the required properties click Register.

You will be shown the App Registration overview screen. We need to copy some properties from here.

Copy Application (client) ID and Directory (tenant) ID values into a Notepad document.

Now click the "Authentication" link on the left in the "Manage" section.

In the "Implicit grant for hybrid flows" section, tick both options for:

"Access tokens (used for implicit flows)"

"ID tokens (used for implicit and hybrid flows)"

This grants the application permissions to issue the tokens used by Advanced Insights to validate login.

To save changes, click 'Save'.

Click "Certificates and secrets", then within the "Client secrets" section, click "New client secret".

Name the secret and set an expiry duration that is suitable for your environment.

Click 'Add' to save the "Client secret" configuration.

Now you can copy the "Value" of your client secret and add it to your Notepad document:

This completes the configuration work in the Azure Portal.

Adding settings to Advanced Insights

1. Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "AzureAD" tab.

2. Clear the "Deactivate" checkbox.

3. Enter the value for your Application ID/ClientID.

4. Enter the value for your Client Secret.

5. Enter the value for your Directory (tenant) ID.

6. Select 'Save All'.

New users

1. Log into Advanced Insights with an administrator role account and navigate to the 'Administration' > 'Settings' menu. Select the "User Management" tab.

2. Enable "New registered users are active by default." checkbox.

3. Select 'Save All'.

This completes the configuration for adding the Entra ID App Registration details to Advanced Insights.

First login - Consent to Permissions

The Advanced Insights logon screen will now show a "Sign in with Microsoft" button.

At first logon, an Azure administrator will have to consent to the application registration requested permissions.

User requirements

You should check in the Users area in Advanced Insights that there are no existing user accounts with email addresses that match the Entra ID accounts you are going to have logging in. If you do, you can delete these accounts and they will be recreated on first login by that user.

You will always be able to log in as the Advanced Insights "Admin" to make configuration changes.

If the Entra ID account a user logs into Advanced Insights with has a matching on-prem AD Account with the same Email Address set, any RBAC role they have in ConfigMgr for their on-prem AD account will be maintained in Advanced Insights.

For example, if a log in with this Entra ID Account is used:

The on-premises Active Directory object of this account has the users Entra ID UPN set as the email property:

Applies to: Advanced Insights

To launch the Configuration Manager remote control action from the client actions menu in Advanced Insights the user must have some files from the Configuration Manager console install directory and an Advanced Insights utility. If the ConfigMgr console is installed on the user’s computer then no additional configuration is required.

Files and Folders

To run the ConfigMgr remote control agent we need a copy of:

• CmRcViewer.exe

• RdpCoreSccm.dll

• the relevant locale folder for the RC Tools, for example 00000409

All of these are copied from \\SiteServerName\SMS_ABC\AdminConsole\bin\i386

On each Advanced Insight user’s computer, copy these files and folder to a location accessible by the user, for example C:\CMTools or %AppData%\CMRCtools.

We also need a copy of the Advanced Insights utility AdvInsRemoteControl.exe stored in the same location. The user is prompted to download and run this from the Advanced Insights portal the first time they try to use remote control if the app has not already been executed.

The AdvInsRemoteControl.exe file

AdvInsRemoteControl.exe is included with the installation of Advanced Insights in the folder C:\Program Files (x86)\Advanced Insights\Api\Installers. It is a DotNet Core application which handles calling the Configuration Manager Remote Control utility from the Advanced Insights website. On first run AdvInsRemoteControl.exe registers itself in the Registry as a class type under Computer\HKEY_CURRENT_USER\Software\Classes\cmrc

This allows the Advanced Insights website to invoke the ConfigMgr Remote Control agent when required. If you delete or move the AdvInsRemoteControl.exe you can reregister it simply by running it again from Windows Explorer.

The application will check for the correct Configuration Manger files and folders when it runs and will alert you to any configuration errors.

Applies to: Advanced Insights

Anywhere in the Advanced Insights portal when you click a computer name you will be shown the Device View. If the device is online the Remote Control button in the top right hand corner will be available.

A confirmation message is shown

Following which the Remote Control tool will launch.

If you are missing the setup outlined in the "Requirements for Remote Control" document, you will be shown this message.

Clicking yes will take you to the Requirements for Remote Control documentation page. You must complete the rest of the requirements above to be able to use the tool.

Applies to: Advanced Insights

To provide easy access to all dashboards and individual devices, collections, updates, etc. Advanced Insights is provided with an optional Configuration Manager Console Extension. This adds a node to the Assets and Compliance view of the console as well as providing an additional option in the context menu when right-clicking certain object types in the console.

Download

Download and unzip the Console Extension using the link below.

Installing the Console Extension

To import the Extension, navigate to the Administration node of the Configuration Manager console and expand the Updates and Servicing node. Right click Console Extensions and select "Import Console Extension".

Browse to the location of the unzipped Console Extension download.

Select the AdvancedInsightsConsoleExtension.cab file and click Open, then click Next, next and Close.

The newly imported Console Extension will be listed alongside any other extensions you have deployed. You must now Approve the Extension by right clicking and selecting "Approve".

Once approved the Extension can be Installed:

You will be prompted to restart the ConfigMgr Console. When it reloads the Advanced Insights node will have been added tot he Assets and Compliance view:

First Run

When you click the Advanced Insights node, a dialog is displayed in the detail pane asking for the details of your Advanced Insights portal.

Provide the relevant URL, including https:// prefix and any required port, for example https://server.contoso.com:444 and click OK. If the address is correct, the Advanced Insights login page will be displayed. You can re-run the configuration step any time by right clicking the Advanced Insights node and selecting "Configuration".

