As I write this, it’s Patch Tuesday. This month, Microsoft rolled out new Feature Updates for Windows 10, so our previously deployed FUs have expired again. We’ve also had two customers’ ADRs fail to run as the WSUS sync ran longer than normal this month.
For a basic admin task, sometimes Patch Tuesday seems harder than it should be.
The most frustrating aspects of the patching process are the number of moving parts, their interaction and all the areas of potential failure. Keeping track of the whole system and ensuring it’s working the way you need it to requires a huge amount of knowledge and attention.
But the good news? There are some ways to simplify Patch Tuesday for good:
1. Report against an update group
SCCM does a good job of delivering the service for patch management, but it doesn’t do a very good job of showing the health of the service. It can take days to notice that scanning or deploying updates isn’t functioning correctly.
To check scan health you can run this report:
If you remember to run this report from time to time, you might be happy with the results. But there’s no trend, and it’s unclear when these 178 devices failed their scan. The data is there, but it’s not intuitive and the report has to be run manually.
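As an added example (not from the original post or from any vendor report), the read-only query below lists clients whose last software update scan did not complete or is stale, together with the time of that scan, which is the "when" the summary report leaves out. It assumes the standard Configuration Manager SQL views v_R_System, v_UpdateScanStatus and v_StateNames; the 7-day staleness threshold is an arbitrary value chosen for illustration.

```sql
-- Added example: run read-only against the ConfigMgr site database.
-- Lists clients whose last software update scan is not "completed" or is stale.
-- Assumption: 7 days is the staleness threshold; adjust to your scan schedule.
DECLARE @StaleDays INT = 7;

SELECT
    sys.Name0                                          AS DeviceName,
    ISNULL(sn.StateName, 'No scan data reported')      AS LastScanState,
    uss.LastErrorCode,
    uss.LastScanTime,
    DATEDIFF(DAY, uss.LastScanTime, GETDATE())         AS DaysSinceLastScan,
    CASE
        WHEN uss.LastScanTime IS NULL                            THEN 'Never scanned'
        WHEN DATEDIFF(DAY, uss.LastScanTime, GETDATE()) <= 7     THEN '0-7 days'
        WHEN DATEDIFF(DAY, uss.LastScanTime, GETDATE()) <= 30    THEN '8-30 days'
        ELSE 'Over 30 days'
    END                                                AS ScanAgeBucket
FROM v_R_System AS sys
-- LEFT JOIN so that clients with no scan record at all still appear.
LEFT JOIN v_UpdateScanStatus AS uss
       ON uss.ResourceID = sys.ResourceID
-- TopicType 501 holds the display names for update scan states.
LEFT JOIN v_StateNames AS sn
       ON sn.TopicType = 501
      AND sn.StateID   = uss.LastScanState
WHERE sys.Client0 = 1                      -- devices with the ConfigMgr client installed
  AND (
        uss.LastScanState IS NULL          -- never reported a scan
     OR uss.LastScanState <> 3             -- 3 = scan completed
     OR uss.LastScanTime < DATEADD(DAY, -@StaleDays, GETDATE())
      )
ORDER BY uss.LastScanTime;                 -- oldest (and never-scanned) first
```

Grouping the same result by ScanAgeBucket gives a rough trend view without opening each device.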
To get a view of compliance against the updates you’re looking to deploy this month, you need an update group for the relevant month to report compliance against.
Unfortunately, there’s minimal context-sensitivity with this process. You can’t drill through, and the data is only a summary of the top five updates for the update group.
2. Use KPIs to measure update compliance
A Microsoft Premier Field Engineer (PFE) has written a blog post about how he improved the time-consuming process of looking for clients that hadn’t installed necessary updates. He needed a general overview with meaningful KPIs, and he ended up sharing a SQL Server Reporting Services (SSRS) report.
This report should help you identify update problems within a specific collection and a group of systems, and it is designed to work well for a few thousand clients. He uses different KPIs to measure update compliance: the main KPI can be seen in the first bar below, and the others should help identify flaws in your deployment strategy.
He does explain, however, that the query might run longer in bigger environments and it might need improving or running outside of business hours to show results, so it’s not ideal.
A fast and fully-actionable updates dashboard, like Callisto, that shows you an overview of absolutely everything to do with your updates would give you a much quicker way of seeing these problems and taking action.
3. Get a one-stop dashboard
Finally, you have the option of using a high-level updates dashboard. One that’s designed to show you everything you need for a software update overview.
For the best results, I’d recommend a single, easy-to-access, live and constantly updated location to view everything about your software updates. The Callisto Software Updates Dashboard does exactly that. You can see health, compliance and status at a glance.
The dashboard shows everything we care about at a summary level. Scan state, sync state, pending restarts, our compliance with last month and this month’s updates, and then individual machine and device compliance.
If we want to view update group compliance we have that available at a single click:
Oh, and if you’re using a third-party patch tool like Patch My PC, those updates are automatically included too.
The dashboard views give an excellent data-dense view of the overall update compliance picture. We can, however, do much more with drilldown to individual updates, groups and devices. When we view a device, we see significant detail about everything that specific machine can tell us. We can force a restart, update policies, invoke remote control and everything else you need to be able to do to manage the update environment.
So, there’s more than one way to report on compliance
There are one or two tweaks you can make to improve your Microsoft Patch Tuesday processes in SCCM. But still, the outputs are limited. There is a far better way of presenting the data from SCCM when it comes to reporting compliance. And when this data is presented more intuitively, it can be used by your management as well as the technical bods.
As well as providing summary information in dashboard form, the Callisto Software Updates Dashboard lets you drill through on your results. Then, you can export to see more detail including per-update status, per-machine status and individual machine compliance, download, reboot status and more. Finally, if you see something on a machine that needs action, you can invoke this from the Callisto interface. And better still, it can be trialled for free to see if it works for your business.
To read more tips on streamlining Patch Tuesday and improving your SCCM reporting processes, take a look at our playbook From Essential to Beautiful.