2020. 2. 12. 01:02ㆍNo category
If you have been looking for a patch management product and you currently have (SMS) running in your enterprise, then your search is over because you already have one. Microsoft has released a feature pack for SMS 2.0 that allows it to connect to, which is basically a combination of Windows Update and Office Update—but for enterprises.

The tools

The SMS Software Update Services feature pack is available for download at the. The feature pack requires SMS 2.0 running at least SP3 (but Microsoft recommends SP4). The feature pack consists of four separate tools that give SMS the functionality to provide a complete patch management solution.

The Security Update Inventory Installer (SecurityPatchi386.exe) installs three tools that create an inventory of applicable and installed security patches. These are:

- Security Update Inventory Installer: Installed on the SMS site server. Automatically builds the collection, package, and advertisements needed to install the other tool components.
- Security Update Inventory Tool: Uses Microsoft Baseline Security Analyzer technology together with the security patch bulletin catalog, MSSecure.xml, to perform ongoing scans of client computers to detect installed and missing patches.
- Security Update Sync Tool: Downloads the latest security bulletin catalogs and distributes them to client computers via SMS distribution points.

The Office Update Installer Tool (OfficePatchi386.exe) installs three tools that perform the same functions as the above security tools to detect needed updates for Office products installed on client computers. (Since these tools are very similar to the security tools, I will not cover them directly in this article.)

The Distribute Software Updates Wizard Installer (PatchWizi386.exe) tool manages software distribution tasks. It consists of three components:

- Distribute Software Updates Wizard Installer: Installed on the SMS site server. This tool installs the Distribute Software Updates Wizard.
- Distribute Software Updates Wizard: This tool is responsible for software update distribution on the SMS site server. It downloads updates, builds packages and advertisements, and deploys the Software Updates Installation Agent.
- Software Updates Installation Agent: This component facilitates the installation of necessary updates and prevents redundant updates from being installed.

The Web Reports Add-In for Software Updates (SMSWebReportingi386.exe and SMSAddReportsi386.exe) provides added functionality to the existing SMS reporting tool. It allows tracking of individual updates, computers, and groups.

Installation

The download will extract into four separate folders, each containing an executable for each tool along with README and help files. A white paper is also included. Begin the installation by installing the Security Update Inventory Installer. The opening dialog in Figure A will appear, allowing you to select the components to be created and the installed site server.
Figure D

The final component to install is the Web Reporting Tool. This tool is not required for patch management to function, but the reports are more detailed than the results from the resource explorer. I found the dashboard function to be a useful window into the SMS system. The Web reporting add-ons installation is the lengthiest of all the tools, requiring more information from the user during installation. Be prepared to supply the location of the SMS database, the location for Web reporting files, the SQL SA user password, and the anonymous user account password.

Using the tools

Once all the components are installed, the SMS site is ready to function as a patch management tool. The general concept of the tool package is as follows:

1. Security Update Installer builds deployment packages for scan tool.
2. Scan tool is distributed to client machines through SMS distribution.
3. Clients report missing patches during scheduled hardware inventory cycles.
4. SMS admin authorizes patches to be deployed.
5. SMS deploys patches.
6. Web reporting tool or resource explorer verifies successful installation.

Let's take a look at the individual steps involved in the process and push a patch to a machine. First, verify that the scan tool is deployed on the test machine and a hardware cycle is completed.
1. Select the collection the PC belongs to in the SMS console.
2. Right-click on the machine and select All Tasks.
3. Select Resource Explorer.
4. Expand the Hardware tab.

An entry titled Software Updates should be present (see Figure E).

Figure E

If the entry is not present, examine the hardware inventory cycle in SMS and allow it to run sooner. By default, the hardware inventory is disabled on the primary site to reduce overhead. The default interval is seven days. Microsoft recommends that the interval be increased for testing purposes, but cautions about the increased traffic generated. Also check the SMS logs for any errors that may have occurred in distribution. If the scan tool is working, you should see a list of patches with links to the Microsoft 'Q' article, as well as their status as either applicable or installed.
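The checks described above (a missing Software Updates entry, the seven-day inventory cycle, and the applicable/installed status) can be applied to a whole collection at once, both before authorizing patches and again when verifying a deployment. The following is an added example, not part of the original article or of SMS itself; the row layout, machine names, update IDs and dates are constructed assumptions standing in for an export of the inventory data.

```python
from datetime import date, timedelta

# Constructed sample rows; layout and values are assumptions, not an SMS format.
# (machine, update_id, status, date_of_last_hardware_inventory)
INVENTORY = [
    ("WS-001", "Q000001", "Installed",  date(2003, 3, 10)),
    ("WS-001", "Q000002", "Applicable", date(2003, 3, 10)),
    ("WS-002", "Q000001", "Applicable", date(2003, 2, 20)),
    ("SRV-01", "Q000001", "Installed",  date(2003, 3, 11)),
    ("SRV-01", "Q000002", "Installed",  date(2003, 3, 11)),
]
COLLECTION = ["WS-001", "WS-002", "WS-003", "SRV-01"]  # hypothetical collection members
AUTHORIZED = {"Q000001", "Q000002"}                    # updates the admin approved
MAX_AGE = timedelta(days=7)                            # default hardware inventory interval


def triage(inventory, collection, authorized, today, max_age=MAX_AGE):
    """Return {machine: (state, updates)} where state is one of
    no_scan_data, stale, missing or compliant."""
    by_machine = {}
    for machine, update, status, scanned in inventory:
        entry = by_machine.setdefault(machine, {"scanned": scanned, "status": {}})
        entry["scanned"] = max(entry["scanned"], scanned)
        entry["status"][update] = status.strip().lower()

    report = {}
    for machine in collection:
        entry = by_machine.get(machine)
        if entry is None:
            # No Software Updates entry: scan tool not deployed or inventory never ran.
            report[machine] = ("no_scan_data", set())
        elif today - entry["scanned"] > max_age:
            # Older than one inventory cycle: the status cannot confirm a deployment.
            report[machine] = ("stale", set())
        else:
            # Only updates reported as "applicable" are outstanding; an update that
            # is not listed for a machine was not detected as needed there.
            missing = {u for u, s in entry["status"].items()
                       if u in authorized and s == "applicable"}
            report[machine] = ("missing", missing) if missing else ("compliant", set())
    return report


if __name__ == "__main__":
    result = triage(INVENTORY, COLLECTION, AUTHORIZED, today=date(2003, 3, 12))
    for machine, (state, updates) in result.items():
        print(f"{machine:8} {state:13} {', '.join(sorted(updates))}")
```

Machines reported as no_scan_data or stale need the scan tool distribution and inventory cycle fixed first; their patch status should not be counted as either success or failure.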
Installing patches

The patch installation process is initiated by selecting a machine or group of machines in the collection section. Right-click and select the All Tasks option and the Distribute Software Updates selection (as shown in Figure D). Click this to launch the Distribute Software Updates Wizard. This wizard is similar to the SMS Software Updates Wizard, but with extra dialogs specific to the security scan tool. After selecting the package that you want to distribute and allowing the title to be selected, the dialog in Figure F appears, prompting you to select an inventory-scanning program. The installed security update tool should be selected.

Figure G

Select an update by clicking the check box. To see details about each update, select an update and then click the Information button.

In order to install updates, the source files must be downloaded by SMS. The next dialog box allows selection of a source files directory. The dialog box also presents the option to download the source files manually. Unless you have a reason to change the defaults, leave them as set (see Figure H). Clicking the Next button will initiate a download of any needed update files.

Figure J

Click the Make This Update Valid For All Client Locales check box and add any command line options, if needed. (Microsoft recommends that command line parameters be specified with each update to minimize user interaction and reduce system reboots.) The Syntax button will direct you to the Knowledge Base article on the update and provide the command line options specific to the patch. Once you have completed this screen, the status in the Ready column should now display 'Yes.'

The next dialogs are common SMS installation dialogs and prompt you to create distribution points and allow you to configure advertisements for the packages. Critical security updates should not be allowed to be postponed by the user. The agents dialog box allows reboots to be postponed on critical systems, such as servers. The final dialog allows the package to be advertised to client computers.
In the case of security updates, advertisements may not be necessary, since the SMS admin will likely make the packages mandatory and force installation.

Verify installation

After the deployment has occurred, the successful installation can be verified by using the resource explorer or the Web-reporting tool. The Web-reporting tool has many predefined reports specific to security patch deployment. Figure K shows a partial listing of reports.

Figure L

Summary

This Software Update Services feature pack add-on can turn your SMS system into a powerful tool for patch management. If you're a seasoned SMS pro, the security tool add-on should be easy to implement in your current enterprise. The supplied white paper provides good background and many important considerations for implementing and using the tools. However, it is not a good step-by-step guide. If you are new to SMS, you may want to get your feet wet first with the basic SMS concepts before using the software updating tools.