Implementing Ivanti Patch for SCCM (Part 1): Introduction, Planning and Installation
Implementing Ivanti Patch for SCCM (Part 2): WSUS Code Signing Certificate
Implementing Ivanti Patch for SCCM (Part 3): Ivanti Settings
Implementing Ivanti Patch for SCCM (Part 4): Publishing a Third-Party Update
Implementing Ivanti Patch for SCCM (Part 5): End-to-end Demonstration
Patch Tuesday is a term well known by most sysadmins to describe the monthly drop of patches by Microsoft and other vendors for their software, and most organisations have some process in place to make sure Windows, Office and other Microsoft products receive these updates via SCCM or WSUS.
However, this leaves out the large number of other products that are frequently used by businesses, from various versions of Java, Google Chrome / Firefox and Adobe Acrobat to simple utility applications like Zoom or 7-Zip. These applications often have just as many issues as Windows, and it is just as important to keep them up to date. Updating them manually every month, whether by updating the deployment packages in SCCM or through other means, is a very time-consuming process, which is why it is better to have an automated process for these applications.
Ivanti Patch for SCCM provides a solution that integrates right into the SCCM console and can be used to automatically publish third-party application updates into WSUS for you, allowing you to use familiar SCCM tools such as Automatic Deployment Rules, Deployment Packages and Software Update Groups to manage the updates and decide on the schedule that your clients receive them.
This guide is written for use in a production environment; however, it can easily be tailored for use in a lab or test environment. Once installed, Ivanti Patch for SCCM can be used for 2 months in trial mode before a license must be applied.
Before you start raising your purchase order and installing the SCCM console plugin, you should first consider a few things. First and foremost, does Ivanti provide updates for some of the key software used in your organisation? Ivanti publishes a list of supported products that can be found here: List of Ivanti Supported Products. You should review this list and ensure there are enough products there that you use to make it worthwhile.
You will also need to know how many clients you intend to patch with Ivanti, as licensing is provided per client and the number must be specified when purchasing. The cost per seat may depend on your reseller and what rate they can negotiate for you; plus, any multi-year licensing discounts you may be able to get. Speak to your preferred reseller to find out what rates you can get.
There are some user access and service account considerations as well. To follow this guide you will need to be a member of the WSUS Administrators group on your WSUS server and have permission to write to the SCCM database, as Ivanti will create a new table there as part of its configuration. You will also need to create a service account that has the Log on as a batch job privilege on your management server and is also an Administrator and WSUS Administrator on the WSUS server. This account will be used to run Ivanti scheduled tasks. More on this in Part 4.
There will also be a code signing certificate that must be generated and imported into the Trusted Publishers store on every client that you want to be able to install these third-party updates. You have two choices: you can either use a self-signed certificate that Ivanti will generate for you, or you can use an internal PKI to create one. If you use a certificate from your internal PKI, you will also need to configure WSUS over SSL. In either case, GPO is the preferred means of deploying it to your clients. This is fully covered in Part 2 of the guide.
Finally, you must enable the setting Allow signed updates from an intranet Microsoft update service location in GPO. This will also be covered in Part 2.
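The two client-side requirements above (the signing certificate in Trusted Publishers and the intranet signed-updates policy) can be verified on a client with a short script. This is an added example, not part of the original guide or of Ivanti's tooling; the function name and the thumbprint placeholder are assumptions, and the Trusted Root check reflects the general WSUS requirement that a self-signed signing certificate must also be trusted as a root.

```powershell
# Added example: checks whether this client will accept WSUS-published third-party updates.
# $Thumbprint is a placeholder; pass the thumbprint of your own WSUS signing certificate.
param([string]$Thumbprint = '<WSUS-SIGNING-CERT-THUMBPRINT>')

function Test-ThirdPartyUpdateReadiness {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Thumbprint)

    $thumb = ($Thumbprint -replace '\s', '').ToUpper()

    # Registry value written by the GPO setting
    # "Allow signed updates from an intranet Microsoft update service location".
    $wuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $policy = Get-ItemProperty -Path $wuKey -Name AcceptTrustedPublisherCerts -ErrorAction SilentlyContinue
    $policyEnabled = ($null -ne $policy) -and ($policy.AcceptTrustedPublisherCerts -eq 1)

    # The signing certificate must be in the machine's Trusted Publishers store.
    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object Thumbprint -eq $thumb | Select-Object -First 1

    $valid = $false; $codeSigning = $false; $selfSigned = $false; $inRoot = $null
    if ($cert) {
        $now         = Get-Date
        $valid       = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        # 1.3.6.1.5.5.7.3.3 is the Code Signing enhanced key usage OID.
        $codeSigning = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.3'
        $selfSigned  = $cert.Subject -eq $cert.Issuer
        if ($selfSigned) {
            # A self-signed certificate chains to itself, so it must also be a trusted root.
            $inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $thumb)
        }
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        PolicyEnabled      = $policyEnabled
        InTrustedPublisher = [bool]$cert
        WithinValidity     = $valid
        HasCodeSigningEku  = $codeSigning
        SelfSigned         = $selfSigned
        InTrustedRoot      = $inRoot      # $null when the certificate is not self-signed
        Ready              = $policyEnabled -and [bool]$cert -and $valid -and
                             $codeSigning -and ((-not $selfSigned) -or $inRoot)
    }
}

Test-ThirdPartyUpdateReadiness -Thumbprint $Thumbprint
```

Run it in an elevated session on a sample of clients after the GPO from Part 2 has applied; any client reporting `Ready = False` will reject the published updates as untrusted.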
Installing Ivanti Patch for SCCM is a fairly simple process that we will cover here. In this guide I will be installing Ivanti on a management server that has full network access to my SCCM and SQL server (the same server, in my case). You can install it either directly on your SCCM server or on any other management server, as long as it has the SCCM console installed and has adequate access to the SCCM, WSUS and SQL servers.
Start by downloading the Ivanti Patch for SCCM installer, which can be found here.
There are a few pre-requisites that must also be installed, if they are not already. They are:
Installing these may require a reboot and this reboot should be completed before installing Ivanti Patch for SCCM.
Okay, let’s install Ivanti. Double-click the installer executable, accept the license terms and click Install. Note: If any of those pre-requisites are not installed, or the reboot has not been done, you will now be prompted to complete them before the installation can continue.
And just like that… it’s done! Click Finish to complete the installation.
Now open your SCCM console and navigate to Software Library > Software Updates. You will see a couple of new nodes added: Ivanti Patch and Published Third-Party Updates. If you click on Ivanti Patch, the Ivanti Patch for SCCM settings window will appear. For now, click Cancel. We will return to this, but first you need to decide whether you will be using a self-signed code signing certificate, or one generated from your internal PKI (if you have one).
This will be covered in Part 2!