Creating a Remediation operation for SCCM

A Remediation operation uses information gathered from a vulnerability management system to create an operation that corrects those vulnerabilities on servers managed with SCCM. You launch a Remediation operation from the Operator Dashboard

This topic contains the following sections:


In TrueSight Vulnerability Management, security personnel typically use the Security Dashboard to assess the vulnerabilities affecting their server environment, spot historical trends, and project days needed to close all vulnerabilities. Operations personnel use the Operator Dashboard to identify vulnerabilities on servers and filter those vulnerabilities down to a set with the highest priority for remediation.  

When you have used the Operator Dashboard to identify a set of vulnerabilities that require remediation, you can launch the Remediation operation wizard directly from the dashboard. When you complete the wizard, TrueSight Vulnerability Management generates operations that deploy software updates, applications, or application packages in SCCM to correct vulnerabilities detected on the servers you manage. A different operation is created for each of those types of deployments. You can view the progress of operations on the home page

Examples of the process

To view a topic that shows how to create a Remediation operation, see Using SCCM to remediate server issues detected in a vulnerability scan.

How does TrueSight Vulnerability Management interact with SCCM?

When you complete the Remediation wizard and launch a Remediation operation, TrueSight Vulnerability Management interacts with SCCM to perform the following actions:

  1. The initial actions differ depending on the type of operation:
    • For Software Updates, TrueSight Vulnerability Management:
      1. Creates a collection of devices based on the targets specified in the the wizard. The collection is created in the background using Powershell calls.
      2. Creates a software update group containing all updates that are mapped to vulnerabilities and specified in the wizard. The software update group is created in the background using Powershell calls.
      3. Creates a deployment package (used to download software updates).
        Device collections, software update groups, and deployment packages are all assigned names using the same convention: OperationName_CollectionName_SRS. For example, JunitJob_All Systems_SRS.
      4. Downloads the contents of the software update group to a shared folder. The shared folder is identified during the onboarding process.
    • For Applications or Application Packages, TrueSight Vulnerability Management creates a device collection of all selected targets on the SCCM server. The collection is created in the background using Powershell calls. The collection is assigned a name using this convention: OperationName_Application/PackageName_DeploymentType_CollectionName_SRS. For example, ToolkitUpdate_Config Mgr Toolkit_Package_All Systems_SRS.
  2. TrueSight Vulnerability Management distributes the deployment package, application, or application package to distribution points for which the user has access. Security scopes control user access to distribution points. You can set configuration parameters to determine what percentage of distribution points must receive the deployment package before the Remediation operation begins.
  3. TrueSight Vulnerability Management starts deployment of remediation content to target devices. The operation remains in a Running state in TrueSight Vulnerability Management until all target devices have a status of compliant, non-compliant, or failed. Deployment can only proceed on a target when the policies defined for that device allow updates. (For example, a policy might specify a periodic software inventory for a server, and that inventory triggers deployment of  remediation content.) Because of this dependency on server-specific policies, the timeframe to complete a deployment can be lengthy.


TrueSight Vulnerability Management does not check for maintenance windows.

Before you begin

For TrueSight Vulnerability Management to interact successfully with SCCM:

  • The TrueSight Vulnerability Management user must have sufficient privileges in SCCM to create device collections, software update groups, and deployment packages. The user could have full administrative privileges in SCCM, but if you do not want to grant such extensive authority, the user must at minimum belong to an Active Directory group that is associated with at least one of the following security roles:
    • Operations Administrator
    • Infrastructure Administrator
  • A shared folder must be created on the SCCM server. All SCCM clients must have access to the shared folder. The shared folder is identified during the onboarding process.
  • Device collections should always be assigned to Active Directory groups.

To create a Remediation operation

  1. Open the Operator Dashboard by selecting TrueSight Vulnerability Management > Operator Dashboard
  2. Use the filtering tools to identify a set of vulnerabilities that require remediation, as described here
  3. Launch the Remediation wizard by clicking Remediate. The wizard opens and shows the Definition page.