Using the Extension

The first obvious use of the Extension is to display the Advanced Insights portal right there in the ConfigMgr Console:

The second use scenario is to access the rich display capabilities of Advanced Insights when working with Console objects. For example, right-clicking a client and selecting "View in Advanced Insights" will open a new browser window and automatically display the device view for that client.

This functionality is available for Devices, Collections, and Updates in the ConfigMgr console.

Applies to: Advanced Insights

Creating your first Custom Dashboard

Custom Dashboards are created and maintained in the Administration node.

Click Create New to open the dashboard editor.

Here I have provide a name, description and chosen an icon for my dashboard. I have filtered the "page" column of the dashboard items column to find the objects I want.

Each item I add to my custom dashboard can have dedicated filter options applied. Here I have selected the update I wish to see the trend data for and have set that I want to render data from the date posted. I will add a second Update Installation Trend chart top my dashboard and set it to show the state of a different update.

Having saved my dashboard, it now shows up in the menu and I can select it to render my chosen charts.

Applies to: Advanced Insights and Patch Insights

The Home Dashboard is the first screen shown to you when first logging on to Advanced Insights. This page is designed to be a "daily check" type of view for your Configuration Manager environment, with a focus on software updates.

Video Overview

Dashboard Overview

The statistics across the top will show you details about your Configuration Manager environment and how long it has left in support, the number of devices in your environment which are under configuration, management versus devices that don't have the SCCM/ConfigMgr client install. We'll show you the number of updates in the environment which are required by at least one device, and we'll also show you any issues that you may be having with distribution of content across the Config manager infrastructure.

Click Through Data

As with everything in the Advanced Insights interface, you can click on any of these stats to see further information about the devices or the infrastructure that is listed behind them. For example, clicking the Managed Devices box, will show a list of the machines and their managed/unmanaged state.

Donut Charts

The next row of statistics are doughnut charts, which show you information about your Configuration Manager client count. In our demo environment we see that there are three devices running an old version of the client, two that are on a more recent version and everything else is fully up to date.

The next doughnut chart shows us details about Windows 10 and Windows 11 devices, and their support status. This chart can be pivoted to some of the other metrics that we have about Windows 10 and Windows 11. So for example, the servicing channel and we can also see things like the editions and the release version.

We can view all of the data used to build this chart by clicking the view chart data button under the cog icon.

We also show the same support and edition information for the Office 365 client if you have that deployed in the environment.

Scan Cycle Chart

The chart on the right hand side will show us the status of the software updates scan cycle in your in your client estate. So here you can see that currently we have one machine which is running the software update scan and two have completed successfully. There are no errors. If everything is green in this chart, then that means that your software updates scan environment is healthy.

The final row on the home dashboard will show as computer compliance, sorted by default by your least compliant computers from a software update perspective.

We have several machines that have not sent in any software update compliance data for a while and so their compliance status is unknown against more recent updates. We can scroll through this list and can expand out the number of records that are being shown to show you a longer list.

Device View

Clicking on any machine will take you to the detailed device view for that client where we show you the software update state for that individual machine.

This view shows detail of update agent configuration and scan health as well as required and installed updates. The Actions row allows us to invoke client actions against the device, such as an update deployment evaluation, reboot, etc.

The final view on the home dashboard is of deployed updates compliance.

We have dedicated Software Updates dashboards for a more detailed view of this data, but on the home page we can see our least compliant updates, and we can click through to see significant detail about each object, its deployment state, etc.

Applies to: Advanced Insights

When creating or editing a Custom Dashboard, if the user has Create Public Dashboards permissions, the dashboard being created can be shared with individual users, or assigned to an existing role.

To give access to additional roles and/or users when editing a Custom Dashboard, you can use the section at the bottom of the editor page to grant access.

CCusom Dashboards can also be assigned to roles and users in the Administraion node, for example to add a custom dashboard to a Role:

Applies to: Advanced Insights

Active Directory Group Authentication enables the Advanced Insights administrator to associate Advanced Insights Roles with AD Security Groups. This ensures that a new user is automatically granted the relevant rights in the portal without the need for manual user creation.

Once this is configured, we can assign an existing role to an Active Directory Group, or create a new role for a group. N.B. There is currently no support for nested groups.

Assigning a Role to an Active Directory Group

Navigate to Administration > Roles.

1. Click Create new role

2. Enter a name for the role (in this example, "Helpdesk"

3. Type the name of the associated Active Directory Security Group, here, we are using "sg-Helpdesk". Ensure the group name is validated on save.

Now click the Permissions tab and select the pages and permissions you want to grant to this role.

Logging on with an account in the helpdesk role, the user is granted only the access stated in the role configuration:

Applies to: Advanced Insights

Applies to: Advanced Insights

Applies to: Advanced Insights

Applies to: Advanced Insights

Applies to: Advanced Insights

The Displays donut chart lists several properties, by default Manufacturer is shown, but this can be pivoted to Model, Connection Type, Year of Manufacture, Size and Resolution by clicking the property button:

The Connected Displays table lists all machines and their individual display configurations.

Clicking any device listed will take you to the Device View, with the Hardware - Display tab selected:

This view shows you the physical horizontal layout of the monitors on the user's desk (note, vertical positioning is not shown). The primary monitor is indicated with the Windows logo. The hover over text lists additional monitor properties, also listed in the table below.

Applies to: Advanced Insights

This dashboard shows User details that have been imported through discoveries into Configuration Manager.

The top row of the data gives you a quick overview of the number of Active Directory Users, Azure AD Users, All Active Directory User Groups and Primary Device Users.

