You have sprawling servers, desktops, and mobile devices that need to be protected from the ne’er-do-wells lying on your network. As the first line of defense, you need to deploy new applications and updates, as well as apply patches to fix bugs and vulnerabilities. While you’re at it, how about making sure your systems are protected from malware? To save the day, you only have to open one tool to do it all.
Microsoft System Center Configuration Manager (SCCM) allows you to manage software, data, and compliance all in one platform. In the hands of a competent and directed administrator, SCCM is more than just a tool — it practically makes you a superhero. Here are some ways learning SCCM can help you save the day.
Through SCCM, you can set up policies for how Endpoint Protection (SCEP) — System Center’s version of Windows Defender — protects your client computers from malware threats. You can use Microsoft provided policies, or create your own policies to automate things like the scan schedule, the folder and file types to be scanned, and what actions are to be taken when threats are encountered.
Although Microsoft prefers that you use their malware and virus detection software, SCCM does allow third-party products like Kaspersky and Bitdefender. Microsoft also provides agents for SCCM and SCEP that allow them to work with AV systems running on your UNIX, Linux, or MacOS systems.
SCCM, when combined with System Center Operations Manager (SCOM), can readily monitor numerous elements of systems and application infrastructure. As with malware policies, Microsoft takes a lot of the pain out of your monitoring. They provide a range of Management Packs for typical monitoring scenarios, like:
- Server and service availability
- General health monitoring
- Software update synchronization status
- Collecting software metering (usage) data
- Distribution point configuration monitoring.
Distribution points (DP) are a critical element of your Configuration Manager setup. Software updates, OS deployments, and app management all depend on you setting up an efficient set of points. From there, content files for updates, patches, etc. are ‘pushed or pulled’ to the devices to be updated.
It’s essential therefore to monitor your distribution points on a regular basis to ensure that they are all healthy, have a complete set of the appropriate distribution content, and have sufficient storage space. The SCCM management pack provides for monitoring to ensure that each DP is properly configured for connections. Beyond that, you’ll find tools available from folks in the SCCM community like System Center Dudes.
Many organizations are subject to industry or government rules for how their IT infrastructure does — or does not — operate. Companies with web commerce sites will almost certainly need to comply with the Payment Card Industry (PCI) Data Security Standards. Financial organizations, pharmaceutical and medical device firms, and those in the defense sector will all have to adhere to, and report on, compliance regulations.
Using SCCM’s Desired Configuration Management (DCM), you can define the configuration baseline(s) you need to meet compliance requirements. You can then monitor and report on the level of compliance through the Configuration Manager console.
Patching Powers Activate!
A key element of external compliance requirements is all designated software be up to date with vendor-provided patches. But you shouldn’t need a third party to tell you when you need to apply patches as and when they are issued. A 2017 study reported that lack of timely patching of known vulnerabilities was a key and avoidable cause of security breaches. But even with an automated patch management tool, it’s not a slam dunk.
Most IT organizations are dealing with a continuous flood of vendor patches for various types of software — off-the-shelf packages, open source, custom-built apps, operating software and tools. In order to prioritize which patches to apply, organizations are turning to the industry-standard Common Vulnerability Scoring System (CVSS).
Using CVSS, you can get a good handle on which patches to apply and in what sequence. You can then turn to SCCM to tee up those patches and apply them in a controlled, automated fashion.
Every organization will look at compliance and reporting differently. It’s crucial to be in agreement on how management wants to be informed and set expectations.
For any reasonably sized organization, 100 percent compliance is probably not realistic, but something a little less may allow you to take into account hardware breakdowns, power outages, and all the other typical SNAFUs.
The use of SCCM for software updates can be tailored to fit any compliance reporting need. Configuration Manager itself provides some basic reporting, but if you need more, then help is at hand. First, check out the Software Update Compliance Dashboard on TechNet. A recent blog post, “Yet Another Software Update Dashboard,” introduces a number of free — and not-so-free — dashboards.
Of course, to update and patch Microsoft products, you can use Microsoft’s own tools. Namely, Windows Server Update Services or Configuration Manager. However, they’re not such good options for non-Microsoft OSes and software.
Sure, SCCM can be used to update Linux and UNIX machines, but many admins choose to use third-party software updating tools. Such tools can readily be used in conjunction with SCCM — they just plug-in at the update client level.
Below you’ll find a list of some of our favorite third-party patch management products on the market that will work in tandem with SCCM to patch both non-Microsoft AND Microsoft environments:
Let your powers activate
Mastery of SCCM will make you a go-to pro in your organization. It won’t be easy. They don’t hand out ‘superhero’ badges for nothing — but there are lots of places to get trained up.
First, try Microsoft Docs, where you’ll find a comprehensive Introduction to System Center Configuration Manager.
Next, start Garth Schulte’s latest course: Administering Microsoft SCCM and Cloud Services (70-703). Garth teaches you how to set up and maintain Configuration Manager and then how to use it to manage inventory and apps, and how to deploy, monitor and update system software and apps. This course will prepare you for Microsoft’s 70-703 exam, and potential MCP certification.
Once you’re on the Configuration Manager path, you’ll find lots of fellow SCCP travelers — like the 20,000+ people in the r/SCCM community on Reddit. Just check out the SCCM guides and resources they have collected.
You won’t become a superhero right away. But learning SCCM will benefit your organization superbly — as well as your career.