by Mark | Jun 19, 2016 | How To, Patch Management, SCCM
Microsoft SCCM update deployment best practices
Microsoft SCCM (System Center Configuration Manager) is a powerful tool for deploying updates to Windows-based computers. However, deploying updates with SCCM can be tricky if you don’t follow best practices. In this article, we will discuss some of the best practices that Microsoft recommends for deploying Microsoft Updates from SCCM 2012.
Limit Software Updates to 1000 in a Single Deployment
One of the best practices recommended by Microsoft is to limit the number of software updates to 1000 for each software update deployment. When you create an automatic deployment rule or manually deploy software updates, do not select more than 1000 updates to deploy. This will prevent the deployment from becoming too large and overwhelming the systems that are receiving the updates.
Create a New Software Update Group for Every Deployment
Another best practice is to create a new software update group each time an automatic deployment rule runs for “Patch Tuesday” or for general deployment. There is a limit of 1000 software updates for a software update deployment. When you create an automatic deployment rule, you can specify whether to use an existing update group or create a new update group each time the rule runs. If you specify criteria in an automatic deployment rule that results in multiple software updates and the rule runs on a recurring schedule, specify to create a new software update group each time the rule runs. This will prevent the deployment from surpassing the limit of 1000 software updates per deployment.
Use an Existing Software Update Group for Endpoint Protection Definition Updates
When you use an automatic deployment rule to deploy Endpoint Protection definition updates on a frequent basis, it is recommended to always use an existing software update group. Otherwise, potentially hundreds of software update groups will be created over time. Typically, definition update publishers will set definition updates to expire when they are superseded by four newer updates. Therefore, the software update group that is created by the automatic deployment rule will never contain more than four definition updates for the publisher: one active and three superseded.
Test updates before deploying them
It’s always a good idea to test updates in a non-production environment before deploying them in a production environment. This can help identify any issues or conflicts that may arise during the deployment process.
Use maintenance windows
Maintenance windows can be used to specify a period of time during which updates can be installed on client machines. This can help prevent updates from being installed during critical business hours or when users are actively working on their computers.
Monitor deployment status
It’s important to monitor the deployment status of updates to ensure that they are being installed successfully. SCCM provides various reports that can be used to monitor deployment status.
Keep SCCM up-to-date
It’s important to keep SCCM up-to-date with the latest updates and hotfixes. This can help ensure that SCCM is functioning properly and can help prevent any issues or bugs from affecting the update deployment process.
SCCM Update Deployment FAQs
| Question |
Answer |
What is SCCM?
|
SCCM stands for System Center Configuration Manager. It is a software management tool that allows organizations to manage and deploy software, updates, and patches across multiple devices and systems. |
What are some best practices for deploying updates with SCCM?
|
Some best practices for deploying updates with SCCM include scheduling updates during non-business hours, testing updates on a small group of devices before deploying to the entire organization, and creating a rollback plan in case of issues. It’s also important to regularly monitor the deployment process and report any issues or errors. |
How should updates be prioritized for deployment?
|
Updates should be prioritized based on their criticality and potential impact on the organization. Security updates should always be prioritized, followed by critical updates and then important updates. Updates that are not critical or important can be deferred or postponed. |
How often should updates be deployed?
|
The frequency of updates deployment can vary depending on the organization’s needs and policies. However, it’s generally recommended to deploy updates at least once a month to ensure that systems are protected against known vulnerabilities and threats. |
How can SCCM help with update deployment?
|
SCCM provides a centralized platform for managing and deploying updates across multiple devices and systems. It allows administrators to automate the update deployment process, monitor the deployment status, and report any issues or errors. SCCM can also help ensure that updates are deployed in a consistent and standardized manner, reducing the risk of errors and inconsistencies. |
Should you have a Patching Process / Schedule?
|
Yes, a patching process will schedule when you regularly deploy your updates. It helps monitor and track when patches should be deployed to which environment. |
What should be included in a rollback plan?
|
A rollback plan should include steps for undoing the update deployment, as well as a plan for communicating with end-users and stakeholders. It should also identify any potential risks or challenges associated with rolling back updates, and outline strategies for mitigating those risks.
You can also use SnaPatch, which automates a snapshot of your servers prior to patch deployment. This will allow you to easily roll back should a patch cause an issue to your sever fleet. |
How can SCCM help with update reporting?
|
SCCM provides a variety of reporting tools that allow administrators to monitor the status of update deployments, identify any issues or errors, and report on compliance with organizational policies and regulatory requirements. These reports can help ensure that systems are up-to-date and secure, and can also provide valuable insights into the overall health and performance of the IT environment. |
SCCM Update Deployment Final Thoughts
What is SCCM update deployment?