     If the Remediate button is not enabled, click here for more information.

    The Remediate button is only enabled when a set of conditions are satisfied, as illustrated in the following flowchart.

      Enable Remediate button flowchart

    If you answer yes to all the questions in the flowchart and the Remediate button is still not enabled, contact BMC Support

  4. Perform the following steps:

    1. Complete each page in the Remediation Operation wizard. The pages are listed below. Each page corresponds to one of the following sections on this page.
      After you provide all required information for a page, proceed to the next page by clicking Next (at bottom) or clicking the next chevron in the ribbon at top. At any time you can click Back (at bottom) to display the previous page in the process. Do not use the browser's Back button.

    2. When you have finished defining the operation, click Finish.
      When you click Finish, a placeholder message appears on the home page. The placeholder states that one or more operations are being created. You can follow links in the message to check the status of any operations being created. Refreshing the page shows the updated status of the operations. When the creation of the operation is complete, you can refresh the page so the operation appears on the home page. You can run the operation immediately or it can run according to its schedule. 
      You can also click Finish to save the operation even if you have not visited all the pages in the wizard.

The following sections describe in detail each step in the Remediation Operation wizard.


The Definition page provides general information about the operation.

The Definition page includes the following options:


Name of the operation.

When the wizard creates operations, it uses the following conventions to generate names:

For Software Update operations:

<text entered in Name field>_<target system collection>_SRS

For example, if you name this operation SCCMPasswordSecurity, and the operation is a software update that will be deployed to all managed servers, the operation will be named SCCMPasswordSecurity_All Systems_SRS

For Application and Package operations:

<text entered in Name field>_<type of operation>_<target system collection>_SRS

For example, if you name this operation SCCMPasswordSecurity, and the operation is an application package that will be deployed to all managed servers, the operation will be named SCCMPasswordSecurity_Package_All Systems_SRS.


Optional descriptive text for the operation.

By default, descriptive text is added that lists the filters in effect and the scan files being used when you launched this wizard.

Security GroupSpecifies your current security group. If you are assigned to more than one group, this option is available. If you are assigned to only one group, this option defaults to that group and you cannot edit this option.

The boxes at right summarize the information provided for each page in the wizard.


The Remediations page consists of a list of vulnerabilities requiring remediation. Each row represents a separate vulnerability that has been discovered on an endpoint and mapped to remediation content.

To appear on the Remediations page, a vulnerability must appear in the Actionable Vulnerabilities list of the Operator Dashboard. You can use filters on the Operator Dashboard to control the contents of the Actionable Vulnerabilities list.

Using the Remediations page, you can remove remediations from the list of those being deployed by clearing checkmarks on each row.

If necessary, you can sort the list of remediations by clicking on header names. You can also filter the items displayed in the list using the search boxes at the top of each column. Be aware that filtering items so they do not appear in the list does not remove those items from the list of remediations to be corrected. To remove a vulnerability, you must explicitly deselect that row so it does not include a check mark.

Modifying contents of the list

To remove a target from the list, click on a row representing a server. Clicking the row again, selects the target.

To remove all targets from the list, click the deselect all option, shown below. Clicking the option again, selects all targets.


Sorting data in columns

Sort columns of data on this page by clicking on column headers.

Filtering data in columns

Using the text boxes at the top of each column, enter any number of characters. As you enter characters, the list narrows its results to show only items with data that includes the text string you have entered. Clear all text from the search box to show all items. You can enter data in multiple columns to show only results that match all criteria.

Some columns provide a list of choices that you can select. The columns are filtered to show only the values you select.

SCCM Configuration Details

The SCCM Configuration Details page shows some configuration details.

This page is read only, and it only applies when TrueSight Vulnerability Management is connected to SCCM. The values on this page are established during the onboarding process. This information may be useful for troubleshooting purposes.

