ConfigMgr SCCM Patch Management Pros Cons

In this post, I try to list some of the pros and cons of patching via SCCM, along with some suggestions to improve compliance and streamline the patching process.
This post touches on the following three points, and most of the ConfigMgr SCCM patch management pros and cons are discussed under them.
1. Advantages of using SCCM Patch Management
2. Disadvantages or Challenges of Using SCCM Patch Management
3. Who can fill the Gaps in SCCM Patch Management?
Advantages of using SCCM Patch Management
1. Very well integrated with WSUS and the Windows Update Agent, the two patching technologies widely accepted by the industry. A single console covers all the administrative tasks.
2. Patching can be automated very well through SCCM: patches are deployed automatically to all managed workstations and servers.
3. With the same patch package (source files), we can create different patching schedules for different business groups within the organization, as per their business requirements.
4. It is easy to exclude VIP user systems or business-critical machines from patch deployments.
5. Using the maintenance window option, we can plan and schedule server patching via SCCM.
6. The user notification behaviour can be customized; we control what end users are shown.
7. Patches are deployed without end-user interaction. The installation runs in the background in suppressed mode.
8. Through SCCM, we can easily define or customize the restart behavior for different LOBs (lines of business). Often, some LOBs require their systems to be forcefully restarted after patching, while others prefer to suppress the reboot until the end user restarts the system.
9. Automated re-evaluation settings help improve patch compliance.
10. SCCM patch packages can be deployed as part of an operating system deployment task sequence.
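Points 3, 5, 6, 7 and 8 above all come down to deployment and maintenance-window settings, so here is an added example (not code from the original post) of one software update group deployed twice from the same source package: once to a workstation collection with user notifications and a suppressed restart, once to a server collection silently with a forced restart inside a software-updates-only maintenance window. The site code `PS1`, the update group name and the collection names are assumptions; the cmdlets are the ConfigurationManager module's own.

```powershell
# Added example, not from the original post: one update group, two deployments with different
# schedule, notification and restart behaviour, plus a maintenance window for the servers.
# Site code "PS1", the update group and collection names are assumptions.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

$updateGroup  = '2021-04 Security Updates'      # same source package for both deployments
$workstations = 'LOB Finance - Workstations'
$servers      = 'LOB Finance - Servers'

# Workstations: available now, required after 3 days, users see Software Center notifications,
# and the forced restart is suppressed so the user reboots on their own schedule.
# The Restart* booleans map to the deployment's "Suppress the system restart" options
# ($true = restart allowed); verify the result in the console on older module versions.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $updateGroup `
    -CollectionName $workstations `
    -DeploymentName "$updateGroup - $workstations" `
    -DeploymentType Required `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date).AddDays(3) `
    -TimeBasedOn LocalTime `
    -UserNotification DisplaySoftwareCenterOnly `
    -RestartWorkstation $false `
    -RestartServer $false

# Servers: silent install (no notifications), restart allowed, but install and restart both stay
# inside the maintenance window because the outside-window switches are left at $false.
New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $updateGroup `
    -CollectionName $servers `
    -DeploymentName "$updateGroup - $servers" `
    -DeploymentType Required `
    -AvailableDateTime (Get-Date) `
    -DeadlineDateTime (Get-Date).AddDays(7) `
    -TimeBasedOn LocalTime `
    -UserNotification HideAll `
    -RestartServer $true `
    -RestartWorkstation $true `
    -SoftwareInstallation $false `
    -AllowRestart $false

# Maintenance window on the server collection: every Saturday 02:00-06:00, software updates only
$window = New-CMSchedule -DayOfWeek Saturday -Start (Get-Date -Hour 2 -Minute 0 -Second 0) `
    -DurationInterval Hours -DurationCount 4 -RecurCount 1
New-CMMaintenanceWindow -CollectionName $servers -Name 'Saturday 02-06 software updates' `
    -Schedule $window -ApplyTo SoftwareUpdatesOnly
```

Because both deployments reference the same update group, there is only one package to download and distribute; the business-specific behaviour lives entirely in the deployment objects, which is what makes per-LOB schedules cheap to maintain.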
Disadvantages or Challenges of Using SCCM Patch Management
1. Managing patches on a hybrid network that includes non-Windows operating systems is difficult.
2. Every month you need to spend a lot of time deploying patches: selecting the updates and creating the update list, the patch package(s), and the deployments. This was improved in CM 2012 with the introduction of Automatic Deployment Rules.
3. Clean-up of expired patches is a big challenge. We need to find and edit the patch packages to remove a dead update and then re-replicate the package to all DPs. We also need to remove the updates from deployment management.
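The clean-up steps just listed (find the expired updates, pull them from the update groups and deployments, remove their content from the packages, re-replicate to the DPs) can be scripted. The following is an added example, not the post's or Microsoft's code; it assumes the ConfigurationManager console module, site code `PS1`, and ConfigMgr 2012 or later, where deployments target update groups, so removing an update from the group also removes it from deployment management.

```powershell
# Added example, not from the original post: remove expired updates from every update group and
# deployment package, then redistribute only the packages that changed. Site code "PS1" is assumed.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'PS1:'

# -Fast skips the lazy WMI properties, which makes the update queries far quicker
$expired = Get-CMSoftwareUpdate -IsExpired $true -Fast
if (-not $expired) { Write-Host 'No expired updates found.'; return }
$expiredIds = @($expired | ForEach-Object { $_.CI_ID })
Write-Host "Expired updates: $($expiredIds.Count)"

# 1. Remove the expired updates from each software update group (and so from its deployments)
foreach ($group in Get-CMSoftwareUpdateGroup) {
    $groupName = $group.LocalizedDisplayName
    $dead = Get-CMSoftwareUpdate -UpdateGroupName $groupName -Fast |
            Where-Object { $expiredIds -contains $_.CI_ID }
    foreach ($u in $dead) {
        Write-Host "Group '$groupName': removing '$($u.LocalizedDisplayName)'"
        Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateId $u.CI_ID -SoftwareUpdateGroupName $groupName -Force
    }
}

# 2. Remove the expired content from each deployment package. The cmdlet reports an error for a
#    package that does not contain the update; that error is silenced and $? records whether the
#    removal actually succeeded, so only touched packages are redistributed.
$changedPackages = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($pkg in Get-CMSoftwareUpdateDeploymentPackage) {
    foreach ($id in $expiredIds) {
        Remove-CMSoftwareUpdateFromPackage -SoftwareUpdateId $id -PackageName $pkg.Name -Force -ErrorAction SilentlyContinue
        if ($?) { [void]$changedPackages.Add($pkg.Name) }
    }
}

# 3. Re-replicate the trimmed packages to every distribution point
foreach ($name in $changedPackages) {
    Write-Host "Redistributing deployment package '$name'"
    Update-CMDistributionPoint -SoftwareUpdateDeploymentPackageName $name
}
```

If a module version returns success for a package that never contained the update, the `$?` check over-approximates and a few untouched packages get redistributed; that costs bandwidth but nothing else. Run it with `-WhatIf` on the two `Remove-*` cmdlets first to see what would go.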
4. Conflicts between WSUS and SCCM group policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts, and troubleshooting client-side patch issues is not easy: skilled people are required to troubleshoot and resolve scan errors. More details on scan-error troubleshooting are available here.
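The policy conflict behind most of these scan errors is visible on the client: the ConfigMgr client writes the software update point into local policy, a domain GPO that also sets a Windows Update server overrides it, and WUAHandler.log records the override followed by error `0x87d00692` (group policy conflict). Here is an added example, not from the original post, that reads the policy registry values and parses the log for that pattern; the log lines embedded in it are constructed for the example and the server names are placeholders.

```powershell
# Added example, not from the original post: detect the WSUS/SCCM group policy conflict that
# causes scan errors. Sample log lines are constructed; real clients read WUAHandler.log.

function Get-WsusPolicyState {
    # Values under HKLM\SOFTWARE\Policies\...\WindowsUpdate, written by the ConfigMgr client as
    # local policy or by a domain GPO (the GPO wins when both exist)
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        UseWUServer    = $au.UseWUServer
    }
}

function Read-WuaHandlerLog {
    param([string[]]$LogLines)
    # CCM log framing: <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="MM-dd-yyyy" component=...>
    $frame = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"'
    foreach ($line in $LogLines) {
        if ($line -notmatch $frame) { continue }
        $stamp = "$($Matches.date) $($Matches.time)"   # capture before the inner -match resets $Matches
        $msg   = $Matches.msg
        if ($msg -match 'Managed server policy to use server: (?<srv>\S+)') {
            [pscustomobject]@{ Stamp = $stamp; Kind = 'ClientSetServer'; Detail = $Matches.srv }
        }
        elseif ($msg -match 'overwritten by a higher authority .*?to: Server (?<srv>\S+)') {
            [pscustomobject]@{ Stamp = $stamp; Kind = 'PolicyConflict'; Detail = $Matches.srv }
        }
        elseif ($msg -match 'Error = (?<code>0x[0-9A-Fa-f]{8})') {
            [pscustomobject]@{ Stamp = $stamp; Kind = 'Error'; Detail = $Matches.code }
        }
    }
}

# Constructed sample lines (not from a real client) showing the conflict pattern
$sampleLog = @(
    '<![LOG[Enabled WUA Managed server policy to use server: http://cm01.example.local:8530]LOG]!><time="10:01:02.123+000" date="04-13-2021" component="WUAHandler" context="" type="1" thread="4312" file="cwuahandler.cpp:1120">',
    '<![LOG[Group policy settings were overwritten by a higher authority (Domain Controller) to: Server http://oldwsus.example.local:8530 and Policy ENABLED]LOG]!><time="10:01:03.456+000" date="04-13-2021" component="WUAHandler" context="" type="3" thread="4312" file="cwuahandler.cpp:1232">',
    '<![LOG[Failed to Add Update Source for WUAgent of type (2) and id ({00000000-0000-0000-0000-000000000000}). Error = 0x87d00692.]LOG]!><time="10:01:03.789+000" date="04-13-2021" component="WUAHandler" context="" type="3" thread="4312" file="cwuahandler.cpp:1240">'
)

$logPath = "$env:SystemRoot\CCM\Logs\WUAHandler.log"
$lines   = if (Test-Path $logPath) { Get-Content $logPath } else { $sampleLog }
$events  = @(Read-WuaHandlerLog -LogLines $lines)
$events | Format-Table -AutoSize

$conflict = $events | Where-Object Kind -eq 'PolicyConflict' | Select-Object -Last 1
if ($conflict) {
    $state = Get-WsusPolicyState
    Write-Host "Group policy conflict: a domain GPO points the Windows Update Agent at $($conflict.Detail)"
    Write-Host "Effective policy WUServer: $($state.WUServer) (UseWUServer=$($state.UseWUServer))"
    Write-Host 'Fix: remove the Windows Update server setting from the domain GPO (or point it at the SUP), run gpupdate /force, then trigger a new scan.'
}
```

Running this on the sample lines prints one `ClientSetServer`, one `PolicyConflict` and one `Error 0x87d00692` row, which is exactly the sequence to look for in a real log before spending time on the WSUS server itself.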
5. "Real-time" patch failure reports are not available. Compliance scanning is not available out of the box; we need to use DCM or explicitly create collections and advertisements.
6. Not very good at third-party application patching. The System Center Updates Publisher (SCUP) tool can be integrated with SCCM, and it is free for Configuration Manager customers, but deploying third-party application updates through SCUP and SCCM requires a lot of manual work and extra packaging effort.
7. Some third-party application vendors do not provide SCUP-compatible CAB files for their updates. Hence, you need to build your own CAB files, which is not possible without expertise in packaging and other programming technologies.
8. Extra configuration, such as group policy settings and a publishing certificate, is required to support third-party application patching.
9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches; there is no native method in SCCM patching (Software Updates) to achieve this.
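For the rollback case, this added example (not from the original post) shows the manual path: remove a single update on a client with wusa.exe and fall back to the DISM cmdlets when wusa cannot handle it. `KB4000000` is a placeholder, not a real update; run it under an account with local administrator rights.

```powershell
# Added example, not from the original post: uninstall one update on a client, since SCCM
# software updates have no native uninstall. KB4000000 is a placeholder.
function Uninstall-Update {
    param(
        [Parameter(Mandatory)][string]$Kb,   # e.g. 'KB4000000' (placeholder)
        [switch]$AllowRestart
    )
    $kbId = 'KB' + ($Kb -replace '^(?i)KB', '')
    if (-not (Get-HotFix -Id $kbId -ErrorAction SilentlyContinue)) {
        Write-Host "$kbId is not installed on this machine"
        return $false
    }

    # First choice: wusa.exe removes updates that were installed from .msu packages.
    # /quiet /norestart keeps it as silent as a suppressed ConfigMgr deployment.
    $wusaArgs = "/uninstall /kb:$($kbId.Substring(2)) /quiet /norestart"
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" -ArgumentList $wusaArgs -Wait -PassThru
    $removed = $false
    switch ($proc.ExitCode) {
        0    { Write-Host "$kbId removed"; $removed = $true }
        3010 { Write-Host "$kbId removed, restart required"; $removed = $true }
        default {
            # Fall back to DISM: find the servicing package tagged with the KB and remove it.
            # Cumulative updates on newer builds are not always tagged with the KB in PackageName.
            $pkgs = Get-WindowsPackage -Online | Where-Object { $_.PackageName -like "*$kbId*" }
            if (-not $pkgs) {
                Write-Host "wusa returned $($proc.ExitCode) and no DISM package matches $kbId"
            }
            foreach ($pkg in $pkgs) {
                Remove-WindowsPackage -Online -PackageName $pkg.PackageName -NoRestart | Out-Null
                Write-Host "$($pkg.PackageName) removed via DISM"
                $removed = $true
            }
        }
    }
    if ($removed -and $AllowRestart) { Restart-Computer -Force }
    return $removed
}

Uninstall-Update -Kb 'KB4000000'
```

Wrapped in a ConfigMgr package or script deployment, this is how an uninstall is usually pushed to a collection when a bad update has to come back out; the important detail is `/norestart` plus a separate restart decision, so the rollback follows the same LOB restart rules as the original deployment.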
10. There is no native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is to combine domain GPO ADM template settings with local policy ADM template settings. More details here.
Who can fill the Gaps in SCCM Patch Management?
Real-time failure notification, compliance scanning, and third-party application updates are the three main gaps in SCCM patching. These gaps can be filled by using third-party SCCM patch management tools.
There are a number of vendors in the market, each with a slightly different approach, that provide commercial catalogs for third-party applications. Some of these products are SolarWinds Patch Manager, VMware vCenter Protect Catalog, and Secunia CSI.
Most third-party patch management software integrates seamlessly with SCCM and adds more control and scalability to patch deployment. These tools also provide pre-built and tested updates for common third-party applications, so patch admins don't have to waste their time building and testing catalogs.
The third-party vendors have dedicated teams to test, build, and deploy these updates, and they provide methods to roll back. All of these tasks are therefore automated for the organization, which does not need to invest its own money and time in that automation.
Real-time patch monitoring solutions are readily available from third-party patching tool vendors like SolarWinds. These tools help increase overall patching compliance.
Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience in IT (calculated in 2021). He is a blogger, speaker, and local user group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.