SCCM (System Center Configuration Manager) is a software management tool used by IT administrators to deploy updates to client machines. SCCM update deployment involves deploying software updates to client machines in a controlled and efficient manner.
Why is SCCM update deployment important?
SCCM update deployment is important because it helps ensure that client machines are up-to-date with the latest security patches and software updates. This can help prevent security vulnerabilities and improve the overall performance and stability of client machines.
What are some best practices for SCCM update deployment?
Some best practices for SCCM update deployment include limiting the number of software updates to 1000 per deployment, creating a new software update group for each automatic deployment rule, using an existing software update group for Endpoint Protection definition updates, testing updates before deployment, using maintenance windows, monitoring deployment status, and keeping SCCM up-to-date with the latest updates and hotfixes.
How do I monitor the deployment status of updates in SCCM?
SCCM provides various reports that can be used to monitor the deployment status of updates. These reports can be accessed from the SCCM console and can provide information on the success or failure of update deployments.
How often should I deploy updates in SCCM?
The frequency of update deployments in SCCM can vary depending on the organization’s needs and policies. However, it is generally recommended to deploy updates on a regular basis, such as monthly or quarterly, to ensure that client machines are up-to-date with the latest security patches and software updates.
by Mark | Jun 19, 2016 | How To, SCCM
Streamlining SCCM Installation with Microsoft’s Prerequisite Tool
Microsoft has recently launched a valuable tool that simplifies the installation process of System Center Configuration Manager (SCCM). The SCCM Installation Prerequisites tool helps administrators ensure that the necessary prerequisites are in place before the installation process begins. This tool also automatically installs the required prerequisites, saving you time and effort.
Checking and Installing Prerequisites Made Easy
With the SCCM Installation Prerequisites tool, you can easily verify that all the required prerequisites are already in place. It checks for prerequisites for a Central Primary site, Primary or Secondary Sites, and other site system roles, such as Management Point, Application Catalog, Distribution Point, Enrollment Point, among others.
Additionally, the tool installs any missing prerequisites automatically. This reduces the risk of errors and makes the installation process smoother and quicker.
Installing SCCM Made More Efficient
Installing SCCM can be a challenging task, particularly when it comes to the setup process. However, the SCCM Installation Prerequisites tool streamlines the installation process and makes it more efficient. The tool is designed to run before the SCCM installation process begins, which ensures that all prerequisites are in place and ready to go.
To use the SCCM Installation Prerequisites tool, simply download it from the Microsoft website and run it before you begin the SCCM installation. It’s that simple!
Overall, Microsoft’s SCCM Installation Prerequisites tool is a valuable tool that simplifies the SCCM installation process. It ensures that all prerequisites are in place and automatically installs any missing ones, making the installation process more efficient and streamlined. So, if you’re an administrator who regularly installs SCCM, this tool is a must-have in your toolkit.
by Mark | Jun 19, 2016 | SCCM
A Comprehensive Guide to SCCM Build Numbers
As an IT professional, it’s essential to be aware of the various build numbers of Microsoft’s System Center Configuration Manager (SCCM). This guide will provide an overview of SCCM build numbers, including their release dates and descriptions. By the end of this guide, you’ll have a better understanding of SCCM build numbers and be able to choose the right version for your organization.
SCCM Build Numbers Overview
SCCM is an enterprise management solution from Microsoft that allows IT teams to manage both traditional and modern devices. It provides a comprehensive set of tools to manage Windows, macOS, Linux, Unix, and mobile devices running iOS, Android, and Windows Phone. SCCM helps manage and deploy software, as well as security updates and patches.
