
What software do you use to deploy and manage patches in your company?


albertwt


Hi All,

We are trying to work out whether or not to purchase SCCM 2012 or some other technology to assist with desktop/server fleet management. Today we have many disparate systems that all do a subset of what we need. In addition to that, we have Windows 7 upcoming and need to deploy it and hundreds of application packages.

The new technology MUST:

Deploy Windows 7 to any bare bones machine (including driver insertion)

Deploy Windows 2008 to any bare bones machine regardless (including driver insertion)

Deploy Software from MSI

Deploy Software from Non-MSI (flat file, single registry key, third party installer)

Deploy Software based on Active Directory Group Membership

Deploy Software with ‘pre-requisites and supersedes’ smarts built in

Deploy Windows Security Patches

Deploy Windows Security Patches with respect to groups (ie node A is patched fully before node B is patched)

Ability to Permanently exclude Security Patches that are irrelevant to a system

Ability to Disapprove a Security Patch

Report on Windows Security Patch Gaps

Report on software deployments for licensing compliance

Support a replicated Multi-tiered infrastructure deployments (Internal, DMZ-I, DMZ-E info all in the same Microsoft SQL database)

Be supported by the supplying vendor on a vmware platform

Provide a configuration management database that lets you put manual descriptions hardware, asset and IP addressing information in

The new technology SHOULD:

Allow you to Add/Remove things from an SOE without having to recreate SOE from scratch.

Deploy user based software that installs on first run instead of installing all your apps upon first log in

Allow administrative removal of an application from a machine when you’re out of a group

Automatically associate users to machines based on the last log on

Report on hardware inventory

Report on software inventory

Report on user to machine inventory

Not require the user to have local administrative privileges

Any kind of suggestion and input will be greatly appreciated.

Thanks



As far as SCCM 2007 (current release), 2012 is supposed to be released end of 2011-beginning of 2012, see comments below:

The new technology MUST:

DOES IT (Need PXE boot or vPRO to turn machines on if you want it completely hands off) - Deploy Windows 7 to any bare bones machine (including driver insertion)

DOES IT (Need PXE boot or vPRO to turn machines on if you want it completely hands off) - Deploy Windows 2008 to any bare bones machine regardless (including driver insertion)

Needs to configure OSD (Operating System Deployment in SCCM)

DOES IT - Deploy Software from MSI

- can be imported and SCCM will create the package for you with Attended, unattended, per-user, per-computer, and uninstall options created in four easy clicks.

DOES IT - Deploy Software from Non-MSI (flat file, single registry key, third party installer)

Or run an executable file, or script, or any number of other tasks related to running programs and tasks

SORT OF - Deploy Software based on Active Directory Group Membership

In SCCM you create Collections based on your desired target group of machines needing a piece of software. Collections are created using SQL queries of information in the SCCM database and can be based on almost anything you can think of, including AD groups or OU membership.

Partly - Deploy Software with 'pre-requisites and supersedes' smarts built in

You can create software packages for deployment and assign other packages that need to be installed before that package is installed. For supersedes there isn't something "built-in"; you could create an uninstall package and have it run before your updated package installs, though.

YES! All the way down - Deploy Windows Security Patches

Deploy Windows Security Patches with respect to groups (ie node A is patched fully before node B is patched)

Ability to Permanently exclude Security Patches that are irrelevant to a system

Ability to Disapprove a Security Patch

Report on Windows Security Patch Gaps

WSUS can be added to and controlled by SCCM and will do all of the above, including putting a patch back on a machine if a user removes it, removing a patch if you disapprove it, and only applying patches relevant to the target system even if the systems are not configured the same, so if a machine has Office 2007 and Office 2010 patches are in the assigned patch list, it will not install them until it sees Office 2010 is installed on the machine. If you have seen the reports you get from WSUS, the reports you get in SCCM for patches are 100 times better. We have both WSUS and SCCM with WSUS; the machines looking at WSUS alone are 33% further behind on patch compliance than the machines using the SCCM/WSUS combination.

DOES IT - Report on software deployments for licensing compliance

With conditions - Support a replicated Multi-tiered infrastructure deployments (Internal, DMZ-I, DMZ-E info all in the same Microsoft SQL database)

As long as the SCCM server has access to reach machines in all of the networks.

Be supported by the supplying vendor on a vmware platform

Officially not on VMWare, but it does run just fine in VMWare. It is only an issue if they feel the issue you call about is base hardware related. Be sure you discuss with Microsoft what your deployment size will be so you size your "servers" appropriately, and talk with your VM supplier to do the same.

Absofrigginlutely - Provide a configuration management database that lets you put manual descriptions hardware, asset and IP addressing information in

through multiple methods you can extend the inventory database and what is collected from machines

The new technology SHOULD:

Allow you to Add/Remove things from an SOE without having to recreate SOE from scratch.

- Can't think of anything where you have to start over from scratch, at least I have not had to yet, we phased in various different features and no one knew we added them until we turned on all the lights and announced it.

Deploy user based software that installs on first run instead of installing all your apps upon first log in

- It all depends upon how you create your packages and tasks

Allow administrative removal of an application from a machine when you're out of a group

- It all depends upon how you create your packages and tasks

- can also create packages to perform uninstalls

Automatically associate users to machines based on the last log on

- not directly but can be done. Don't recall if that was something I added to the inventory or if it previously existed.

Report on hardware inventory

Report on software inventory

- or network address, or subnet, printers, peripherals, encryption, or what else can you come up with?

Report on user to machine inventory

- not sure what you mean by this one but probably, database extending might be needed

Not require the user to have local administrative privileges

- programs can be advertised or assigned and can be set to install with admin rights or with user rights

I've been using SCCM in two different environments for seven years now and would never want to be without it. We started with a small subset of features and have been adding more as need/demand arises.


Been there, took over a year for us to implement SMS 3, SCCM 2007 was out for more than 2 years before we upgraded to it, hopefully once 2012 is released we can get it deployed in less than a year this time.

If you have more questions let me know, or check out myitforum.com; there is a very large and knowledgeable SCCM community there.
