In a recent alert, the U.S. Computer Emergency Readiness Team (US-CERT) said that about 85 percent of successful security breaches involve systems that have not been patched. A recent study by research firm Voke Media found that 82 percent of security breaches since 2015 occurred due to unapplied patches that had been available for up to a year.
IT teams recognize the importance of timely patching but can become overwhelmed by the frequency of software updates across large numbers of devices. Microsoft System Center Configuration Manager (SCCM) provides tools for streamlining the deployment of software updates to Windows clients across the enterprise.
There are three primary considerations when managing the update process: the clients to be updated, the patches to be deployed, and the time period in which they may be installed. A Software Update Point (SUP) is a site system role installed on a server running Windows Server Update Services (WSUS). The SUP synchronizes the update catalog, and from that catalog you group updates into software update groups and deployment packages according to criteria such as product, classification and release date. SCCM also allows you to create collections of devices to be updated and to assign them maintenance windows, each with a start date, a start and finish time, and a recurrence pattern.
Once a deployment package is created, its content is distributed to one or more distribution points. Automatic Deployment Rules (ADRs) can then be used to find new updates on a schedule, add them to a software update group, and deploy them to the target collection with an available time and an installation deadline. If no maintenance window has been defined for a client's collection, updates install at the deadline set in the ADR. If a maintenance window has been defined, updates install only inside that window, unless the deployment is configured to allow installation outside the maintenance window, or the window is shorter than the updates' maximum run time (60 minutes by default), in which case the client skips that window and waits for one that is long enough.
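As an added example (not code from the original post), the following PowerShell uses the ConfigurationManager module that ships with the SCCM console to create a recurring software-update maintenance window on a device collection and then checks that the window is long enough for the default 60-minute maximum run time of a software update. The site code, site server name and collection ID are placeholders.

```powershell
# Added example (not from the original post): create a recurring software-update
# maintenance window on a device collection and confirm it is long enough for the
# default maximum run time of a software update (60 minutes).
# Hypothetical values: site code "P01", site server "cm01.corp.example",
# target collection ID "P0100042". Run on a machine with the SCCM console installed.

# The ConfigurationManager module ships with the console; SMS_ADMIN_UI_PATH points at
# ...\AdminConsole\bin\i386, and the module manifest sits one level up in ...\bin.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')

$SiteCode     = 'P01'
$SiteServer   = 'cm01.corp.example'
$CollectionId = 'P0100042'

# The cmdlets operate from the site drive (e.g. P01:\); create it if the console has not.
if (-not (Get-PSDrive -Name $SiteCode -PSProvider CMSite -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name $SiteCode -PSProvider CMSite -Root $SiteServer | Out-Null
}
Set-Location "$($SiteCode):"

# Nightly window from 02:00 for 4 hours, recurring every day.
$Start    = (Get-Date).Date.AddHours(2)
$Schedule = New-CMSchedule -Start $Start -DurationInterval Hours -DurationCount 4 `
                           -RecurInterval Days -RecurCount 1

# ApplyTo SoftwareUpdatesOnly keeps programs and task sequences out of this window.
New-CMMaintenanceWindow -CollectionId $CollectionId `
                        -Name 'Nightly Software Updates 02:00-06:00' `
                        -Schedule $Schedule -ApplyTo SoftwareUpdatesOnly | Out-Null

# Sanity check: a window shorter than the updates' maximum run time (60 minutes by
# default, 120 for Windows feature updates) is skipped by the client and logged in
# UpdatesDeployment.log as "No current service window available ... with time required".
$DefaultMaxRunTimeMinutes = 60
Get-CMMaintenanceWindow -CollectionId $CollectionId | ForEach-Object {
    # SMS_ServiceWindow.Duration is expressed in minutes.
    $ok = $_.Duration -ge $DefaultMaxRunTimeMinutes
    [pscustomobject]@{
        Window          = $_.Name
        DurationMinutes = $_.Duration
        Schedule        = $_.Description
        FitsDefaultRun  = $ok
    }
} | Format-Table -AutoSize
```

Run this from a console account with rights to modify the collection; the final table flags any window that the client would skip for a default-sized update so it can be widened before the ADR deadline passes.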
The following flow chart illustrates this general process:
This is an overview of the Windows Update process from an SCCM client's perspective through the Software Update Point (SUP).
*This is the general flow of updates and the decisions surrounding maintenance windows for client collections. It is an overall best-practice method and does NOT take large deployments into account. Adjust the maintenance window as needed.
SCCM also provides manual deployment tools, which are typically used to bring clients up to date before ADRs are created or to deploy out-of-band software updates. A key step in this process is the Software Updates Deployment Evaluation Cycle, a client action that evaluates the deployments targeted at new and existing clients and, together with the Software Updates Scan Cycle, determines which updates are required but not yet installed.
Once the scan is complete, the Windows Update Agent handler (WUAHandler) has the Windows Update service on each client scan against the SUP's WSUS catalog. Required updates are then downloaded from a distribution point by the client's Content Transfer Manager, which records its activity in ContentTransferManager.log, and installed during the maintenance window.
If a maintenance window is too short for the installation to fit, the UpdatesDeployment.log will include the message "No current service window available to run updates assignment with time required." This does not stop content download: the Content Transfer Manager still fetches the update content from a distribution point, and installation is deferred until the next window long enough for the required time. Once the installation completes, the SCCM server's Deployment Status shows the updates as successful for that client.
The following screen shots illustrate this process:
1. Start the Software Updates Deployment Evaluation Cycle manually for testing, from the console (client notification) or from the client's Configuration Manager control panel applet (shown below), to trigger the update process.
2. View the Software Updates Scan Cycle in WUAHandler.log and ScanAgent.log (C:\Windows\CCM\Logs) for "Scan completed successfully" and "Successfully completed scan" messages.
3. The Windows Update Agent handler initiates the Windows Update service against the SCCM SUP. On Windows 7 and 8.1 this is recorded in C:\Windows\WindowsUpdate.log; on Windows 10 and later the file must first be generated from the ETW traces with the Get-WindowsUpdateLog cmdlet.
4. After the scan is completed, the updates begin to install during the maintenance window. Use UpdatesDeployment.log to follow this process (C:\Windows\CCM\Logs\UpdatesDeployment.log).
5. If the updates did not run due to a maintenance window conflict, you will see the message below in UpdatesDeployment.log: "No current service window available to run updates assignment with time required".
6. Content Transfer Manager (ContentTransferManager.log) locates a distribution point (or Microsoft Update, if the deployment allows it) and downloads the updates.
7. The updates then install and complete. The status will then show a successful deployment on the SCCM server’s Deployment Status.
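The seven steps above can be driven and verified from the client itself. As an added example (not code from the original post), the following PowerShell triggers the two client cycles through the SMS_Client WMI class, pulls the relevant messages out of the CCM logs, and reads the client's own view of its maintenance windows and of updates that are waiting for one. The schedule GUIDs are Microsoft's documented TriggerSchedule constants; the log patterns are the messages quoted in the steps above plus the Content Transfer Manager's download-completion text; the 120-second wait is an assumption to tune per environment. Run it in an elevated session on the client.

```powershell
# Added example (not from the original post): trigger the scan and deployment evaluation
# cycles on an SCCM client, then collect the evidence described in steps 2 to 7.
# Run in an elevated PowerShell session on the target client.

$LogDir = 'C:\Windows\CCM\Logs'

# Documented SMS_Client TriggerSchedule IDs for the two client actions.
$Triggers = [ordered]@{
    'Software Updates Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
    'Software Updates Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
}
foreach ($t in $Triggers.GetEnumerator()) {
    Write-Host "Triggering $($t.Key)"
    Invoke-WmiMethod -Namespace root\ccm -Class SMS_Client -Name TriggerSchedule `
                     -ArgumentList $t.Value | Out-Null
}
Start-Sleep -Seconds 120   # assumed wait for the scan to finish; lengthen on slow clients

# CCM log lines look like:
#   <![LOG[message]LOG]!><time="hh:mm:ss.fff+zzz" date="mm-dd-yyyy" component="..." ...>
# This pulls the message, date and time out of every line matching a pattern.
function Get-CcmLogEntries {
    param([string]$Path, [string]$Pattern)
    if (-not (Test-Path $Path)) { return }
    Select-String -Path $Path -Pattern $Pattern | ForEach-Object {
        if ($_.Line -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"') {
            [pscustomobject]@{ Date = $Matches.date; Time = $Matches.time; Message = $Matches.msg }
        }
    }
}

# Step 2: scan completion in the WUA handler and the scan agent.
Get-CcmLogEntries "$LogDir\WUAHandler.log" 'Successfully completed scan' | Select-Object -Last 1
Get-CcmLogEntries "$LogDir\ScanAgent.log"  'Scan completed successfully' | Select-Object -Last 1

# Steps 4 and 5: installation held because no window is long enough.
Get-CcmLogEntries "$LogDir\UpdatesDeployment.log" 'No current service window available' |
    Select-Object -Last 3

# Step 6: content download by the Content Transfer Manager.
Get-CcmLogEntries "$LogDir\ContentTransferManager.log" 'CTM job .* successfully processed download completion' |
    Select-Object -Last 3

# Maintenance windows as the client sees them. Type 1 = all deployments, Type 4 = software
# updates only; StartTime/EndTime are WMI datetime strings and must be converted.
Get-WmiObject -Namespace root\ccm\ClientSDK -Class CCM_ServiceWindow |
    Where-Object { $_.Type -in 1, 4 } |
    ForEach-Object {
        $start = [Management.ManagementDateTimeConverter]::ToDateTime($_.StartTime)
        $end   = [Management.ManagementDateTimeConverter]::ToDateTime($_.EndTime)
        [pscustomobject]@{ Type = $_.Type; Start = $start; End = $end
                           Minutes = [int]($end - $start).TotalMinutes }
    } | Format-Table -AutoSize

# Updates the client is holding for a window (EvaluationState 14 = waiting for service
# window) together with the run time each one requires. A window shorter than
# MaxExecutionTime is the cause of the "time required" message in step 5.
Get-WmiObject -Namespace root\ccm\ClientSDK -Class CCM_SoftwareUpdate |
    Where-Object { $_.EvaluationState -eq 14 } |
    Select-Object ArticleID, Name, @{ n = 'RequiredMinutes'; e = { $_.MaxExecutionTime / 60 } } |
    Format-Table -AutoSize
```

Comparing the Minutes column of the window listing with RequiredMinutes for the held updates tells you immediately whether the fix belongs in the maintenance window (widen it), in the deployment (allow installation outside the window), or in the update's maximum run time setting.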
While this post provides a general overview of SCCM tools and best practices for deploying updates, it should be noted that adjustments would be needed to accommodate large deployments.
Contact the AdaptivEdge team to discuss your patch management strategy and how you can better leverage SCCM to streamline the update process.
Written and composed by our Senior Microsoft System Center Architect, Jessica Ervin-Hang