Click through any of these dash stats to be able to load a table with all the information you have selected

Users

This table list users which have been discovered from Configuration Manager.

User Groups

This table list all the Active Directory User Groups which have been discovered from Configuration Manager.

Applies to: Advanced Insights

This dashboard shows details for device properties from within Configuration Manager.

The top row of statistics gives you quick access to Managed Devices (Devices with a Configuration Manager client), Virtual Devices, Portable Devices and Desktop Devices.

Click through any of these dash stats to be able to load a table with all the information.

From this table you are able to do several different functions. You have the ability to multi select devices and perform one of the many built-in right click options available to you in the Configuration Manager Console and also some of the PatchMyPC actions too.

There is an export button at the top right corner (Cog) where you can export the dataset to a CSV file.

At the bottom of the table page you can also make the page size large in rows and also by selecting a device or multi devices add them into a collection.

Donut Charts

The next row of statistics are doughnut charts, which show you information about your Configuration Manager client count, Client Heartbeat, Client Hardware Inventory and Client Device Properties.

Client Deployment

In this Donut chart you can see all the different versions of Configuration Manager clients you managing in your environment. This is a handy stat to see after a Configuration Manager upgrade to see. When you click on the cog in the top right you will have an option to View Chart Data or refresh data.

When you click on the View Chart Data button you will get a whole list view of all the clients and their Configuration Manager client versions.

Filter the data by any of the titles to make a more customised report for yourself.

Client Heartbeat

In this Donut chart you can see how long since a Configuration Manager had sent its Heartbeat Discovery to Configuration Manager. This can be from Today, 3, 7, over 7, 14 and 30 days.

Client Hardware Inventory

In this Donut chart you can can see how long is been since devices have submitted their hardware inventory data to Configuration Manager.

Client Device Properties

In this Donut chart we have the option to pivot the data to different options

• Manufacturer

• Memory - Installed (GB)

• Cpu - Type

• Disk- free disk space (C:)

• Bitlocker Status (C:)

• BIOS Version (Top 20)

Applies to: Advanced Insights

This dashboard hosts two primary tables.

Disks and Logical Partitions

The top table lists physical disk, the partitions defined on that disk and the logical drives created on that partition. For example:

Here, a a machine has five physical disks, Disk #0 has three partitions, but only one of these partitions has a logical drive with a drive letter (C:) defined (the "missing" partitions in this instance are the Windows Recovery Partition and the EFI System Partition). That partition is allocated 232.3GB of a 232.9GB disk (~100% of the drive) and the logical disk is 232.3GB in size with 168.2GB free space, i.e. it is 27.6% used.

Physical Storage Device Health

The storage health statistics are gathered from Windows S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) tools.

Each disk presents the data it supports (not all disks report PowerOn statistics, or temperature, these are listed where available). We can see the wear statistic reported by SMART. The higher the wear percentage, the more likely it is that the disk will fail.

Applies to: Advanced Insights

Advanced Insights will display battery health data for managed devices. The table lists all devices with battery data. The design capacity (in mWh) is listed alongside the current Charge Capacity. The Health percentage shows the ratio of Charge Capacity to Design Capacity. As the battery loses capability to hold charge, the percentage shown will be lower. 100% Health is Good, 0% Health is bad.

This data is gathered by the Advanced Insights inventory extensions using the Powercfg.exe utility included with Windows.

Clicking an individual machine will show some additional detail about the device battery in the device view.

Applies to: Advanced Insights

The Collections dashboard has significant functionality below the surface.

Each collection is shown, with its relevant metadata and device count. The Quick Search feature helps to rapidly location a specific Collection, the containing console folder is shown in the Path column.

Clicking an individual collection opens the Collection Members view:

This view allows you to remove members with the delete button (for direct members only). You can also access all of the client actions available for one or more selected clients using the Bulk Actions menu.

The list icon hosts an Add Resources option. Clicking this allows you to import a CSV of resources to add to the selected collection.

The collection modification process will verify that the listed devices are valid clients, and are not already members, before adding to the collection, the results of the action will be shown on completion.

Applies to: Advanced Insights

This dashboard shows details for all Applications defined in the Configuration Manager console.

The top row of statistics give you quick access to any applications modified recently as well as enabling you to see unused applications which can potentially be retired.

The table lists all applications and their aggregated deployment status, i.e. if there are multiple deployments for an application this level provides an overall summary of all deployments. This table can be filtered to a chosen collection.

Click through to any individual application shows additional detail, including individual deployment compliance:

General Information

The General Information tab lists the metadata for the application and details of the distribution point status for the application.

Deployment Types

The Deployment Types tab lists all deployment types defined for the application, the relevant technology and content size with the source path.

Deployments

The deployments tab lists each deployment and its related compliance.

Compliance

The compliance tab lists each targeted client and its overall application deployment compliance. Clicking any individual machine will take you to the device view focused on the software - applications tab.

Applies to: Advanced Insights

This page shows a filterable list of each device and the video adapters inventoried by Configuration Manager. Where a device has multiple adapters, multiple rows are listed.

Click-through shows the device view with all inventoried adapters and their driver versions.

Applies to: Advanced Insights

This dashboard shows software usage which you have enabled from Configuration Manager Console. Ensure that the metering rules you have created are the correct executable name, version and language.

You can drill further down to the individual application to see which devices and users run the app.

Software Usage, General Tab

On this tab you can see the application you have selected and list which users have run this exe.

Software Usage, Usage Tab

This tab displays the details of the software usage.

Applies to: Advanced Insights

On this dashboard we show you data with regards to the Microsoft 365 Apps. The information shown in the donut charts are:

• Support Status

• Servicing Channel

• Platform (Architecture)

• Release Version

• Build Version

The table shows the latest support data from Microsoft.

