Articles in this section

Quickstart for SCCM integration

Parag Baxi
  • Updated
Follow

This page walks you through setting up SCCM for your Unified VRM, accessing SCCM, and using some basic features to automate staging of patches.

Microsoft System Center Configuration Manager provides a unified management console with an automated set of administrative tools to deploy software, protect data, monitor health, and enforce compliance across all devices in an organization.

Our integration with SCCM creates a quick path for Unified VRM users to detect and remediate vulnerabilities by automating the process of creating patch Deployments in SCCM. Only SCCM 2012, and only patching of Microsoft product is currently  supported. At this point, only security patches would be deployed through Unified VRM integration.

Before you begin

Here is a few simple configuration steps that must be completed before you begin using Unified VRM’s integration capabilities with SCCM:

  1. The integration must be enabled for your organization. Please reach out to your NopSec account manager to request feature enablement.
  2. A Nopsec virtual appliance (VM) to be deployed in the client’s network, with outbound access to clisc.nopsec.com enabled for communication with Unified VRM backend.
  3. The integration requires the following information to be provided to NopSec:
    1. Windows Domain name
    2. Credential for a domain administrator account with access to SCCM server and access to verify current patch status for assets on the domain.
    3. IP address of SCCM server and the computer (netbios) name of SCCM server
    4. Port of SCCM server (usually 445)
    5. Sitename (details)
    6. A drive (ie: d:\nopsec) on the SCCM server where Nopsec integration tools can create deployment packages.
  4. The client must provide the computer (netbios) name of all Windows servers in the asset upload.

SCCM patch process

After IT and Cybersecurity commit to patching a vulnerability, there are many manual steps until the risk is mitigated. As an example, they include the following:
  1. IT require a formal ticket(s), which Cybersecurity must copy and paste details and assign the ticket to the appropriate IT owner.
  2. IT needs to manually identify all the patches that need to be applied for each vulnerability (e.g., depending on current version installed, OS).
  3. Patch admin manually creates deployment packages in SCCM.
  4. Patch admin deploys patch.
  5. Patch admin notifies Cybersecurity to validate patch remediation of vulnerabilities.
Unified VRM offers two automation features that reduce your MTTR. The steps run separately by default but can be programmed to run consecutively to meet your DevOps needs.
  1. Step 1 is automated by integrating with your ITSM. Change management processes are respected.
  2. Steps 2, 3 and 5 are automated through Unified VRM’s Automated remediation. 
IT exclusively controls Step 4, patch deployment. Unified VRM does not deploy the patches, ensuring business availability.
 
Background:
Microsoft SCCM provides a unified management console with an automated set of administrative tools to deploy software and enforce compliance across all devices in an organization. The integration with SCCM creates a quick path for Unified VRM users to detect and remediate vulnerabilities by automating the process of creating patch deployments in SCCM.
 

image9.jpg

Once all configuration is complete with asset netbios names provided, show patch opportunities using the following process.

  1. When scan data is ingested into Unified VRM, Unified VRM will automatically link vulnerabilities detected with available Microsoft patches (based on Microsoft Security Update Guide).
  2. After scan ingestion finishes, the list of available patches would be available in “Fix” -> “Patch” section on Unified VRM
    image2.png
  3. The Patch page would present all assets available to be patched for each vulnerability, and the list of patches associated.
    image5.png
    Links to Microsoft knowledge base for detailed information about each patch are also available.
    image6.png
  4. The user can then perform “Create Deployment Package” under “Actions” for each vulnerability to send a deployment package configuration to SCCM automatically. It can take up to several minutes to create it.
    image7.png
  5. During the execution, Nopsec SCCM integration would try to create the following configurations in SCCM:
    1. Deployment Package: contains the actual patch binary files that has to be downloaded to SCCM server to be distributed to assets.
      image3.png
    2. Device Collections: contains the assets to be distributed to.
      image4.png
    3. Software Update Group: bundle of multiple windows updates that are selected from individual items in one or more Deployment Packages that can be deployed to selected device collections.  
      image11.png
  6. Once created, the client will be able to see above configurations on the client’s SCCM server, and take over the scheduling and push out of these software update groups.
  7. If the patch is successfully deployed, and the asset was rebooted for the patch to be active, the vulnerability should not be found in the next network scan, and the patched assets would be removed from the patch in the patch panel. If desired, a user can also run “Actions” -> “Sync SCCM” to verify whether a patch is applied before next scan is executed.  The Sync SCCM task will check each asset and verify the status of relevant patches.
  8. It is possible that there are vulnerabilities that users do not want to patch through Unified VRM. In this scenario, the end user can choose to “close” so that all above mentioned actions will not be available to perform. The “closed” vulnerabilities will also show up at the end of the list.
  9. If it is desired to bring the information available on the Unified VRM offline, a user can chose to generate a HTML report (“Actions” -> “Create Report) to print or re-distribute the report to related teams in the organization.  

When creating a deployment package, Nopsec Unified VRM SCCM integration aims to patch all possible asset configurations. However, the updates that get included in any deployment package must be available on the client’s SCCM configuration. If updates are not available in a client SCCM environment, then it is not possible for it to be included in the deployment package. SCCM typically uses WSUS as a repository for software updates, so if a client wishes to make missing updates available in their environment, they can change their SCCM and WSUS configuration to include the necessary patches. Available patches can be searched in SCCM using the list of Knowledge Bases made available on GUI and downloadable patch report in Unified VRM.



Related articles

Comments

0 comments

Article is closed for comments.