SCCM comes in different versions, and each version has its build numbers, release dates, and descriptions. The following is an overview of SCCM build numbers:
System Centre Configuration Manager (SCCM) by Microsoft versions
System Center Configuration Manager 2016
| Build Number |
Release Date |
Description |
| 5.0.8299.1000 |
2015, September 22 |
SCCM 2016 Technical Preview 3 (Update 1509) |
| 5.0.8315.1000 |
2015, October 14 |
SCCM 2016 Technical Preview 3 (Update 1510) |
| 5.0.8325.1000 |
2015, November 12 |
SCCM 2016 Technical Preview 4 (Update 1511) |
| 5.0.8336.1000 |
2015, December 18 |
SCCM 2016 Technical Preview 4 (Update 1512) |
| 5.0.8347.1000 |
2016, January 27 |
SCCM 2016 Technical Preview 4 (Update 1601) |
System Center Configuration Manager 2012 R2
| Build Number |
Release Date |
Description |
| 5.00.7958.1000 |
2013, October 18 |
SCCM 2012 R2 RTM |
| 5.00.7958.1101 |
2013, November 02 |
SCCM 2012 Post R2 Hotfix |
| 5.00.7958.1203 |
2014, March 28 |
SCCM 2012 R2 CU1 |
| 5.00.7958.1303 |
2014, June 27 |
SCCM 2012 R2 CU2 |
| 5.00.7958.1401 |
2014, September 23 |
SCCM 2012 R2 CU3 |
| 5.00.7958.1501 |
2015, February 2 |
SCCM 2012 R2 CU4 |
| 5.00.7958.1604 |
2015, May 6 |
SCCM 2012 R2 CU5 |
| 5.00.8239.1000 |
2015, May 14 |
SCCM 2012 R2 SP1 |
| 5.00.8239.1203 |
2015, August 4 |
SCCM 2012 R2 SP1 CU1 |
| 5.00.8239.1301 |
2015, November 10 |
SCCM 2012 R2 SP1 CU2 |
System Center Configuration Manager 2012 SP1 & SP2
| Build Number |
Release Date |
Description |
| 5.00.7804.1000 |
– |
SCCM 2012 SP1 |
| 5.00.7804.1202 |
|
SCCM 2012 SP1 CU1 |
| 5.00.7804.1300 |
|
SCCM 2012 SP1 CU2 |
| 5.00.7804.1400 |
|
SCCM 2012 SP1 CU3 |
| 5.00.7804.1500 |
|
SCCM 2012 SP1 CU4 |
| 5.00.7804.1600 |
2014, July 23 |
SCCM 2012 SP1 CU5 |
| 5.00.8239.1000 |
2015, May 14 |
SCCM 2012 SP2 |
| 5.00.8239.1203 |
2015, August 4 |
SCCM 2012 SP2 CU1 |
| 5.00.8239.1301 |
2015, November 10 |
SCCM 2012 SP2 CU2 |
System Center Configuration Manager 2012
| Build Number |
Release Date |
Description |
| 5.00.7711.0000 |
2012, March 31 |
SCCM 2012 RTM |
| 5.00.7711.0200 |
2012, August 22 |
SCCM 2012 CU1 |
| 5.00.7711.0301 |
2012, November 27 |
SCCM 2012 CU2 |
System Center Configuration Manager 2007
| Build Number |
Release Date |
Description |
| 4.00.5135.0000 |
|
SCCM 2007 Beta 1 |
| 4.00.5125.0000 |
|
SCCM 2007 Beta 1 Escrow |
| 4.00.5221.0000 |
|
SCCM 2007 Beta 1 Refresh Escrow |
| 4.00.5224.0000 |
|
SCCM 2007 Beta 1 Refresh |
| 4.00.5224.0000 |
|
SCCM 2007 Beta 1 Refresh |
| 4.00.5571.0000 |
|
SCCM 2007 Beta 2 Escrow |
| 4.00.5574.0000 |
|
SCCM 2007 Beta 2 Escrow Update |
| 4.00.5578.0000 |
|
SCCM 2007 Beta 2 with a hotfix |
| 4.00.5578.0002 |
|
SCCM 2007 RC0 Preview |
| 4.00.5790.0000 |
|
SCCM 2007 RC0 Preview |
| 4.00.5815.0000 |
|
SCCM 2007 RC0 |
| 4.00.5924.0000 |
|
SCCM 2007 escrow |
| 4.00.5931.0001 |
|
SCCM 2007 RTM |
| 4.00.6086.1000 |
|
SCCM 2007 SP1 (prerelease) |
| 4.00.6221.1000 |
|
SCCM 2007 SP1 |
| 4.00.6221.1193 |
|
FIX for SCCM 2007 SP1 and SP2 |
| 4.00.6425.2000 |
|
SCCM 2007 SP2 beta |
| 4.00.6468.2001 |
|
SCCM 2007 SP2 RC |
| 4.00.6487.2000 |
|
SCCM 2007 SP2 |
| 4.00.6487.2111 |
|
FIX for SCCM 2007 SP1 and SP2 |
| 4.00.6487.2157 |
|
SCCM 2007 SP2 R3 |
| 4.00.6487.2207 |
2012, December 03 |
FIX for SCCM 2007 SP2 |
| 4.00.6487.2700 |
|
SCCM SP2 R2 with ICP2 |
| 4.00.6487.2857 |
|
SCCM SP2 R3 with ICP2 |
SMS 2003
| Build Number |
Release Date |
Description |
| 2.50.2726.0020 |
– |
SMS 2003 RTM |
| 2.50.3174.1018 |
2004, September 10 |
SMS 2003 SP1 |
| 2.50.4160.2000 |
2006, February 13 |
SMS 2003 SP2 |
| 2.50.4253.3000 |
2007, May 2 |
SMS 2003 SP3 |
SMS 2.0
| Build Number |
Release Date |
Description |
| 2.00.1239.0000 |
– |
SMS 2.0 RTM |
| 2.00.1380.1000 |
– |
SMS 2.0 SP1 |
| 2.00.1493.2000 |
– |
SMS 2.0 SP2 |
| 2.00.1493.3000 |
– |
SMS 2.0 SP3 |
| 2.00.1493.4000 |
– |
SMS 2.0 SP4 |
| 2.00.1493.5000 |
– |
SMS 2.0 SP5 |
See how SnaPatch can help with Windows update deployment, further extending your SCCM infrastructure and giving you back more time with your family.