When you click on the cog on any of these donuts you will be able to view the whole chart data.

Chart Data

In this data you filter on any of the headings and also export the data too.

Applies to: Advanced Insights

This dashboard will display all the Open Database Connectivity (ODBC) connections reported. We can see the name of the Computer, DataSource name, Server name, Database and Driver version.

Applies to: Advanced Insights

This page helps to track which wireless adapters are present in the environment. The device name and driver version are shown along with MAC Address.

Click through shows connection history in the device view.

All the information on this page are the web browsers extensions installed in the web different browsers.

Applies to: Advanced Insights

On the top bar of this page we are showing:

• Windows 11 - Count of all Windows 10 and 11 client devices that are inventoried as Windows 11

• Unappraised - Count of all Windows 10 client devices missing Windows 11 upgrade appraisal data

• Ready for Upgrade - Count for all managed Windows 10 client devices that can be immediately upgraded to Windows 11

• Cannot Upgrade - Count of all managed Windows 10 client devices that cannot be upgraded to Windows 11

The donut chart for OS Upgrade Readiness and Cannot Upgrade Reason you have a properties which you can toggle between the different versions of Windows 11. On these two donut charts you also have the ability to view the chart data and export from the cog icon.

The last chart on the left is the Windows 11 Upgrade Readiness Issues chart where you can see the reasons for why the devices are unable to upgrade to Windows 11.

The Reasons column have the following conditions which are flagged if a device is marked as unable to upgrade (Red) to Windows 11:

• If a system doesn't support TPM 2.0 (RedReason=Tpm)

• If the system isn't Secure Boot Capable (RedReason=UefiSecureBoot)

• If the system has less than 4 GB of RAM (RedReason=Memory)

• If the system doesn't have 2 processor cores (RedReason=CPU)

• If the CPU doesn't support 1 ghz and higher speed (RedReason=CPU)

• If the CPU doesn't support the Windows 11 approved CPU generation (RedReason=CpuFms)

• If the system is in SMode and not a home (core) sku (RedReason=SModeState)

• If the system drive size is < 64 Gb (RedReason=SystemDriveSize)

Applies to: Advanced Insights

On this operating system dashboard we are showing the following information:

• Pending Restarts - all devices

• Pending Restarts - Windows Updates

• Server

• Workstations

• Client Computer Operating Systems

• Windows OS Servicing

When you select Pending Restarts for one of the 4 options at the top you get a table with the device information, but also you get to see what the client has reported it is pending a restart for.

Windows OS Servicing

In this donut chart you can pivot the information using the properties button to show either the following information:

• Support Status

• Servicing Channel

• Release Version

• Edition (SKU)

• Build Version

From selecting a property you can then go and select for example build version and get a report just on one particular build version.

Or by clicking on the cog and then selecting View all Chart data you can get a table with all the devices in that property selected.

Applies to: Advanced Insights

On this report we can see all the groups members and users part of the Local Administrators group on client devices.

Applies to: Advanced Insights and Patch Insights

The Dashboard under Software Updates page give you an overview of the data for Software Update health and compliance.

Video Overview

Dashboard Overview

Along the top bar in the this dashboard you get shown the Synchronisation status of the top level Software Update Point, Updates that are Required by 1 or more devices which need deploying, last months update compliance and also the current month update compliance.

Update Synchronisation

In this dashboard we show all the Software Updates Point site and their synchronisation status. If you have multiple downstream Software Update Points you will see their status here too.

Updates Requiring Deployment

When you click through on this dashboard statistic you get a dashboard with the number of Critical and Security Updates that are not in any active deployments and are required my at least one computer in your environment. This excludes superseded and expired updates.

Last and Current Months Update Compliance

On these click through charts you can see a report on the Last and Current Months device compliance against deployed Critical and Security Updates released or revised in that month, this also includes Superseded updates.

On the previous month box you can toggle back to previous months to view the device compliance for that month.

Scan Cycle Chart

In this chart it will show us the status of the software updates scan cycle in your in your client estate. So here you can see on the previous day we have 24 devices have failed to complete a software update scan and 459 have completed successfully. If everything is green in this chart, then that means that your software updates scan environment is healthy.

Computer Compliance

The computer compliance, sorted by default by your least compliant computers from a software update perspective.

We have several machines that have not sent in any software update compliance data for a while and so their compliance status is unknown against more recent updates. We can scroll through this list and can expand out the number of records that are being shown to show you a longer list.

Update Compliance

The final view on the Software Update dashboard is of deployed updates compliance. This is sorted by the least compliant update.

Applies to: Advanced Insights and Patch Insights

This dashboard displays all the software updates and compliance data including superseded updates. You can also create custom reports by using the search and filter functions on this page.

Applies to: Advanced Insights and Patch Insights

The Software Update Groups dashboard shows high-level compliance for each SUG in the environment, with drill-through for additional compliance detail.

Clicking through to an update group shows the update group view:

This lists the basic metadata associated with the SUG and shows the compliance of all devices.

The Members tab shows the individual updates included in the selected update group:

The Deployments tab shows deployment details with start and deadline dates:

You can click through each deployment to see the reported deployment statistics including the enforcement state of each individual client.

Applies to: Advanced Insights and Patch Insights

In this dashboard you can see the last installation status for deployed software updates for computers needing the update.

Applies to: Advanced Insights

Sometimes we need you to provide log files, including information about your Advanced Insights instance. Your Advanced Insights deployment includes the Log Collector executable that can be used to collect all required logs.