This page provides the following information:

Shared Folder Location (UNC)Read only: A folder on the SCCM server that all SCCM clients can access. The contents of the software update group used for remediation are downloaded to the shared folder. The shared folder is identified during the onboarding process. The location is identified using the Universal Naming Convention (UNC).


The Operation page lets you schedule and configure the operation or operations that the wizard creates. 

The Operation page shows the operations being created by the Remediation operation wizard in the Planned Operations section.

The page also lets you define a schedule for the operations and perform other types of configuration for the operations you are about to perform. The schedule you define corresponds to the "software available time" that can be defined for a software deployment in SCCM. By default a deployment defined through TrueSight Vulnerability Management specifies a software deadline time for this deployment to be one week after the software available time you schedule on this page. If you have configured a connection to TrueSight Orchestration and set up job approval in SCCM, you can also use the Operation page to configure the job approval request, as described in Requesting job approvals.

Defining a schedule

  1. Click With Schedule.
  2. Click the clock icon  beside Run Once At.
    An interface similar to a digital clock appears.
  3. Set the hour and time for the operation. Then click AM or PM to toggle between those choices.
  4. Select the date when the operation runs.
  5. Select a time zone for the operation.

Requesting job approvals

If you set up job approval and change tracking, you can request a job approval through a change management system, such as BMC Remedy ITSM and execute the Change Automation use case. For an overview of the use case, see Change Automation.

To request job approval

Under the Change Approval Information section, select the change template and various approval parameters, as described in Job approval options.

Job approval options


Select Default Template from the list. When you choose this option, change request will be created in BMC Remedy ITSM based on the default template.
You can also create customized templates in BMC Remedy ITSM and configure the DEFAULT_TEMPLATE_MAP parameter in TrueSight Orchestration to display and use that template in Vulnerability Management. For more information about this parameter, see Configuring the ITSM Automation run book in the TrueSight Orchestration documentation.


Enter the urgency of the change being requested.

  • Critical—The change is immediately necessary to prevent severe business impact. Change approval is needed by the CAB or Emergency Committee (CAB/E-CAB).
  • High—The change is needed as soon as possible because of potentially damaging service impact.
  • Medium—The change will solve irritating problems or repair missing functionality. This change can be scheduled.
  • Low—The change will lead to improvements, changes in workflow, or configuration. This change can be scheduled.

Select the scope of the change being requested. For example, is the job targeted for one server or a large number of servers? The default value is Minor/Localized.

  • Extensive—There is significant business service impact because multiple customers are affected by the change. Considerable human and technical resources are needed. Management is involved in the decision process. The RFC must be discussed in the Change Advisory Board (CAB) meeting and approved by the Change Manager. The Change Manager seeks advice on change authorization and planning.
  • Significant—There is clear service impact because at least one customer is affected by the change. The RFC must be discussed in the CAB meeting and approved by the Change Manager. The Change Manager seeks advice on authorization and planning.
  • Moderate—There is little impact on current services because no customers are affected as a result of the change. The Change Manager can authorize this RFC.
  • Minor—The change can be executed without prior approval from the Change Manager because no customers are affected by the change.

Select the reason to be specified in the change request. Valid values are:

  • 1-Fix/Repair
  • 2-New Functionality
  • 3-Maintenance
  • 4-Upgrade
  • 5-Other

Select the class for the change request. Valid values are:

  • Emergency
  • Expedited
  • Latent
  • Normal
  • No Impact
  • Standard

Executing operations immediately

You can schedule the operation to run immediately after you finish the Remediation operation wizard by clicking Execute Now.


You cannot request for job approval if you choose to execute an operation immediately.

Where to go next

After you have launched a remediation operation, it appears on the home page. There you can use the capabilities of TrueSight Vulnerability Management for ongoing management of operations, such as executing the operation (if it has not already run), deleting the operation, or viewing results.

To view results of the remediation operation after it executes, see Using SCCM Remediation operation results.

Was this page helpful? Yes No Submitting... Thank you