Microsoft Offers Endpoint Configuration Manager Advice for Keeping Remote Clients Patched
Microsoft this week offered advice for organizations using Microsoft Endpoint Configuration Manager (formerly "System Center Configuration Manager") with remote Windows systems that need to get patched, and it also announced Update 2002.
Microsoft's "update Tuesday" patch release for this month will occur on April 14, 2020. Many organizations needing to distribute patches to client devices now have remote workforces to address. Those remote devices may be connecting to company resources via a virtual private network (VPN).
VPNs and Patches
For VPN users, Microsoft has been recommending a split-tunneling networking approach to reduce the demands on a corporate VPN.
In worst-case scenarios, all traffic gets routed through the VPN, which can cause network slowdowns, especially as patches start arriving. Microsoft Endpoint Configuration Manager users are stuck in such situations, according to Rob York, a program manager for Configuration Manager and Microsoft Intune at Microsoft:
If you do have a VPN but it routes all traffic back on premises, then unfortunately you cannot direct ConfigMgr traffic away from the VPN, and all update traffic will flow from the on-premises servers. This can be problematic for normal day-to-day operations, but the impact is likely exacerbated when faced with a patch deployment to remote machines.
Organizations that don't have a VPN can "configure ConfigMgr to leverage cloud services by default." These organizations should also "consider using Intune to manage your Windows Updates deployments without the need for any on-prem infrastructure," York added.
Users of VPNs with a split-tunnel networking arrangement have to make certain configuration changes when using Microsoft Endpoint Configuration Manager. They typically need to create a boundary group associated with a cloud management gateway or cloud distribution point, as described in detail by York.
Some organizations are reluctant to allow full split tunneling, perhaps because they don't want to permit general Internet access for security reasons. These organizations can still relieve the traffic on their VPNs by split-tunneling only Microsoft's update URLs, whitelisting them by fully qualified domain name (FQDN) rather than by IP address.
Apparently, that sort of whitelisting approach was used by Cisco to relieve its VPNs when more of Cisco's workforce needed to switch to working remotely, according to an account by The Register.
Organizations with VPNs that don't permit split tunneling to access whitelisted Microsoft Update URLs can get the patch content either "from an on-prem distribution point over the VPN, or by using a CDP [cloud distribution point] to deliver directly from the Internet and reduce the load on the VPN," York indicated.
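A quick way to confirm that a split-tunnel exclusion is actually working on a client is to resolve each update FQDN and check which interface Windows would route it through. The following PowerShell is an added example, not part of the article or of Microsoft's guidance; the FQDN list and the VPN adapter name are assumptions that should be replaced with the list Microsoft publishes and the adapter name shown by Get-NetAdapter on your client.

```powershell
# Added example (not from the article): report, per update FQDN, whether a
# Windows client would send that traffic over the VPN adapter or directly.
# FQDN list is an assumption; use the list Microsoft publishes for your setup.
$updateHosts = @(
    'windowsupdate.microsoft.com',
    'download.windowsupdate.com',
    'delivery.mp.microsoft.com'
)
# VPN adapter alias as shown by Get-NetAdapter (assumption; adjust per client).
$vpnAdapter = 'VPN Connection'

foreach ($h in $updateHosts) {
    # Resolve to A records only; CNAME entries in the answer carry no IPAddress.
    $addrs = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress } |
             Select-Object -ExpandProperty IPAddress -Unique
    if (-not $addrs) {
        [pscustomobject]@{ Host = $h; Address = $null; Interface = 'UNRESOLVED'; ViaVPN = $null }
        continue
    }
    foreach ($ip in $addrs) {
        # Find-NetRoute returns the source address and the route the stack would
        # pick for this destination; both objects expose InterfaceAlias.
        $route  = Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue
        $ifName = ($route | Where-Object { $_.InterfaceAlias } |
                   Select-Object -First 1).InterfaceAlias
        [pscustomobject]@{
            Host      = $h
            Address   = $ip
            Interface = $ifName
            ViaVPN    = ($ifName -eq $vpnAdapter)
        }
    }
}
```

Any row with ViaVPN set to True means that FQDN is still being tunneled and the exclusion needs attention; resolve the names from the client itself, since split-tunnel DNS behaviour can differ from the corporate resolver's view.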
Configuration Manager Update 2002
If that weren't enough gristle for IT pros, Microsoft this week also announced the availability of Update 2002 for Microsoft Endpoint Configuration Manager.
Update 2002 includes a new "tenant attach" feature that facilitates client device management using Microsoft's cloud services.
"Starting in Configuration Manager version 2002, you can upload your Configuration Manager devices to the cloud service and take actions from the Devices blade in the admin center," the announcement explained.
Tenant attach is apparently distinct from "co-management" (Intune plus Configuration Manager) and its "single pane of glass" management view, although the two sound quite similar.
Update 2002 also adds the Desktop Analytics dashboard for checking endpoint connectivity. There's also a content management enhancement that lets IT pros "exclude certain subnets for peer content download." Configuration Manager can also serve as a distribution point for the Microsoft Connected Cache with this update.
Organizations using Update 2002 can onboard devices to use the Microsoft Defender Advanced Threat Protection service.
One impressive addition with Update 2002, especially with the coming update Tuesday patch distribution, is its ability to detect Servicing Stack Updates. Here's Microsoft's explanation:
Configuration Manager now detects if a servicing stack update (SSU) is part of an installation for multiple updates. When an SSU is detected, it's installed first. After install of the SSU, a software update evaluation cycle runs to install the remaining updates. This change allows a dependent cumulative update to be installed after the servicing stack update.
Update 2002 also adds the ability to integrate Configuration Manager with Power BI Report Server for report visualizations.
There are plenty of other goodies in Update 2002. It's getting rolled out to subscribers "globally in the coming weeks." Users will receive a notice when the bits are ready for installation.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.