- CSU East Bay Classroom and Lab Support
- On-Site Computer Labs
- CSUEB Bay Cloud
- AppStream Computing
- Smart Classrooms
SCCM Patch, Security, and Self-Service
Introduction to SCCM
SCCM is a computer and management service that keeps desktops and laptops patched with the latest security updates, providing privacy, and reducing the risk of campus security attacks. SCCM also provides power management capabilities to save power for the campus community. At any one time, approximately 3500 campus computers are under management.
Providing CSUEB patch management is part of a larger effort to minimize the security and maintenance burden on individual computer users.
Microsoft System Center Configuration Manager
Microsoft System Center Configuration Manager (SCCM) is a Windows product that enables the management, deployment and security of devices and applications across an enterprise. Amongst other potential uses, administrators will commonly use SCCM for endpoint protection, patch management, and software distribution.
Note that SCCM cannot handle all aspects of maintaining your computer securely, and only functions as an important element of good security practices
Internet-based attacks on individual desktop and laptop computers are a worldwide problem that is continuing to grow exponentially. It's therefore critical to keep operating systems up-to-date by installing security patches as soon as they become available.
Previously, each desktop or laptop computer user might be responsible to monitor and install critical patches. Even people who are doing a good job of keeping their PCs updated might sometimes miss important patches. Failure to keep all systems patched places everyone on the shared network at risk. SCCM helps ITS provide the campus community a more reliable and efficient way method of maintaining computers.
SCCM 's main purpose is to provide a very robust computer operating system patch management service to the University community. It will also be used to distribute updates to Microsoft SCEP AntiVirus, the antivirus software licensed for use at CSUEB. It collects inventory information to help patch computers appropriately. In addition, SCCM provides CSUEB power management capabilities so that we can be a model sustainable university and save power where appropriate for the campus.
This month we have deployed the following updates:
Ensure you are patching security updates for our Enterprise level software at CSUEB
Within 24 hours of patch release
Within 1 week of patch release
Within 1 week of patch release
Within 1 month of patch release
Within 1 month of patch release
Within 2 months of patch release, unless ISO determines this to be an insignificant risk to the environment
SCCM is patching active clients hourly for AV updates with our Automatic Deployment rules. This ensures that the device has the latest AV data from Microsoft.
Microsoft Critical updates and all security updates from https://www.cisa.gov/uscert/
There can be no single, complete solution for problems of computer security. SCCM helps ensure that operating systems are securely patched, but there are additional essential security practices that are beyond the scope of SCCM.
Such practices include having a minimum number of user accounts on your computer, choosing strong passwords, protecting passwords from theft, using up-to-date and properly configured antivirus software, enabling firewall when appropriate, configuring file sharing properly and securely if you need to share files, shutting down your computer when it's not in use, logging off your computer every night, not double-clicking suspicious e-mail attachments, correctly configuring operating system security settings, disabling unnecessary services, and so on.
Installing the SCCM client on your computer doesn't mean that you're safe: it means that you're safer.
For more information about how to secure Windows PCs, please see the Secure Computing web site.
SCCM has two distinct software components, a client and a server. The client software is installed on computers that are to be managed, while the server allows system administrators to monitor those computers and enables the deployment of patches to them.
With respect to patching the machine it's installed on, the SCCM client provides extremely reliable information about the machine’s status. This accurate information is conveyed to the SCCM server, allowing system administrators charged with managing SCCM clients to patch computers appropriately and as needed.
Whenever Microsoft, for example, releases a critical security patch for Windows, it is tested and packaged by SCCM , Inc., and delivered to their customers generally within a matter of hours. The patch is then tested at CSUEB by the CPPM site administrators. After testing, under normal circumstances, tested and approved patches will then be deployed centrally to any computers still in need of them. The testing and approval process may be hastened under extraordinary circumstances.
No. At this time, SCCM will only be installed on University-owned computers. It will not be installed on the privately owned computers of students, guests or visitors.
When critical security patches have been released by Microsoft, and tested at CSUEB, they will be deployed. If necessary, you will be prompted to restart your computer. Please note that all computers may be rebooted Tuesdays after 6 PM to ensure proper patching.
Your work will not be disrupted. You will always be able to save open files and quit gracefully out of any running applications before you choose to restart.
Note that, under extraordinary circumstances, such as an immediate and dangerous attack on an operating system vulnerability, the patch approval and testing process may be curtailed to some degree. In every case, the SCCM site administrators will provide as much advance notice as possible that an emergency patch will be deployed.
The SCCM agent doesn't cause any problems and you won't even notice it's running on your PC. It's sometime the case, however, that the installation of operating system patches causes problems. Be aware that patches will be tested before they are released, in order to ensure that they won't cause widespread problems in the CSUEB environment. Also note that your computer will be rebooted every Tuesday after 6 PM.
- Easiest way would be checking the control panel applet for ConfigMgr on the client. Control Panel > Systemand Security > Configuration Manger
Answers to Technical Questions
The SCCM client software will run on all Windows platforms currently supported by Microsoft. The SCCM central administrators will test new operating system patches, when Microsoft releases them and before deploying them to client PCs, on English versions Windows 11 and 10 all version of Enterprise, all at the latest Service Pack level.
Certain computers can be excluded from automatic patching if appropriate.
If you have concerns about your computer and patching please contact the SCCM administrator (CPPM@csueastbay.edu). If you’d like to request an exception from central patching please fill out an ESARF in Service Now Service Requests.
Administrative Details & Inventory Information Answers
The answer is yes: you should be worried that hackers might seize control of your computer and gain access to all of your files.
More and more often computer viruses are appearing that attempt to steal confidential information, such as credit card numbers, PayPal passwords, and so forth.
SCCM will help to protect you from such threats.
SCCM will permit authorized staff to collect certain data about your computer, but there are very tight controls on the nature of that data, and very tight controls on how that data may be used. SCCM does not collect data files from your computer.
See the next two questions for more information.
The SCCM site administrator will have access to retrieved properties for all SCCM client computers. Any additional people who want access to the information must be authorized by the appropriate managers within their organizations and by Information Security Office.
CSUEB does not intend to make any use of the information that SCCM retrieves except to help ensure the security of the University's network. You should know, however, that this information - like all information on or about our network - is subject to University policies and relevant laws.
Power Managment is the ability for your desktop to save energy while it its not in use. As a whole, the more desktops that are not in use and remain powered off, the less consumtion there is for electrical demand.
More SCCM Information
If you have questions about using SCCM at CSUEB that aren't covered in the FAQ, please send e-mail to the SCCM team at CPPM@csueastbay.edu.
These FAQs were based on the FAQs developed by Stanford University's Central Patch Management Team. We'd like to thank them for sharing their experiences and contributions to this project and the FAQs.
*Working from Home during COVID-19 download our CSUEB VPN here*
See the Software Store for VPN