How to check what version of SCCM you are using?
To check the build number of SCCM, you can go to the SCCM Console and click on the “Administration” tab. Then, right-click on “Site Configuration” and select “Sites.” Next, select the site you want to check and click on “Properties.”
In the “Site Properties” window, you can see the build number under the “General” tab in the “Site version” section. The build number is listed as “Version X.0.YYYY.ZZZZ.”
It’s important to keep track of the build numbers for SCCM because Microsoft releases regular updates and hotfixes for SCCM that fix bugs and improve performance. By staying up-to-date with the latest build number, you can ensure that you have the latest features and fixes for SCCM.
In addition, Microsoft also releases new versions of SCCM every few years. The latest version as of the knowledge cutoff date of this response is SCCM 2110. Each new version typically includes significant updates and improvements to the product.
Understanding the build numbers of SCCM is crucial for maintaining a secure, stable, and up-to-date environment. By regularly checking for updates and staying up-to-date with the latest build numbers, you can ensure that your SCCM environment is functioning optimally.
by Mark | Jun 19, 2016 | Patch Management, Patch Releases
The following seventeen Patch Tuesday updates / patches have been released by Microsoft for the June 2016 Update deployment.
Are you ready to start deploying and remove the patching risk using SnaPatch Patch Management Software?
MS16-063 – Critical
Cumulative Security Update for Internet Explorer (3163649)
This security update resolves vulnerabilities in Internet Explorer. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS16-068 – Critical
Cumulative Security Update for Microsoft Edge (3163656)
This security update resolves vulnerabilities in Microsoft Edge. The most severe of the vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Microsoft Edge. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than users with administrative user rights.
MS16-069 – Critical
Cumulative Security Update for JScript and VBScript (3163640)
This security update resolves vulnerabilities in the JScript and VBScript scripting engines in Microsoft Windows. The vulnerabilities could allow remote code execution if a user visits a specially crafted website. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited these vulnerabilities could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
MS16-070 – Critical
Security Update for Microsoft Office (3163610)
This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
MS16-071 – Critical
Security Update for Microsoft Windows DNS Server (3164065)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted requests to a DNS server.
MS16-072– Important
Security Update for Group Policy (3163622)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker launches a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine..
MS16-073 – Important
Security Update for Windows Kernel-Mode Drivers (3164028)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
MS16-074 – Important
Security Update for Microsoft Graphics Component (3164036)
This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if a user opens a specially crafted application.
MS16-075 – Important
Security Update for Windows SMB Server (3164038)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application.
MS16-076 – Important
Security Update for Netlogon (3167691)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker with access to a domain controller (DC) on a target network runs a specially crafted application to establish a secure channel to the DC as a replica domain controller.
MS16-077– Important
Security Update for WPAD (3165191)
This security update resolves vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.
MS16-078 – Important
Security Update for Windows Diagnostic Hub (3165479)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application.
MS16-079 – Important
Security Update for Microsoft Exchange Server (3160339)
This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.
MS16-080 – Important
Security Update for Microsoft Windows PDF (3164302)
This security update resolves vulnerabilities in Microsoft Windows. The more severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted .pdf file. An attacker who successfully exploited the vulnerabilities could cause arbitrary code to execute in the context of the current user. However, an attacker would have no way to force a user to open a specially crafted .pdf file.
MS16-081 – Important
Security Update for Active Directory (3160352)
This security update resolves a vulnerability in Active Directory. The vulnerability could allow denial of service if an authenticated attacker creates multiple machine accounts. To exploit the vulnerability an attacker must have an account that has privileges to join machines to the domain.
