[Advice with our Patch Management]

Let me preface this with I am sorry if this has been asked previously.  I've tried searching for solutions but phrasing the question in Google is difficult and I keep picking up stuff that doesn't actually address the question.

 

On to the actual question; we are implementing a brand new install of SCCM (the system we inherited is appalling) and everything is going great so far.  I've completely redesigned the patch management using various best practices and what works for us.  For now I've created a monthly patches SUG and a baseline SUG (that contains all updates that have not been superseded or expired).  This is based on an ADR I run manually each month and our first monthly patch went great so I moved the updates from that update group into the baseline and deleted the update group (as it was 100% compliant).  What then happened was all the updates I'd added redownloaded to the source location of the baseline (but they also stayed in the same location for the ADR created monthly deployment).

 

Do I now need to delete the ADR created deployment too, would that then remove the content from the duplicate location and just keep it in the baseline source folder or should I just delete it manually?

[using System Center 2012 Configuration Manager - Part 1. Installation - CAS]

When we install any application, for example an antivirus software - like McAfee on a server...we need admin rights on the server. I can logon using my domain admin credentials and install that application. That software usually does NOT run using my domain admin credentials.

 

How is SCCM 2012 any different?

 

I guess I need to understand what the SMSAdmin user is really for.

Is it a service account [meaning SCCM will be running under that account]?

 

Even if that is true...why the need to logon using SMSAdmin to do the install. Just do the install using any user who has enough rights and then change the services to run under SMSAdmin.

 

.......or I am totally missing something?

 

I'm a little unsure of this too. I can understand the need for the domain user (local admin on clients) for the client installer but not sure how using the SMSAdmin as opposed to domain admin is any more secure in the sense of installing the SCCM & SQL software.

 

Having said that though isn't it best practice to only use Domain Admins accounts as and when you need them as opposed to all the time (which I'm guilty of doing unfortunately)?