SCCM Third-Party Patching Best Practices for an Organization
I have been involved in patching Windows machines since the ‘SMS 2003 + ITMU’ days. Every month, we need to perform very complex steps to deploy patches.
Nowadays SCCM 2007/2012/CB uses WSUS along with Windows Update to download, deploy and install patches. There are challenges in the Microsoft patching process using SCCM, and I’ve seen lots of IT Pros struggling to get good compliance reports. I don’t think most organizations have a process in place for patching third-party applications. In this post, we will see “Third Party Patching Best Practices for an Organization.”
What is Patching?
All software applications and drivers go through a software release life cycle, which includes bug fixes and improvements. To fix the bugs in software and drivers, each vendor releases a patch. The process of deploying/installing these patches to one or more systems or devices is called software patching.
Patching all existing applications is mandatory for organizations. The patching process helps keep the environment secure. Software vendors like Microsoft and Adobe, and the vendors of Android, iOS, MacOS, Linux and Unix OSes, etc., release patches. These patches cover bug fixes for their software.
What is Third Party Patching?
Now, I hope you understood what patching is. Let’s understand what third-party patching is. Third-party patching is the process of deploying/installing bug fixes and improvements to non-Microsoft software applications/drivers, i.e. applications provided by a 3rd party vendor other than the manufacturer of the device and OS.
Microsoft has a systematic approach to patch their Windows OS and applications like Office etc. SCCM can automatically deploy Microsoft monthly patches to all machines in the organization in a systematic way.
Microsoft doesn’t include patches for other companies’ application software. Windows OS updates/fixes include drivers for many manufacturers and devices, but Microsoft is not responsible for providing updates for other manufacturers, so Microsoft OS updates won’t cover all vendors.
Some examples of third-party applications:
- Dell/HP/Lenovo Device Drivers
- Any Business applications
Why is Third-Party Patching Important?
The infamous Bad Rabbit ransomware attack happened because of a flaw in Adobe Flash. When a vendor releases a patch for a bug and organizations don’t deploy that patch, those machines become vulnerable to security attacks.
Different vendors have different patching schedules, because they follow different software release management cycles. Hence we can’t expect all vendors to release patches on the 2nd Tuesday of every month.
Cyber attacks are a main threat to organizations. Third-party application patching is one of the main areas of concern and needs more attention. Unpatched third-party applications act as a gateway for hackers to get into the corporate network. Once the hackers get access to the corporate network, they can do much more damage to the organization.
Why is Third-Party Patching so Difficult?
It’s true, third-party application/driver patching is challenging for most organizations. We have a large ecosystem of third-party applications, with hundreds of them used across different organizations, and the different vendors of these applications each have their own software release cycle.
In practice, vendors can’t all release patches and fixes on the same schedule. Each vendor releases patches depending on their priority. So, IT Pros should always keep an eye on all vendors to get notified about patch releases. Once a patch is released, it should be deployed to all the workstations in the network. There is no unified mechanism to keep track of these 3rd party application patches.
SCCM manages 90% of the Windows devices all around the world. But SCCM has its own challenges in getting the patches from each vendor, uploading them to the database and deploying them. IT admins can look for third party patching solutions that deploy patches via SCCM. Those third party solutions maintain their own database to stay updated about patch releases from different vendors.
I have posted about the difficulties SCCM admins face with third party application patching. You can refer to that post via the following link: “How Tedious for SCCM Admins to Patch 3rd Party Applications via SCUP.” As you can see in the above picture, the situation with SCCM is going to improve soon.
Another big challenge for organizations and 3rd party patch management vendors is that no two SCCM environments are equal. An SCCM infrastructure with multiple DP servers may see high numbers of delivery failures due to problems with the content delivery system. When just 1% or 2% of DP servers fail, there could be thousands of unpatched workstations in the network. This is a high-risk situation for organizations.
Peer-to-peer delivery technology such as Adaptiva OneSite can make roll-outs faster and easier. OneSite eliminates the need for servers, speeds delivery, and does a lot more to improve your success rates and shrink troubleshooting time and effort.
What are the best practices for Third-party patching?
In my 17 years of IT experience with different organizations, I have never seen a global patching team responsible for third-party application patching. Most organizations have a patching team responsible for Microsoft patching, but not for other 3rd party applications.
The main problem here is that there is no single point of contact for 3rd party applications. Each department and each business unit has its own set of third party applications, and those apps are not centrally managed.
So, the best practice is to get an executive sponsor for third-party application patching. The initial step should be running an automatic discovery process (with the help of 3rd party patching vendors) to understand the landscape of apps in your organization.
Once discovery is complete, the organization can start the remediation process and build a dedicated team to patch third-party applications.
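As an added illustration of the discovery step (this is example code, not part of the original post and not any vendor’s tool), the following PowerShell script inventories the installed applications on one Windows machine from the registry Uninstall keys, filters out entries published by Microsoft, and writes the remaining third-party applications to a CSV. The output file name and the “not published by Microsoft” rule are assumptions made for this example.

```powershell
# Added example: build a per-machine inventory of third-party applications from the
# registry Uninstall keys (64-bit and 32-bit views) as a first step in discovery.
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Read every Uninstall entry; ignore keys that have no DisplayName (updates, stubs)
# and entries flagged as SystemComponent, which Add/Remove Programs also hides.
$apps = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Assumption for this example: anything not published by Microsoft is third-party.
$thirdParty = $apps |
    Where-Object { $_.Publisher -notlike 'Microsoft*' } |
    Sort-Object Publisher, DisplayName -Unique

# Summary by publisher: shows which vendors' release cycles you will need to track.
$thirdParty | Group-Object Publisher |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Full list, exported for consolidation across machines (file name is an assumption).
$outFile = Join-Path $env:TEMP "$env:COMPUTERNAME-ThirdPartyApps.csv"
$thirdParty | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Found $($thirdParty.Count) third-party applications; exported to $outFile"
```

Run it in an elevated PowerShell session on a reference workstation to see what one machine looks like. Across a fleet, SCCM hardware inventory (the Add/Remove Programs data it already collects) or a third-party patching vendor’s discovery feature gives the same landscape view without running a script on every device; the point of this example is only to make visible how many vendors, and therefore how many separate release schedules, a single machine already depends on.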
To learn more about how to accelerate deployment of Windows 10, and speed delivery of updates and patches post-deployment, join Adaptiva’s upcoming webinar.
Windows 10 Accelerator Program Webinar
Tuesday November 7th,
9am PST / 5pm GMT / 6pm CET