Self-initiating security patch scanning method

  • Question

  • I am in a very large company running SCCM to deploy security patches and application packages.  Given that Windows Update is blocked by Group Policy and that most users do not have Local Admin permissions, I need to find a way to provide users with a self-initiating security patch scanning method which scans the local PC for security patch compliance against the SCCM patch set and also uses SCCM to install needed patches without requiring Local Admin permissions, has limited (no user interaction would be better) user interaction and limited work day interference.  In other words, once initiated it would use SCCM to security patch scan and install all needed patches and then report results in one execution.

    Right now we are using mbsacli (packaged as an executable) to point the desktop to a WSUS 3.0 Server.  This scans the local PC but does not automatically install the patches.  SCCM is our standard patching vehicle so we don't want to use WSUS, instead we want to point users to SCCM and we need patches to install regardless of the user's Local Admin permissions.
    Tuesday, March 9, 2010 2:50 PM

Answers

  • What you are asking makes sense in the form you asked it however it is taking an automated process that's native in SCCM and turning it into a manual process. In other words it's a step backwards and not built into SCCM. There's no reason to have users or technicians run this scan and manually install patches. If you have deployed the patches the computer has them as long as the sccm client is working. The closest you will get to what you are asking is a report on what patches are missing from a particular computer. This may require a custom report but that can be done. Basically once you and your users learn to trust SCCM and those managing it they will never care about patches again.
    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Thursday, March 11, 2010 11:45 PM

All replies

  • ConfigMgr can make use of WSUS (turning it into a SUP/software update point). Scanning clients can happen on a scheduled basis (according to the software updates client agent) and happens automatically without user intervention.
    See http://technet.microsoft.com/en-us/library/bb680701.aspx for an overview.

    "is our standard patching vehicle so we don't want to use WSUS" So how are you patching right now? The best way is to integrate WSUS (see above)
    • Proposed as answer by John Marcum Wednesday, March 10, 2010 1:53 PM
    Tuesday, March 9, 2010 10:42 PM
  •  Given that Windows Update is blocked by Group Policy and that most users do not have Local Admin permissions,
    Neither of those affect SCCM's ability to deploy software updates.
    John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
    Wednesday, March 10, 2010 1:54 PM
  • Thank you for replying.  We use SCCM to deploy patches.  We also desire to give technicians, and more *importantly* users, the ability to initiate an on-demand scan and patch process.  Said differently, here I am at a desktop.  I want to double check to ensure I have all the latest security patches.  Let's call it a sanity check.  I need a way to tell SCCM to scan my desktop here and now and deploy/install any security patches I might need.  The process needs to work for those individuals who are not Local Admins and it needs to be as unobtrusive as possible.  Did I say this okay? 

    Wednesday, March 10, 2010 9:18 PM
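The "sanity check" the original poster describes (scan now, show what is missing, install it through SCCM) can be driven from the ConfigMgr client's own WMI interfaces, which is also how the "what is missing from this computer" report John mentions can be produced locally. The script below is an added example and is not part of this thread or a Microsoft-supplied tool; it assumes a healthy ConfigMgr client talking to a software update point, and it assumes it is run in an administrative context (for instance deployed by SCCM as a package running with administrative rights), because the `root\ccm` namespace is not open to standard users. The two-minute wait is an assumption about how long a scan takes on a typical client, not a documented value.

```powershell
# Added example, not from the thread: on-demand ConfigMgr software-update scan,
# missing-update report and install via the client's WMI interfaces.
# Assumptions: working ConfigMgr client + SUP; script runs with admin rights
# (e.g. deployed as an SCCM package) since root\ccm is not open to standard users.

# Well-known ConfigMgr client schedule IDs (unchanged since ConfigMgr 2007).
$ScanCycle      = '{00000000-0000-0000-0000-000000000113}'  # Software Updates Scan Cycle
$DeploymentEval = '{00000000-0000-0000-0000-000000000108}'  # Software Updates Deployment Evaluation Cycle

function Invoke-CcmSchedule {
    param([Parameter(Mandatory = $true)][string]$ScheduleId)
    # SMS_Client.TriggerSchedule runs the same action the client runs on its own schedule.
    $client = [wmiclass]'root\ccm:SMS_Client'
    [void]$client.TriggerSchedule($ScheduleId)
}

function Get-CcmMissingUpdates {
    # CCM_SoftwareUpdate lists updates deployed to this machine;
    # ComplianceState 0 means applicable and not yet installed.
    Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class CCM_SoftwareUpdate |
        Where-Object { $_.ComplianceState -eq 0 }
}

function Install-CcmMissingUpdates {
    param([Parameter(Mandatory = $true)][object[]]$Updates)
    # InstallUpdates hands the list to the client service, which installs as
    # LocalSystem; the logged-on user's rights play no part in the install.
    $mgr = [wmiclass]'root\ccm\ClientSDK:CCM_SoftwareUpdatesManager'
    $mgr.InstallUpdates([System.Management.ManagementObject[]]$Updates)
}

# 1. Scan against the SUP catalogue, then re-evaluate the update deployments.
Invoke-CcmSchedule -ScheduleId $ScanCycle
Start-Sleep -Seconds 120   # assumed scan duration; adjust for your environment
Invoke-CcmSchedule -ScheduleId $DeploymentEval
Start-Sleep -Seconds 30

# 2. Report what is still missing on this machine.
$missing = @(Get-CcmMissingUpdates)
if ($missing.Count -eq 0) {
    Write-Output 'No deployed updates are missing; this client is compliant.'
    return
}
$missing | Select-Object ArticleID, Name, Deadline | Format-Table -AutoSize

# 3. Install everything SCCM has already deployed to this machine.
$result = Install-CcmMissingUpdates -Updates $missing
Write-Output ("InstallUpdates ReturnValue = {0} (0 means the request was accepted)." -f $result.ReturnValue)
```

Two caveats worth keeping in mind: the script can only install updates that an SCCM deployment already targets at the machine (it does not bypass the deployment model, which is the point John makes), and the deployment's own maintenance-window and restart settings still govern what the client does after `InstallUpdates` is accepted, so a mid-day run can still end in a restart prompt if the deployment allows one.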