ConfigMgr Patch Reporting – Challenges

I’ve spoken all around the world about different patching challenges. Somehow even after years of patching, reporting is still a challenge. Today, I want to take a different tack, and instead of attacking the technical aspects try to explain the higher-level challenges for management. To do this we are going to approach this from two different angles.

  • Terminology
  • Actionable Data

Terminology

In February of 2019 I ran a poll asking what we should call “something” with a Windows operating system installed on it. That poll received 730 votes, with mixed results.

55% call them workstations – 25 Clients, 15.6 Endpoints – and 3.8% want something else.

If you are a medium to large business you likely have more than one employee responsible for securing your enterprise. This means there will be disparity in terminology and understanding as illustrated above. This disparity grows when trying to link a vulnerability definition to a remediation. For example: CVE-2017-0144. This is how a security expert would refer to and communicate about the WannaCry vulnerability. Unfortunately the CVE identifier is not tracked in WSUS, or ConfigMgr. This makes it challenging when different teams are now trying to report compliance, for a vulnerability that has two different metrics.

Fortunately there is a way to correlate a CVE to the associated KB articles when it comes to Microsoft by browsing:

https://portal.msrc.microsoft.com/en-us/security-guidance

While this does provide a good starting point it’s difficult to search it properly. If you load the CVE in, you’ll get a number of recent reports because the current cumulative rollup address’s this CVE.


As a result, it makes understanding what you are seeing challenging. This is just one example of Terminology challenges there are more.

Additional Terminology Challenges Include:

  • CVE
  • CVRF
  • KB Article ID
  • Bulletin ID

All of these terms may be referenced depending on your staffs background in the industry and time involved in the industry. This makes peer to peer communication difficult.

As a leader it’s important to ensure your team understands and agrees upon common terms to ensure they are providing accurate information and not just the current “buzz word”.

Actionable Data

Developing actionable data from uncertain terminology, in a shifting environment is incredibly complicated and messy. Especially if that data is expected to be provided in any type of “pretty” format.

I promised earlier I wouldn’t go to deep into the technology side of things, yet this merits some explanation. Configuration Manager is an absolute treasure trove of knowledge. The database contains a truly astonishing amount of information. However, as a result the sheer volume of information means the information has to be broken up and then assembled as needed.

As an example if you asked for a report on every machine considered not compliant with CVE-2017-0144 from the ConfigMgr team they would need to assemble information from several different SQL views. Here is an example of a data connection model.

Note we are pulling data from three different sources here and then filtering that data based on CVE. Unfortunately, none of these views (or any other view) contains the CVE information. Additionally some of these views have multiple versions.

Since none of our views have the CVE data it means we have to access the portal to find all patches that CAN resolve the issue and then build the query on that.

Then we have to find a way to reasonably present this data in a timely manner which means putting into SSRS. This means your staff member who is responsible for CM, now needs to either have the following skills themselves, or access to people with these skills.

  • SSRS – (Or PowerBI)
  • SQL Query Language (TSQL)
  • ConfigMgr Knowledge.

However, just knowing the data sources doesn’t do us any good if we don’t understand how and more importantly WHEN the data is updated.

Wrap Up

Patching is complicated and reporting on it no less so. There is confusing and often misleading terminology between different IT disciplines. Combined with shifting parts that mean different things. This sets us up for failrue when we ask “general” questions. Instead focus on asking more specific questions, asking for the right compliance information from the right team. Vulnerability compliance from the security team and their tools, article ID compliance from the Windows Management team.


By Jordan Benzing

Jordan Benzing is a consultant for TrueSec and a Microsoft MVP. Jordan has spoken at several user groups including the TrueSec summit in Stockholm and the Midwestern Management Summit in Minneapolis, on subjects such as reporting, patching and that wonderful thing no one likes doing documentation. In the past Jordan has worked in several ConfigMgr environments including being the ConfigMgr team lead for an organization with 170K endpoints. Jordan is known for his "love" of patching, his PowerBI dashboard templates and various other contributions to the ConfigMgr community.

When he’s not working you can usually find him hanging out on the summoners rift in League of Legends. Jordan has been playing since season one and helped out with beta testing the original gameplay.