Understanding the Vulnerability Response patch orchestration integration with Microsoft SCCM
Summary of Understanding the Vulnerability Response patch orchestration integration with Microsoft SCCM
The Vulnerability Response patch orchestration integration with Microsoft System Center Configuration Manager (SCCM) enables ServiceNow customers to manage patch deployments efficiently for critical vulnerabilities across their IT assets. This integration combines vulnerability data from third-party scanners with patch information from SCCM, allowing users to schedule, approve, deploy, and monitor patch remediation—all within their ServiceNow AI Platform® instance.
This integration supports patch deployment for Windows, CentOS, macOS, Oracle, and other assets managed through SCCM, helping IT and vulnerability teams coordinate remediation efforts while minimizing disruptions by scheduling updates during off-hours.
Key Features
- Unified Visibility: Vulnerability managers and analysts gain comprehensive views of patch types, vendors, vulnerability data, and remediation progress via Vulnerability Response Workspaces.
- Patch Deployment: IT specialists can deploy patches through SCCM integration, targeting individual machines or groups (collections) from the ServiceNow platform, with scheduling capabilities for off-hours.
- Automated Asset Matching: Vulnerable items identified through imported scanner data are automatically matched to Configuration Management Database (CMDB) assets using CI lookup rules, ensuring accurate remediation targeting.
- Patch Request and Approval Workflow: Patch requests can be submitted for approval using defined approver groups before deployment, enhancing governance and compliance controls.
- On-premises Integration Architecture: Utilizes a dedicated standalone Windows MID Server to securely communicate with the SCCM server and execute patch orchestration tasks.
- Role-based Access Control: Specific ServiceNow roles such as admin, sn_vul.vulnerability_admin, and the SCCM integration configurator and reader roles control installation, configuration, patch management, and viewing permissions.
Important Concepts
- Configuration Items (CIs): Assets tracked in the CMDB, mapped to devices in SCCM.
- Collections: Groups of devices in SCCM used for targeted patch deployment.
- Vulnerable Items: Vulnerabilities mapped to CIs that require remediation.
- Solutions and Patches: Potential or preferred patches that address vulnerabilities, with preferred patches being the most effective fixes.
- Remediation Tasks: Lists of actions to fix vulnerabilities, scheduled and monitored within ServiceNow.
- Integration Instance and Deployment: Refers to unique configurations of the Microsoft SCCM integration within the ServiceNow instance, which can be scaled across environments.
Practical Benefits for ServiceNow Customers
- Streamlines vulnerability remediation by automating patch identification, approval, scheduling, and deployment directly from ServiceNow.
- Enhances coordination between vulnerability management and IT operations teams, reducing time-to-remediate and operational disruptions.
- Improves asset and vulnerability visibility by linking scanner data, CMDB, and patch information in a single platform.
- Supports compliance and security governance through controlled patch request approvals and detailed remediation tracking.
- Leverages existing SCCM infrastructure for patch deployment, preserving investment while extending capabilities with ServiceNow’s AI Platform.
Implementation Considerations
- Requires installation and configuration of the Vulnerability Response, Patch Orchestration, Vulnerability Solution Management, and Microsoft SCCM integration applications from the ServiceNow Store.
- Configuration involves setting up CI lookup rules, establishing the MID Server for on-premises communication, and defining user roles and approval groups.
- Multiple SCCM servers and ServiceNow instances can be managed by configuring distinct integration instances and connection aliases.
- Ensure CMDB integration is active and up-to-date before running SCCM integrations to enable accurate asset matching.
Manage patches and patch deployments for the critical vulnerabilities on your assets with the Vulnerability Response integration with the Microsoft System Center Configuration Manager (SCCM) product.
Patch orchestration with Vulnerability Response
Patch orchestration with Vulnerability Response uses scheduled imports from third-party solution integrations, patch vendors, and vulnerability scanners. Scanner detection data matches the assets in your environment to vulnerabilities and to the patch updates that can fix them. You submit patch requests for approval, schedule patch updates to resolve vulnerable items, and monitor remediation progress, all from your ServiceNow AI Platform® instance.
Vulnerability Response patch orchestration with Microsoft SCCM
Vulnerability managers and analysts can perform the following tasks:
- See more context and information about the types of patches and vendors' solutions (patches).
- View and monitor vulnerability and solution data, as well as vulnerability remediation progress from records in the Vulnerability Response Workspaces.
IT specialists and remediation owners can perform the following tasks:
- Deploy patches supported by the Microsoft SCCM product for their Windows, CentOS, macOS, Oracle, and other assets at regular, scheduled intervals during off-hours to avoid conflicts with work.
- Identify, from detection data imported from third-party scanners, unpatched assets with vulnerabilities and assets that were not successfully updated by scheduled patches.
- Schedule available patches from either the IT Remediation Workspace or from the classic UI for vulnerable, unpatched assets from patch update, remediation task, and discovered item records.
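The flow described above (detections matched to CIs, a preferred patch chosen per vulnerability, a patch request gated by approver groups, a deployment scheduled into an off-hours window against SCCM collections, and a rescan that surfaces assets the patch did not fix) can be modelled end to end. The block below is an added illustration written for this page, not ServiceNow or Microsoft code: the record shapes, the `level1`/`level2` approver group names, the rule that two ordered approvals are required and the requester may not self-approve, the 22:00 to 05:00 maintenance window, and the six-hour deadline are all assumptions, and every identifier is constructed and refers to no real vulnerability or patch.

```python
"""Model of the patch orchestration flow: vulnerable item -> preferred patch
-> patch request -> approvals -> off-hours SCCM deployment -> rescan check.

Added illustration, not ServiceNow or Microsoft code. Record shapes, approver
group names, the two-level approval rule and the maintenance window are
assumptions; all identifiers are constructed and name no real vulnerability.
"""
from datetime import datetime, time, timedelta

# Constructed sample data: detections already matched to CMDB CIs (vulnerable
# items) plus the potential/preferred solutions attached to each vulnerability.
VULNERABLE_ITEMS = [{"vi": "VI-1", "ci": "ws-101", "vuln": "VUL-A"},
                    {"vi": "VI-2", "ci": "ws-102", "vuln": "VUL-A"},
                    {"vi": "VI-3", "ci": "ws-103", "vuln": "VUL-B"},
                    {"vi": "VI-4", "ci": "ws-104", "vuln": "VUL-C"}]  # potential only
SOLUTIONS = {"VUL-A": [{"patch": "PATCH-A1", "preferred": False},
                       {"patch": "PATCH-A2", "preferred": True}],
             "VUL-B": [{"patch": "PATCH-B1", "preferred": True}],
             "VUL-C": [{"patch": "PATCH-C1", "preferred": False}]}
COLLECTION_OF = {"ws-101": "Workstations-A", "ws-102": "Workstations-A",
                 "ws-103": "Workstations-B", "ws-104": "Workstations-B"}
APPROVER_GROUPS = {"level1": {"alice"}, "level2": {"bob"}}  # assumed membership
OFF_HOURS = (time(22, 0), time(5, 0))  # assumed window; wraps past midnight
NOW = datetime(2024, 1, 10, 14, 30)    # constructed "current time" for the scenario


def preferred_patch(vuln):
    """Preferred solution's patch, or None when only potential solutions exist."""
    return next((s["patch"] for s in SOLUTIONS.get(vuln, []) if s["preferred"]), None)


def build_patch_request(vis, requester):
    """Group VIs by preferred patch; VIs without one are left for an analyst."""
    targets, unresolved = {}, []
    for vi in vis:
        patch = preferred_patch(vi["vuln"])
        if patch is None:
            unresolved.append(vi["vi"])
        else:
            targets.setdefault(patch, []).append(vi)
    return {"requester": requester, "targets": targets, "unresolved": unresolved,
            "approvals": [], "state": "pending_approval"}


def approve(req, user, level):
    """Record one approval: right state, group membership, level order, no self-approval."""
    if req["state"] != "pending_approval":
        raise ValueError("request is not awaiting approval")
    if user == req["requester"]:
        raise PermissionError("requester cannot approve their own request")
    if user not in APPROVER_GROUPS[level]:
        raise PermissionError(f"{user} is not in approver group {level}")
    expected = "level1" if not req["approvals"] else "level2"
    if level != expected:
        raise ValueError(f"{expected} approval is required next")
    req["approvals"].append((level, user))
    if len(req["approvals"]) == len(APPROVER_GROUPS):
        req["state"] = "approved"
    return req["state"]


def rejected_approvals(req, attempts):
    """Try each (user, level) and return the reasons the policy rejected them."""
    reasons = []
    for user, level in attempts:
        try:
            approve(req, user, level)
        except (PermissionError, ValueError) as exc:
            reasons.append(f"{user}/{level}: {exc}")
    return reasons


def next_off_hours(now):
    """Start of the next off-hours window at or after `now` (window wraps midnight)."""
    start, end = OFF_HOURS
    if start <= now.time() or now.time() < end:  # already inside the window
        return now
    return datetime.combine(now.date(), start)


def schedule_deployment(req, now):
    """Turn an approved request into one SCCM deployment per patch, aimed at collections."""
    if req["state"] != "approved":
        raise PermissionError("deployment requires an approved request")
    available = next_off_hours(now)
    deployments = [{"patch": patch, "vis": vis,
                    "collections": sorted({COLLECTION_OF[v["ci"]] for v in vis}),
                    "available": available,
                    "deadline": available + timedelta(hours=6)}  # assumed deadline
                   for patch, vis in req["targets"].items()]
    req["state"] = "scheduled"
    return deployments


def still_vulnerable(deployments, rescan, now):
    """VIs whose deadline has passed but a later scan still reports the vulnerability."""
    return [v["vi"] for d in deployments if now >= d["deadline"]
            for v in d["vis"] if (v["ci"], v["vuln"]) in rescan]
```

The point of `still_vulnerable` is the reconciliation step: a deployment reaching its deadline is not evidence of remediation, only a fresh scanner import that no longer reports the vulnerability on that CI is, so the VI stays open until that import arrives.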
Key terms in the Vulnerability Response and Microsoft SCCM applications
- Configuration item (CI)
- CIs are the existing assets that are listed in your Configuration Management Database (CMDB). Microsoft SCCM refers to CIs as devices.
- Collections and device collections
- Terminology used in the Microsoft SCCM product that refers to a group of assets.
- Vulnerable item
- An imported vulnerability that matches an existing asset in your CMDB.
- Instance
- A distinct account of the Microsoft SCCM application; each user account can be configured as an instance in the Microsoft SCCM integration. The term also refers to the unique, secure web address of a ServiceNow AI Platform instance.
- Integration
- An integration is a scheduled job in the ServiceNow AI Platform that retrieves information from a third-party source, such as the Microsoft SCCM servers.
- Solution
- There are two types of solutions in the context of this integration: potential and preferred. A potential solution is one that might address a vulnerability, and vulnerabilities often have many potential solutions. A preferred solution is the most effective solution for a specific, detected vulnerability.
- Patches
- Software updates that fix vulnerabilities. The Microsoft SCCM application also uses the term patches. For example, Microsoft SCCM has patches for Windows, CentOS, macOS, Oracle, and other products.
- Preferred patch
- Preferred patches are software updates that are intended to fix specific vulnerabilities. Patches, once deployed, map to the vulnerable items that are related to specific vulnerabilities and fix them.
- Remediation task or, prior to v15.0 of Vulnerability Response, vulnerability groups
- Groupings of vulnerable items in the Vulnerability Response application that define the actions required to fix the vulnerabilities.
- Deployment
- Deployment, for the purposes of this integration, refers to applying, initiating, or scheduling a patch to a machine. You can deploy the patches you downloaded from Microsoft SCCM in your ServiceNow AI Platform by navigating to discovered items, patches, or remediation tasks from individual records in Vulnerability Response. You can deploy patches with scheduled jobs to individual machines or to computer groups (collections).
Deployment in the ServiceNow AI Platform can also refer to one configured copy of an integration that supports multiple sources. Each such configured copy is called a deployment of the integration, and together the deployments cover the integrations and products across your environment. For example, you might have multiple deployments of the Microsoft SCCM Vulnerability integration in your environment, one per SCCM server.
Vulnerability Solution Management and the Vulnerability Response patch orchestration integration with Microsoft SCCM
The Vulnerability Solution Management application is a ServiceNow AI Platform application that correlates your vulnerability findings with the breakdown of the solutions (patches) that remediate them. Use it to identify the third-party software patches for products and services, configuration updates, and other controls that have the highest impact for your organization. Together with third-party scanner information, the Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications roll preferred patches up from the solution, to the vulnerability, to the vulnerable item, to help you fix and close vulnerabilities in your environment. The Solution Management for Vulnerability Response, Vulnerability Response, and Vulnerability Response Patch Orchestration with Microsoft SCCM applications are all available in the ServiceNow® Store.
Required ServiceNow AI Platform roles
The integration installation, configuration, and remediation tasks require the following roles in your ServiceNow AI Platform instance.
- admin
- Users with this role obtain entitlements for applications in the ServiceNow Store and download them to ServiceNow AI Platform instances.
- sn_vul.vulnerability_admin
- Users with this role activate applications in the ServiceNow AI Platform instance and complete configuration of the Vulnerability Response application. This role has complete access to the Vulnerability Response (VR) application and its records. This admin user configures all VR applications, rules, and third-party integrations.
- sn_vul_sccm.configure_integration
- Users with this role configure the Microsoft SCCM Patch Orchestration Integration application. This role contains the sn_vul_sccm.read_integration granular role.
- sn_vul_sccm.read_integration
- Users with this role can view (read only) the records of the Vulnerability Response and the Microsoft SCCM Patch Orchestration Integration application and patch orchestration data.
- sn_vul_patch_orch.configure_patch
- Users with this role can configure and apply patches.
- sn_vul_patch_orch.read_patch
- Users with this role can view (read only) patch information.
- Approvers
- Assign users to the Approver level 1 and Approver level 2 approver groups if you want submitted patch requests approved prior to deployment.
For more information about assigning these roles using the Setup Assistant, see Assign the Vulnerability Response persona roles using Setup Assistant.
CI lookup rules
When data is imported from the Microsoft SCCM application, the Vulnerability Response application automatically searches for matches in the Configuration Management Database (CMDB) using Resource ID data. CI lookup rules are used to identify CIs (assets) and add them automatically to vulnerable item (VI) records when VIs are created. The following CI lookup rules are shipped with the base system and are used to identify CIs (assets) and add them to the discovered items.
This lookup rule relies on the data brought in by the Service Graph Connector for Microsoft SCCM. You must install and run that CMDB integration before running the SCCM patch orchestration integrations; otherwise the Resource ID values the rule keys on are not present in the CMDB. If you have multiple installations of the SCCM server, you can configure the Service Graph Connector connection alias on the SCCM patch orchestration configuration page.
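How an ordered lookup-rule chain behaves on imported device data, including what happens when the CMDB import has not yet populated Resource IDs, is easier to see in code. The block below is an added illustration for this page and is not ServiceNow code: the base-system rule for this integration keys on the SCCM Resource ID as the text says, but the CMDB field names, the host-name and IP fallback rules, and the "exactly one hit or stop" policy are assumptions, and both the CMDB rows and the import batch are constructed.

```python
"""CI lookup-rule chain used when imported SCCM device data is matched to the CMDB.

Added illustration, not ServiceNow code. The authoritative rule keys on the SCCM
Resource ID as the page states; the field names, the FQDN and IP fallbacks, and
the 'exactly one match or stop' policy are assumptions. All data is constructed.
"""

# Constructed CMDB rows. resource_id is populated by the CMDB (Service Graph
# Connector) import and is empty where that import has not covered the CI.
CMDB = [
    {"sys_id": "ci-1", "resource_id": "16777220", "fqdn": "ws-101.corp.example", "ip": "10.0.1.11"},
    {"sys_id": "ci-2", "resource_id": "16777221", "fqdn": "ws-102.corp.example", "ip": "10.0.1.12"},
    {"sys_id": "ci-3", "resource_id": "", "fqdn": "srv-db-01.corp.example", "ip": "10.0.2.5"},
    {"sys_id": "ci-4", "resource_id": "", "fqdn": "ws-old.corp.example", "ip": "10.0.1.12"},  # stale IP reuse
]

# Ordered rules: (name, key taken from the imported device, key taken from the
# CMDB row). Most specific first: Resource ID is authoritative, the rest fallbacks.
RULES = [
    ("resource_id", lambda d: d.get("ResourceID", ""), lambda ci: ci["resource_id"]),
    ("fqdn", lambda d: d.get("Name", "").lower(), lambda ci: ci["fqdn"].lower()),
    ("ip", lambda d: d.get("IPAddress", ""), lambda ci: ci["ip"]),
]

# Constructed import batch (field names loosely follow SCCM device records).
DEVICES = [
    {"ResourceID": "16777220", "Name": "WS-101.corp.example", "IPAddress": "10.0.1.11"},
    {"ResourceID": "16777999", "Name": "SRV-DB-01.corp.example", "IPAddress": "10.0.2.5"},  # re-imaged: new ID
    {"ResourceID": "", "Name": "", "IPAddress": "10.0.1.12"},
    {"ResourceID": "", "Name": "laptop-x.corp.example", "IPAddress": "10.9.9.9"},
]


def cmdb_ready(cmdb):
    """True once the CMDB import has populated Resource IDs. If it has not, the
    authoritative rule can never fire and every match degrades to a fallback key."""
    return any(ci["resource_id"] for ci in cmdb)


def lookup_ci(device, cmdb=CMDB, rules=RULES):
    """Apply the rules in order. The first rule with exactly one hit wins. A rule
    with several hits stops the chain as 'ambiguous' instead of falling through to
    a weaker key, and no hit on any rule leaves the record unmatched."""
    for name, dev_key, ci_key in rules:
        key = dev_key(device)
        if not key:  # device record lacks this attribute; try the next rule
            continue
        hits = sorted(ci["sys_id"] for ci in cmdb if ci_key(ci) == key)
        if len(hits) == 1:
            return ("matched", name, hits)
        if len(hits) > 1:
            return ("ambiguous", name, hits)
    return ("unmatched", None, [])


def match_devices(devices, cmdb=CMDB):
    """Summarise an import: sys_id per matched device, plus the records a person
    must review (ambiguous) and the ones that need CMDB work (unmatched)."""
    result = {"matched": {}, "ambiguous": {}, "unmatched": []}
    for dev in devices:
        status, rule, hits = lookup_ci(dev, cmdb)
        label = dev.get("ResourceID") or dev.get("Name") or dev.get("IPAddress")
        if status == "matched":
            result["matched"][label] = (rule, hits[0])
        elif status == "ambiguous":
            result["ambiguous"][label] = hits
        else:
            result["unmatched"].append(label)
    return result
```

Two behaviours are worth keeping when you tune the real rules: a re-imaged client gets a new Resource ID, so the second device only matches through its host name and the CMDB row should be refreshed by the next connector run rather than by the patch integration; and an IP that two CMDB rows share is reported as ambiguous for review, because deploying a patch to whichever CI sorts first would target the wrong asset.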
MID Server
The Vulnerability Response Patch Orchestration with Microsoft SCCM is an on-premises integration. It requires a standalone Windows MID Server that is not part of a MID Server cluster. The MID Server runs scripts against remote machines on behalf of your instance to import data from the SCCM server, and the APIs for this integration are called through MID Servers that you set up in your ServiceNow AI Platform instance. For setup steps, see Prepare for the Vulnerability Response patch orchestration integration with Microsoft SCCM.