Most organization must follow various compliance and governance frameworks either from industry or government regulations. Meeting these benchmarks can be difficult and time consuming but the potential damage that could be done in the form of industry sanctions or worse outcomes such as exploited vulnerabilities outweigh the effort required.
ADRs for Windows patches
Location: Software Updates>Automatic Deployment Rules
One of most important preventative actions and typically a compliance requirement is Windows server and workstation patching. The best way to manage Windows Software Updates in MECM is by using Automatic Deployment Rules (ADRs). ADRs can be scheduled to run on Microsoft Patch Tuesday or on any schedule you choose. Many organizations have workstation, development, and production servers that are patched on different cycles. Scheduling the ADRs to run automatically can take human error out of the patching process and ensure patches are deployed in a timely fashion. Applying monthly Microsoft Windows Updates to workstations and servers is a crucial step toward closing security vulnerabilities and it should be performed monthly without fail.
Configuration baselines
Location: Devices and Compliance>Compliance Baseline
MECM can also be used to remediate vulnerabilities that derive from Windows settings or registry entries. It can be thought of as a “mini-GPO” in that you can target devices with a specific vulnerability and apply the compliance setting to just those devices. MECM will also automatically add any new machines that have the identified baseline and apply the fix.
Configuration baselines can be in monitor or remediate modes. Monitor will simply track and report on device that have the identified configuration item. Remediate mode will apply the fix that has been outlined in the configuration item. It is a good idea to thoroughly test any configuration baseline changes on test devices before deploying to production systems. I have seen firsthand that a typo applied to the wrong registry key can completely cripple a machine and prevent it from booting. Take as much care using this feature as you would deploying GPOs.
Reporting
Location: Monitoring>Reporting
Any good compliance plan needs reporting and MECM has plenty of options. There are built in Software Update Compliance reports that should fit most needs but if you need to create custom reports you will need to install Microsoft Report Builder, connect to the database, and build the report manually.
One of the best reports for quickly finding patch compliance is the Monitoring>Reporting>Reports>Software Updates – A Compliance>Overall Compliance. This report can quickly tell you the compliance status of all devices in the Software Update Group used to deploy Windows Updates. This is a high-level report and can be used to show raw numbers for compliant/non-compliant devices.
When troubleshooting deployments of Windows Updates from MECM another useful report is Monitoring>Reporting>Reports>Software Updates – C Deployment State>States 1 – Enforcement States for a Deployment. This report will give details about update deployments and will list machines that failed to install the updates and the error codes.
With just these few feature MECM can provide near complete compliance for Windows Updates and more. Update compliance is a cornerstone of an organizations defensive posture and if your industry requires it, MECM can provide the utility to achieve total compliance.
Rhoddy McKown
Author
SCCM and Desktop Engineer since 2016.