This page provides details about what information the AdvancedInsightsLogDiag.exe collects.

Advanced Insights data and installation logs

The contents of the following directory are collected, which consist of the 'AdvancedInsightsApi.log' and any 'AdvInsights_Verx.x.x.zip' installer logs.

C:\ProgramData\AdvancedInsights\Logs

Windows Application Event Log

The Windows Application Event log data is collected and output into 'Application_EventLog.log' with a filter applied for the following event sources:

• ".NET Runtime"

• "Advanced Insights"

• "MsiInstaller" - if required to diagnose install problems, the filter will include

Advanced Insights SQLite db

The 'ConfigManagerLocation' and 'ConfigManagerDatabase' value are collected from the Advanced Insights SQLite database file located at:

'C:\ProgramData\AdvancedInsights\Data\Api\AdvancedInsightsConfig.db'

SQL Server information

The following information is queried from the SQL Server instance where the Configuration Manager database is located: SQL Master db:

• Configuration Manager database name

• Configuration Manager databaste state (ONLINE/OFFLINE)

• Configuration Manager database compatibility level

• Configuration Manager database .mdf file path

• Configuration Manager database file size

• Configuration Manager database log file .ldf path

• Configuration Manager database log file size

• SQL Server version

• SQL Server Product Level

• SQL Server Edition

• SQL Server Engine Edition

• SQL Server Product build

• SQL Server Product Major version

• SQL Server Product minor version

• SQL Server Product update version

• SQL Server Installed updates

• SQL Server remote query timeout value

• SQL Server maximum degree of parallelism value

• SQL Server Minimum size of server memory (MB)

• SQL Server Maximum size of server memory (MB)

Configuration Manager SQL database:

• Advanced Insights Inventory Extensions class names and data counts.

• Advanced Insights Inventory Extensions Configuration Manager application information. For example 'Name', 'created date', 'version', 'number of deployments'.

• Configuration Manager database level SQL configured properties:

  • MAXDOP

  • LEGACY_CARDINALITY_ESTIMATION

  • PARAMETER_SNIFFING

  • QUERY_OPTIMIZER_HOTFIXES

Windows Server IIS information

• Information related to the Advanced Insights IIS websites and application pools are collected.

• Advanced Insights Api

• Advanced Insights Frontend

• Website name

• HTTPS bindings included the current SSL certificate properties

Windows Server information

• The version of Advanced Insight currently installed.

• The install date of Advanced Insights.

• The install path of Advanced Insights.

• The install source of Advanced Insights.

• Server CPU properties.

• Installed Server RAM

• Server disks including total size and free space

• Windows OS version

• Check for Server pending restart.

• List Windows updates installed in the last 30 days.

Applies to: Advanced Insights

This will ensure the BitLocker Unmanaged and Recovery at Risk statistics are populated.

The top row of statistics help to identify where configuration errors may be causing compliance issues.

The first statistic, "BitLocker Unmanaged" shows Computers which have a BitLocker Encrypted Operating System Drive but are not under the control of a Configuration Manager or integrated MBAM Agent Management Policy. These devices may not conform to the required standard and will not report compliance.

Recovery at risk lists computers which have a BitLocker Encrypted Operating System Drive but have not yet escrowed a recovery key into the Configuration Manager database. You may be unable to access these devices in the event of a BitLocker Recovery prompt.

Inactive TPM portable devices lists laptops machines which do not show an activated TPM chip.

Non-Compliant Computers shows BitLocker Encrypted computers which do not conform to the BitLocker policies set in your environment. Clicking through will show the compliance conflicts:

The row of donut charts show the BitLocker status for all workstation clients (off, on, suspended or unknown). We show the BitLocker Cipher in use by the clients (this requires the MBAM integration listed above). We show the TPM version of the clients and the TPM Status (Activated, Enabled, Unknown). TPM "Enabled" is ready for activation by the OS, but is not currently in use.

Applies to: Advanced Insights and Patch Insights

The Software Update Deployments dashboard shows high-level compliance for each Software Update Deployments in the environment.

Clicking through the Software Updates deployments you can see the general information about the deployment.

You can toggle the DeploymentStatus to show you the following fields:

• Compliant

• Enforcement State Unknown

• Pending System Restart

• Downloaded Update(s)

Applies to: Advanced Insights

The User profiles dashboard is data collected from the Inventory Extensions. Here we are able to display information on:

• Aged Profiles - Users profiles with last logon greater than or equal to 90 days.

• Unknown Age Profiles - User profiles with no last logon date data.

• Orphaned User Profiles - User profiles with no associated user account.

• Conflicting Paths - User profiles on the same device that share the same user profile path.

On each of these reports you will be able to see the Computer name, Account name, Last logged in date, Age and Size of the user profile.

The donut chart breaks down profiles based on size on disk.

The User Profiles chart gives you a full list of inventoried user profiles on client devices but also you have the ability to delete a users profile from a device too.

Starting with version 2.4.1, the installation of Advanced Insights supports the configuration of a custom IIS Application Pool identity. A default installation of Advanced Insights sets 'LocalSystem' as the identity for both the Advanced Insights Api and Frontend IIS application pools.

A custom identity (Active Directory account) can be set as part of the installation either for a new install or upgrade. When using a custom identity, the account is also granted full control file system permissions on the following directory path: C:\ProgramData\AdvancedInsights.

The IIS application pool identity can also been modified for existing installs too.

Applies to: Advanced Insights

At the top of this dashboard you can see how many devices have reported Microsoft Update Inventory Data, count of Critical and Security updates required by one or more devices, Drivers required by one of more devices and Classifications and/or Products for required updates that you are not currently synchronising into Configuration Manager.

