ConfigMgr SCCM Patch Management Pros and Cons
Patch management through SCCM has improved a great deal over the last few years. I started working on patching back in the ‘SMS 2003 + ITMU’ days. Back then, every month we had to perform loads of complex steps to deploy patches. Nowadays SCCM 2007/2012 uses WSUS along with Windows Update to download, deploy and install patches. There are still some challenges in SCCM patch management, and I’ve seen lots of organizations struggling to get good compliance with their patching.
In this post, I’m trying to list some of the pros and cons of patching via SCCM, along with some suggestions to improve compliance and streamline the patching process. These are the three points I’ll cover in this post.
1. Advantages of using SCCM Patch Management
2. Disadvantages or Challenges of Using SCCM Patch Management
3. Who can fill the Gaps in SCCM Patch Management?
Advantages of using SCCM Patch Management
2. We can automate the patching mechanism very well through SCCM: deploy patches automatically to all managed workstations and servers.
3. With the same patch package (source files), we can create different patching schedules for different business groups within the organization, as per their business requirements.
4. Easy to exclude VIP user systems or business-critical machines from patch deployments.
5. Using the Maintenance Window option, we can plan and schedule server patching via SCCM.
6. Customize the user notification behaviour. We can control the notification behaviour for end users.
7. Patch deployment without end-user interaction. The patch installation is done in the background in suppressed mode.
8. Through SCCM, we can easily define or customize restart behaviour for different LOBs (Lines of Business). Often some LOBs require their systems to be forcibly restarted after patching, while others prefer to suppress the reboot until the end user restarts the system.
9. Automated re-evaluation settings help to improve patch compliance.
10. SCCM patch packages can be deployed as part of the Operating System Deployment task sequence process.
Disadvantages or Challenges of Using SCCM Patch Management
2. Every month you need to spend loads of time deploying patches. Some of the activities: select the updates, create the update list, patch package(s) and deployments. However, this has improved in CM 2012 with the introduction of Automatic Deployment Rules.
3. Cleaning up expired patches is a big challenge. We need to find and edit patch packages to remove an expired update and then re-replicate the package to all DPs. We also need to remove the updates from deployment management.
4. Conflicts between WSUS and SCCM group policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts. Troubleshooting client-side patch issues is not very easy; it requires skilled people to troubleshoot scan errors and resolve them. More details on scan error related troubleshooting here.
5. “Real time” patch failure reports are not available. Compliance scanning is not available out of the box; we need to use DCM or explicitly create collections and advertisements.
6. Not very good at 3rd party application patching. You can integrate the System Center Updates Publisher (SCUP) tool with SCCM, as it’s free for Configuration Manager customers. However, you need to do loads of manual work and put in more packaging effort to deploy 3rd party application updates through SCUP and SCCM.
7. Some 3rd party application vendors won’t provide CAB files for their updates that are compatible with SCUP, so you need to build your own CAB files, which isn’t possible without expertise in packaging and other programming technologies.
8. Extra configuration, such as group policy settings and a publishing certificate, is required to support 3rd party application patching.
9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches; there is no native method in SCCM Patching or Software Updates to achieve this.
10. No native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is to use a combination of domain GPO ADM template settings and local policy ADM template settings. More details here.
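Point 4 above (WSUS/SCCM group policy conflicts causing scan errors) is the one most often diagnosed by hand on a client. The following PowerShell script is an added example written for this post, not code from the original article or from Microsoft: it reads the Windows Update Agent policy values that ConfigMgr sets through local policy, compares the server URL against your Software Update Point, and checks WUAHandler.log for the message the client writes when a domain GPO overrides that local policy. The $ExpectedSup value is an assumed placeholder; replace it with your own SUP URL. Run it in an elevated prompt on the affected client.

```powershell
# Added example (not part of the original post): detect a WSUS group-policy conflict
# on a ConfigMgr client. $ExpectedSup is an assumed placeholder for your Software
# Update Point URL (see the SUP component properties in the console).
param(
    [string]$ExpectedSup = 'http://sup01.contoso.local:8530'   # assumed placeholder
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

# 1. Where the Windows Update Agent is currently pointed. ConfigMgr writes these
#    values via local policy; a domain GPO with WSUS settings overwrites them.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

[pscustomobject]@{
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer
} | Format-List

$problems = @()
if (-not $wu.WUServer) {
    $problems += 'WUServer is not set; the client has no SUP assigned yet.'
}
elseif ($wu.WUServer.TrimEnd('/') -ne $ExpectedSup.TrimEnd('/')) {
    $problems += "WUServer is '$($wu.WUServer)' but the SUP is '$ExpectedSup' (likely a domain GPO conflict)."
}
if ($au.UseWUServer -ne 1) {
    $problems += 'UseWUServer is not 1; the agent will scan against Microsoft Update instead of the SUP.'
}

# 2. WUAHandler.log records each time a domain GPO overrides the local policy that
#    the ConfigMgr client set. Repeated entries here explain recurring scan errors.
$log = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'
if (Test-Path $log) {
    $hits = @(Select-String -Path $log -Pattern 'overwritten by a higher authority' -SimpleMatch)
    if ($hits.Count -gt 0) {
        $problems += "WUAHandler.log shows $($hits.Count) GPO override event(s); last one: $($hits[-1].Line)"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
}
else {
    Write-Output 'No WSUS/ConfigMgr policy conflict detected on this client.'
}
```

If the script reports a mismatch, the fix is on the GPO side (remove or unlink the WSUS server setting for ConfigMgr-managed machines), not on the client; the client re-applies its own local policy on the next software update scan.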
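Point 9 above says there is no native uninstall in Software Updates and that you fall back to manual methods or DISM. The script below is an added example for this post, not code from the original article or from Microsoft: it removes a single update from a client using wusa.exe first and the DISM PowerShell module (Windows 8 / Server 2012 and later) as a fallback, which is the manual rollback step you would run, or wrap in a package, when a bad patch has to come off. The KB number is a placeholder parameter you supply; run it elevated.

```powershell
# Added example (not part of the original post): roll back one Windows update on a
# client because Software Updates has no uninstall action. $KB is a placeholder;
# pass the article number of the update you are removing, e.g. '1234567'.
param(
    [Parameter(Mandatory)][string]$KB,
    [switch]$Reboot
)
$KB = $KB -replace '^KB', ''

# Nothing to do if the update is not present in the installed hotfix list.
if (-not (Get-HotFix -Id "KB$KB" -ErrorAction SilentlyContinue)) {
    Write-Output "KB$KB is not installed on $env:COMPUTERNAME; nothing to do."
    return
}

# First attempt: wusa.exe, which handles MSU-based updates and returns a standard
# exit code (0 = removed, 3010 = removed but a restart is required).
$p = Start-Process -FilePath "$env:windir\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$KB /quiet /norestart" -Wait -PassThru

switch ($p.ExitCode) {
    0    { Write-Output "KB$KB removed."; break }
    3010 { Write-Output "KB$KB removed; restart required."; break }
    default {
        Write-Warning "wusa.exe returned $($p.ExitCode); trying DISM package removal."
        # Fallback: locate the CBS package that carries the KB number and remove it.
        $pkg = Get-WindowsPackage -Online | Where-Object { $_.PackageName -match "KB$KB" }
        if ($pkg) {
            $pkg | ForEach-Object {
                Remove-WindowsPackage -Online -PackageName $_.PackageName -NoRestart
            }
        }
        else {
            Write-Warning "No CBS package found for KB$KB; it may be a permanent (non-removable) update."
        }
    }
}

if ($Reboot) { Restart-Computer -Force }
```

Because ConfigMgr will simply redeploy the update on the next evaluation cycle, pair a rollback like this with removing the update from the deployment (or an exclusion collection) until a fixed release is available.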
Who can fill the Gaps in SCCM Patch Management?
Real time failure notification, compliance scanning and 3rd party application updates are the three main gaps in SCCM patching. These gaps can be filled by using 3rd party SCCM patch management tools.
There are a number of different vendors in the market, each with a slightly different approach, that provide commercial catalogs for other 3rd party applications. Some of the 3rd party products are SolarWinds Patch Manager, VMWare vCenter Protect Catalog, and Secunia CSI.
Most 3rd party patch management software integrates seamlessly with SCCM and adds more control and scalability in deploying patches. The 3rd party tools also provide pre-built and tested updates for common 3rd party applications, so patch admins don’t have to spend their time building and testing the catalogs. The 3rd party vendors have dedicated teams to test, build and deploy these updates, along with methods to roll them back. All of these tasks are automated for the organization, which then doesn’t need to invest its own money and time in building that automation.
Real time patch monitoring solutions are readily available from 3rd party patching tool vendors like SolarWinds. These tools will help increase overall patching compliance.