SCCM Third-Party Patching Best Practices for an Organization (Configuration Manager / ConfigMgr)

I have been involved in patching Windows machines since the "SMS 2003 + ITMU" days. Every month, we need to perform very complex steps to deploy patches.
Nowadays, SCCM 2007/2012/CB uses WSUS along with Windows Update to download, deploy and install patches. There are challenges in the Microsoft patching process using SCCM, and I've seen lots of IT Pros struggling to get good compliance reports.
I don’t think most organizations have a process for patching third-party applications. In this post, we will see “Third Party Patching Best Practices for an Organization.”
What is Patching?
All software applications and drivers go through a software release life cycle, which includes bug fixes and improvements.
Each vendor releases patches to fix the bugs in its software and drivers. The process of deploying and installing these patches to one or more systems or devices is called software patching.
Patching all existing applications is mandatory for organizations, because the patching process is what keeps the environment secure. Vendors such as Microsoft and Adobe, and the maintainers of Android, iOS, macOS, Linux and Unix operating systems, release patches that cover bug fixes for their software.
What is Third-Party Patching?
Now that you understand what patching is, let's look at what third-party patching is. Third-party patching is the process of deploying and installing bug fixes and improvements to non-Microsoft software applications and drivers, that is, to applications provided by a 3rd party vendor other than the manufacturer of the device and the OS.
Microsoft has a systematic approach to patch their Windows OS and applications like Office etc. SCCM can automatically deploy Microsoft monthly patches to all machines in the organization systematically.
Microsoft's updates don't include patches for other companies' application software. Windows OS updates and fixes include drivers for many manufacturers and devices, but Microsoft is not responsible for providing updates for other manufacturers, so Microsoft OS updates won't cover every vendor.
Some Examples of Third-Party Applications
- Dell/HP/Lenovo Device Drivers
- Any Business applications
Why is Third-Party Patching Important?
The infamous Bad Rabbit ransomware attack happened because of a flaw in Adobe Flash. When a vendor releases a patch for a bug and organizations don't deploy that patch, those machines remain vulnerable to security attacks.
Different vendors have different patching schedules because they follow different software release management cycles. Hence, we can't expect all vendors to release patches every month on the 2nd Tuesday.
Cyber attacks are the main threat to organizations. Third-party application patching is one of the main areas of concern, and it needs more attention.
The unpatched third-party applications act as a gateway for hackers to get into the corporate network. Once the hackers get access to the corporate network, they can do more damage to the organizations.
Why is Third-Party Patching so Difficult?
Third-party application and driver patching is indeed challenging for most organizations. We have a large ecosystem of third-party applications: hundreds of them are in use across different organizations, and each vendor has its own software release cycle.
Vendors can't all be expected to release patches and fixes on the same schedule; each vendor releases patches according to its own priorities. So, IT Pros must always keep an eye on every vendor to get notified about patch releases.
Once a patch is released, it should be deployed to all the workstations in the network. There is no unified mechanism to keep track of these 3rd party application patches.
SCCM is managing 90% of Windows devices all around the world. But SCCM has its own challenges in getting the patches from each vendor, uploading them to the database, and deploying them.
IT admins can look for third-party patching solutions to deploy patches via SCCM. Those third-party solutions maintain their own databases to stay up to date on patch releases from different vendors.
I have posted about the difficulties of SCCM admins concerning third-party application patching. You can refer to that post via the following link “How Tedious for SCCM Admins to Patch 3rd Party Applications via SCUP.” As you can see in the above picture, the situation with SCCM is going to improve soon.
Another big challenge for organizations and 3rd party patch management vendors is that no two SCCM environments are equal. An SCCM infrastructure with multiple DP servers may see high numbers of delivery failures due to problems with the content delivery system. If just 1% or 2% of DP servers fail, there could be thousands of unpatched workstations in the network. This is a high-risk situation for organizations.
Peer-to-peer delivery technology such as Adaptiva OneSite can make roll-outs faster and easier. OneSite eliminates the need for servers, speeds delivery, and does a lot more to improve your success rates and shrink troubleshooting time and effort.
What are the best practices for Third-party patching?
In my 17 years of IT experience with different organizations, I have never seen a global patching team that is responsible for third-party application patching. Most organizations have a patching team that is responsible for Microsoft patching but not for other 3rd party applications.
The main problem here is that there is no single point of contact for 3rd party applications. Each department and each business unit has its own set of third-party applications, and those apps are not centrally managed.
So, the best practice is to get an executive sponsor for third-party application patching. The initial step should be running an automatic discovery process (with the help of 3rd party patching vendors) to understand the landscape of apps in your organization.
Once the discovery is completed, the organization can start the remediation process and build a dedicated team to patch third-party applications.
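As an added example (not from the original post or from any patching vendor), the following PowerShell builds a first-cut picture of the third-party application landscape on a Windows machine by reading the per-machine Uninstall registry keys and grouping non-Microsoft products by publisher; the function name and the "first-party" publisher pattern are assumptions, and the output is meant as input to the discovery step, not a replacement for a vendor catalogue.

```powershell
# Added example: summarise installed non-Microsoft ("third-party") applications
# by publisher, using the standard Uninstall registry keys. Function name and
# the first-party publisher pattern are hypothetical choices for illustration.
function Get-ThirdPartyAppLandscape {
    [CmdletBinding()]
    param(
        # Publishers matching any of these regexes are treated as first-party.
        [string[]]$FirstPartyPublisherPatterns = @('^Microsoft')
    )

    # Both the native hive and the 32-bit-on-64-bit (Wow6432Node) hive.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        ForEach-Object {
            $publisher = if ($_.Publisher) { $_.Publisher } else { '(unknown)' }
            $isFirstParty = $false
            foreach ($pattern in $FirstPartyPublisherPatterns) {
                if ($publisher -match $pattern) { $isFirstParty = $true; break }
            }
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Publisher      = $publisher
                InstallDate    = $_.InstallDate   # yyyyMMdd string when present
                ThirdParty     = -not $isFirstParty
            }
        }

    # One row per third-party publisher: how many distinct products, and which.
    $apps | Where-Object ThirdParty |
        Group-Object Publisher |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Publisher    = $_.Name
                ProductCount = $_.Count
                Products     = ($_.Group.DisplayName | Sort-Object -Unique) -join '; '
            }
        }
}

# Run on the local machine; pipe to Export-Csv to collect results from many hosts.
Get-ThirdPartyAppLandscape | Format-Table -AutoSize -Wrap
```

Per-user installs (HKCU) and apps that register no Uninstall key are not seen here, which is exactly the gap a vendor-backed discovery fills.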
To learn more about how to accelerate deployment of Windows 10, and speed delivery of updates and patches post-deployment, join Adaptiva’s upcoming webinar.
Anoop is a Microsoft MVP. He is a Solution Architect in enterprise client management with more than 20 years of experience (calculated in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.