Using “Rings” to Test and Update the PolicyPak Client-Side Extension (And How to Stay Supported)
In this article we’re going to help you answer the question “How can I best pre-test a PolicyPak client-side extension (CSE) rollout, before deploying it to all my end-computers?” Now, you might be wondering why you shouldn’t just send the latest CSE to all your machines all at once, always, whenever a new version is released.
The answer to this is that while PolicyPak acts as part of the operating system and helps you manage important security and configuration items, no product is bug free and, therefore, PolicyPak cannot guarantee that any updated CSE will work 100% with what you already have. As such, you should pre-test newly provided CSEs to a small group first and verify if they are working the way you expect before you deploy them out to all your machines.
What we want to avoid is a situation where you mass-deploy an untested CSE to 100% of your machines and THEN find that you have some problem you need to back out of since this can be very time consuming and difficult to do. Instead, if you pre-test the CSE before mass rollout you will have increased confidence to roll it out estate-wide.
Understanding the Microsoft “Ring” Model for Rollouts
PolicyPak is not alone in wanting to ensure your confidence during Windows 10 updates. Indeed, Microsoft themselves have this exact same concern and recommendation. Ever since Windows 10 shipped, Microsoft has recommended a “ring” approach to updating Windows.
This is because Windows is constantly updated: every month (bug fixes), and twice a year (huge upgrades).
When Windows itself gets updated, there are controls available to help you “draw lines” around machines so you can know in advance which machines will get which new software. These lines are known as “deployment rings,” “update rings,” or just “rings.” We recommend you get familiar with Microsoft’s idea of rings using the following resources:
- Microsoft: https://docs.microsoft.com/en-us/windows/deployment/update/waas-deployment-rings-windows-10-updates
- Using PolicyPak to manage Windows Update for Business Rings: https://www.policypak.com/pp-blog/windows-update-business
- Microsoft Ignite talk about Rings: https://www.youtube.com/watch?v=omwelzp-Hlw
- Jeremy’s MDM book (Chapter 9): MDMandGPanswers.com/book
If you want the super-fast version of the idea, it goes like this:
- Allocate 2–5% of your computers to get the latest update (as soon as possible). If something goes wrong, you will know about it NOW, and not later when you’ve rolled it out to your whole estate.
- Then, if all goes well, increase it to 10–50%.
- Then, if all goes well, increase that to 51–100%.
These segmentations are what is referred to as “rings.”
Microsoft updates can be a little complicated because they also deal with “channels,” or the types of versions you want to install. Additionally, Microsoft’s model is more complex than PolicyPak’s model, because the updates are required and forced. Microsoft Quality Updates (i.e., bugfixes) are required to be performed within 30 days (or they will be installed automatically) and Microsoft Upgrades (i.e., new versions of Windows) are required to be performed within 365 days (or they will be installed automatically.)
But PolicyPak doesn’t have any of those requirements or any method to force an update. Instead, our lifecycle is pretty simple.
- Every 4 to 6 weeks, PolicyPak ships a new CSE with bug fixes and new features.
- That version goes into the PolicyPak Portal and is also then available for use within PolicyPak Cloud.
- When the monthly update occurs, we notify all customers (primary and secondary technical contacts).
- If some known issue occurs within the month, we will occasionally release a hotfix build and generally make NO announcement.
- Whichever is the latest CSE in the Portal or PolicyPak Cloud is the only version of the PolicyPak CSE that is supported.
This means that you only need to keep one simple MSI up to date on your endpoints to be at the latest build.
Remember that for PolicyPak On-Prem and MDM customers, the latest CSE isn’t magically “pushed” from us at PolicyPak down to your PCs. And for PolicyPak Cloud customers, the latest CSE isn’t dictated to your endpoints either. In ALL cases it’s an admin’s choice to opt-in to use the latest CSE and specify where exactly he or she wants to get started using it.
In the following sections, we’ll provide our recommendations for various PolicyPak products on how to implement a ring policy for PolicyPak CSE updates.
Recommendations for PolicyPak Cloud Rings and Rollouts
In PolicyPak Cloud, because the concept of “groups” is baked in, you can use a PolicyPak Cloud Group like a ring. Simply choose a group and manually specify to use a particular version of the CSE on that group. You can also specify to use a particular version of the CSE everywhere (using the special ALL groups).
Therefore, our advice would be to do the following:
- Set up a group of 2–5% of your computers. When a new CSE is released, you should opt in and use this group to start testing and verify success. If there’s a problem you can raise it to the PolicyPak support team and we’ll work with you.
- If all goes well, you can roll out the latest CSE to more PolicyPak Cloud Groups. It only takes one click within the group to select the CSE. Your target rollout for the new CSE should be around 30–50% of your Windows 10 machines. Again, at this point if there’s a problem, you can raise it to support and we’ll work with you.
- Then, after you’ve rolled out to 50% of your machines, you should be confident enough to roll it out to all machines.
- When ready again, simply pick the remaining PolicyPak Cloud Groups and select the latest Client Side Extension to opt-in more groups.
- Alternatively, use the special All group to finish your upgrade and mass upgrade the remaining PCs all at once (again, after you’ve done some pre-testing.)
For more details and a video on this process, see https://kb.policypak.com/kb/article/791-policypak-cloud-groups-cse-updates/
Recommendations for PolicyPak Group Policy Edition Rings and Rollouts
Chances are you already have some kind of on-prem software deployment system to perform your software updates, such as:
- PDQ Deploy (recommended by us here at PolicyPak for on-prem software installs)
- Microsoft SCCM
- Many, many others.
Whichever software deployment tool you are using, we recommend you make the following three rings for your CSE rollout:
- Allocate 2–5% of your computers to get the latest CSE update (as soon as possible). If something goes wrong, you will know about it NOW and can get support.
- Then, if all goes well, increase it to 10–50%.
- Then, if all goes well, increase that to 50–100%.
The idea of rings (or collections, groups, etc.) varies from tool to tool in the following ways.
- For SCCM, you use collections (and make them act like rings.) (See this official document: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/manage/collections/create-collections.) The rule you create would essentially look for NO CSE or an earlier Client Side Extension version.
- For PDQ Deploy, you use targets (and make them act like rings.) You can select Active Directory groups, text files with specific computers, PDQ Inventory groups, and other group lists. (See the details here: https://documentation.pdq.com/PDQDeploy/184.108.40.206/index.html?optimize-deploy.htm.)
- For other on-prem tools, see your corresponding documentation.
Note: While it’s possible to deploy the PolicyPak CSE via Microsoft’s Group Policy Software Installation, it is not recommended. Our official recommended way to deploy the PolicyPak CSE should you have NO on-prem software deployment tool is the free version of PDQ Deploy. (See the video series at https://www.policypak.com/integration/policypak-and-pdq.html.)
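One way to build the three rings as computer-list text files, which the PDQ Deploy item above names as a valid target type. This is an added example, not PolicyPak or PDQ code; the file names, the 30% middle ring and the hash-based assignment are assumptions.

```powershell
# Added example: split a computer list into three rollout rings and write one
# text file per ring. Assumed inputs: computers.txt (one name per line) and
# pilot.txt (hand-picked pilot machines). All names here are hypothetical.
param(
    [string]$AllComputers = '.\computers.txt',
    [string]$PilotList    = '.\pilot.txt',
    [int]   $Ring2Percent = 30,        # middle ring, inside the 10-50% range
    [string]$OutDir       = '.\rings'
)

function Get-Bucket([string]$Name) {
    # Stable 0-99 bucket from a SHA-256 of the upper-cased name, so a machine
    # keeps the same ring on every run and new machines spread evenly.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Name.ToUpperInvariant()))
    $sha.Dispose()
    return [System.BitConverter]::ToUInt32($bytes, 0) % 100
}

# Normalise both lists: trim whitespace, drop blank lines, de-duplicate.
$all   = @(Get-Content $AllComputers | ForEach-Object { $_.Trim() } |
           Where-Object { $_ } | Sort-Object -Unique)
$pilot = @(Get-Content $PilotList | ForEach-Object { $_.Trim() } | Where-Object { $_ })

$rings = @{ Ring1 = @(); Ring2 = @(); Ring3 = @() }
foreach ($pc in $all) {
    if ($pilot -contains $pc)                   { $rings.Ring1 += $pc }  # hand-picked
    elseif ((Get-Bucket $pc) -lt $Ring2Percent) { $rings.Ring2 += $pc }  # ~30% of the rest
    else                                        { $rings.Ring3 += $pc }  # remainder
}

# Warn when the pilot ring falls outside the 2-5% recommended for ring one.
$pilotPct = if ($all.Count) { 100 * $rings.Ring1.Count / $all.Count } else { 0 }
if ($pilotPct -lt 2 -or $pilotPct -gt 5) {
    Write-Warning ('Pilot ring is {0:N1}% of the estate (target 2-5%).' -f $pilotPct)
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($ring in ($rings.Keys | Sort-Object)) {
    $rings[$ring] | Set-Content (Join-Path $OutDir "$ring.txt")
    '{0}: {1} computers' -f $ring, $rings[$ring].Count
}
```

Because the bucket is derived from the computer name rather than drawn at random, re-running the script after machines are added does not move existing machines between rings two and three.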
Recommendations for PolicyPak MDM Rings and Rollouts
The concept of rings with regard to Windows 10 updates and upgrades is built into Microsoft Intune (and perhaps other MDM services). You can see Microsoft Intune’s example of rings here: https://www.anoopcnair.com/software-update-patching-options-with-intune/.
But the specific idea of using rings to deploy other software (any software), like the PolicyPak CSE, is not something native in an MDM service. Therefore, you will need to create computer groups, then assign software to those groups.
In Intune (and most other MDM services), groups can be simple or dynamic. You might want to create three groups like this:
- Simple group: Hand-picked machines which represent 2–5% of your estate.
- Dynamic group at 30%: A group you define with 30% of your Windows 10 computers.
- Dynamic group at the remainder (31–100%): A group you define with the remainder of your Windows 10 computers.
By making the groups dynamic, as computers get enrolled into your MDM service they will automatically be part of the first or second dynamic group. But because the first group is a simple group with hand-specified machines, those machines are the only ones that will get the initial rollout of a new CSE. Then, because the PolicyPak CSE is an MSI, you can use the MSI deployment method with your MDM service to target to these groups.
How to Stay Supported
Earlier we stated that the latest CSE in the Portal or PolicyPak Cloud is the only supported version.
The latest version is the one with the most fixes and features.
You might be wondering: if only the very latest CSE version is supported, does that mean that you lose support if you are unable to stay current (or nearly current) with the PolicyPak CSE rollouts? The answer, in summary, is no; you are always supported, regardless of the CSE version you have on your machine. You are always welcome to ask questions in the forums, open support tickets for “how do I” questions, and so on.
However, if you find a bug, problem, inconsistency, or other issue, then PolicyPak support will direct you to update (at least) one machine with the very latest CSE on it for investigation. And we will ask for log files from that machine after you have reproduced the issue. In other words, as a general rule, we will typically not begin to investigate your issue unless you can reproduce it on a machine with the latest CSE. There is no value in investigating old CSE behavior because the problem could already be fixed in the latest version. And, logging improvements could be present in the latest CSEs. Additionally, if your request involves us investigating the log files, similarly, we will not ask for nor investigate any log files unless the problem is reproducible on the latest CSE.
From a practical perspective though, you should attempt to have your Windows 10 machines on a Client Side Extension which was at least shipped within the last full year. Six months is better, and three months is even better. Upgrades should go smoothly from any Client Side Extension to any other Client Side Extension, but those are not expressly tested. We really only test the “previous Client Side Extension to current Client Side Extension” upgrade path. Therefore, when you stay as close to our currently shipping Client Side Extension as possible, you’re likely going to get the best experience and latest testing and fewest problems overall.
Furthermore, because corporate PCs are typically full of applications, system software, and possibly other unusual circumstances, we strongly recommend you have at least one “very clean” machine for ongoing testing. A “very clean” machine would have:
- Latest version of Windows 10
- Latest version of Microsoft Edge
- Latest version of Chrome or other browsers
- ONLY software which PolicyPak might be controlling, such as required with PolicyPak Application Manager, PolicyPak Least Privilege Manager, PolicyPak Start Screen & Taskbar Manager, etc.
- Not much else, and most specifically, no 3rd party system software or A/V software other than PolicyPak
In this way, you can hand-install the latest PolicyPak CSE and do some pre-flight testing before you even get to your rings. Then if you encounter a bug, you can quickly validate your bug report, and collect logs from a machine that’s close to you and available whenever you need it, not just when the user is available.
Final Thoughts and Recap
A Windows 10 rollout incorporates the concepts of rings so you can confidently roll out Windows 10 as new versions come out, month after month and year after year. PolicyPak encourages you to utilize the same parallel concept of rings when rolling out the PolicyPak CSE either for the first time or at update time.
Use your software deployment mechanism (either an on-prem system, or via MDM or PolicyPak Cloud) to make the rings you need. Keep in mind that you typically want to update 2–5% of your computers for a quick check, then feather it out to about 30%. Finally, after ensuring that everything is working properly, you can roll it out to the remainder.
If you fall behind, PolicyPak has no “force update” mechanism. You can stay behind and “out of date” for the PolicyPak CSE as long as you want (again, the practical outside length in this is about a year). As stated, we don’t recommend this, because in doing so, you specifically lose out on new features and fixes in the latest CSE.
With that being said, even if you fall out of date with the latest PolicyPak CSE, you are still entitled to support. Just remember that you will have to reproduce the issue on a machine with the latest CSE and be prepared to get logs from a “very clean” machine.
*** This is a Security Bloggers Network syndicated blog from Blog Posts – PolicyPak authored by Ali Hassan. Read the original post at: https://www.policypak.com/pp-blog/using-rings-to-test-and-update-the-policypak-client-side-extension-and-how-to-stay-supported