On the Windows Update Scanning Sources Donut chart you have 2 sources:

1. Windows Updates - Only does updates for the Windows Operating system itself. These updates also include Windows components such as Internet Explorer, DirectX, .NET and Windows Media Player. It also includes security and service pack updates.

2. Microsoft Update - Includes all of the items that Windows Update covers as well as other Microsoft products such as Office, SQL and Exchange all in one place.

On the All Required Updates report you get a list of updates available from Microsoft which 1 or more device require an update for which are not sync'd in your software update point for deployment.

Applies to: On-premises Publisher

When installing the Publisher for Configuration Manager, please ensure you meet the following requirements:

Software:

• Microsoft .NET Framework 4.6.2 or above

• Internet connection

• The relevant domain names for Patch My PC have been added to your firewall's allowlist

• Install the Publisher on top-most WSUS/Software Update Point in the environment

• Appropriate disk space depending on the number of products enabled

• Install the Configuration Manager console

• Supported Operating Systems

  • Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2019 and Windows Server 2025

  • Windows Server Update Services (WSUS) installed and configured

Hardware:

The Publisher is a lightweight Windows application with a GUI frontend and a Windows service backend. The hardware requirements can be found below.

• CPU: 2 CPU or more

• Memory: 8GB of RAM or more

• Disk Space: 80GB of disk space or more

  • The amount of disk space required will depend on the number of selected products.

Applies to: On-premises Publisher

Before Getting Started

Here are a few important resources below you get started.

Free 30-day trial

Free Setup Call with an Engineer

Video Installation Guide

If you prefer using a video guide, you can watch the video version below.

Continue Guide

Next up, start with the requirements

Applies to: On-premises Publisher

Download the Publisher MSI Installer

Run the Installation

Start the installation by double-clicking the downloaded MSI.

Welcome Screen

Once the installation starts you'll be greeted by the welcome screen in our installer wizard, click Next.

End-User License Agreement

Read the End-User License Agreement. After that, select I accept the terms in the License Agreement and click Next.

Disable Microsoft Intune Standalone Mode

Ensure the option Enable Microsoft Intune standalone mode is not selected. Enabling this will disable any prerequisite checks for integration with WSUS/ConfigMgr and also hide options for publishing to WSUS/ConfigMgr after installation.

This option is for customers who intend to publish only to Microsoft Intune.

Click Next.

Select Installation Folder

By default the Publisher is installed in C:\Program Files\Patch My PC\Patch My PC Publishing Service. This location is where we store all of the product's configuration information.

Ready To Install

Click Install.

Completed

Once the Publisher has finished installing, click Finish to close the installation wizard.

Applies to: On-premises Publisher

Feature Enablement

To enable products to publish, check the Enable publishing of third-party updates checkbox.

Once the option is selected, you'll be able to enable other products.

To find and enable these products, you can search the list of updates using Ctrl + F or by clicking on the magnifying glass in the lower right corner.

When you select the search button a dialogue will open, type in one of our example products and hit enter, or click OK.

Once you have found the product you want to patch, click the checkbox for your preferred architecture choice and click Apply.

Next, you will need to enable the product in Configuration Manager to ensure the updates appear and become deployable via Configuration Manager. To do this first, you will need to complete a normal publisher sync. This will insert the updates into the WSUS database for each product selected. Once the updates are in the WSUS database, we will then need to pull them into ConfigMgr with a Software Update Point sync. You can run a publisher sync at any time from the sync schedule tab. Within that tab, there is an option to “Trigger SCCM software update point sync when new third-party updates are published”. With that option enabled, a Software Update Point sync will occur after the publisher sync. Alternatively, you can leave that box unchecked and run a SUP sync manually. Upon completion of the publisher and SUP sync a new product called 'Patch My PC' will become available in the software update point configuration tab. To reach this tab you will need to navigate to sites, right click the primary or CAS, select configure site components and choose Software Update Point.

Once this loads, select products and check the entire Patch My PC category.

Once enabled, the next software update point sync will pull in all updates created by Patch My PC.

Applies to: On-premises Publisher

Certificates

When working with a Configuration Manager or WSUS implementation, proper certificate configuration is crucial. One way Microsoft helps ensure an update is considered secure and from a trusted source is through the utilization of a code signing certificate. This requirement means all custom updates must be code signed before injection into WSUS. We provide three different ways to configure the certificate.

In most organizations, allowing Configuration Manager to manage the certificate is acceptable and the easiest option. There may be external requirements that prevent the usage of self-signed certificates. To read our in-depth guide on certificates click the link below.

If a self-signed certificate managed by Configuration Manager, is acceptable for your organization complete the steps below.

Self Signed - Configuration Manager Managed

If you are running SCCM 1806 or newer, you can enable the option for “Configuration Manager manages the certificate” in the Software Update Point configuration. To configure this setting complete the following steps.

Begin by opening the configuration manager console and then

1. Select Administration

2. Expand Site Configuration and select sites

3. Select your topmost Site (If you have a CAS, select the CAS) - Right click the site

4. Select Configure Site Components

5. Select Software Update Point from the fly-out.

This will open up the software update point management component tab. From this window complete the following steps if not already done.

1. Select the Third Party Updates Tab

2. Validate Enable third-party software updates is checked.

3. Validate Configuration Manager manages the certificate option is selected.

4. Select Apply

Once enabled, SCCM will automatically generate the signing certificate during the next software update point sync. You can force a software update point sync at any time. To force a software update point sync, complete the following steps.

