Deprecation Notice and Support Limitations
The patching capability of the Microsoft SCCM connector is deprecated and is not supported in new integration setups.
The Microsoft SCCM connector now only supports fetching asset data into the Vulcan Platform (inventory only).
Background
Microsoft SCCM provides a unified management console with an automated set of administrative tools to deploy software and enforce compliance across all devices in an organization.
Vulcan's SCCM connector enables you to:
Deploy patches for selected vulnerabilities faster than ever.
Create software update groups based on the correlation between Vulcan's Remediation Database and the fixes available in your SCCM version.
Get full asset coverage by pulling all managed devices from SCCM and correlating them with data from other security tools, such as vulnerability scanners or threat intelligence.
Flow
Prerequisites
Supported version: 1910
Supported site hierarchy: single standalone primary site
Windows permissions: the account used to authenticate must be a member of the Domain Users group and of the Remote Desktop Users group on the SCCM server.
SCCM permissions: the Full Administrator security role, assigned to the domain group the account belongs to.
The connector pulls its data over remote PowerShell (WinRM). Running remote PowerShell on the SCCM server requires an account that is permitted to use WinRM there, which by default means a local administrator.
How to configure SCCM connector
On the Connectors page, click Add a Connector.
Click the SCCM connector.
Fill in the following fields:
SCCM Address - IP address or hostname of the SCCM server
Username - an account with the permissions listed under Prerequisites, written as DOMAIN\username
Password - the account's password
Site Code - the three-character code that identifies the site. It is shown in the top bar of the SCCM console; for example, PRM.
*If SCCM is reached through a gateway:
1. Make sure the configured IP address and port can reach the SCCM server (the default port is 5985 for HTTP or 5986 for HTTPS).
2. Follow the troubleshooting FAQ at the end of this page to make sure all the required configuration is in place.
SCCM as Asset Inventory
Vulcan's SCCM connector pulls all the devices that SCCM manages and displays them as hosts.
Note that assets that do not appear in a scan report from a scanning tool will not be marked as vulnerable: SCCM supplies the inventory, not the findings.
Vulcan's SCCM connector pulls all relevant information and displays it under the asset's details.
In addition, the following properties are created as tags on each asset: Client Type, Device Owner, Full Domain Name, Site Name and the Device Collections the device belongs to. Based on those tags you can perform various actions in Vulcan (read more about tags).
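The inventory pull described above, as an added example that is not the connector's own code: it opens a remote PowerShell session to the site server (the same transport the connector uses) and reads the managed devices, together with the fields behind the tags listed above, from the SMS provider. The server name, site code and credential are placeholders, and the WMI classes queried are this example's choice, not necessarily the queries the connector runs.

```powershell
# Added example, not Vulcan's connector code. Placeholders: $SccmServer, $SiteCode.
# Reads the SCCM inventory over WinRM and builds one record per managed device
# with the fields the connector exposes as tags (client type, full domain name,
# site name, device collections).
param(
    [string]$SccmServer = "sccm01.corp.example",  # placeholder hostname of the site server
    [string]$SiteCode   = "PRM",                  # three-character site code from the console top bar
    [int]   $Port       = 5986,                   # 5985 = HTTP, 5986 = HTTPS
    [bool]  $UseSSL     = $true
)

# Account in DOMAIN\username form, as the connector requires
$cred = Get-Credential -Message "SCCM account (DOMAIN\username)"

$sessionArgs = @{ ComputerName = $SccmServer; Credential = $cred; Port = $Port }
if ($UseSSL) { $sessionArgs.UseSSL = $true }
$session = New-PSSession @sessionArgs

$inventory = Invoke-Command -Session $session -ArgumentList $SiteCode -ScriptBlock {
    param([string]$SiteCode)
    $ns = "root\SMS\site_$SiteCode"   # SMS provider namespace for this site

    # Site name, used for the Site Name tag
    $site = Get-CimInstance -Namespace $ns -ClassName SMS_Site -Filter "SiteCode='$SiteCode'"

    # Collection names keyed by CollectionID, then membership keyed by ResourceID
    $collName = @{}
    Get-CimInstance -Namespace $ns -ClassName SMS_Collection |
        ForEach-Object { $collName[$_.CollectionID] = $_.Name }
    $membership = @{}
    Get-CimInstance -Namespace $ns -ClassName SMS_FullCollectionMembership |
        ForEach-Object {
            if (-not $membership.ContainsKey($_.ResourceID)) { $membership[$_.ResourceID] = @() }
            $membership[$_.ResourceID] += $collName[$_.CollectionID]
        }

    # Only records with an installed client (Client=1) are SCCM-managed devices.
    # Device Owner is not on SMS_R_System; SMS_CombinedDeviceResources.DeviceOwner
    # carries it and could be joined on ResourceID the same way.
    Get-CimInstance -Namespace $ns -ClassName SMS_R_System -Filter "Client=1" |
        ForEach-Object {
            [pscustomobject]@{
                Hostname       = $_.Name
                ResourceId     = $_.ResourceID
                ClientType     = $_.ClientType
                FullDomainName = $_.Full_Domain_Name
                SiteName       = $site.SiteName
                Collections    = ($membership[$_.ResourceID] -join "; ")
            }
        }
}
Remove-PSSession $session

# Hand $inventory to whatever correlates it with scanner findings; here, print it.
# Devices listed here but absent from every scan report stay "not vulnerable".
$inventory | Sort-Object Hostname | Format-Table -AutoSize
```

Run it from a machine that can reach the listener port; with the HTTPS port the server certificate must be trusted by the caller, which is also the check that the gateway path will have to pass.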
How to create Software Package Update via Vulcan
Vulcan's SCCM connector enables you as a user to create software update groups based on Vulcan's
On the Vulnerabilities page, select a Windows vulnerability that you want to fix on assets managed by SCCM. Use the search bar and filter by Asset Source: SCCM.
Click the vulnerability you want to patch using SCCM, click Take Action and then Deploy a patch.
Select SCCM.
Deploy patch has two sections:
Device Collection
Software Update Group
Device Collection
The first step is to choose whether to create a new device collection or use an existing one.
To help make the decision, open the "view all device collections" dropdown in the bottom-right corner of this section.
If you decide to use an existing device collection, disable the creation option and skip to the next section.
If you decide to create a new device collection:
• By default, the new device collection holds the assets that contain the vulnerability and are managed by SCCM. If you wish to patch only some of these assets, click the following button:
On the drop-down, select Specific assets. You can remove an asset from the future device collection by unchecking it. Click OK to save the list of devices.
• Name the device collection and write a short description of its purpose.
• Vulcan will create the collection automatically once you click Deploy fix.
That's it - you've now defined the device collection that the fixes will be deployed to.
Creating a Software Update Group
Now that you know which assets the fix will be deployed to, it's time to select the actual fix you want to deploy.
Vulcan automatically adds all the relevant fixes to the software update group. To choose specific fixes, click the following button:
Uncheck any solution you do not want applied to the device collection, then click OK to approve.
Name the software update group and write a short description of its purpose.
That's it - you've now defined the software update group that will be applied to the device collection.
Click Deploy fix and the software update group will be created in SCCM, ready for deployment. All that remains is to deploy the software update from SCCM during the next patch window.
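The two objects the Deploy fix step leaves behind in SCCM, built here with the ConfigurationManager PowerShell module as an added example; this is not Vulcan's implementation, whose code the page does not show. The site code, hostnames, KB numbers, names and descriptions are placeholders. It also shows why a KB that has not been downloaded to the site cannot be offered, as the FAQ below explains.

```powershell
# Added example, not Vulcan's code: the SCCM objects that "Deploy fix" creates,
# built with the ConfigurationManager module on a console machine. Placeholders:
# $SiteCode, the hostnames in $targets, the KB list and the names/descriptions.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
$SiteCode = "PRM"
Set-Location "${SiteCode}:"

# Constructed input: the vulnerable hosts Vulcan correlated to SCCM, and the
# KB article IDs it offers under Fixes for the selected vulnerability
$targets  = @("WS-FIN-017", "WS-FIN-022", "SRV-APP-03")
$articles = @("5005565", "5005568")
$stamp    = Get-Date -Format "yyyyMMdd-HHmm"
$collName = "Vulcan fix $stamp"
$sugName  = "Vulcan SUG $stamp"

# 1. Device collection: limited to All Systems, one direct membership rule per
#    device, matching the "Specific assets" list in the UI
$coll = New-CMDeviceCollection -Name $collName -LimitingCollectionName "All Systems" `
            -Comment "Hosts carrying the selected vulnerability (created from Vulcan)"
foreach ($name in $targets) {
    $dev = Get-CMDevice -Name $name
    if (-not $dev) { Write-Warning "$name is not in the SCCM inventory; skipping"; continue }
    Add-CMDeviceCollectionDirectMembershipRule -CollectionId $coll.CollectionID -ResourceId $dev.ResourceID
}

# 2. Software update group: only updates whose content is already downloaded to
#    the site can go in, which is why an un-downloaded KB shows as not patchable
$sug = New-CMSoftwareUpdateGroup -Name $sugName -Description "Fixes correlated by Vulcan"
foreach ($kb in $articles) {
    $updates = Get-CMSoftwareUpdate -ArticleId $kb -Fast |
               Where-Object { $_.IsContentProvisioned -and -not $_.IsExpired }
    if (-not $updates) { Write-Warning "KB$kb is not downloaded to this site; skipping"; continue }
    Add-CMSoftwareUpdateToGroup -SoftwareUpdateGroupName $sugName -SoftwareUpdateId $updates.CI_ID
}

# Nothing is deployed here: as the FAQ says, the deployment itself is created in
# SCCM during the patch window, e.g. with New-CMSoftwareUpdateDeployment against
# $collName and $sugName.
"Collection '$collName' (ID $($coll.CollectionID)) and update group '$sugName' created."
```

The direct membership rules are the part worth checking after a run: if a host was skipped with a warning, it is not in the SCCM inventory under that name and will not receive the update even after the group is deployed.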
FAQ
How does Vulcan offer the correct solutions?
Vulcan offers the correct solutions by aggregating data from both its own Remediation Database and the customer's SCCM environment.
On each vulnerability, under Fixes, you can see all the solutions Vulcan knows about. When deploying a patch, only the fixes that are both available in the connected SCCM (pulled from WSUS) and present in the Remediation Database are offered. That way you can always deploy the most accurate solution for your environment.
Does Vulcan automatically trigger patch deployment?
No. Vulcan creates device collections and software update groups in SCCM; the deployment itself is triggered from SCCM.
Which site hierarchies does the connector support?
Currently only a single standalone primary site.
Can Vulcan pull existing device collections?
Not currently, but this will be possible in the future. Each time you deploy a fix using Vulcan, a new device collection is created.
Why can't I use SCCM to patch a certain KB?
When you connect SCCM to Vulcan, the platform automatically detects which KBs are available in your local SCCM and can be deployed to the managed assets. If a KB is marked as not patchable through your SCCM connector, it is most likely because that KB has not yet been downloaded to your local SCCM. Download it to make the KB patchable.
Troubleshooting SCCM deployment via Gateway
To communicate with SCCM, Vulcan uses WinRM, Microsoft's implementation of the WS-Management protocol. The following checks confirm that it is running and reachable so that the sync can work.
1. Make sure the IP address and port configured in the Vulcan UI can reach the SCCM server (the default port is 5985 for HTTP or 5986 for HTTPS).
2. On the SCCM server, the most basic check is that WS-Management is running. Run Test-WSMan; a response with the protocol version means it is running.
3. Next, check that a WinRM listener is running: winrm enumerate winrm/config/listener
Check three things here: the Port matches what you configured in the UI, ListeningOn contains the IP address configured in Vulcan or 0.0.0.0 (all interfaces), and Enabled = true.
4. Check that the local firewall on the server is not blocking the connection: Get-NetFirewallRule -Name WINRM-HTTP-In-TCP (the rule should be enabled with Action Allow; an HTTPS listener on 5986 has no built-in rule and needs one of its own).
5. For credentials, make sure the username is in one of the following formats:
DOMAIN\user – for domain accounts
COMPUTERNAME\user – for local accounts on a workgroup computer
.\user – for local accounts on a workgroup computer
6. Verify that the user has the correct permissions:
On the Windows server – the account has to be in the Domain Users group and the Remote Desktop Users group. During debugging it may be worth temporarily adding the user to the local Administrators group, to rule out any remaining permission block; remove it again once the connection works.
On SCCM – the Full Administrator role, assigned to the domain group the user belongs to.
7. Validate that the following settings are in place on the SCCM server so that it accepts remote WinRM connections.
To allow WinRM over plain HTTP, run the following from PowerShell on the SCCM server:
winrm set winrm/config/service '@{AllowUnencrypted="true"}'
8. To allow Basic authentication, run the following from PowerShell on the SCCM server:
winrm set winrm/config/service/auth '@{Basic="true"}'
Both settings weaken the server: with Basic authentication over unencrypted HTTP the account's password crosses the network in clear text. Use them only while troubleshooting, or put the listener on HTTPS (port 5986) so that the transport is encrypted, and revert them when you are done.
9. The connecting user needs Read and Execute permissions on the WinRM root. Run the following on the SCCM server and grant them in the dialog that opens:
winrm configSDDL default
10. Validate that the WinRM address filter is not excluding the server's IP address. In Group Policy (gpedit.msc locally, or the domain GPO that applies to the server):
From the menu tree, go to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service.
Right-click Allow remote server management through WinRM and click Edit.
Select Enabled to allow remote server management through WinRM.
Enter an asterisk (*) in the IPv4 filter and IPv6 filter fields. These filters control the local addresses WinRM listens on; the asterisk means all of them, and the server address configured in Vulcan is enough if you prefer to be explicit.
Click OK.
11. Make sure UAC is not blocking the connection. As a last resort during troubleshooting, turn it off temporarily:
Select Start > Control Panel.
Select User Accounts > Turn User Account Control on or off (on newer Windows versions: Change User Account Control settings).
Clear Use User Account Control (UAC) to help protect your computer and click OK.
Reboot the machine for the change to take effect. Turn UAC back on once the connection is working; running the SCCM server without it is not a supported long-term configuration. Note that UAC's remote restriction only filters local accounts; a domain account is not affected by it, so for a DOMAIN\user account this step rarely helps.
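The server-side checks from steps 2 to 4 above, scripted, followed by the corrected configuration that the warning under steps 7 and 8 calls for: an HTTPS listener with Negotiate instead of clear-text Basic over HTTP, and a firewall rule scoped to the address Vulcan connects from. This is an added example, not part of the original page or of Vulcan's tooling; the hostname, certificate thumbprint, gateway address and port are placeholders.

```powershell
# Added example, not Vulcan's code. Runs the checks from steps 2 to 4 on the SCCM
# server, then replaces the weak settings from steps 7 and 8 with an HTTPS
# listener. Placeholders: $Hostname, $Thumbprint, $VulcanGatewayIp and $Port.
$Hostname        = "sccm01.corp.example"                       # must match the server certificate's subject/SAN
$Thumbprint      = "0123456789ABCDEF0123456789ABCDEF01234567"  # placeholder: server-auth cert in LocalMachine\My
$VulcanGatewayIp = "10.20.30.40"                               # placeholder: address the Vulcan gateway connects from
$Port            = 5986                                        # 5985 = HTTP, 5986 = HTTPS; must match the Vulcan UI

# Step 2: WS-Management answers locally (throws if the service is not running)
Test-WSMan -ErrorAction Stop | Out-Null

# Step 3: an enabled listener on the configured port
$listener = Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
            Where-Object { $_.Enabled -eq "true" -and [int]$_.Port -eq $Port }
if (-not $listener) { Write-Warning "No enabled WinRM listener on port $Port" }

# Step 4: the inbound rule for the HTTP listener (the HTTPS port has no built-in rule)
Get-NetFirewallRule -Name "WINRM-HTTP-In-TCP" -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled, Action, Profile

# Steps 7 and 8, weak form: the password crosses the wire base64-encoded, not encrypted
#   Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $true
#   Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $true
# Report whether either is currently on so it can be reverted after troubleshooting
$allowUnenc = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
$basic      = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
if ($allowUnenc -eq "true" -or $basic -eq "true") {
    Write-Warning "AllowUnencrypted=$allowUnenc Basic=$basic: clear-text credentials possible"
}

# Corrected form: HTTPS listener on 5986 with a real certificate, no unencrypted
# traffic, no Basic; Negotiate (Kerberos for a domain account) stays enabled.
if (-not (Get-WSManInstance -ResourceURI winrm/config/listener -Enumerate |
          Where-Object { $_.Transport -eq "HTTPS" })) {
    New-WSManInstance -ResourceURI winrm/config/Listener `
        -SelectorSet @{ Address = "*"; Transport = "HTTPS" } `
        -ValueSet   @{ Hostname = $Hostname; CertificateThumbprint = $Thumbprint } | Out-Null
}
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false
Set-Item WSMan:\localhost\Service\Auth\Negotiate   -Value $true

# Firewall: admit 5986 only from the gateway, instead of opening it to everyone
if (-not (Get-NetFirewallRule -DisplayName "WinRM HTTPS from Vulcan gateway" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "WinRM HTTPS from Vulcan gateway" -Direction Inbound `
        -Protocol TCP -LocalPort 5986 -RemoteAddress $VulcanGatewayIp -Action Allow | Out-Null
}

# Steps 5 and 6 end to end: the DOMAIN\username account must get a shell over the
# same transport the connector will use; a failure here is a permission problem
$cred = Get-Credential -Message "Connector account (DOMAIN\username)"
Invoke-Command -ComputerName $Hostname -Credential $cred -Port 5986 -UseSSL -ScriptBlock { whoami }
```

If the final Invoke-Command succeeds with HTTPS and Negotiate, the unencrypted and Basic settings from steps 7 and 8 are not needed and should stay off; if it fails only after those two are turned off, the client on the gateway side is the one insisting on Basic, which is the point at which to move the listener to 5986 rather than leave clear-text authentication enabled.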