
SMS Solutions for Security and Patch Management

The SMS software update management feature allows administrators to audit, deploy, and track updates for various software applications throughout the IT infrastructure. Specifically, the feature allows you to manage updates to software such as Microsoft operating systems, Office, Internet Explorer, Microsoft SQL Server, and Exchange.

Software update management relies on software update catalogs published by Microsoft, which contain the up-to-date list of necessary software updates. Because Microsoft continues to release software updates, keeping all computers in an organization compliant with those updates is an ongoing administrative task. Ensuring that clients are up-to-date with security updates is an especially critical task. By using the software update management feature in SMS 2003, you can automate and simplify deployment of software updates in your organization. Additionally, the synchronization component provides an easy way to create a standardized routine for ongoing software update compliance throughout your enterprise with minimal manual steps.

The software update management client components are slightly different on the legacy client and the advanced client. See Chapter 4 for information on these clients. Some features, such as persistent notification and scheduled installation, are available only on the advanced client. The software update management feature consists of several components, some of which use primary features of SMS, such as hardware inventory, software distribution, and reporting. The software update management feature consists of the following components:

  • Software update inventory tools

  • Distribute Software Updates Wizard (DSUW)

  • Software Updates Installation Agent

  • Reports

Let's take a look at each of these components in more detail. Software update inventory tools scan the client computers in your environment and create a detailed inventory of the installed and applicable system updates. The scanning process helps to identify the clients in your environment that require security updates or updates to software such as the operating system and Microsoft Office. Software update inventory tools also ensure that only necessary software updates are deployed on clients. The software update inventory tools include the Security Update Inventory Tool, which handles security software updates for software such as Microsoft operating systems, Internet Explorer, SQL Server, and Exchange. Another utility is the Microsoft Office Inventory Tool for Updates, which handles software updates for Microsoft Office. The software update inventory tools are not dependent on each other: you can use either tool without the other, or use both. Software update inventory tools are not installed on SMS sites by default; they must be downloaded from the Microsoft web site for SMS.

SMS 2003 utilizes the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates to determine the update compliance of systems under management. These tools can be used only within an SMS 2003 site hierarchy, or on SMS 2.0 sites and client computers that report to the SMS 2003 site. The previous release of the SMS 2003 Software Update Scanning Tools used Microsoft Baseline Security Analyzer (MBSA) version 1.2 for the Security Update Inventory Tool. The new scanning tools released with SMS 2003 SP1 also use MBSA 1.2, but include additional code. This version of the scanning tools will work with both SMS 2003 and SMS 2003 SP1.

The SMS Extended Security Update Inventory utility is a scan tool built for the sole purpose of helping customers identify SMS client computers that may need security updates that are not detectable using the existing SMS Security Update Inventory Tool built on MBSA. Like the SMS Software Update Inventory utility, this tool also provides the instructions to locate each applicable update, download it from Microsoft, and deploy it using SMS. The SMS Extended Security Update Inventory Tool is built on Enterprise Scan Tool (EST) detection technology. For more information about the exact detection capabilities of EST and how EST differs from MBSA, see Microsoft Knowledge Base Article 894193. For more information on the SMS Extended Security Update Inventory Tool, see the included user guide and release notes.

SMS 2003 and the SMS 2.0 SUS Feature Pack use MBSA 1.2 and the Microsoft Office Inventory Tool to detect security updates on SMS client computers. The SMS hardware inventory process returns security update information to the SMS site server. Then, SMS administrators can use the Distribute Software Updates Wizard (DSUW) to deploy critical updates. The DSUW is included in SMS 2003 and in the SMS 2.0 SUS Feature Pack. Because of limitations in the products that MBSA 1.2 supports, SMS 2003 and the SMS 2.0 SUS Feature Pack cannot detect all the security updates that are released. Therefore, Microsoft has released the Extended Security Update Inventory Tool to help SMS 2003 and SMS 2.0 administrators detect security updates that MBSA does not detect. This utility also helps deploy these updates by using the DSUW.

The inventory data provided by the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates gives you detailed information, in a central location, about the compliance level of your SMS clients. This information includes a list of currently installed updates and service packs, software updates that are available and applicable, the date and time each update was posted, and the date and time each update was installed. In addition, the software update inventory data includes a link to the Microsoft Knowledge Base article for each applicable update. This allows you to access the information in context, which helps you correctly evaluate the need for those updates in your environment.

Each of the software update inventory tools consists of an installer program to install the utility and two additional components: a synchronization component and a scan component. The synchronization component runs on an Internet-connected SMS site server or on an Internet-connected SMS client. It is responsible for keeping software update catalogs and software update inventory tools up-to-date. To do so, the synchronization component checks the Microsoft Download Center web site at a specified interval. It synchronizes the site's copy of the security catalog or the Office catalog with the latest catalogs posted by Microsoft, and it updates the site's scan components by downloading any new versions posted by Microsoft.

The scan component runs on SMS clients. It scans client computers for installed software updates. It then evaluates the client's existing software updates against the latest catalogs to determine which updates are installed and which updates are applicable for the client. The scan component stores the results of this evaluation in WMI on the client. From that point on, the SMS hardware inventory feature processes this information as part of the client's hardware inventory data.

The Software Updates Installation Agent facilitates the deployment of software updates on clients, ensuring that only the necessary updates are installed. It compares the list of authorized and available software updates to the list of applicable software updates on the client. It then determines which updates need to be installed on the client to bring it into compliance.

The Software Updates Installation Agent consists of a few executable files, the main one being Patchinstall.exe. The DSUW ensures that Patchinstall.exe is included in every software update package, and Patchinstall.exe is specified as the program file for the software update program. When the advertised software update program runs on the client computer, Patchinstall.exe runs and starts the software update deployment. Depending on the parameters specified for Patchinstall.exe, the Software Updates Installation Agent can perform tasks such as displaying dialog boxes that allow users to postpone the installation, installing the software updates, and controlling the computer's restart behavior.

Another key component of the SMS software update management features is the Distribute Software Updates Wizard (DSUW). The DSUW is installed on SMS site servers and on remote SMS Administrator Consoles by default. The DSUW provides an intuitive interface that simplifies the software update deployment process. By using the software update inventory data that is provided by the software update inventory tools, the DSUW helps you create the software update packages, programs, and advertisements.

By using the wizard, you can evaluate applicable software updates, access additional information about those updates, and then select the software updates that clients need. You can prioritize the software updates, specify installation parameters, and customize branding for the software updates. You can specify the deployment schedule and other installation parameters such as whether to enforce the update deployment. By using the wizard, you can also attach an RTF file to software update programs. Those RTF files can contain important information for users, such as information about the software updates contained in the package and specific usage instructions.

The DSUW helps you complete the process of updating client software, from downloading the update source files to advertising the software update program to the appropriate clients. It performs all the software distribution-related tasks as follows:

  • Creates and manages software update SMS packages

  • Downloads software update source files from the Internet to a specified local package source share

  • Distributes software update source files to specified distribution points

  • Creates software distribution programs for software update packages

  • Creates advertisements for the software update programs

The software update management feature in SMS 2003 also includes several predefined software update reports for tracking software update compliance throughout your company. They display information such as applicable software updates and the installation status of a specified software update. Microsoft releases information about software updates in the form of catalogs and Web downloads. The Security Update Catalog and the Microsoft Office Update Catalog are periodically updated as new software updates are released.

The software update management feature in SMS 2003 uses these catalogs as references to evaluate clients. Software update management performs a detailed inventory of the installed and applicable software updates on all of the SMS client computers in your enterprise. Software update inventory tools scan clients and determine what updates are needed to bring the client up-to-date and then administrators use the Distribute Software Updates Wizard to deploy necessary updates.
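The following is an added model of the compliance logic described above (scan results per client, the Installation Agent's "authorized and applicable" rule, and a per-client compliance summary like the predefined reports). It is illustrative code, not SMS code: the catalog, update IDs and scan results are constructed sample data, whereas real SMS stores scan results in WMI and moves them through hardware inventory.

```python
"""Model of SMS 2003 software update compliance evaluation (added example)."""
from dataclasses import dataclass, field

# Constructed catalog: update id -> (product, severity). IDs are made up.
CATALOG = {
    "KB-A001": ("Windows", "Critical"),
    "KB-A002": ("Windows", "Important"),
    "KB-B001": ("Office", "Critical"),
    "KB-C001": ("SQL Server", "Moderate"),
}


@dataclass
class ScanResult:
    """What the scan component records for one client."""
    client: str
    installed: set = field(default_factory=set)
    applicable: set = field(default_factory=set)  # applicable, not yet installed


def updates_to_install(scan: ScanResult, authorized: set) -> set:
    """Installation Agent rule: install only updates that the administrator
    authorized via the DSUW AND that the scan found applicable to this client."""
    return (authorized & scan.applicable) - scan.installed


def compliance_report(scans, authorized: set) -> dict:
    """Per-client summary: compliant when no authorized update is missing."""
    report = {}
    for scan in scans:
        unknown = scan.applicable - CATALOG.keys()
        if unknown:  # stale catalog: scan mentions an update we cannot evaluate
            raise ValueError(f"{scan.client}: unknown updates {sorted(unknown)}")
        missing = updates_to_install(scan, authorized)
        report[scan.client] = {
            "compliant": not missing,
            "missing": sorted(missing),
            "critical_missing": sorted(u for u in missing
                                       if CATALOG[u][1] == "Critical"),
        }
    return report


# Constructed scan results for three sample clients.
SCANS = [
    ScanResult("WS1", {"KB-A001"}, {"KB-A002", "KB-B001"}),
    ScanResult("WS2", set(), {"KB-A001", "KB-C001"}),   # KB-C001 not authorized
    ScanResult("WS3", {"KB-A001", "KB-B001"}, set()),
]
AUTHORIZED = {"KB-A001", "KB-A002", "KB-B001"}

if __name__ == "__main__":
    for client, status in compliance_report(SCANS, AUTHORIZED).items():
        print(client, status)
```

Note that WS2 needs KB-C001 according to the scan, but it is not installed because it was never authorized: the agent only closes the gap the administrator chose to close.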