1. Browse to Software Library

2. Expand and Software Updates > Right-click All Software Updates

3. Select Synchronize Software Updates

4. Hit OK on the pop-up message.

If you want to watch, and confirm the certificate is properly created, you can open the wsyncmgr.log this log is located in %ConfigMgr Install Directory%\Logs\wysnmgr.log. Alternatively, you can click the button displayed below in the Publisher General Tab.

With the log file open you'll want to watch for the entry stating the certificate was inserted. This indicates the certificate has been generated and is ready to be used.

You can ascertain if the certificate exists and is ready for use by clicking the Show Certificate button in the publisher.

Applies to: On-premises Publisher

Scheduling Daily Publish

By default, we recommend the Publisher sync runs on a daily basis. The sync schedule only controls when updates or applications are published to your environment. Patch My PC does not automatically create deployments in Configuration Manager for you.

When Patch My PC releases these new updates, the sync schedule is what automates the publication process. You can also manually start the sync and publication process at any time by selecting the Run Publishing Service Sync option.

Applies to: On-premises Publisher

When installing the Publisher for an Intune-only configuration, ensure you meet the following requirements:

Software:

• An Internet connection

• Appropriate disk space depending on the number of products enabled

• Supported Operating Systems

  • Windows 10 or Windows 11

• Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2025

  • When using Windows Server, only the WSUS API component needs to be installed, not full WSUS.

Hardware:

The Publisher is a lightweight Windows application with a GUI frontend and a Windows service backend. The hardware requirements can be found below.

• CPU: 2 CPU or more

• Memory: 8GB of RAM or more

• Disk Space: 80GB of disk space or more

  • The amount of disk space required will depend on the number of selected products.

Applies to: On-premises Publisher

Feature Enablement

To activate any of the tabs in Patch My PC Publisher, the corresponding checkbox must be checked. If you do not check this option the product selection tree for the corresponding tab cannot be used.

Application Options

The application Options button has a lot of different features. This installation guide will not cover the options in detail but instead give you a quick, straightforward guide to getting the product installed. For more detailed documentation, click the more info links in the Publisher.

Let's get started to begin, click the Options button next to the enablement checkbox.

This will load the options panel in the Publisher.

After clicking the Configure option, the below pop-up will appear.

Once you enter the name of the server select Test to validate the configuration.

In the event the test result fails, you will instead see the following message.

If the connection fails, click Create ConfigMgr Security Role to automatically create a new security role with the minimum required permissions. Please see the article below for more details.

Once you have completed a successful connection to the SMS provider select OK to finalize the configuration.

Next, you'll want to provide a UNC share to store the application content. This path needs to be accessible by the computer account of the machine running the publisher as well as the ConfigMgr site server, or a dedicated service account

The above configuration would create the below folder structure similar to the structure below.

Below are the default settings which will work fine for most setups. Our product provides a lot of customization options.

To learn the details about all items on this page, check out the article below.

Once you have the base options selected, you are ready to check out a simple application for testing. We recommend using 7-zip. Its small size makes it ideal for testing. Use the search icon in the bottom right or the Ctrl+F key combination to search for Igor

Select Apply. We do provide a large number of right-click options to fully customize the application installation process, those steps as described in the article below.

Applies to: On-premises Publisher

Local Content Repository

The products that need to be downloaded and stored locally are listed below.

Backup and Restore

All settings within the publisher are backed up the publisher is closed using the "OK" button, or the "Apply" button. These settings are stored in the backup directory where the Publisher is installed. You can get an immediate backup of the publisher at any time using the options in the Advanced tab.

Applies to: On-premises Publisher

Before Getting Started

Here are a few important resources below to get you started.

Free 30-day trial

Free Setup Call with an Engineer

Video Installation Guide

If you prefer using a video guide, you can watch the video version below.

Continue Guide

Next up, start with the requirements

Applies to: Advanced Insights

In order to function and to help improve our product and services, Advanced Insights collects and stores the following telemetry data.

Applies to: On-premises Publisher

Downloading the Newest Version

You can always download the latest MSI installer of the publishing service using the following URL:

Run the Installation

Start the installation by double clicking the downloaded MSI.

Welcome Screen

Once the installation starts you'll be greeted by the welcome screen in our installer wizard, click next.

End-User License Agreement

The next step will be to accept the EULA. Make sure you select the "I accept the terms in the Agreement" and hit next.

Enable Intune Standalone Mode

When installing the product we provide an option called Intune Standalone mode. If you do NOT intend to use the product with Configuration Manager, ensure the option is checked and select next.

Select Installation Folder

By default, we install the publisher service in C:\Program Files\Patch My PC\Patch My PC Publishing Service\ This location is where we store all of the products configuration information.

Ready To Install

You are now ready to install the product! Click Install, and grab a drink of water.

Completed

Once the publisher has finished installing, just hit the finish button to close the install wizard.

2FA - Administrator settings

Enabling 2FA

To enable 2FA, first go to Administration -> Settings -> Security and tick Enable two factor user login.

Once enabled, you can also enable the ability to allow users to trust the browser they are using. This skips 2FA on subsequent logins but this is optional.

As an admin, you can also enable and disable 2FA for a user. This will override the users 2FA settings.

Disable 2FA for user

Go to Administration -> Users -> and click on the Actions button for the user you want to modify. Then on the dropdown click Edit.

On the user properties modal, click Two factor authentication enabled and then Save.

2FA - User Settings

Enabled 2FA

When logged in, click on your user profile in the top right of the webpage, then click My Settings from the dropdown.

You will now be presented with your users settings. You will see a banner at the bottom to enabled 2FA

Click Enable, then the modal will load with the steps to enable 2FA.

