Understanding the Vulnerability Response patch orchestration integration with Microsoft SCCM

  • Release version: Yokohama
  • Updated January 30, 2025

    Manage patches and patch deployments for the critical vulnerabilities on your assets with the Vulnerability Response integration with the Microsoft System Center Configuration Manager (SCCM) product.

    Patch orchestration with Vulnerability Response

    Patch orchestration with Vulnerability Response uses scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. Scanner detection data matches the assets in your environment to vulnerabilities and to the patch updates that can fix them. You submit patch requests for approval, schedule patch updates to resolve vulnerable items, and monitor remediation progress, all from your ServiceNow AI Platform® instance.

    Vulnerability Response patch orchestration with Microsoft SCCM

    When the Vulnerability Response Patch Orchestration with the Microsoft SCCM application is used with the ServiceNow® Vulnerability Solution Management, Patch Orchestration, and Vulnerability Response applications, vulnerability managers and analysts can perform the following tasks:
    • See more context and information about the types of patches and vendors' solutions (patches).
    • View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces.

    IT specialists and remediation owners can perform the following tasks:

    • Deploy patches supported by the Microsoft SCCM product for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals during off-hours to avoid conflicts with business activity.
    • Identify unpatched assets with vulnerabilities, or assets that were not successfully updated by scheduled patches, using detection data imported from third-party scanners.
    • Schedule available patches for vulnerable, unpatched assets from either the IT Remediation Workspace or the classic UI, starting from patch update, remediation task, or discovered item records.

    Key terms in the Vulnerability Response and Microsoft SCCM applications

    Configuration item (CI)
    CIs are the existing assets that are listed in your Configuration Management Database (CMDB). Microsoft SCCM refers to CIs as devices.
    Collections and device collections
    Terminology used in the Microsoft SCCM product that refers to a group of assets.
    Vulnerable item
    An imported vulnerability that matches an existing asset in your CMDB.
    Instance
    A distinct account of the Microsoft SCCM application. Each user account can be an instance in the Microsoft SCCM application. This term also refers to a unique, secure web address for a ServiceNow AI Platform instance.
    Integration
    An integration is a scheduled job in the ServiceNow AI Platform that retrieves information from a third-party source, such as the integration with the Microsoft SCCM server and the machines it manages.
    Solution
    There are two types of solutions in the context of this integration: potential and preferred. A potential solution is one that might address a vulnerability. Vulnerabilities often have many potential solutions. A preferred solution is the most effective solution for a specific, detected vulnerability.
    Patches
    Software updates that fix vulnerabilities. In the Microsoft SCCM application, patches are also called Patches. For example, Microsoft SCCM has patches for Windows, CentOS, macOS, Oracle, and other products.
    Preferred patch
    Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
    Remediation task or, prior to v15.0 of Vulnerability Response, vulnerability group
    A list of vulnerable items in the Vulnerability Response application, grouped by the actions that are required to fix the vulnerabilities.
    Deployment
    Deployment for the purposes of this integration refers to when you apply, initiate, or schedule a patch to a machine. You can deploy the patches you downloaded from Microsoft SCCM in your ServiceNow AI Platform by navigating to discovered items, patches, or remediation tasks from individual records in Vulnerability Response. You can deploy patches with scheduled jobs to individual machines or to computer groups.

    Deployment in the ServiceNow AI Platform can also refer to an integration that supports multiple sources. A single configured instance of an integration is referred to as a deployment of that integration, and your deployments together make up the integrations and products across your environment. For example, you might have multiple deployments of the Microsoft SCCM Vulnerability integration in your environment.

    Vulnerability Solution Management and the Vulnerability Response patch orchestration integration with Microsoft SCCM

    The Vulnerability Solution Management application is a ServiceNow AI Platform application that correlates your vulnerability findings with a breakdown of the solutions (patches) that remediate them. Use it to identify the third-party software patches for products and services, configuration updates, and other controls that have the highest impact for your organization. Along with third-party scanner information, the Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications work together to roll preferred patches up from the solution, to the vulnerability, to the vulnerable item, helping you fix and close vulnerabilities in your environment. The Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications are all available in the ServiceNow® Store.

    Required ServiceNow AI Platform roles

    The integration installation, configuration, and remediation tasks require the following roles in your ServiceNow AI Platform instance.

    admin
    Users with this role get entitlements for applications in the ServiceNow Store and download them to ServiceNow AI Platform instances.
    sn_vul.vulnerability_admin
    Users with this role activate applications in the ServiceNow AI Platform instance and complete configuration of the Vulnerability Response application. This role has complete access to the Vulnerability Response (VR) application and its records. This admin user configures all VR applications, rules, and third-party integrations.
    sn_vul_sccm.configure_integration
    Users with this role configure the Microsoft SCCM Patch Orchestration Integration application. This role contains the sn_vul_sccm.read_integration granular role.
    sn_vul_sccm.read_integration
    Users with this role can view (read only) the records of the Vulnerability Response and Microsoft SCCM Patch Orchestration Integration applications and patch orchestration data.
    sn_vul_patch_orch.configure_patch
    Users with this role can configure and apply patches.
    sn_vul_patch_orch.read_patch
    Users with this role can view (read only) patch information.
    Approvers
    Assign users to the Approver level 1 and Approver level 2 approver groups if you want submitted patch requests approved prior to deployment.

    For more information about assigning these roles using the Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant.

    CI lookup rules

    When data is imported from the Microsoft SCCM application, the Vulnerability Response application automatically searches for matches in the Configuration Management Database (CMDB) using Resource ID data. CI lookup rules are used to identify CIs (assets) and add them automatically to vulnerable item (VI) records when VIs are created. The following CI lookup rules are shipped with the base system and are used to identify CIs (assets) and add them to the discovered items.

    This lookup rule relies on the data brought in by the Service Graph Connector for SCCM. You must install and run the CMDB integration prior to running the SCCM integrations. If you have multiple installations of the SCCM server, you can configure the Service Graph Connector connection alias on the SCCM patch orchestration configuration page so that Resource IDs are matched against the correct server.
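The following added example (not ServiceNow's own code or data model) models what the CI lookup rule above does and the preferred-patch roll-up described under Vulnerability Solution Management: imported SCCM detection rows are matched to CMDB CIs by Resource ID, matched rows become vulnerable items carrying the vulnerability's preferred patch, and unmatched rows stay as discovered items with no CI. It assumes that a Resource ID is unique only within one SCCM server, which is why the connection alias is part of the lookup key; all CI, detection and patch values are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class CI:
    sys_id: str
    name: str
    sccm_alias: str      # connection alias of the SCCM server that sourced this CI (assumed field)
    resource_id: int     # SCCM Resource ID carried in by the Service Graph Connector

@dataclass
class VulnerableItem:
    ci: CI
    vulnerability: str
    preferred_patch: Optional[str]   # None when no preferred solution has been rolled up yet

# Constructed CMDB content: two SCCM servers whose Resource IDs collide,
# so matching on Resource ID alone would attach the wrong CI.
CMDB = [
    CI("ci001", "FIN-WS-01", "sccm_primary", 16777220),
    CI("ci002", "LAB-WS-07", "sccm_lab", 16777220),
]

# Constructed roll-up: vulnerability -> preferred solution (patch) name.
PREFERRED = {"VULN-EXAMPLE-0001": "PATCH-EXAMPLE-A"}

def build_lookup(cmdb):
    """Index CIs by (connection alias, Resource ID), the assumed lookup key."""
    return {(ci.sccm_alias, ci.resource_id): ci for ci in cmdb}

def match_detections(detections, cmdb, preferred=PREFERRED):
    """Return (vulnerable_items, unmatched) for imported detection rows.
    Each detection is a dict with alias, resource_id and vulnerability."""
    lookup = build_lookup(cmdb)
    vis, unmatched = [], []
    for d in detections:
        ci = lookup.get((d["alias"], d["resource_id"]))
        if ci is None:
            unmatched.append(d)   # remains a discovered item with no CI attached
            continue
        vis.append(VulnerableItem(ci, d["vulnerability"], preferred.get(d["vulnerability"])))
    return vis, unmatched

# Constructed detection rows as a scanner/SCCM import might deliver them.
DETECTIONS = [
    {"alias": "sccm_primary", "resource_id": 16777220, "vulnerability": "VULN-EXAMPLE-0001"},
    {"alias": "sccm_lab", "resource_id": 16777220, "vulnerability": "VULN-EXAMPLE-0002"},
    {"alias": "sccm_lab", "resource_id": 16777999, "vulnerability": "VULN-EXAMPLE-0001"},
]
```

The third row has no CI for its alias and Resource ID, so it stays unmatched rather than being attached to a CI from the other server.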

    MID Server

    The Vulnerability Response Patch Orchestration with Microsoft SCCM is an on-premises integration. It requires a standalone Windows MID Server that is not part of a MID Server cluster. The MID Server is required to run scripts on remote machines from your instance and to import data from the SCCM server. APIs for this integration are called through MID Servers that you set up in your ServiceNow AI Platform instance. For more information, see Prepare for the Vulnerability Response patch orchestration integration with Microsoft SCCM.