Using SCCM to remediate server issues detected in a vulnerability scan

This use case demonstrates how to use TrueSight Vulnerability Management in conjunction with SCCM to generate remediation operations for vulnerabilities detected in a vulnerability scan. This topic continues the process of using TrueSight Vulnerability Management to remediate scan results. The initial steps in the process are described in Mapping vulnerability scan results to a server environment.

This topic includes the following sections:

The following video demonstrates how to use TrueSight Vulnerability Management to analyze and remediate the results of a vulnerability scan by running a software update in SCCM.


You can use TrueSight Vulnerability Management to analyze the results of a vulnerability scan after those results have been imported into TrueSight Vulnerability Management. You can remediate (that is, correct) vulnerabilities by running a Remediation operation, which in turn launches one or more operations, such as Software Updates.

Before you can remediate vulnerabilities, you must first import results of a vulnerability scan from a tool such as Qualys, Nessus, or Rapid7 and then map those results to servers and remediation content in SCCM. Remediation content can be patches, hotfixes, and other types of critical software updates from Microsoft. The full mapping process is demonstrated in Mapping vulnerability scan results to a server environment.

After those steps are complete, you can use the Security Dashboard to assess vulnerabilities from a security standpoint and the Operator Dashboard to identify and prioritize vulnerabilities that require attention. With filtering, you can limit the information presented on either dashboard. After you have refined the display to show a group of vulnerabilities that you want to correct, you can use the Operator Dashboard to launch the Remediation operation wizard, which lets you choose the specific vulnerabilities to address.

When you finish using the Remediation operation wizard, TrueSight Vulnerability Management launches one or more operations, which appear on the home page. You can manage those operations as you do any operation in TrueSight Vulnerability Management. You can also view and use their results just as you do other operations.

What do I need to get started?

  • You must have a user ID that can access and use TrueSight Vulnerability Management. 
  • You must import vulnerability scans and map their assets and vulnerabilities to servers and content in your TrueSight system. For a demonstration of that process, see Mapping vulnerability scan results to a server environment

How to remediate vulnerabilities detected in a scan



Example (click to enlarge) 


Select TrueSight Vulnerability Management > Operator Dashboard.

The Operator Dashboard provides charts and filters that help you identify vulnerabilities that require attention. When you have narrowed the focus down to a set of critical vulnerabilities that require action, you can launch a remediation operation.

By default the dashboard shows data from the last 90 days.


Use filters to limit the number of items in the Actionable Vulnerabilities list. This is the list of servers and their vulnerabilities that you can potentially remediate by running a Remediation operation.

In this example we begin with 258 items in the Actionable Vulnerabilities list. Applying the following filters limits the Actionable Vulnerabilities to five.

  • For Bulletin ID, we select a single bulletin.

  • For Severity, we select 4 and 5, which excludes vulnerabilities with a severity of level 1, 2, or 3.

  • For SLA, we choose to show information for vulnerabilities that are Approaching SLA or Exceeded SLA.

  • For Status, we select Awaiting Attention, which excludes vulnerabilities for which remediation is already in progress.

After selecting filtering options, click Apply Filters to activate your choices. This filtering narrows the scope down to five vulnerabilities.


Click Remediate.

The Remediation operation wizard opens.


On the Definition page of the wizard, enter a name for the operation. If your user ID is assigned to more than one security group, you also must select a security group. Then click Next.

When the wizard generates operations, it uses the name you enter, followed by the collection of systems being targeted, followed by a date and time and then followed by _Deployment. For example, if the name you enter is Fix10-001 , it targets a collection called All_Systems, the operation is called Fix10-001_All Systems_23Mar2017-6_12_09_Deployment.


On the Remediations page, review the list of remediations that the Remediation wizard will deploy. If you do not want to deploy one, select the check mark to deselect it. Then click Next.

If necessary, you can use filters to limit the number of remediations displayed. Bear in mind that filtering remediations does not remove them from the list of remediations to deploy. The only way to remove a remediation is to clear the check mark or to return to the Operator Dashboard and use filters there to control the list of remediations that you are going to remediate.

6The Configuration Details page provides information about your SCCM configuration. There is no action you need to take on this page. Click Next.


The Operation page lets you set up a schedule for any operations being generated.

  1. Under Global Schedule Settings, select With Schedule. This indicates you are defining a schedule for the operations rather than executing them immediately.

  2. Next to Run Once At, use the clock and calendar icons to set a time and date for the operation to execute. You must set a time at least five minutes in the future. In this example, we select a time of 1 AM the next morning, which is our next maintenance window.


In the Planned Operations list, make sure all operations have green checks, indicating they are configured so their execution can launch correctly.


Click Finish. The home page may display a message like the following while the operations you have defined are created:

When the operations have been generated, you can refresh the home page and the operations appear. If you scheduled the operations to run immediately, they may begin to execute immediately. (In SCCM, execution times vary depending on the availability of target servers.) In this example they are ready to execute according to schedule.

Wrapping it up

In this topic you used the Operator Dashboard in TrueSight Vulnerability Management to filter vulnerabilities and then launch the Remediation Operation wizard. The wizard generates two operations to correct vulnerabilities detected in the vulnerability scan.

Where to go from here

You can view the results of the operations that this procedure generates.

If you want to learn more about using the options available in the Remediation Operation wizard, see Creating a Remediation operation for SCCM.

Was this page helpful? Yes No Submitting... Thank you