ConfigMgr SCCM Patch Management Pros and Cons
Patch management through SCCM has matured considerably over the last few years. I have been working on patching since the ‘SMS 2003 + ITMU’ days, when every month meant a long list of complex steps just to deploy patches. Nowadays SCCM 2007/2012 uses WSUS along with the Windows Update Agent to download, deploy and install patches. There are still some challenges in SCCM patch management, and I’ve seen lots of organizations struggling to get good compliance with their patching.
In this post, I’m trying to list some of the pros and cons of patching via SCCM, along with some suggestions to improve compliance and streamline the patching process. The following are the three points that I’ll touch on in this post.
1. Advantages of using SCCM Patch Management
2. Disadvantages or Challenges of Using SCCM Patch Management
3. Who can fill the Gaps in SCCM Patch Management?
Advantages of using SCCM Patch Management
1. Very well integrated with WSUS and the Windows Update Agent, the two patching technologies widely accepted by the industry. One console to perform all the administrative tasks.
2. We can automate the patching mechanism very well through SCCM: deploy patches automatically to all managed workstations and servers.
3. With the same patch package (source files), we can create different patching schedules for different business groups within the organization as per their business requirements.
4. Easy to exclude VIP user systems or business-critical machines from patch deployments.
5. Using the Maintenance Window option, we can plan and schedule server patching via SCCM.
6. Customize the user notification behaviour. We can control the notification behaviour for end users.
7. Patch deployment without end user interaction. The patch installation is done in the background in suppressed mode.
8. Through SCCM, we can easily define or customize restart behaviour for different LOBs (Lines of Business). Often some LOBs require their systems to be forcefully restarted after patching, while others prefer to suppress the reboot until the end user restarts the system.
9. Automated re-evaluation settings help to improve patch compliance.
10. SCCM patch packages can be deployed as part of the Operating System Deployment task sequence process.
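Points 5, 6 and 8 above (maintenance windows, notification behaviour and per-LOB restart behaviour) are all settings on a software update deployment, so here is an added example of driving them from the ConfigMgr 2012 R2 PowerShell module. This is illustration code written for this post, not code from the original article. The site code, collection names, update group name, dates and the LOB table are constructed placeholders, and it is assumed that `$true` on -RestartServer/-RestartWorkstation maps to the deployment's "suppress the system restart" option, as the cmdlet help describes.

```powershell
# Added example: per-LOB software update deployments with a server maintenance window.
# Site code, collection names, update group and dates are constructed placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'   # assumed site code

$updateGroup = 'Monthly Updates - 2014-01'   # assumed to exist already

# 1) Server maintenance window: every Saturday 22:00 for 4 hours, software updates only,
#    so installs and any required reboots on servers happen only inside this window.
$mwStart    = Get-Date -Year 2014 -Month 1 -Day 4 -Hour 22 -Minute 0 -Second 0
$mwSchedule = New-CMSchedule -Start $mwStart -DayOfWeek Saturday -RecurCount 1 `
                             -DurationInterval Hours -DurationCount 4
New-CMMaintenanceWindow -CollectionName 'Servers - Patching' `
                        -Name 'Sat 22:00 patch window' `
                        -Schedule $mwSchedule -ApplyTo SoftwareUpdatesOnly

# 2) Restart and notification behaviour per LOB (constructed table).
#    SuppressRestart $true is assumed to map to "suppress the system restart";
#    confirm in the deployment properties after the first run.
$lobs = @(
    # Finance: forced restart after patching; users see Software Center notifications only.
    @{ Collection = 'LOB - Finance';     SuppressRestart = $false; Notify = 'DisplaySoftwareCenterOnly' },
    # Engineering: keep the reboot pending until the user restarts; full notifications.
    @{ Collection = 'LOB - Engineering'; SuppressRestart = $true;  Notify = 'DisplayAll' },
    # Servers: no suppression (the maintenance window gates the reboot), no user notification.
    @{ Collection = 'Servers - Patching'; SuppressRestart = $false; Notify = 'HideAll' }
)

$available = Get-Date
$deadline  = $available.AddDays(7)   # one week until the required deadline

foreach ($lob in $lobs) {
    New-CMSoftwareUpdateDeployment -SoftwareUpdateGroupName $updateGroup `
        -CollectionName $lob.Collection `
        -DeploymentName "$updateGroup - $($lob.Collection)" `
        -DeploymentType Required `
        -AvailableDateTime $available -DeadlineDateTime $deadline `
        -TimeBasedOn LocalTime `
        -UserNotification $lob.Notify `
        -RestartServer $lob.SuppressRestart -RestartWorkstation $lob.SuppressRestart
}
```

One deployment per LOB collection from the same update group is what makes point 3 above work: the source files are downloaded once, and only the schedule, notification and restart behaviour differ per collection.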
Disadvantages or Challenges of Using SCCM Patch Management
1. Managing patches on a hybrid network that includes non-Windows operating systems is a challenge.
2. Every month you need to spend a lot of time deploying patches. The activities include selecting the updates and creating the update list, the patch package(s) and the deployments. However, this has improved in CM 2012 with the introduction of Automatic Deployment Rules (ADRs).
3. Cleaning up expired patches is a big challenge. We need to find and edit patch packages to remove an expired update and then re-replicate the package to all DPs. We also need to remove the updates from deployment management.
4. Conflicts between WSUS and SCCM group policy settings. Scan errors are a common problem in SCCM patching because of group policy conflicts. Troubleshooting client-side patch issues is not easy; it requires skilled people to troubleshoot scan errors and resolve them. More details on scan error related troubleshooting here.
5. “Real time” patch failure reports are not available. Compliance scanning is not available ready to use; we need to use DCM or explicitly create collections and advertisements.
6. Not very good at third-party application patching. You can integrate the System Center Updates Publisher (SCUP) tool, which is free for Configuration Manager customers, with SCCM. However, you need to do a lot of manual work and put in more packaging effort to deploy third-party application updates through SCUP and SCCM.
7. Some third-party application vendors don’t provide SCUP-compatible CAB files for their updates, so you need to build your own CAB files, which is not possible without expertise in packaging and other programming technologies.
8. Extra configuration, such as group policy settings and a publishing certificate, is required to support third-party application patching.
9. Uninstallation of patches is not supported. You need to use manual methods or DISM to uninstall patches; there is no native method in SCCM Patching or Software Updates to achieve this.
10. No native method to suppress restart notifications in the latest version of SCCM 2012. The workaround is to use a combination of domain GPO ADM template settings and local policy ADM template settings. More details here.
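For challenge 4 (WSUS versus SCCM group policy conflicts producing scan errors), the first thing to establish on a client is whether the Windows Update Agent is pointed at the software update point the ConfigMgr client asked for, or at something a domain GPO wrote over it. The following read-only check is an added example written for this post, not a tool from the original article. The WUAHandler.log path and the two message patterns it looks for ("server: <url>" and "higher authority") are assumptions based on typical ConfigMgr 2012 client logs; adjust them if your client version logs differently.

```powershell
# Added example: read-only client-side check for the WSUS/ConfigMgr group policy conflict
# behind software update scan errors. Run on a managed client with local admin rights.
# Log path and log message wording are assumptions (typical ConfigMgr 2012 client).

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$logPath  = Join-Path $env:windir 'CCM\Logs\WUAHandler.log'

# Effective Windows Update Agent policy, whether written by the ConfigMgr client (local policy)
# or by a domain GPO (which wins over local policy).
$policy = Get-ItemProperty -Path $wuPolicy        -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$wuPolicy\AU"   -ErrorAction SilentlyContinue

$result = [ordered]@{
    WUServer         = $policy.WUServer
    WUStatusServer   = $policy.WUStatusServer
    UseWUServer      = $au.UseWUServer
    SupFromClient    = $null      # SUP the ConfigMgr client tried to configure
    OverriddenByGpo  = $false     # client reported domain policy overwrote its setting
    RecentScanErrors = @()        # last few WUA error codes seen in the log
}

if (Test-Path $logPath) {
    $log = Get-Content -Path $logPath

    # Assumed wording: "Enabling WUA Managed server policy to use server: http://sup:8530".
    # Stop at whitespace or ']' so the CMTrace log framing is not captured.
    $sup = $log | Select-String -Pattern 'server: ([^\s\]]+)' | Select-Object -Last 1
    if ($sup) { $result.SupFromClient = $sup.Matches[0].Groups[1].Value }

    # Assumed wording: "Group policy settings were overwritten by a higher authority ...".
    $result.OverriddenByGpo = [bool]($log | Select-String -Pattern 'higher authority' -Quiet)

    # Any WUA error codes logged by the handler, e.g. "Error = 0x80244010"; keep the last five.
    $result.RecentScanErrors = @($log | Select-String -Pattern 'Error = 0x[0-9A-Fa-f]+' |
        ForEach-Object { $_.Matches[0].Value } | Select-Object -Last 5)
}

[PSCustomObject]$result | Format-List

# A WUServer value that differs from the SUP the client configured, or an explicit GPO
# override, is the conflict described above. The fix belongs in the domain GPO (remove or
# align the WSUS server setting), not in the client registry, or it will reappear at refresh.
if ($result.SupFromClient -and $result.WUServer -and
    $result.WUServer.TrimEnd('/') -ne $result.SupFromClient.TrimEnd('/')) {
    Write-Warning "WUServer policy ($($result.WUServer)) does not match the SUP the client configured ($($result.SupFromClient))."
}
if ($result.OverriddenByGpo) {
    Write-Warning 'WUAHandler.log reports the local WUA policy was overwritten by domain group policy.'
}
if ($result.RecentScanErrors.Count -gt 0) {
    Write-Warning ("Recent scan error codes: " + ($result.RecentScanErrors -join ', '))
}
```

The script changes nothing on the client; it only surfaces the three facts (policy value, client-intended SUP, override message) that a scan error investigation usually starts from.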
Who can fill the Gaps in SCCM Patch Management?
Real-time failure notification, compliance scanning and third-party application updates are the three main gaps in SCCM patching. These gaps can be filled by using third-party SCCM patch management tools.
There are a number of different vendors in the market, each with a slightly different approach, that provide commercial catalogs for other third-party applications. Some of the third-party products are SolarWinds Patch Manager, VMware vCenter Protect Catalog, and Secunia CSI.
Most of the third-party patch management software integrates seamlessly with SCCM and adds more control and scalability in deploying patches. The third-party tools also provide pre-built and tested updates for common third-party applications, so patch admins don’t have to spend their time building and testing the catalogs. The third-party vendors have dedicated teams to test, build and deploy these updates, along with some methods to roll back. All these tasks are automated for the organization, which then doesn’t have to invest its own money and time in this automation.
Real-time patch monitoring solutions are readily available from third-party patching tool vendors like SolarWinds. These tools will help increase overall patching compliance.

Regarding “Disadvantage No. 2”. Just use my script to get this done: http://www.david-obrien.net/2012/12/02/create-a-new-software-update-group-in-configmgr/
Why not ADR as I mentioned in the post?
Maybe you still want to have the power of selecting the updates that get deployed?! Don’t have that with ADR. Or am I missing a configuration?
Yes, it’s possible. There is an option to select the property filters and search criteria. The software updates that meet the specified criteria are added to the associated software update group.
Still, it’s every month the same with ADR. Guess it’s more flexible with my way
ADR is more useful as per my understanding. It will create the Software Update Group, download the patch package, deploy, etc. … everything automatically.
My script also creates the Software Update Group. It won’t download and won’t deploy, that’s correct.
The big disadvantage with ADR is, as I see it, that it’s the same every month. That can be an advantage, but if there’s only one Patch you don’t want to install, you will have to disable it manually.
I only create a Software Update Group out of those Patches I want it to have.
Both have advantages and disadvantages. People have to decide what’s best for them!
In my organization I wrote a few PowerShell scripts that reduce this monthly job to: run the script [while it is running I can watch the progress bar and drink coffee], then after a few hours check that all content on the DPs is in place, so basically I save a few hours every month. I’m using those scripts in SCCM 2007, but I have also tested and customized them for 2012.
Hi ! – Why not ADR (CM12)? It will select the patches for you, create update list, create package, deploy package and schedule deployments.
Hi Adam,
Could you please share the PowerShell script? I think it is very useful in terms of time saving.
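The thread above comes down to one trade-off: an ADR rebuilds the same group every month, while a script lets you pick exactly which updates go in (and hold one back). Challenges 2 and 3 in the post (the monthly update group build, and cleaning expired updates out of existing groups) are the two halves of that same job. The following is an added example written for this post that does both; it is not the commenter's script and not code from the original article. It uses the ConfigMgr 2012 R2 PowerShell module and assumes a site code, group naming convention, product names in update titles and a held-back KB list, all of which are constructed placeholders.

```powershell
# Added example: build this month's software update group with an explicit hold-back list,
# then strip expired and superseded updates out of all monthly groups.
# Site code, group names, product names and the KB list are constructed placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'   # assumed site code

$month     = Get-Date -Day 1 -Hour 0 -Minute 0 -Second 0      # first day of the current month
$groupName = 'Monthly Updates - ' + $month.ToString('yyyy-MM')
$products  = @('Windows 7', 'Windows Server 2008 R2')         # assumed product names in titles
$excludeKb = @('2823324')                                     # constructed: KBs held back this month

# Step 1: candidate updates posted this month that are neither expired nor superseded,
#         limited to the products we patch, minus the hold-back list (the flexibility
#         the thread says an ADR does not give you).
$candidates = Get-CMSoftwareUpdate -DatePostedMin $month -DatePostedMax (Get-Date) `
                                   -IsExpired $false -IsSuperseded $false |
    Where-Object {
        $u = $_
        ($products | Where-Object { $u.LocalizedDisplayName -like "*$_*" }) -and
        ($excludeKb -notcontains $u.ArticleID)
    }

# Step 2: create the group once, then add each selected update by its CI_ID.
if (-not (Get-CMSoftwareUpdateGroup -Name $groupName)) {
    New-CMSoftwareUpdateGroup -Name $groupName -Description "Built $(Get-Date -Format u)" | Out-Null
}
foreach ($u in $candidates) {
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $groupName -SoftwareUpdateId ([string]$u.CI_ID)
}
Write-Host ("{0}: {1} updates added, {2} KB(s) on the hold-back list" -f `
            $groupName, @($candidates).Count, $excludeKb.Count)

# Step 3: cleanup. Remove expired and superseded updates from every monthly group so the
#         groups only reference current content. Returns a record of what was removed.
$monthlyGroups = Get-CMSoftwareUpdateGroup |
    Where-Object { $_.LocalizedDisplayName -like 'Monthly Updates - *' }

$removed = foreach ($g in $monthlyGroups) {
    Get-CMSoftwareUpdate -UpdateGroupName $g.LocalizedDisplayName |
        Where-Object { $_.IsExpired -or $_.IsSuperseded } |
        ForEach-Object {
            Remove-CMSoftwareUpdateFromGroup -SoftwareUpdateGroupName $g.LocalizedDisplayName `
                                              -SoftwareUpdateId ([string]$_.CI_ID) -Force
            [PSCustomObject]@{
                Group  = $g.LocalizedDisplayName
                KB     = $_.ArticleID
                Reason = if ($_.IsExpired) { 'Expired' } else { 'Superseded' }
                Title  = $_.LocalizedDisplayName
            }
        }
}
$removed | Format-Table -AutoSize
```

Step 3 only edits the update groups. As challenge 3 in the post notes, the deployment package still holds the old content until the package is edited and re-replicated to the distribution points, so keep the `$removed` list as the worklist for that second step.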