ConfigMgr SCCM Patch Management Pros Cons

In this post, I try to list some of the pros and cons of patching via SCCM, along with suggestions to improve compliance and streamline the patching process.

Latest software updates post: SCCM Third-Party Software Updates Setup Step By Step Guide 1 (anoopcnair.com).

You can also learn about the Difference Between WSUS Vs WUfB Intune Vs SCCM Patching Methods – HTMD Blog #2 (howtomanagedevices.com).

The following are the three points I’ll touch on in this post; most of the pros and cons of ConfigMgr SCCM patch management are covered under them.


1. Advantages of using SCCM Patch Management

2. Disadvantages or Challenges of Using SCCM Patch Management

3. Who can fill the Gaps in SCCM Patch Management?

Advantages of using SCCM Patch Management


1. Very well integrated with WSUS and the Windows Update Agent, the two patching technologies widely accepted by the industry. One console to perform all the administrative tasks.

2. The patching mechanism can be automated very well through SCCM: patches are deployed automatically to all managed workstations and servers.

3. With the same patch package (source files), we can create different patching schedules for different business groups within the organization as per their business requirements.

4. Easy to exclude VIP user systems or business-critical machines from patch deployments.


5. Using the Maintenance Window option, we can plan and schedule server patching via SCCM.

6. Customizable user notification behaviour: we can control what notifications end-users see.

7. Patch deployment without End User Interaction. The patch installation will be done in the background in a suppressed mode.

8. Through SCCM, we can easily define or Customize Restart behavior for different LOBs (Line Of Business). Often, some LOBs require their systems to be forcefully restarted after patching, but some are interested in suppressing reboot until the end-user reboots the system.

9. Automated Re-Evaluation Settings will help to improve patch compliance.

10. SCCM patch packages can be deployed as part of the Operating System Deployment task sequence.

Disadvantages or Challenges of Using SCCM Patch Management


1. It cannot manage patches on a hybrid network with non-Windows operating systems.

2. Every month, you need to spend loads of time deploying patches: selecting the updates, creating an update list, creating patch package(s), and creating deployments. However, this was improved in CM 2012 with the introduction of Automatic Deployment Rules.

3. Clean-up of expired patches is a big challenge. We need to find and edit patch packages to remove the dead update and re-replicate the package to all DPs. We also need to remove the updates from deployment management.

4. Conflicts between WSUS and SCCM Group Policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts, and troubleshooting client-side patch issues is not easy; skilled people are required to troubleshoot and resolve scan errors. More details on scan error-related troubleshooting are here.

5. “Real-time” patch failure reports are not available. Compliance scanning is not available out of the box; we need to use DCM or explicitly create collections and advertisements.

6. Not very good at third-party application patching. You can integrate the System Center Updates Publisher (SCUP) tool, which is free for Configuration Manager customers, with SCCM. However, you need to do loads of manual work and put in more packaging effort to deploy third-party application updates through SCUP and SCCM.

7. Some 3rd party application vendors won’t provide the CAB files for their updates that are compatible with SCUP. Hence, you need to build your cab files, and it won’t be possible without expertise in packaging and other programming technologies.

8. Extra configurations like Group Policy Settings and Publishing Certificate are required to support third-party application patching.

9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches; there is no native method in SCCM Patching or Software Updates to achieve this.

10. No native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is to use a combination of domain GPO ADM template settings and Local Policy ADM template settings. More details here.
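Item 3 above, the monthly removal of expired updates from software update groups, is the kind of task worth scripting. The following PowerShell is an added example and not code from the original post; it uses the ConfigurationManager module cmdlets as I know them (Get-CMSoftwareUpdateGroup, Get-CMSoftwareUpdate, Remove-CMSoftwareUpdateFromGroup), the site code is a placeholder, and you should verify the parameters against your console version before running it without -ReportOnly.

```powershell
<#
  Added example (not from the original post): remove expired updates from every
  Software Update Group so the monthly clean-up in item 3 is scripted and logged.
  Assumes the ConfigurationManager module shipped with the console is installed;
  the default site code is a placeholder and must be replaced.
#>
param(
    [string] $SiteCode = 'PS1',        # placeholder site code, replace with yours
    [switch] $ReportOnly               # list what would be removed, change nothing
)

# Load the console's PowerShell module and switch to the site drive
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1" -ErrorAction Stop
Set-Location "$($SiteCode):" -ErrorAction Stop

$removed = @()
foreach ($sug in Get-CMSoftwareUpdateGroup) {
    # Only expired updates are touched; superseded ones stay in place because a
    # deployment may still depend on them until the superseding update is compliant
    $expired = Get-CMSoftwareUpdate -UpdateGroupName $sug.LocalizedDisplayName -IsExpired $true -Fast
    foreach ($upd in $expired) {
        $entry = [pscustomobject]@{
            Group  = $sug.LocalizedDisplayName
            CI_ID  = $upd.CI_ID
            Update = $upd.LocalizedDisplayName
        }
        if (-not $ReportOnly) {
            Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $sug.LocalizedDisplayName `
                -SoftwareUpdateId $upd.CI_ID -Force
        }
        $removed += $entry
    }
}

# Emit a record of what was (or would be) removed. Keep it with the month's change
# record: the content still has to be removed from the deployment package and
# redistributed to the DPs, which this script does not do.
$removed | Sort-Object Group, Update
```

Run it first with -ReportOnly and compare the output against the update groups in the console; the same list tells you which deployment packages need their content refreshed afterwards.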

Who can fill the Gaps in SCCM Patch Management?


Real-time failure notification, compliance scanning, and third-party application updates are the three main gaps in SCCM patching. These gaps can be filled by using 3rd party SCCM patch management tools.

There are a number of vendors in the market, each with a slightly different approach, that provide commercial catalogs for other 3rd party applications. Some of the 3rd party products are SolarWinds Patch Manager, VMware vCenter Protect Catalog, and Secunia CSI.

Most 3rd party patch management software integrates seamlessly with SCCM and adds more control and scalability to patch deployment. The 3rd party tools also provide pre-built and tested updates for common 3rd party applications, so patch admins don’t have to waste time building and testing catalogs.

The 3rd party vendors have dedicated teams to test, build and deploy these updates, and some provide methods to roll back. All these tasks are automated for the organization, which then doesn’t have to invest money and time in building this automation itself.

Real-time patch monitoring solutions are readily available from 3rd party patching tool vendors like SolarWinds. These tools help increase overall patching compliance.

Author

Anoop C Nair is a Microsoft MVP. He is a Device Management Admin with more than 20 years of experience in IT (calculated in 2021). He is a blogger, speaker, and leader of the HTMD Community local user group. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

26 thoughts on “ConfigMgr SCCM Patch Management Pros Cons”

  1. Maybe you still want to have the power of selecting the updates that get deployed?! Don’t have that with ADR. Or am I missing a configuration?

    Reply
    • Yes, it’s possible. There is an option to select the property filters and search criteria. The software updates that meet the specified criteria are added to the associated software update group.

      Reply
  2. My script also creates the Software Update Group. It won’t download and won’t deploy, that’s correct.
    The big disadvantage with ADR is, as I see it, that it’s the same every month. That can be an advantage, but if there’s only one Patch you don’t want to install, you will have to disable it manually.
    I only create a Software Update Group out of those Patches I want it to have.

    Both have advantages and disadvantages. People have to decide what’s best for them!

    Reply
  3. In my organization I wrote a few PowerShell scripts that reduce this monthly job to: run the script, [while it is running I can watch the progress bar and drink coffee], after a few hours check if all content on the DP is in place, so basically I save a few hours every month. I’m using those scripts in SCCM 2007, but I have also tested and customized them for 2012.

    Reply
  4. Hi Anoop,

    I have deployed patches to a collection, but we found that machines with users logged in display the 24 hr notification; however, if no one is logged in, it restarts the machine and doesn’t wait for 24 hrs.

    Is this the normal behaviour of patch management? Or do we have any alternatives to avoid the unexpected restart?

    Reply
  5. Hmm, trying to build a fairly automated patch setup. And come up with this.
    ADR on Patch Tuesday – downloads the security and critical patches for our test group and stores them in the package.
    ADR 15 minutes later – uses the same package for storage, but makes the updates available for preprod 2 days later.
    ADR 15 minutes later again – still the same package, but makes the updates available 8 days after download, and deploys them to select Prod servers?

    This way, with the built-in delays and maintenance windows, we should have a fairly hands-off setup of updates, which currently is only Critical and Security, but could include others as needed.

    On paper it looks good; chances are no extra updates have been released in the 15 minutes between ADR runs. And the delay in deployments should give us ample time to react to any problems?

    Or am I missing something here ?

    Reply
  6. Hi Anoop,

    Can you please tell me how to give snooze options to end users to manage the reboot behavior of their computers after the patch deployment? In my case, end users are not getting a reboot prompt; instead the reboot is hidden in the tray icon. You need to go and click on that to see the restart timer. Thanks,

    Reply
  7. My personal experience with System Center 2012 R2

    1. Client push installations were a pain in the neck; somehow made it work with the GPO method and manual CMD installation.
    2. Automatic deployment rules work fine in most cases, but getting optional updates or updates with no Bulletin ID deployed had to be manual.
    3. Automatic or manual deployments were not instantaneous; encountered situations where the deployments just didn’t reach the servers for some *** reason.
    4. SCCM for third party patching like Java, Adobe, Chrome, etc.: forget about it!!! It requires ridiculous manual effort and makes you feel like ‘I should have done it manually’.
    5. All the cons and pros listed in this article are so true.
    6. Have worked with MS engineers who spent days to fix deployment issues; I was never able to promise my manager that server maintenance would be on time and as planned.

    Finally, we decided to leave SCCM and got a third party patch manager.

    Reply
  8. It’s a little work but I found something quite useful; on a single computer run a program called PatchMyPC. It will go out and check for 3rd party updates; useful with Java and Adobe products; then it will install the updates. Now comes the sneaky part. Copy the downloaded files to another location before closing PatchMyPC then use various command line switches to silently install the updates. Bam, you’re done. And you can even do this with SCCM, do it as a Program and not an application.

    Reply
  9. Hi Anoop, require your help. While rolling out 2011 MS security patches, I get GENERAL FAILURE. But 2015 security patches are getting installed without any issues.

    Reply
    • Hi Nirmal! – Sure, most probably the 2011 MS security patches are already expired 🙂 I would suggest doing a deep dive into the SCCM log files, which can shed some light on the issues. SCCM log files are always useful. I would suggest analysing the patches in the SCCM 2012 update group. Also, think about whether you really require the 2011 patches now, as we are in 2015 🙂

      Also, you can post questions in our SCCM Facebook group forum https://www.facebook.com/groups/ConfigMgr2012/ for more detailed discussions.

      Regards
      Anoop

      Reply
  10. Does anyone know how to deploy Optional update “Internet Explorer 11 Language Pack for Windows 7 for x64-based Systems” using SCCM 2012?

    Reply
  11. Is there any way to Roll back the updates installed via SCCM or WSUS? except writing task sequence to uninstall an individual KB in SCCM.

    Reply
  12. 1.) To manage patches on a hybrid network with Non Windows Operating systems.

    1.) Answer: Can be done through 3rd party integration kits. For example, Parallels for SCCM for mac management. Also the latest cumulative update provides some management features as well, nearly closing the gap on mac systems if both are used together. Also Shavlik has a patch SCUP repository that is pretty nice.

    2. Every month you need to spend loads of time to deploy patches. Following are some of the activities: Select the updates, create Update list, patch package/s and Deployments. However, this is improved in CM 2012 with the introduction of Automatic Deployment Rules.

    2.) Answer: ADR is very strong and it really depends on the type of updates you are applying. Also this does depend on if you have

    3. Clean up activity for expired patches is a big challenge. We need to find and edit Patch packages to remove an expired update and re-replicate the package again to all DPs. Also, need to remove the updates from deployment management.

    3.) – Answer: There is a powershell script that does this very well and will go through all of your software groups. This is on the Technet Gallery. Test it to ensure it does what you need then schedule task it for a regular routine.

    4. Conflicts between WSUS and SCCM Group Policy settings. SCAN errors are common problem in SCCM patching because group policy conflicts. Troubleshooting of client side patch issues is not very easy. Required skilled people to troubleshoot scan errors and resolve those. More Details on scan error related troubleshooting here.

    4.) – Answer: Not sure what the definition of skilled is, but our common grunt on the Desktop team with proper google-fu could do this fairly well. Also you can build a GPO WSUS using preferences that will appropriately fill the gap between SCCM and WSUS. This could be written into a flow process your typical desktop/helpdesk guy could use.

    5. “Real time” patch failure reports are not available. Compliance scanning is not available as ready to use, we need to use DCM or need to explicitly create collections and advertisements.

    5.) Answer: There isn’t really anything that will give you real time patch statistics. Compliance scanning is structured entirely differently.

    6. Not very good at Third Party Application Patching. You can integrate System Center Updates Publisher (SCUP) tool, as it’s free for Configuration Manager customers, with SCCM. However, you need to do loads of manual work and put in more packaging efforts to deploy third party application updates through SCUP and SCCM.

    6.) Answer: I refer back to Shavlik for their Patch product for 3rd party apps or Solarwinds SCCM patch manager. Essentially fully configured SCUPs without any of the headache. Also if you want to go the monolithic way, it’s not really often you have to change your scripts for a 3rd party software update that you may need to package.

    7. Some 3rd party application vendors won’t provide the CAB files for their updates which are compatible with SCUP so you need to build your own cab files and it won’t be possible without expertise in packaging and other programming technologies.

    7.) Answer: CM is a complete toolset so I don’t understand why you scorn this when you can easily deploy it as a package. In most cases, this is usually better.

    8. Extra configurations like Group Policy Settings and Publishing Certificate required to support third party application patching.

    8.) Answer: Won’t debate this but this is common for anything else out there.

    9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches. There is no native method in SCCM Patching or Software Updates to achieve this.

    9.) Answer: It sounds like Microsoft is working on this a bit more recently. Technically you could execute removal through the WSUS console via selecting Approved for removal now without it breaking the integration with the SCCM console. Also the usual best practice that is supported is by packaging the update(s) with an uninstall script.

    10. No native method Suppress Restart Notifications in latest version of SCCM 2012. The work around is to use a combination of domain GPO Adm template settings and Local Policy Adm template settings. More Details here.

    10.) Answer: There is a native suppress restart notifications. You may mean there is limitations in what you can configure with it, which if that is the case, then I agree.

    Reply
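The post’s item 9 and the answer to it in the comment above land on the same workaround: package the uninstall as a ConfigMgr Program. The following PowerShell is an added example, not code from the original post or from any commenter; it assumes wusa.exe is available on the client (Windows 7 / Server 2008 R2 and later), and the KB number is a placeholder.

```powershell
<#
  Added example (not from the original post): an uninstall wrapper for item 9,
  meant to be deployed as a ConfigMgr Program because Software Updates has no
  native uninstall. Exit code 3010 is passed through so ConfigMgr records
  "success, reboot required" instead of a failure.
#>
param(
    [Parameter(Mandatory)] [string] $KB   # e.g. 'KB0000000' (placeholder value)
)
$id = $KB -replace '^KB', ''             # wusa wants the bare number

# Detect before acting: wusa returns a non-zero code for an update that is not
# present, and ConfigMgr would then mark the program failed although the end
# state is exactly what was asked for.
if (-not (Get-HotFix -Id "KB$id" -ErrorAction SilentlyContinue)) {
    Write-Output "KB$id is not installed; nothing to do"
    exit 0
}

# Silent uninstall; /norestart leaves the reboot to the program's restart
# settings and maintenance windows rather than rebooting under the user.
$p = Start-Process -FilePath 'wusa.exe' `
        -ArgumentList '/uninstall', "/kb:$id", '/quiet', '/norestart' `
        -Wait -PassThru

switch ($p.ExitCode) {
    0    { Write-Output "KB$id removed"; exit 0 }
    3010 { Write-Output "KB$id removed, restart required"; exit 3010 }
    default {
        # Servicing details end up in the Setup event log and %SystemRoot%\Logs\CBS\CBS.log
        Write-Output "wusa failed for KB$id with exit code $($p.ExitCode)"
        exit $p.ExitCode
    }
}
```

Pair it with a second program or a detection rule that checks Get-HotFix for the same KB, so the collection used for the rollback can be built from inventory rather than by hand.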
  13. Hi Anoop, have one query. We have created a 2012 R2 SUG for patches from 2014 to 2016 and deployed it to a collection. But in Software Center it shows only October 2016 patches. Bit confused why the rest of the patches are not showing in Software Center.

    Reply
  14. In the client environment, because of the kind of work, there are many users who work remotely or from the field. They do not have access to the client network for months. They only use webmail to access their emails online. As such, the patching process that we undergo every month doesn’t have a healthy compliance percentage.

    Hence we have come up with a recommendation to put the SCCM servers in the DMZ network or use any technique that will complete our patching process online.

    Is there a way we can accomplish this task?

    Reply
