Third-Party Patching Tips from ConfigMgr and Infosec Experts
Here are some tips and tricks experts shared in Adaptiva’s recent ConfigMgr Third-Party Patching Roundtable Webinar.
July 30, 2019
IT pros are feeling anxious about third-party patching in today’s volatile threat landscape. In an ideal scenario, every application on every endpoint would have all the security patches applied as soon as available. Even then, you’d still have to account for functional updates, as well. In reality, you prioritize intelligently and work as efficiently as you can. In this blog, I’ll summarize some tips and tricks experts shared in Adaptiva’s recent ConfigMgr Third-Party Patching Roundtable Webinar.
Some of the world’s leading voices on the topic joined the discussion, including MVP Anoop C. Nair; MVP Harjit Dhaliwal; Bob Kelly, Director, Flexera; and MVP Andy Malone.
Anoop: ConfigMgr Third-Party Overview
Microsoft has all but eliminated the older System Center Updates Publisher (SCUP). While SCUP is still available, Anoop recommends using a newer technology. With ConfigMgr 1806, Microsoft introduced the ability to do third-party patching without installing SCUP. See what’s new in this overview diagram.
[Diagram: Third-Party Patching Overview]
Anoop also provided a great explanation of how to enable third-party patching in ConfigMgr. You may be able to get what you need from the diagram below. If not, you can watch the webinar on demand.
[Diagram: Enable Third-Party Patching]
Harjit: Supersedence
Harjit reminded the audience that there can be more to application updating than just applying patches. ConfigMgr allows you to upgrade or replace existing applications by using a supersedence relationship. You can optionally specify a new deployment type to replace the deployment type of the superseded application.
[Image: Applications]
Bob: Patching Prioritization
Bob talked about the importance of prioritization. There just are not enough hours in the day to keep up with new application requests, functional updates and security updates. It’s too much to track and too many decision points. For that reason, companies often just focus on popular applications.
That’s a major danger, because the top vendors account for only about half of software vulnerabilities.
Bob suggests instead looking at a number of factors, starting with threat intelligence. It’s not enough to know which applications are vulnerable. You really need to know which of those vulnerabilities are being exploited in the real world. He breaks patching down to four main factors: threat, criticality, prevalence and asset sensitivity.
[Image: Patch Prioritization]
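As an added illustration (not code from the webinar, Flexera or Adaptiva), the Python sketch below ranks a constructed patch backlog by the four factors and compares the result with a popularity-only order. The weights, field names and sample applications are assumptions chosen for the example.

```python
from dataclasses import dataclass

# Assumed weights (not from the webinar): threat intelligence leads,
# followed by criticality, asset sensitivity and prevalence.
WEIGHTS = {"threat": 0.4, "criticality": 0.25, "sensitivity": 0.2, "prevalence": 0.15}

@dataclass(frozen=True)
class PendingPatch:
    app: str
    exploited_in_wild: bool   # threat: is exploitation seen in the real world?
    cvss: float               # criticality: severity score, 0.0-10.0
    install_share: float      # prevalence: fraction of endpoints, 0.0-1.0
    asset_sensitivity: float  # sensitivity of affected endpoints, 0.0-1.0

    def __post_init__(self):
        # Reject out-of-range inputs so one bad record cannot skew the ranking.
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.app}: cvss out of range")
        for name in ("install_share", "asset_sensitivity"):
            if not 0.0 <= getattr(self, name) <= 1.0:
                raise ValueError(f"{self.app}: {name} must be within 0.0-1.0")

def risk_score(p: PendingPatch) -> float:
    """Weighted sum of the four factors, each normalized to 0.0-1.0."""
    factors = {
        "threat": 1.0 if p.exploited_in_wild else 0.0,
        "criticality": p.cvss / 10.0,
        "sensitivity": p.asset_sensitivity,
        "prevalence": p.install_share,
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()), 3)

def by_risk(patches):
    return [p.app for p in sorted(patches, key=risk_score, reverse=True)]

def by_popularity(patches):
    return [p.app for p in sorted(patches, key=lambda p: p.install_share, reverse=True)]

# Constructed sample backlog; application names and values are placeholders.
BACKLOG = [
    PendingPatch("popular-browser", False, 6.5, 0.95, 0.3),
    PendingPatch("office-suite", False, 7.8, 0.90, 0.5),
    PendingPatch("niche-pdf-tool", True, 8.8, 0.08, 0.9),
    PendingPatch("legacy-vpn-client", True, 9.8, 0.15, 1.0),
]

if __name__ == "__main__":
    print("popularity order:", by_popularity(BACKLOG))
    print("risk order:      ", by_risk(BACKLOG))
```

With these sample values, the two rarely installed but actively exploited applications move from the bottom of the popularity order to the top of the risk order.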
Andy: Application Security Vulnerability Patching
Andy had some very specific advice for thinking strategically:
Adapt your organization’s security policy to keep up with changing technologies. It should be a living, breathing document.
Ensure you have “best practice” cybersecurity procedures in place.
Identify and prioritize your key assets in terms of risk.
Have a solid security awareness program for your staff.
Establish a solid incident response plan.
Start looking at security from an assumed breach standpoint. You’ll see security in a very different way.
Have a verification process for third-party updates/supply chain attacks.
He also implored the online audience to know their tech, which is not as simple as some people might think! He offered several suggestions.
[Image: Know your tech]
More Info
If you’d like to learn more, there’s an easy solution: Watch the webinar on demand, and review the full slide deck, as well.
About the Author
Bill Bernat, director at Adaptiva, has worked in the technology industry for over 25 years. Before joining the team at Adaptiva, Bill was the web publisher at OpenText and a technical editor for Penton’s Streaming Media Magazine. He spent many years as a programmer and engineering manager for a variety of organizations including NASA, Union Bank of California, and Banc of America Securities. For more information, please visit www.adaptiva.com and follow the company on LinkedIn, Facebook, and Twitter.