Supply chain management continues to be an area of significant security concern, and even for trusted suppliers who have been validated for installation in our environment, there is significant room for impact if their code repositories or build chains are compromised.
Currently, Patch My PC has several controls in place to ensure end-to-end code integrity and external validation of new updates, bringing significant assurance to the third-party patching process. As well, release of updates is entirely in the control of the customer, allowing as much or as little review to be implemented as needed before deploying to endpoints.
However, there is currently no customer control over updates being downloaded into our deployment repositories. If an update passes the bar that is established by Patch My PC to synchronize an update to customers, this update is downloaded into the customer environment during the next update cycle. In at least one instance, this has resulted in a (false positive) response from our internal security team when an update with a non-zero Virus Total score was downloaded and then quarantined by our EDR solution.
This request is to allow additional customer control over the Virus Total rating of updates that are accepted into our environment, along with tooling that allows for overrides once a review is undertaken. Specifically:
- Allow customer to specify the maximum number or percentage of Virus Total engines detecting an issue with an update before downloading into the environment, including zero
- Allow customer ability, post-review, to mark specific updates with non-zero scores for acceptance into the update synchronization for their site
- Provide an emailed report of any updates whose products are currently selected for patching in the customer's environment but for which updates are being withheld because they have not yet been reviewed and released by the customer
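As an added illustration of the three controls requested above (not Patch My PC's code), a Python sketch of the download gate: a customer threshold on VirusTotal engine detections expressed as a count or a percentage, a post-review approval list keyed by file hash, and the held-updates report restricted to products the customer has selected. The class names, fields and sample values are assumed and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Update:
    product: str
    version: str
    sha256: str          # constructed placeholder, not a real file hash
    vt_positives: int    # engines that flagged the file
    vt_total: int        # engines that scanned the file

@dataclass
class Policy:
    max_positives: Optional[int] = 0        # absolute engine count; None disables
    max_percent: Optional[float] = None     # percentage of engines; None disables
    approved: Set[str] = field(default_factory=set)           # hashes accepted after review
    selected_products: Set[str] = field(default_factory=set)  # products being patched

def decide(u: Update, p: Policy) -> str:
    """Return 'approved' (customer override), 'download' (within threshold) or 'hold'."""
    if u.sha256 in p.approved:
        return "approved"
    if p.max_positives is not None and u.vt_positives > p.max_positives:
        return "hold"
    if p.max_percent is not None and u.vt_total > 0:
        if 100.0 * u.vt_positives / u.vt_total > p.max_percent:
            return "hold"
    return "download"

def held_report(updates: List[Update], p: Policy) -> List[str]:
    """Lines for the emailed report: held updates for products the customer patches."""
    return [
        f"{u.product} {u.version} held: {u.vt_positives}/{u.vt_total} engines, sha256={u.sha256}"
        for u in updates
        if u.product in p.selected_products and decide(u, p) == "hold"
    ]

# Constructed sample catalogue: one clean update, one flagged by two engines,
# one flagged by a single engine that the customer has already reviewed and approved.
SAMPLE = [
    Update("AppA", "1.0", "placeholder-sha256-aaaa", 0, 70),
    Update("AppB", "2.0", "placeholder-sha256-bbbb", 2, 70),
    Update("AppC", "3.0", "placeholder-sha256-cccc", 1, 72),
]
STRICT = Policy(max_positives=0, approved={"placeholder-sha256-cccc"},
                selected_products={"AppA", "AppB", "AppC"})
PERCENT = Policy(max_positives=None, max_percent=5.0, selected_products={"AppB"})

if __name__ == "__main__":
    for line in held_report(SAMPLE, STRICT):
        print(line)
```

With the strict zero-detection policy only AppB is held and reported; the same AppB passes under the 5% policy because 2 of 70 engines is about 2.9%.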
This is tangentially related to the following existing request to add more information to the email / Teams reports, but is not effective without also allowing hold and review of updates not meeting the customer's acceptable level of risk for Virus Total score.
https://ideas.patchmypc.com/ideas/PATCHMYPC-I-792
More information on the current security review process for Patch My PC / SCCM updates can be found here:
https://patchmypc.com/deep-dive-into-security-validation-of-third-party-software-updates-in-microsoft-sccm