1. Scan the QR code using your authenticator app of choice.

2. Enter the code generated by your autenticator app to confirm correct settings

3. Click Download on the security code, the continue button will now enable.

4. Your account will now have 2FA enabled, click done.

Once you have enabled 2FA, you will be greeted on login for a code.

Disable 2FA - User

To disable 2FA, go back into My Settings, on the bottom you will see two new buttons called Recovery codes and disable. Click disable and then enter the code generated in your 2FA app.

Applies to: On-premises Publisher

Catalog Information - License Key

When the publisher first launches, you will be required to provide a license key. If you have not yet purchased and received your license key, we provide two additional free options for testing our product.

The first option is to enable the Limited Trial Mode. This limited trial mode does have some restrictions including a limited number of products as covered in the link above. We encourage you to request a free thirty-day trial from our website. When you receive your full-trial or customer license email, it will contain your 20 character license key.

If the license validation is successful, it should look like the below image.

Applies to: On-premises Publisher

This article covers integrating the Patch My PC Publisher with your Intune tenant. We will go over creating an app registration in your Azure AD environment and configuring the Graph API permissions required for the Publisher to automatically create, update and assign Win32 applications in your Intune tenant; as well as configuring the tenant authority, application ID and application secret within the Publisher.

Topics covered in this article:

• Step 1: Registering the Patch My PC Application in Azure AD

• Step 2: Configure API Permissions for the New Application

• Step 3: Configuring Certificates & Secrets

  • Option 1: Creating a self-signed Certificate

    • Create the Certificate

    • Export the Public Key

  • Option 2: Creating a Client Secret

• Step 4: Configuring the Patch My PC Publisher to Connect to the Intune Tenant

  • Test authentication, Connectivity and API Permissions

Step 1: Registering the Patch My PC Application in Azure AD

In order for our service to have permissions to your Intune tenant for application management, start by navigating to your environment’s Azure AD portal, head to App registrations, and click New registration in the top left of the main pane.

Give your app registration a relevant name such as “Patch My PC – Intune Connector”. Configure the account types based on your tenant requirements. For the Redirect URI, leave it to the default unless you have specific requirements for configuring the Redirect URI. Then click Register.

Step 2: Configure API Permissions for the New Application

After you register a new application, we will need to delegate certain permissions in order for the Patch My PC Publisher to create and update Win32 applications in your Intune tenant, as well as view Azure groups and create assignments for the applications automatically.

Once the new app is registered, navigate to the API permissions node in the left column of the newly created app’s page. In the API permissions page, click the button to Add a permission, then in the right pane that appears, select the Microsoft Graph API.

Then, you are prompted for what type of permissions your app requires select Application permissions. In the Select permissions table view, search for “DeviceManagement” and under those permissions, enable the following:

• DeviceManagementApps.ReadWrite.All

  (View and create applications in Intune)

• DeviceManagementConfiguration.Read.All

  (View properties and relationships of assignment filters)

• DeviceManagementManagedDevices.Read.All

  (View device inventory for the auto-publish feature)

• DeviceManagementRBAC.Read.All

  (View scopes to be assigned to applications)

• DeviceManagementServiceConfig.ReadWrite.All

  (Update Enrollment Status Page configurations)

Then, search for “GroupMember”, and under Group permissions, enable:

• GroupMember.Read.All

  • View Azure AD groups to enable automatic application deployment

Click Add permissions.

To approve the new permissions, click Grant admin consent for. Choose Yes if you are prompted to consent for the required permissions. You must be logged into an Azure AD account with permissions to perform this task.

The result is shown below.

Step 3: Configuring a Certificate or Client Secret

A certificate is considered more secure than a client secret for authentication to the new app registration as it is something you have (private key) rather than something you know (password). A client secret is the easiest configuration method but is considered less secure.

Choose either Option 1 or Option 2 from the steps below to create an authentication credential for use with the new app registration. We strongly recommend using Option 1.

Option 1: Creating a Self-Signed Certificate

The following are the current requirements for using certificate-based authentication that apply to both purchased and self-signed certificates:-

• A 2048-bit key length. While longer values are supported, the 2048-bit size is highly recommended for the best combination of security and performance.

• Uses the RSA cryptographic algorithm. Azure AD currently supports only RSA.

• The certificate is signed with the SHA256 hash algorithm (Entra ID also supports certificates signed with SHA384 and SHA512 hash algorithms).

• The certificate is valid for only one year.

Follow the steps below to create a self-signed certificate using the New-SelfSignedCertificate and Export-Certificate PowerShell cmdlets:-

Create the Certificate

Open a PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.

Copy the following code snippet to and paste into the elevated PowerShell window.

$subjectName = 'PatchMyPCIntuneConnector'
$certStore = 'LocalMachine'
$validityPeriod = 12

$newCert = @{
    Subject = "CN=$($subjectName)"
    CertStoreLocation = "Cert:\$($certStore)\My"
    HashAlgorithm = 'sha256'
    KeyExportPolicy = 'NonExportable'
    KeyUsage = 'DigitalSignature'
    KeyAlgorithm = 'RSA'
    KeyLength = 2048
    KeySpec = 'Signature'
    NotAfter = (Get-Date).AddMonths($($validityPeriod))
    TextExtension = @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
}
$cert = New-SelfSignedCertificate @newCert

Verify the certificate was created successfully in the Local Machine Personal Certificate Store by running certlm.msc.

Export the Public Key

We need to export the Public Key and upload it to the new app registration for the Patch My PC Intune connector. Follow the steps below:-

Open PowerShell window on the same computer where the Patch My PC Publisher is installed. Be sure to elevate the prompt by choosing Run as Administrator.