Application Patching, Testing, and Validation: Closing the Gaps that Microsoft SCCM Doesn’t Address

Written by Rory McCaw on Wednesday, October 24th 2018 — Categories: Azure, Patching, SCCM, Microsoft

Automated server application patching can alleviate a lot of work for IT management teams. It shifts the patching and updating process outside of business hours. In an ideal world, Microsoft’s System Center Configuration Manager (SCCM) would flawlessly execute server application patches.

However, there are some gaps in SCCM patching functionality, especially when it comes to orchestration, validation, and report logs. These can cause issues with QA and risk mitigation and can drive frustrations among your IT staff.

In a perfect world, SCCM would flawlessly execute server patches for common apps like SQL Server, Skype for Business/Lync, Hyper-V virtual servers, Windows Server Clusters, Exchange Server, SharePoint, Open Text RightFax, and Cognos.

Below are three areas where SCCM patching falls short and how they can impact your enterprise.


When a new patch for one of the applications above is detected in SCCM, testing needs to be completed to ensure the environment meets the technical requirements of the patch. If pre-patch testing doesn’t take place, and an update fails, it will trigger an alert to an application developer. This requires them to “tweak” their app to prepare it for patching in the “wee hours” of the morning. Then, they’ll need to apply the patch manually.

Automated patching without automated testing of the application before the update can cause the patching cycle to fail. Administrators who are on call for failed updates must sleep with “one eye open” in case they get an alert to take care of one. They might as well stay at the office until the patching is done, because SCCM won’t progress beyond a failed update.



SCCM wasn’t developed to validate an application after a patch job is complete: it doesn’t confirm whether the server application comes back online, or whether it is working with its supporting database or web server.

What SCCM lacks is the ability to reboot the system after the SCCM-initiated patching, to ensure everything is patched properly, and to ensure that reporting reflects all the patching and updating that was done.

Log Reports

For publicly owned companies and public-sector organizations, it isn’t enough to just patch software. They have to maintain granular reports to demonstrate which patches were applied, when they happened, and whether any human intervention was required. Many companies rely on SCCM to keep their business systems stable and secure. Demonstrating patch compliance for servers and clusters through comprehensive SQL reports is a manual process, and it doesn’t necessarily address everything an auditor would look for.
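The post-patch checks and audit record described above, as an added example (not code from this article, from Infront, or from SCCM): a PowerShell script run on the patched server that confirms the application service is running, its database and web endpoint respond, and no reboot is pending, then appends the result to a JSON-lines log. The service name, hosts, port, URL and log path are placeholder assumptions.

```powershell
# Added example: post-patch validation with an audit record.
# All parameter defaults are placeholders (assumptions), not values from the article.
param(
    [string]$ServiceName = 'MSSQLSERVER',                           # application service to verify
    [string]$DbHost      = 'sql01.example.internal',                # supporting database host
    [int]$DbPort         = 1433,
    [string]$HealthUrl   = 'https://app01.example.internal/health', # web front end
    [string]$AuditLog    = 'C:\PatchAudit\validation.jsonl'
)

$checks = [ordered]@{}

# 1. Did the application service come back online after patching?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$checks.ServiceRunning = ($null -ne $svc -and $svc.Status -eq 'Running')

# 2. Can this server still reach its supporting database?
$checks.DatabaseReachable = [bool](Test-NetConnection -ComputerName $DbHost -Port $DbPort `
    -InformationLevel Quiet -WarningAction SilentlyContinue)

# 3. Does the web server answer?
try {
    $resp = Invoke-WebRequest -Uri $HealthUrl -UseBasicParsing -TimeoutSec 15
    $checks.WebHealthy = ($resp.StatusCode -eq 200)
} catch { $checks.WebHealthy = $false }

# 4. Is a reboot still pending, meaning servicing has not finished?
$checks.NoRebootPending = -not (Test-Path `
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

# Windows updates installed in the last 24 hours (Get-HotFix does not list
# application-level patches such as SQL Server cumulative updates).
$recent = Get-HotFix | Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-1) } |
    Select-Object -ExpandProperty HotFixID

$record = [ordered]@{
    Timestamp = (Get-Date).ToUniversalTime().ToString('o')
    Computer  = $env:COMPUTERNAME
    Installed = @($recent)
    Checks    = $checks
    Passed    = -not ($checks.Values -contains $false)
}

# Append one JSON line per run so the log shows what was applied, when, and the outcome.
New-Item -ItemType Directory -Path (Split-Path $AuditLog) -Force | Out-Null
$record | ConvertTo-Json -Compress -Depth 4 | Add-Content -Path $AuditLog
if (-not $record.Passed) { exit 1 }   # non-zero exit: human intervention needed
```

The non-zero exit code lets whatever scheduler runs the script raise the alert, and the appended log gives an auditor one timestamped record per server per patch window.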

Quality Assurance and Risk Mitigation

Server patch automation is great, but if you need to assign a server administrator to “babysit” the updating/patching process on a weekly basis to pre-test for patch readiness and validate the patch afterwards, there is still a lot of opportunity to enhance the end-to-end patching process.

Some medium-to-large sized enterprises have worked to develop pre-patch orchestration and post-patch validation themselves, or have tried other tools which complement SCCM. These other home-grown and ISV patch automation tools haven’t been able to eliminate all of the pre- and post-patching manual processes throughout the server maintenance lifecycle to the extent that beekeeper can.

Employee Engagement and Technical Staff Turnover

For IT Directors, CIOs and CTOs, maintaining employees who are skilled, familiar with their systems, and an integral part of their company’s culture is challenging. Manually pre-configuring and validating server patches in pre-dawn hours is time-intensive, repetitive and stressful. It isn’t work that most technicians find career-motivating (and who can blame them).

Fortunately, we live in the age of machine learning, robotic process automation (RPA), and AI. Infront built beekeeper, which happily works at all hours of the day and night to address the SCCM functionality gaps described above. It happily pre-tests applications for patching, and validates each update afterwards.

An Infront consultant can program beekeeper to patch other business critical applications for your company. We’re already “heads down” on addressing apps you might already be using, namely SAP and Micros Opera. Further, we handle the update logging and reporting during the night, and alert your team to any gnarly update attempts that need to be sorted out by one of your colleagues.

By automating the full patch management process, your employees will be able to tackle more strategic projects. They can build their AI programming skills, and handle complex, non-standard updates which build skills and understanding to build their career on. 

Want to start a proof of concept of beekeeper in your Hyper-V or physical server environment? Are you building an Azure environment, and want to focus on scaling your information management architecture in the cloud?

Let’s talk.
