
ConfigMgr SCCM Patch Management Pros and Cons

Patch management through SCCM has improved a great deal over the last few years. I started working on patching in the ‘SMS 2003 + ITMU’ days, when every month we had to perform a large number of complex steps to deploy patches. Nowadays SCCM 2007/2012 uses WSUS together with the Windows Update Agent to download, deploy and install patches. There are still some challenges in SCCM patch management, and I have seen many organizations struggle to get good compliance with their patching.

In this post I list some of the pros and cons of patching via SCCM, along with some suggestions to improve compliance and streamline the patching process. The three points I cover are:

1. Advantages of using SCCM Patch Management

2. Disadvantages or Challenges of Using SCCM Patch Management

3. Who can fill the Gaps in SCCM Patch Management?

Advantages of using SCCM Patch Management

1. Very well integrated with WSUS and the Windows Update Agent, the two patching technologies most widely accepted by the industry, with one console for all administrative tasks.

2. Patching can be automated very well through SCCM: patches are deployed automatically to all managed workstations and servers.

3. With the same patch package (source files), we can create different patching schedules for different business groups within the organization, as per their business requirements.

4. Easy to exclude VIP users’ systems or business-critical machines from patch deployments.

5. Using the Maintenance Window option, we can plan and schedule server patching via SCCM.

6. Customizable user notification behaviour: we can control what end users are notified about.

7. Patch deployment without end-user interaction: the patch installation runs in the background in suppressed mode.

8. Through SCCM we can easily define or customize restart behaviour for different LOBs (lines of business). Often some LOBs require their systems to be forcefully restarted after patching, while others want the reboot suppressed until the end user restarts the system.

9. Automated re-evaluation settings help improve patch compliance.

10. SCCM patch packages can be deployed as part of an Operating System Deployment task sequence.
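As an added illustration of points 5 to 8 (maintenance windows, notification and per-LOB restart behaviour), and not code from the original post, the following PowerShell script creates one monthly maintenance window per business group and deploys the same software update group to each with different restart settings. The site code `XYZ:`, the update group name, the collection names and the window times are placeholders. The cmdlets and parameters are those of the ConfigMgr PowerShell module (Current Branch era); the assumption that `-RestartServer $true` suppresses the server restart, and the exact parameter names, should be confirmed with `Get-Help` on the version in use.

```powershell
# Added example, not part of the original post. Placeholders: site code,
# update group name, collection names, window times.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'XYZ:'                                   # placeholder site code

$updateGroup = 'Monthly-Security-Updates'             # placeholder SUG name

# One entry per line of business: target collection, maintenance window start,
# and whether the client may restart the server inside that window.
$lobs = @(
    @{ Name = 'Finance';  Collection = 'Servers - Finance';  WindowStart = '02:00'; AllowRestart = $true  }
    @{ Name = 'Web-Tier'; Collection = 'Servers - Web Tier'; WindowStart = '04:00'; AllowRestart = $false }
)

foreach ($lob in $lobs) {
    $collection = Get-CMDeviceCollection -Name $lob.Collection
    if (-not $collection) { throw "Collection '$($lob.Collection)' not found" }

    # Maintenance window: second Saturday of each month, four hours, software
    # updates only, so applications or task sequences cannot ride along.
    $start    = Get-Date "$((Get-Date).ToString('yyyy-MM-dd')) $($lob.WindowStart)"
    $schedule = New-CMSchedule -Start $start -DayOfWeek Saturday -WeekOrder Second `
                               -DurationInterval Hours -DurationCount 4
    New-CMMaintenanceWindow -CollectionId $collection.CollectionID `
                            -Name "Patching - $($lob.Name)" `
                            -Schedule $schedule -ApplyTo SoftwareUpdatesOnly

    # Required deployment with a one-week deadline. Installation and restarts
    # are confined to the maintenance window (-AllowRestart $false). Assumption:
    # -RestartServer $true suppresses the restart on servers, so it is the
    # inverse of the LOB's AllowRestart flag; verify with Get-Help.
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $updateGroup `
        -CollectionName $lob.Collection `
        -DeploymentName "$updateGroup - $($lob.Name)" `
        -DeploymentType Required `
        -AvailableDateTime (Get-Date) `
        -DeadlineDateTime (Get-Date).AddDays(7) `
        -TimeBasedOn LocalTime `
        -UserNotification DisplaySoftwareCenterOnly `
        -SoftwareInstallation $true `
        -AllowRestart $false `
        -RestartServer (-not $lob.AllowRestart) `
        -RestartWorkstation $true
}
```

Run it once per month from a console with the ConfigMgr module loaded. Because the window is set with `-ApplyTo SoftwareUpdatesOnly` and the deployment has `-AllowRestart $false`, a server outside its window will neither install nor reboot, which is the behaviour point 5 relies on.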

Disadvantages or Challenges of Using SCCM Patch Management

1. Managing patches on a hybrid network that includes non-Windows operating systems.

2. Every month you need to spend a lot of time deploying patches. The activities include selecting the updates and creating the update list, the patch package(s) and the deployments. However, this has improved in CM 2012 with the introduction of Automatic Deployment Rules.

3. Cleaning up expired patches is a big challenge. We need to find and edit patch packages to remove an expired update and then re-replicate the package to all DPs. The updates also need to be removed from deployment management.

4. Conflicts between WSUS and SCCM Group Policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts. Troubleshooting client-side patch issues is not easy; skilled people are required to troubleshoot and resolve scan errors. More details on scan error troubleshooting here.

5. “Real time” patch failure reports are not available. Compliance scanning is not available ready to use; we need to use DCM or explicitly create collections and advertisements.

6. Not very good at third-party application patching. You can integrate the System Center Updates Publisher (SCUP) tool with SCCM, as it is free for Configuration Manager customers. However, deploying third-party application updates through SCUP and SCCM takes a lot of manual work and extra packaging effort.

7. Some third-party application vendors do not provide SCUP-compatible CAB files for their updates, so you need to build your own CAB files, which is not possible without expertise in packaging and other programming technologies.

8. Extra configuration, such as Group Policy settings and a publishing certificate, is required to support third-party application patching.

9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches; there is no native method in SCCM patching or Software Updates to achieve this.

10. There is no native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is a combination of domain GPO ADM template settings and local policy ADM template settings. More details here.
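For challenge 3 (cleaning up expired updates), here is an added PowerShell example, not from the original post, that finds expired and superseded updates still sitting in software update groups and removes the expired ones from the group with confirmation. The site code `XYZ:` is a placeholder; cmdlet and property names are those of the ConfigMgr PowerShell module and the `SMS_SoftwareUpdate` class (`IsExpired`, `IsSuperseded`, `CI_ID`), and `-Fast` and the `-SoftwareUpdateId` parameter are assumed to exist on the version in use and should be checked with `Get-Help`.

```powershell
# Added example, not part of the original post. Placeholder: site code 'XYZ:'.
Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
Set-Location 'XYZ:'

function Find-StaleUpdatesInGroups {
    # Default to every software update group at the site
    param(
        [string[]]$GroupName = (Get-CMSoftwareUpdateGroup |
                                Select-Object -ExpandProperty LocalizedDisplayName)
    )
    foreach ($g in $GroupName) {
        # -Fast skips lazy properties; IsExpired / IsSuperseded are not lazy
        Get-CMSoftwareUpdate -UpdateGroupName $g -Fast |
            Where-Object { $_.IsExpired -or $_.IsSuperseded } |
            ForEach-Object {
                [pscustomobject]@{
                    Group      = $g
                    ArticleID  = $_.ArticleID
                    Title      = $_.LocalizedDisplayName
                    CI_ID      = $_.CI_ID
                    Expired    = [bool]$_.IsExpired
                    Superseded = [bool]$_.IsSuperseded
                }
            }
    }
}

$stale = @(Find-StaleUpdatesInGroups)
$stale | Sort-Object Group, ArticleID | Format-Table -AutoSize

# Only expired updates are removed automatically. Superseded updates are
# listed for review, because a superseded update may still be needed on
# systems that cannot take its successor.
foreach ($u in $stale | Where-Object Expired) {
    Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $u.Group `
                                     -SoftwareUpdateId $u.CI_ID -Confirm
}
```

Removing an update from the group does not remove its content from the deployment package, so the step the post describes (editing the package and redistributing it to the DPs) still has to follow; running the report part on a schedule at least removes the "find" half of the chore.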

Who can fill the Gaps in SCCM Patch Management?

Real-time failure notification, compliance scanning and third-party application updates are the three main gaps in SCCM patching. These gaps can be filled by using third-party SCCM patch management tools.

A number of vendors in the market, each with a slightly different approach, provide commercial catalogs for other third-party applications. Some of the third-party products are SolarWinds Patch Manager, VMware vCenter Protect Catalog, and Secunia CSI.

Most third-party patch management software integrates seamlessly with SCCM and adds more control and scalability to patch deployment. These tools also provide pre-built and tested updates for common third-party applications, so patch admins do not have to spend their time building and testing catalogs. The vendors have dedicated teams to test, build and deploy these updates, along with methods to roll them back. All these tasks are therefore automated for the organization, which does not need to invest money and time in building that automation itself.

Real-time patch monitoring solutions are readily available from third-party patching tool vendors such as SolarWinds. These tools help increase overall patching compliance.
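The two gaps named here (real-time failure visibility and the scan errors from challenge 4) can at least be measured without a third-party product. The following PowerShell script is an added example, not from the original post or any vendor: from an admin workstation it reads each client's update state from the `CCM_SoftwareUpdate` class in `root\ccm\ClientSDK`, the WSUS server the Windows Update Agent is actually pointed at, and the `WUAHandler.log` lines that indicate a domain GPO override or a failed scan. The computer names and the expected SUP URL are placeholders; the `EvaluationState` values are the documented client SDK values; remote access assumes WinRM is enabled on the clients.

```powershell
# Added example, not part of the original post. Placeholders: $computers, $expectedSup.
$expectedSup = 'http://sup01.contoso.example:8530'    # placeholder SUP URL the SCCM client should set
$computers   = @('SRV01', 'SRV02')                    # placeholder client names

# Documented EvaluationState values of CCM_SoftwareUpdate (root\ccm\ClientSDK)
$evalState = @{
    0='None'; 1='Available'; 2='Submitted'; 3='Detecting'; 4='PreDownload';
    5='Downloading'; 6='WaitInstall'; 7='Installing'; 8='PendingSoftReboot';
    9='PendingHardReboot'; 10='WaitReboot'; 11='Verifying'; 12='InstallComplete';
    13='Error'; 14='WaitServiceWindow'; 15='WaitUserLogon'; 16='WaitUserLogoff';
    17='WaitJobUserLogon'; 18='WaitUserReconnect'; 19='PendingUserLogoff';
    20='PendingUpdate'; 21='WaitingRetry'; 22='WaitPresModeOff'; 23='WaitForOrchestration'
}

function Get-ClientPatchHealth {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Updates targeted at this client by its deployments, with per-update state
    $updates = @(Get-CimInstance -ComputerName $ComputerName `
                                 -Namespace 'root\ccm\ClientSDK' -ClassName 'CCM_SoftwareUpdate')
    $failed  = $updates | Where-Object { $_.EvaluationState -eq 13 }

    # WSUS policy in effect: written as local policy by the SCCM client, or
    # overwritten by a domain GPO, which is the classic scan-error cause.
    $wuPolicy = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    }

    # WUAHandler.log (CMTrace format) records both the GPO override and scan failures
    $log = @(Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-Content "$env:windir\CCM\Logs\WUAHandler.log" -ErrorAction SilentlyContinue
    })
    $lastScanError = $log | Where-Object { $_ -match 'Failed to end search job\. Error = (0x[0-9A-Fa-f]+)' } |
                     Select-Object -Last 1

    [pscustomobject]@{
        Computer      = $ComputerName
        Targeted      = $updates.Count
        Failed        = @($failed | ForEach-Object { "KB$($_.ArticleID) 0x$('{0:X8}' -f $_.ErrorCode)" }) -join ', '
        PendingReboot = @($updates | Where-Object { $_.EvaluationState -in 8, 9, 10 }).Count
        States        = ($updates | Group-Object EvaluationState |
                         ForEach-Object { "$($evalState[[int]$_.Name])=$($_.Count)" }) -join ' '
        WUServer      = $wuPolicy.WUServer
        WUServerOk    = ($wuPolicy.WUServer -eq $expectedSup)
        GpoOverride   = [bool]($log -match 'Group policy settings were overwritten by a higher authority')
        LastScanError = if ($lastScanError) { $lastScanError -replace '.*Error = (0x[0-9A-Fa-f]+).*', '$1' } else { '' }
    }
}

$computers | ForEach-Object { Get-ClientPatchHealth -ComputerName $_ } |
    Format-Table Computer, Targeted, Failed, PendingReboot, WUServerOk, GpoOverride, LastScanError -AutoSize
```

Schedule it against the server collection after each deployment deadline: a row with `WUServerOk` false or `GpoOverride` true is the group policy conflict from challenge 4 before it shows up as a compliance gap, and `Failed` lists the KB and Windows Update error code a desk technician needs to start on the problem without waiting for the next hardware inventory or summarization cycle.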

About Author 

Anoop is a Microsoft MVP and Veeam Vanguard! He is a Solution Architect in enterprise client management with more than 13 years of experience (as of 2014) in IT. He is a blogger, speaker and local user group community leader. His main focus is on device management technologies like SCCM 2012, Current Branch and Intune. He writes about technologies like SCCM, SCOM, Windows 10, Azure AD, Microsoft Intune, RMS, Hyper-V etc.


25 Comments

  1. David O'Brien says:

    Regarding “Disadvantage No2”. Just use my script to get this done: http://www.david-obrien.net/2012/12/02/create-a-new-software-update-group-in-configmgr/

  2. Anoop's says:

    Why not ADR as I mentioned in the post?

  3. David O'Brien says:

    Maybe you still want to have the power of selecting the updates that get deployed?! Don’t have that with ADR. Or am I missing a configuration?

    • Anoop's says:

      Yes, it’s possible. There is an option to select the property filters and search criteria. The software updates that meet the specified criteria are added to the associated software update group.

  4. David O'Brien says:

    Still, it’s every month the same with ADR. Guess it’s more flexible with my way 😉

    • Anoop's says:

      ADR is more useful as per my understanding. It will create the Software Update group, download the patch package, deploy etc. … everything automatically 🙂

  5. David O'Brien says:

    My script also creates the Software Update Group. It won’t download and won’t deploy, that’s correct.
    The big disadvantage with ADR is, as I see it, that it’s the same every month. That can be an advantage, but if there’s only one Patch you don’t want to install, you will have to disable it manually.
    I only create a Software Update Group out of those Patches I want it to have.

    Both have advantages and disadvantages. People have to decide what’s best for them!

  6. Adam says:

    In my organization I wrote a few PowerShell scripts that reduce this monthly job to: run the script, [while it runs I can watch the progress bar and drink coffee], after a few hours check that all content on the DPs is in place, so basically I save a few hours every month. I’m using those scripts in SCCM 2007, but I have also tested and customized them for 2012.

  7. srikanth says:

    Hi Anoop,

    I have deployed patches to a collection, but we found that machines with users logged in display the 24 hr notification; however, if no one is logged in, it restarts the machine and doesn’t wait for 24 hrs.

    Is this normal behaviour of patch management? Or do we have any alternatives to avoid the unexpected restart?

  8. Aaron Melius says:

    Srikanth,

    This behaviour is found in the client policy settings. There are different restart timer controls for when a session is open (user logged in) and not.

  9. Kenneth says:

    Hmm, trying to build a fairly automated patch setup, and came up with this.
    ADR on Patch Tuesday – downloads the security and critical patches for our test group and stores them in the package.
    ADR 15 minutes later – uses the same package for storage, but makes the updates available for preprod 2 days later.
    ADR 15 minutes later again – still the same package, but makes the updates available 8 days after download, and deploys them to select prod servers?

    This way, with the built-in delays and maintenance windows, we should have a fairly hands-off setup of updates, which currently is only Critical and Security, but could include others as needed.

    On paper it looks good; chances are no extra updates have been released in the 15 minutes between ADR runs. And the delay in deployments should give us ample time to react to any problems?

    Or am I missing something here?

  10. Durgesh says:

    Hi Anoop,

    Can you please tell me how to give snooze options to end users to manage the reboot behavior of their computers after the patch deployment. In my case, end users are not getting reboot prompt instead the reboot is hidden in the tray icon. You need to go and click on that to see the restart timer. Thanks,

  11. Nag says:

    My personal experience with System Center 2012 R2

    1. Client push installations were a pain in the neck; somehow made it work with the GPO method and manual CMD installation.
    2. Automatic deployment rules work fine in most cases, but getting optional updates or updates with no Bulletin ID deployed had to be manual.
    3. Deployments, automatic or manual, were not instantaneous; encountered situations where the deployments just didn’t reach the servers for some *** reason.
    4. SCCM for third party patching like Java, Adobe, Chrome, etc.: forget about it!!! It requires ridiculous manual effort and makes you feel like ‘I should have done it manually’.
    5. All the cons and pros listed in this article are so true.
    6. Have worked with MS engineers and spent days to fix deployment issues; I was never able to promise my manager that server maintenance would be on time and as planned.

    Finally, we decided to leave SCCM and got a third party patch manager.

  12. Chuck Roast says:

    It’s a little work but I found something quite useful; on a single computer run a program called PatchMyPC. It will go out and check for 3rd party updates; useful with Java and Adobe products; then it will install the updates. Now comes the sneaky part. Copy the downloaded files to another location before closing PatchMyPC then use various command line switches to silently install the updates. Bam, you’re done. And you can even do this with SCCM, do it as a Program and not an application.

  13. Nirmal says:

    Hi Anoop, I require your help. While rolling out 2011 MS security patches, I get GENERAL FAILURE. But 2015 security patches are getting installed without any issues.

    • Anoop says:

      Hi Nirmal! – Sure, most probably the 2011 MS security patches have already expired 🙂 I would suggest a deep dive into the SCCM log files, which can shed some light on the issues. SCCM log files are always useful. I would suggest analysing the patches in the SCCM 2012 update group. Also, think about whether you really need to deploy 2011 patches now, as we are in 2015 🙂

      Also, you can post questions in our SCCM Facebook group forum https://www.facebook.com/groups/ConfigMgr2012/ for more detailed discussions.

      Regards
      Anoop

  14. Mark Giemza says:

    Does anyone know how to deploy Optional update “Internet Explorer 11 Language Pack for Windows 7 for x64-based Systems” using SCCM 2012?

  15. Shivakumar says:

    Is there any way to Roll back the updates installed via SCCM or WSUS? except writing task sequence to uninstall an individual KB in SCCM.

  16. Braden Bills says:

    I like the idea of patch management software. It makes things so much more organized and easy to work with. I’m going to talk to my boss to see if we can get some for our company.

  17. Zach says:

    1.) To manage patches on a hybrid network with Non Windows Operating systems.

    1.) Answer: Can be done through 3rd party integration kits. For example, Parallels for SCCM for Mac management. Also the latest cumulative update provides some management features as well, nearly closing the gap on Mac systems if both are used together. Also Shavlik has a patch SCUP repository that is pretty nice.

    2. Every month you need to spend loads of time to deploy patches. Following are some of activities:Select the updates, create Update list, patch package/s and Deployments. However, this is improved in CM 2012 with the introduction of Automatic Deployment Rules.

    2.) Answer: ADR is very strong and it really depends on the type of updates you are applying. Also this does depend on if you have

    3. Clean up activity for expired patches is a big challenge. We need find and edit Patch packages to remove an expired update and re-replicate the package again to all DPs. Also, need to remove the updates from deployment management.

    3.) – Answer: There is a PowerShell script that does this very well and will go through all of your software groups. This is on the TechNet Gallery. Test it to ensure it does what you need, then schedule a task for it on a regular routine.

    4. Conflicts between WSUS and SCCM Group Policy settings. SCAN errors are common problem in SCCM patching because group policy conflicts. Troubleshooting of client side patch issues is not very easy. Required skilled people to troubleshoot scan errors and resolve those. More Details on scan error related troubleshooting here.

    4.) – Answer: Not sure what the definition of skilled is, but our common grunt on the Desktop team with proper google-fu could do this fairly well. Also you can build a WSUS GPO using preferences that will appropriately fill the gap between SCCM and WSUS. This could be written into a flow process your typical desktop/helpdesk guy could use.

    5. “Real time” patch failure reports are not available. Compliance scanning is not available as ready to use, we need to use DCM or need to explicitly create collections and advertisements.

    5.) Answer: “There isn’t really anything that will give you real time patch statistics. Compliance scanning is structured entirely differently.

    6. Not very good at Third Party Application Patching. You can integrate System Center Updates Publisher (SCUP) tool, as it’s free for Configuration Manager customers, with SCCM. However, you need to do loads of manual work and put in more packaging efforts to deploy third party application updates through SCUP and SCCM.

    6.) Answer: I refer back to Shavlik for their Patch product for 3rd party apps, or SolarWinds SCCM Patch Manager. Essentially fully configured SCUPs without any of the headache. Also if you want to go the monolithic way, it’s not really often you have to change your scripts for a 3rd party software update that you may need to package.

    7. Some 3rd party application vendors won’t provide the CAB files for their updates which are compatible with SCUP so you need to build your own cab files and it won’t be possible without expertise in packaging and other programming technologies.

    7.) Answer: CM is a complete toolset so I don’t understand why you scorn this when you can easily deploy it as a package. In most cases, this is usually better.

    8. Extra configurations like Group Policy Settings and Publishing Certificate required to support third party application patching.

    8.) Answer: Won’t debate this but this is common for anything else out there.

    9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches. There is no native method in SCCM Patching or Software Updates to achieve this.

    9.) Answer: It sounds like Microsoft is working on this a bit more recently. Technically you could execute removal through the WSUS console via selecting Approved for removal now without it breaking the integration with the SCCM console. Also the usual best practice that is supported is by packaging the update(s) with an uninstall script.

    10. No native method Suppress Restart Notifications in latest version of SCCM 2012. The work around is to use a combination of domain GPO Adm template settings and Local Policy Adm template settings. More Details here.

    10.) Answer: There is a native suppress restart notifications option. You may mean there are limitations in what you can configure with it, which if that is the case, then I agree.

  18. Nirmal says:

    Hi Anoop, I have one query. We have created a 2012 R2 SUG for patches from 2014 to 2016 and deployed it to a collection. But in Software Center it shows only the October 2016 patches. A bit confused why the rest of the patches are not showing in Software Center.