MS16-082 – Important
Security Update for Microsoft Windows Search Component (3165270)
This security update resolves a vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker logs on to a target system and runs a specially crafted application.
MS16-083 – Critical
Security Update for Adobe Flash Player (3167685)
This security update resolves vulnerabilities in Adobe Flash Player when installed on all supported editions of Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT 8.1, and Windows 10.
by Mark | Jun 12, 2016 | Patch Management
Assess your Security Risk
Are you aware of the potential security risks facing your business? Cyber threats are becoming increasingly sophisticated and can have a devastating impact on your company’s reputation and finances. In this article, we’ll show you how to assess your security risk and take steps to protect your business from harm.
Identifying Your Security Risks
To begin, you need to identify your security risks. Microsoft has a great tool that can help you do this. By filling out a simple form, you can assign a dollar value to each of the security risks your business faces. Microsoft provides examples for each of the items to help you make an accurate assessment.
The following are some of the potential risks you may face:
Accidental Data Leakage:
This can occur when employees accidentally share sensitive information, such as customer data, with unauthorized parties.
Malware:
This is a type of software designed to harm your computer system, steal your data, or take control of your devices.
Insider Threat:
This is a risk posed by employees or contractors who may intentionally or unintentionally compromise your security.
Identity Theft:
This is when someone steals personal information, such as social security numbers or bank account details, and uses it for fraudulent purposes.
Malicious Access of Data from Personal Devices:
This can occur when employees use personal devices to access company data, making it vulnerable to security breaches.
Weak Passwords:
This is when passwords are easy to guess or are reused across multiple accounts, making them vulnerable to hacking attempts.
Social Engineering:
This is a tactic used by attackers to trick employees into divulging sensitive information or performing actions that compromise security.
Loss/Corruption of Data:
This can occur due to hardware failures, power outages, or natural disasters, such as floods or fires.
Misconfigured Systems:
This can occur when systems are not configured correctly, leaving them vulnerable to attack.
Outdated Operating System:
This is when systems are not updated to the latest software, leaving them open to known vulnerabilities.
Lack of Encryption:
This is when sensitive data is not encrypted, leaving it vulnerable to theft.
Equipment Failures:
This can occur when hardware such as servers, routers, or switches, fail due to aging, misuse, or other factors.
Unpatched Vulnerabilities:
This is when known security vulnerabilities are not addressed, leaving your system open to attack.
Untrained Employees:
This is when employees lack the knowledge or training to identify security risks or take appropriate action.
Taking Action to Mitigate Risks
Once you’ve identified your security risks, you can take steps to mitigate them. One way to do this is by patching your servers to protect against known vulnerabilities. However, this can be a difficult process, especially if you lack adequate rollback capabilities in case of a problem with the deployed update.
That’s where SnaPatch can help. This software takes a snapshot of your virtual servers and only deploys updates if the snapshot is successful. If the snapshot fails, no updates are deployed. The process is automated, and you receive email updates during the snapshot and deployment.
Protect Your Business Today
Don’t wait until a security breach occurs to take action. Assess your security risk today and take steps to protect your business from potential harm. With the right tools and knowledge, you can safeguard your company’s reputation and finances against cyber threats.
While you are here, I came across a great page from Microsoft that will help you assess your security risk.
Fill out the form with a dollar value for each of the options you choose and it will help you see how each of these breaches of security cost your company lost revenue. (If your not sure of the $ value, Microsoft has some examples for each of the items and their associated costs.)
The threat risk assessment covers the following;
- Accidental Data Leakage
- Malware
- Insider Threat
- Identity Theft
- Malicious Access of data from personal devices
- Weak Passwords
- Social Engineering
- Loss/corruption of data
- Misconfigured Systems
- Outdated Operating System
- Lack of Encryption
- Equipment Failures
- Unpatched Vulnerabilities
- Untrained Empoyees
https://www.microsoft.com/security/security-risk-assessment/index.html?Ocid=C+E%20Social%20FY16_Social_TW_msftsecurity_20160610_489464562#/
If patching your server fleet is difficult to get approved through your change approval board, for lack of adequate roll back in case of an issue with a deployed update, SnaPatch can help. SnaPatch will take a snapshot of your virtual servers (Vmware of HyperV) and only if the snapshot is successful, will it then allow your existing System Centre Configuration Manager (SCCM) to deploy updates to those servers. If the snapshot isnt successful, then no updates are deployed. The whole process is automated with email updates during the snapshot and deployment. Find out more @ Smikar Software
