ConfigMgr SCCM Patch Management Pros Cons
In this post, I list some of the pros and cons of patching via SCCM, along with suggestions to improve compliance and streamline the patching process.
Related post: SCCM Third-Party Software Updates Setup Step By Step Guide (anoopcnair.com).
You can also learn the Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods – HTMD Blog #2 (howtomanagedevices.com).
This post touches on three points:
1. Advantages of using SCCM Patch Management
2. Disadvantages or Challenges of Using SCCM Patch Management
3. Who can fill the Gaps in SCCM Patch Management?

ConfigMgr SCCM Patch Management Pros Cons
Let’s discuss the Pros and Cons of ConfigMgr SCCM Patch Management in detail.
- Fix SCCM Client-Side Patching or Software Updates Issues Troubleshooting Tips
- Best SCCM Patching Software Update Deployment Process Guide
- How to Create Deploy New Software Update Patch Package Using SCCM | ConfigMgr
Advantages of using SCCM Patch Management
Let’s discuss the Advantages of using SCCM Patch Management. Each one is explained below.
1. It is very well integrated with WSUS and the Windows Update Agent, the two patching technologies widely accepted by the industry, and gives you one console for all the administrative tasks.
2. The patching mechanism can be fully automated through SCCM: patches are deployed automatically to all managed workstations and servers.
3. The same patch package (source files) can serve different patching schedules for different business groups within the organization, according to their business requirements.
4. It is easy to exclude VIP user systems or business-critical machines from patch deployments.
5. Using maintenance windows, server patching can be planned and scheduled so that installs and restarts happen only inside the window.
6. The user notification behaviour is customizable: we control what end users see.
7. Patches can be deployed without end-user interaction; the installation runs in the background in suppressed mode.
8. Through SCCM, we can easily define or customize restart behavior for different LOBs (lines of business). Some LOBs require their systems to be forcefully restarted after patching, while others want the reboot suppressed until the end user restarts the system.
9. Automated re-evaluation settings help to improve patch compliance.
10. SCCM patch packages can be deployed in the operating system deployment task sequence.
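Points 2, 3, 5 and 8 above all come together in one Automatic Deployment Rule that reuses a single deployment package for several collections with different schedules and restart behaviour, plus a maintenance window on the server collection. The script below is an added example written for this post, not the author's own script; it assumes site code PS1, that the collections "Pilot Workstations", "Prod Workstations" and "Prod Servers" and the deployment package "Monthly Security Updates" already exist, and that the cmdlet parameter names match the ConfigurationManager module shipped with your console (verify with Get-Help before running, and run once with -WhatIf).

```powershell
# Added example (not from the original post). Staged monthly patching with one ADR:
# pilot workstations first, production workstations two days later, servers a week
# after that, all from the same update group and package. Assumed names: site code
# PS1, the three collections and the deployment package named below.
$SiteCode = 'PS1'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$adrName = 'Monthly Security and Critical Updates'

# Rule scope: security and critical updates for the listed products, released in
# the last month, not superseded. The rule fires after every SUP sync, so it picks
# up Patch Tuesday automatically. The first deployment it creates targets the pilot.
$adrParams = @{
    Name                             = $adrName
    CollectionName                   = 'Pilot Workstations'
    DeploymentPackageName            = 'Monthly Security Updates'
    AddToExistingSoftwareUpdateGroup = $false      # new software update group each run
    EnabledAfterCreate               = $true
    RunType                          = 'RunTheRuleAfterAnySoftwareUpdatePointSynchronization'
    UpdateClassification             = 'Security Updates', 'Critical Updates'
    Product                          = 'Windows 10', 'Windows Server 2019'
    DateReleasedOrRevised            = 'Last1Month'
    Superseded                       = $false
    LanguageSelection                = 'English'
    DownloadFromMicrosoftUpdate      = $true
    # Pilot: available at once, deadline in 2 days, restart left to the user.
    AvailableTime                    = 0
    AvailableTimeUnit                = 'Days'
    DeadlineTime                     = 2
    DeadlineTimeUnit                 = 'Days'
    UserNotification                 = 'DisplaySoftwareCenterOnly'
    SuppressRestartWorkstation       = $true
    SuppressRestartServer            = $false
    AllowRestart                     = $false    # no restarts outside maintenance windows
    # Alert when the pilot is below 95% compliant a week after the deadline.
    GenerateSuccessAlert             = $true
    SuccessPercentage                = 95
    AlertTime                        = 7
    AlertTimeUnit                    = 'Days'
}
New-CMSoftwareUpdateAutoDeploymentRule @adrParams

# Extra deployments on the same rule: same update group and package, other
# collections, longer delays. Workstations keep the user-controlled restart;
# servers are allowed to restart, but only inside their maintenance window.
$stages = @(
    @{ Collection = 'Prod Workstations'; Available = 2; Deadline = 7;  SuppressWs = $true;  SuppressSrv = $false },
    @{ Collection = 'Prod Servers';      Available = 8; Deadline = 14; SuppressWs = $false; SuppressSrv = $false }
)
foreach ($s in $stages) {
    New-CMSoftwareUpdateAutoDeploymentRuleDeployment -Name $adrName `
        -CollectionName $s.Collection -EnableDeployment $true `
        -AvailableTime $s.Available -AvailableTimeUnit Days `
        -DeadlineTime  $s.Deadline  -DeadlineTimeUnit  Days `
        -UserNotification DisplaySoftwareCenterOnly `
        -SuppressRestartWorkstation $s.SuppressWs -SuppressRestartServer $s.SuppressSrv `
        -AllowRestart $false -DownloadFromMicrosoftUpdate $true
}

# Server maintenance window: second Saturday of every month, 02:00 to 06:00,
# applied to software updates only, so the server deadline above can only
# install and restart inside these four hours.
$mwSchedule = New-CMSchedule -Start (Get-Date '2024-01-13 02:00') `
    -DayOfWeek Saturday -WeekOrder Second -RecurCount 1 `
    -DurationInterval Hours -DurationCount 4
New-CMMaintenanceWindow -CollectionName 'Prod Servers' -Name 'Monthly patch window' `
    -Schedule $mwSchedule -ApplyTo SoftwareUpdatesOnly
```

The delay between stages is what gives you time to pull a bad update: disabling the rule's deployment or removing the update from the generated software update group before the production availability date stops it reaching production at all. The -AllowRestart $false setting on every stage is deliberate; without it a deadline that falls outside the maintenance window can still restart a server.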
Disadvantages or Challenges of Using SCCM Patch Management
Let’s discuss the Disadvantages or Challenges of Using SCCM Patch Management.
1. SCCM cannot natively patch non-Windows operating systems, so on a hybrid network a second tool is needed for those hosts.
2. Deploying patches every month takes a lot of time. The activities include selecting the updates, creating the update list (a software update group in CM 2012), creating the patch package(s), and creating the deployments. CM 2012 improved this with the introduction of Automatic Deployment Rules (ADRs).
3. Clean-up of expired patches is a big challenge. We must find and edit the patch packages to remove the dead update and re-replicate the package to all DPs, and we also need to remove the update from its deployments.
4. Conflicts between WSUS and SCCM group policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts: the SCCM client sets the software update point in local policy, and a domain GPO pointing the Windows Update Agent at a different WSUS server overrides it, so the client scans against the wrong server. Troubleshooting client-side patch issues is not easy and needs skilled people to find and resolve scan errors. More details on scan-error troubleshooting are linked here.
5. “Real-time” patch failure reports are not available. Compliance scanning is not available ready to use; we need to use DCM (compliance settings) or explicitly create collections and deployments (advertisements in CM 2007).
6. Not very good at third-party application patching. You can integrate the System Center Updates Publisher (SCUP) tool, which is free for Configuration Manager customers, with SCCM. However, it takes a lot of manual work and packaging effort to deploy third-party application updates through SCUP and SCCM.
7. Some third-party application vendors do not provide SCUP-compatible catalogs (CAB files) for their updates. You then have to build your own, which is not possible without packaging expertise and some scripting skill.
8. Extra configuration such as group policy settings and a publishing (code-signing) certificate is required to support third-party application patching: clients only install locally published updates if they trust that certificate and the policy allowing signed updates from an intranet update server is enabled. Whoever holds the publishing certificate can publish updates that every client will install, so protect it like any other signing key.
9. Uninstallation of patches is not supported. You need to use manual methods, DISM or wusa.exe /uninstall to remove a patch. There is no native method in SCCM patching or software updates to achieve this.
10. There is no native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is to combine domain GPO ADM template settings with local policy ADM template settings. More details here.
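For challenge 3, finding the expired (and superseded) updates hiding in every software update group is the tedious part, and it is the part a script does well. The following is an added example, not a script from the post or its comments; it assumes site code PS1 and a machine with the ConfigMgr console installed, and it only changes anything when run with -Remove.

```powershell
# Added example (not from the original post). Report expired and superseded
# updates across all software update groups; optionally remove the expired ones.
# Expired updates can never be deployed again, but they leave the group showing
# as partly deployed, keep dead content in the package, and muddy compliance.
# Assumed site code: PS1. Dry run unless -Remove is given.
param([switch]$Remove)

$SiteCode = 'PS1'
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"

$report = foreach ($sug in Get-CMSoftwareUpdateGroup) {
    # -Fast skips lazy WMI properties; IsExpired and IsSuperseded are not lazy.
    $updates = Get-CMSoftwareUpdate -UpdateGroupName $sug.LocalizedDisplayName -Fast
    foreach ($u in $updates | Where-Object { $_.IsExpired -or $_.IsSuperseded }) {
        [pscustomobject]@{
            Group      = $sug.LocalizedDisplayName
            CI_ID      = $u.CI_ID
            ArticleID  = $u.ArticleID
            Title      = $u.LocalizedDisplayName
            Expired    = [bool]$u.IsExpired
            Superseded = [bool]$u.IsSuperseded
        }
    }
}
$report | Sort-Object Group, ArticleID | Format-Table -AutoSize

if ($Remove) {
    # Only expired updates are removed automatically. Superseded updates are still
    # installable and are sometimes kept on purpose; review those by hand.
    foreach ($row in $report | Where-Object Expired) {
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $row.Group `
            -SoftwareUpdateId $row.CI_ID -Force
    }
}
```

Removing an update from a group does not shrink the deployment package. The content still has to be removed from the package (the package's Contents tab in the console, or the RemoveContent method of the SMS_SoftwareUpdatesPackage SDK class) and the package redistributed, which is the re-replication cost the challenge describes.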
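For challenge 4, the conflict is visible on the client in two places: the effective WUServer value in the WindowsUpdate policy key, and the line ConfigMgr writes to WUAHandler.log when a domain GPO overrides its local policy. The script below is an added example, not from the post; it assumes it runs elevated on a ConfigMgr client, that the CCM_UpdateSource class in root\ccm\SoftwareUpdates\WUAHandler exposes the client's software update point in ContentLocation, and that the log message format matches current clients. The sample log lines are constructed for the example.

```powershell
# Added example (not from the original post). Detect the domain-GPO vs ConfigMgr
# local-policy WSUS conflict that produces scan errors. Run elevated on a client.

function Get-WsusPolicyState {
    # Effective policy after domain GPO and local policy are merged (domain wins).
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    # What the ConfigMgr client itself expects the update source to be (assumed class/property).
    $src = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' -ClassName CCM_UpdateSource -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EffectiveWUServer = $pol.WUServer
        UseWUServer       = $au.UseWUServer
        ExpectedSUP       = ($src | Select-Object -First 1).ContentLocation
    }
}

function Find-PolicyOverride {
    param([string[]]$LogLines)
    # ConfigMgr names the conflict explicitly; scans that fail afterwards report
    # error 0x87D00692 (group policy conflict) in the client update logs.
    $pattern = 'Group policy settings were overwritten by a higher authority \(([^)]+)\) to: Server (\S+) and Policy (\S+)'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Authority = $Matches[1]; Server = $Matches[2]; Policy = $Matches[3] }
        }
    }
}

# Constructed sample in the shape of WUAHandler.log entries.
$sample = @(
    '<![LOG[Enabling WUA Managed server policy to use server: http://sup01.corp.example:8530]LOG]!>',
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://legacy-wsus.corp.example:8530 and Policy ENABLED]LOG]!>'
)
'Sample log check:'
Find-PolicyOverride -LogLines $sample | Format-Table -AutoSize

# Live check on this client.
$state = Get-WsusPolicyState
$state
if ($state.ExpectedSUP -and $state.EffectiveWUServer -and ($state.EffectiveWUServer -ne $state.ExpectedSUP)) {
    Write-Warning "WUServer '$($state.EffectiveWUServer)' differs from the client's SUP '$($state.ExpectedSUP)': a domain GPO is overriding ConfigMgr."
}
$live = Find-PolicyOverride -LogLines (Get-Content "$env:windir\CCM\Logs\WUAHandler.log" -ErrorAction SilentlyContinue)
if ($live) { Write-Warning 'WUAHandler.log records a policy override:'; $live | Format-Table -AutoSize }
```

The fix is on the domain side, not the client: remove the "Specify intranet Microsoft update service location" setting from the domain GPO that hits ConfigMgr clients (or make it match the SUP exactly, including port). Until it is fixed the client scans against a server that may carry different approvals and different content, so the compliance numbers SCCM reports for that machine cannot be trusted.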
Who Can Fill the Gaps in SCCM Patch Management?
Real-time failure notification, compliance scanning, and third-party application updates are the three main gaps in SCCM patching. Third-party SCCM patch management tools can fill these gaps.
Several vendors are in the market, each with a slightly different approach, providing commercial catalogs for third-party applications. Some third-party products are SolarWinds Patch Manager, VMWare vCenter Protect Catalog, and Secunia CSI.
Most third-party patch management software integrates with SCCM, adding more control and scalability in deploying patches. The tools also provide pre-built and tested updates for common third-party applications, so patch admins do not waste time building and testing catalogs.
The third-party vendors have a dedicated team to test, build, and deploy these updates, and some provide a roll-back method. All of these tasks are automated for the organization, which does not need to invest its own money and time in building that automation.
Third-party patching tool vendors like SolarWinds also offer real-time patch monitoring, which can help increase overall patching compliance.
Author
Anoop C Nair has been a Microsoft MVP since 2015, for 10 consecutive years. He is a Workplace Solution Architect with more than 22 years of experience in workplace technologies. He is a blogger, speaker, and local user group community leader. His main focus is on device management technologies like SCCM and Intune. He writes about Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, career topics, etc.
Regarding “Disadvantage No. 2”: just use my script to get this done: http://www.david-obrien.net/2012/12/02/create-a-new-software-update-group-in-configmgr/
Why not ADR as I mentioned in the post?
Maybe you still want to have the power of selecting the updates that get deployed?! Don’t have that with ADR. Or am I missing a configuration?
Yes, it’s possible. There is an option to select the property filters and search criteria. The software updates that meet the specified criteria are added to the associated software update group.
Still, it’s every month the same with ADR. Guess it’s more flexible with my way 😉
ADR is more useful as per my understanding. It will create the Software Update group, download the patch package, deploy etc … everything automatically 🙂
My script also creates the Software Update Group. It won’t download and won’t deploy, that’s correct.
The big disadvantage with ADR is, as I see it, that it’s the same every month. That can be an advantage, but if there’s only one Patch you don’t want to install, you will have to disable it manually.
I only create a Software Update Group out of those Patches I want it to have.
Both have advantages and disadvantages. People have to decide what’s best for them!
🙂 As you wish ! I would prefer ADR because of MS 🙂
In my organization I wrote a few PowerShell scripts that reduce this monthly job to: run the script, [while it runs I can watch the progress bar and drink coffee], after a few hours check that all content on the DP is in place, so basically I save a few hours every month. I’m using those scripts in SCCM 2007, but I have also tested them and customized them for 2012.
Hi ! – Why not ADR (CM12)? It will select the patches for you, create update list, create package, deploy package and schedule deployments.
Hi Adam,
Could you please share the PowerShell script? I think it is very useful in terms of time saving.
Hi Anoop,
I have deployed patches to a collection, but we found that machines with users logged in display a 24 hr notification; however, if no one is logged in, it restarts the machine and does not wait for 24 hrs.
Is this normal behaviour of patch management? Or do we have any alternatives to avoid the unexpected restart?
Srikanth,
This behaviour is found in the client policy settings. There are different restart timer controls for when a session is open (user logged in) and not.
Hmm, trying to build a fairly automated patch setup. And come up with this.
ADR on patch tuesday – Downloads the security and critical patches for our test group.. and stores them in the package.
ADR 15 minutes later, – uses the same package for storage, but makes the updates availble for preprod 2 days later.
ADR 15 minutes later again – still same package but makes the updates available 8 days after download, and deploys them to select Prod servers ?
This way with the buildin delays and maint windows, we should have a fairly hands off setup of updates.. Which currently is only Critical and Security, but could include others as needed..
On paper it looks good; chances are no extra updates have been released in the 15 minutes between ADR runs. And the delay in deployments should give us ample time to react to any problems..?
Or am I missing something here ?
Hi Anoop,
Can you please tell me how to give snooze options to end users to manage the reboot behavior of their computers after the patch deployment. In my case, end users are not getting reboot prompt instead the reboot is hidden in the tray icon. You need to go and click on that to see the restart timer. Thanks,
My personal experience with System Center 2012 R2
1. Client push installations were pain in the neck, somehow made it work with GPO method and Manual CMD installation
2. Automatic deployment rules work fine in most cases, but getting optional updates or updates with no Bulletin ID deployed had to be manual.
3. Deployments, automatic or manual, were not instantaneous; I encountered situations where the deployments just didn’t reach the servers for some *** reason.
4 SCCM for third party patching like Java, Adobe, Chrome..etc forget about it !!!. It requires ridiculous manual effort and make you feel like ‘I should have done it manually’
5. All the cons and Pros listed in this article are so true.
6. Have worked with MS engineers spent days to fix deployment issues, I was never able to promise my manager that server maintenance will be in time and as planned.
Finally, we decided to leave SCCM and got a third party patch manager.
It’s a little work but I found something quite useful; on a single computer run a program called PatchMyPC. It will go out and check for 3rd party updates; useful with Java and Adobe products; then it will install the updates. Now comes the sneaky part. Copy the downloaded files to another location before closing PatchMyPC then use various command line switches to silently install the updates. Bam, you’re done. And you can even do this with SCCM, do it as a Program and not an application.
Hi Chuck Roast ! – I know about PatchMyPC and Justin Chalfant !!
Hi Anoop, require your help. While rolling out 2011 MS security patches, i get GENERAL FAILURE. But 2015 security patches are getting installed without any issues.
Hi Nirmal ! – Sure, most probably the 2011 MS security patches are already expired 🙂 I would suggest doing a deep dive into the SCCM log files, which can shed some light on the issues. In SCCM, log files are always useful. I would suggest analysing the patches in the SCCM 2012 update group. Also, think about whether you really require deploying 2011 patches now, as we are in 2015 🙂
Also, you can post questions in our SCCM Facebook group forum https://www.facebook.com/groups/ConfigMgr2012/ for more detailed discussions.
Regards
Anoop
Does anyone know how to deploy Optional update “Internet Explorer 11 Language Pack for Windows 7 for x64-based Systems” using SCCM 2012?
Is there any way to Roll back the updates installed via SCCM or WSUS? except writing task sequence to uninstall an individual KB in SCCM.
I like the idea of patch management software. It makes things so much more organized and easy to work with. I’m going to talk to my boss to see if we can get some for our company.
1.) To manage patches on a hybrid network with Non Windows Operating systems.
1.) Answer: Can be done through 3rd party integration kits. For example, Parallels for SCCM for mac management. Also the latest cumulative update provides some management features as well, nearly closing the gap on mac systems if both are used together. Also Shavlik has a patch SCUP repository that is pretty nice.
2. Every month you need to spend loads of time to deploy patches. Following are some of activities:Select the updates, create Update list, patch package/s and Deployments. However, this is improved in CM 2012 with the introduction of Automatic Deployment Rules.
2.) Answer: ADR is very strong and it really depends on the type of updates you are applying. Also this does depend on if you have
3. Clean up activity for expired patches is a big challenge. We need find and edit Patch packages to remove an expired update and re-replicate the package again to all DPs. Also, need to remove the updates from deployment management.
3.) – Answer:There is a powershell script that does this very well and will go through all of your software groups. This is on the Technet Gallery. Test it to ensure it does what you need then schedule task it for a regular routine.
4. Conflicts between WSUS and SCCM Group Policy settings. SCAN errors are common problem in SCCM patching because group policy conflicts. Troubleshooting of client side patch issues is not very easy. Required skilled people to troubleshoot scan errors and resolve those. More Details on scan error related troubleshooting here.
4.) Answer: Not sure what the definition of skilled is, but our common grunt on the Desktop team with proper google-fu could do this fairly well. Also you can build a WSUS GPO using preferences that will appropriately fill the gap between SCCM and WSUS. This could be written into a flow process your typical desktop/helpdesk guy could use.
5. “Real time” patch failure reports are not available. Compliance scanning is not available as ready to use, we need to use DCM or need to explicitly create collections and advertisements.
5.) Answer: There isn’t really anything that will give you real time patch statistics. Compliance scanning is structured entirely differently.
6. Not very good at Third Party Application Patching. You can integrate System Center Updates Publisher (SCUP) tool, as it’s free for Configuration Manager customers, with SCCM. However, you need to do loads of manual work and put in more packaging efforts to deploy third party application updates through SCUP and SCCM.
6.) Answer: I refer back to Shavlik for their Patch product for 3rd party apps, or SolarWinds SCCM patch manager. Essentially fully configured SCUPs without any of the headache. Also if you want to go the monolithic way, it’s not really often you have to change your scripts for a 3rd party software update that you may need to package.
7. Some 3rd party application vendors won’t provide the CAB files for their updates which are compatible with SCUP so you need to build your own cab files and it won’t be possible without expertise in packaging and other programming technologies.
7.) Answer: CM is a complete toolset so I don’t understand why you scorn this when you can easily deploy it as a package. In most cases, this is usually better.
8. Extra configurations like Group Policy Settings and Publishing Certificate required to support third party application patching.
8.) Answer: Won’t debate this but this is common for anything else out there.
9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches. There is no native method in SCCM Patching or Software Updates to achieve this.
9.) Answer: It sounds like Microsoft is working on this a bit more recently. Technically you could execute removal through the WSUS console via selecting Approved for removal now without it breaking the integration with the SCCM console. Also the usual best practice that is supported is by packaging the update(s) with an uninstall script.
10. No native method Suppress Restart Notifications in latest version of SCCM 2012. The work around is to use a combination of domain GPO Adm template settings and Local Policy Adm template settings. More Details here.
10.) Answer: There is a native suppress restart notifications. You may mean there is limitations in what you can configure with it, which if that is the case, then I agree.
Hi Anoop, have one query. We have created 2012 R2 SUG for patches from 2014 to 2016 and deployed to a collection. But in software center it shows only october 2016 patches. Bit confused why rest of the patches are not showing in software center.
In the client environment, because of the kind of work, there are many users who work remotely or from the field. They do not have access to the client network for months. They only use webmail to access their emails online. As such, the patching process that we undergo every month doesn’t have a healthy compliance percentage.
Hence we have come up with a recommendation to put the SCCM servers in the DMZ network or use any technique that will complete our patching process online.
Is there a way we can accomplish this task?