Central Patch and Power Management (CPPM) FAQ
Introduction to CPPM
CPPM uses a commercial software package and service that will improve our ability to keep desktops and laptops patched with the latest security updates, in order to reduce security attacks and keep critical data on campus safe from intrusion. CPPM also provides a power management function that enables policies to save power for the campus community where appropriate.
In November 2007, in close cooperation with several University organizations, ITS deployed CPPM to 120 desktops and servers as part of a pilot project. In April 2008, CSUEB acquired a 3-year 3,500-seat license, centrally funded, in order to install the CPPM software on as many Windows computers as appropriate. Today there are
3000 computers + that are being patched centrally on campus..
Providing a patch management system for CSUEB is part of a larger effort to reduce the individual responsibility that ordinary computer users must accept to maintain their systems securely, and to protect the open CSUEB network from the steadily increasing threats found on the Internet.
If a PC is attached to the CSUEB network, or is used to transact University business, the goal is to ensure that it receives all required security updates quickly and reliably. The CPPM service at CSUEB can help meet that goal.
Microsoft System Center Configuration Manager
Microsoft System Center Configuration Manager (SCCM) is a Windows product that enables the management, deployment and security of devices and applications across an enterprise. Amongst other potential uses, administrators will commonly use SCCM for endpoint protection, patch management and software distribution.
Do note that CPPM cannot handle all aspects of maintaining your computer securely, and only functions as an important element of good security practices
For more information on how to use your computer securely and appropriately please see the Acceptable Use Policy and Secure Computing website
Internet-based attacks on individual desktop and laptop computers are a worldwide problem that is continuing to grow exponentially. It's, therefore, critical to keep operating systems up-to-date by installing security patches as soon as they become available.
Until now it has been each desktop or laptop computer user's individual responsibility to install critical patches. Even people who are doing a good job of keeping their PCs updated sometimes miss important patches. Failures to keep all systems patched can place everyone on the shared network at risk. CPPM helps ITS provide this service in a more reliable and efficient way to the campus community.
CPPM 's main purpose is to provide a very robust computer operating system patch management service to the University community. It will also be used to distribute updates to Microsoft SCEP AntiVirus, the antivirus software licensed for use at CSUEB. It collects inventory information to help patch computers appropriately. In addition, CPPM provides CSUEB power management capabilities so that we can be a model sustainable university and save power where appropriate for the campus.
This month we have deployed the following updates:
Ensure you are patching security updates for our Enterprise level software at CSUEB
Impact/Severity |
Patch Initiated |
Patch Completed |
High |
Within 24 hours of patch release |
Within 1 week of patch release |
Medium |
Within 1 week of patch release |
Within 1 month of patch release |
Low |
Within 1 month of patch release |
Within 2 months of patch release, unless ISO determines this to be an insignificant risk to the environment |
SCCM is patching active clients hourly for AV updates with our Automatic Deployment rules. This ensures that the device has the latest AV dats from Microsoft.
Microsoft Critical updates and all security updates from https://www.cisa.gov/uscert/
There can be no single, complete solution for problems of computer security. CPPM will help to ensure that operating systems are securely patched, but there are additional essential security practices that are beyond the scope of CPPM.
Such practices include having a minimum number of user accounts on your computer, choosing strong passwords, protecting passwords from theft, using up-to-date and properly configured antivirus software, enabling firewall when appropriate, configuring file sharing properly and securely if you need to share files, shutting down your computer when it's not in use, logging off your computer every night, not double-clicking suspicious e-mail attachments, correctly configuring operating system security settings, disabling unnecessary services, and so on.
Installing the CPPM client on your computer doesn't mean that you're safe: it means that you're safer.
For more information about how to secure Windows PCs, please see the Secure Computing web site.
CPPM has two distinct software components, a client and a server. The client software is installed on computers that are to be managed, while the server allows system administrators to monitor those computers and enables the deployment of patches to them.
With respect to patching the machine it's installed on, the CPPM client provides extremely reliable information about the machine’s status. This accurate information is conveyed to the CPPM server, allowing system administrators charged with managing CPPM clients to patch computers appropriately and as needed.
Whenever Microsoft, for example, releases a critical security patch for Windows, it is tested and packaged by SCCM , Inc., and delivered to their customers generally within a matter of hours. The patch is then tested at CSUEB by the CPPM site administrators. After testing, under normal circumstances, tested and approved patches will then be deployed centrally to any computers still in need of them. The testing and approval process may be hastened under extraordinary circumstances.
No. At this time, CPPM will only be installed on University-owned computers. It will not be installed on the privately owned computers of students, guests or visitors.
When critical security patches have been released by Microsoft, and tested at CSUEB, they will be deployed. If necessary, you will be prompted to restart your computer. Please note that all computers may be rebooted Tuesdays after 6 PM to ensure proper patching.
Your work will not be disrupted. You will always be able to save open files and quit gracefully out of any running applications before you choose to restart.
Note that, under extraordinary circumstances, such as an immediate and dangerous attack on an operating system vulnerability, the patch approval and testing process may be curtailed to some degree. In every case, the CPPM site administrators will provide as much advance notice as possible that an emergency patch will be deployed.
The CPPM agent doesn't cause any problems and you won't even notice it's running on your PC. It's sometime the case, however, that the installation of operating system patches causes problems. Be aware that patches will be tested before they are released, in order to ensure that they won't cause widespread problems in the CSUEB environment. Also not that your computer will be rebooted every Tuesday after 6 PM.
- Easiest way would be checking the control panel applet for ConfigMgr on the client. Control Panel > Systemand Security > Configuration Manger
Answers to Technical Questions
The CPPM client software will run on all Windows platforms currently supported by Microsoft. The CPPM central administrators will test new operating system patches, when Microsoft releases them and before deploying them to client PCs, on English versions Windows 11 and 10 all version of Enterprise, all at the latest Service Pack level.
Certain computers can be excluded from automatic patching if appropriate.
If you have concerns about your computer and patching please contact the CPPM administrator (CPPM@csueastbay.edu). If you’d like to request an excpetion from central patching please fill out an ESARF.
Administrative Details & Inventory Information Answers
The answer is yes: you should be worried that hackers might seize control of your computer and gain access to all of your files.
More and more often computer viruses are appearing that attempt to steal confidential information, such as credit card numbers, PayPal passwords, and so forth.
CPPM will help to protect you from such threats.
CPPM will permit authorized staff to collect certain data about your computer, but there are very tight controls on the nature of that data, and very tight controls on how that data may be used. CPPM does not collect data files from your computer.
See the next two questions for more information.
The CPPM site administrator will have access to retrieved properties for all CPPM client computers. Any additional people who want access to the information must be authorized by the appropriate managers within their organizations and by Information Security Office.
CSUEB does not intend to make any use of the information that CPPM retrieves except to help ensure the security of the University's network. You should know, however, that this information - like all information on or about our network - is subject to University policies and relevant laws.
Power Managment is the ability for your desktop to save energy while it its not in use. As a whole, the more desktops that are not in use and remain powered off, the less consumtion there is for electrical demand.
More CPPM Information
If you have questions about using CPPM at CSUEB that aren't covered in the FAQ, please send e-mail to the CPPM team at CPPM@csueastbay.edu.
The tool we are using for the CPPM project is called SCCM
https://www.microsoft.com/en-us/cloud-platform/system-center-configuration-manager
These FAQs were based on the FAQs developed by Stanford University's CPPM Team. We'd like to thank them for sharing their experiences and contributions to this project and the FAQs.
*Working from Home during COVID-19 download our CSUEB VPN here*
See the Software Store for VPN