Windows Patch Management, SMS 2.0 SUS Feature Pack Operations
June 4, 2004
The previous article in this series presented an architectural overview of the SMS 2.0 Software Update Services Feature Pack. We also described its main components and deployment procedures. This installment of our Windows Patch Management series focuses on operational aspects and concludes our coverage of Systems Management Server (SMS). The next article will overview the new patch-management-related features of Software Update Services components incorporated in the recently released SMS 2003.
Previous installments in this series have listed relevant components and explained their availability, installation process, and role in the patch management process. Thus far, all of the components have been free downloads from the Microsoft Web site. However, we have not yet discussed prerequisites for their operation.
To run effectively, the SUS Feature Pack should be installed on SMS 2.0 SP3 or later. SP 4.0 is recommended because of its built-in support for Windows XP Professional clients and its software distribution enhancements. In addition, the scan and sync inventory tools running on SMS clients require Windows NT 4.0 SP6a or later, along with Internet Explorer 5.0 and MS XML 3.0. Finally, the Web Reporting Add-in pack relies on the SQL Server hosting the SMS database operating in mixed-mode security.
SMS hardware inventory must be enabled in the site where the SMS clients reside, since it is the primary mechanism by which patch-level information is collected. You should also evaluate whether the weekly default inventory interval is frequent enough to keep the environment properly patched. The same applies to SMS software installation functionality, although in this case it is advisable to disable the sitewide countdown for assigned programs and the notification of software distribution (both settings are available in the Feature Pack) and to change the Advertised Programs Manager interval from its one-hour default to match your expected deployment schedule without affecting the overall performance of SMS clients. It is also recommended to keep at least one test computer in the pre-production collections for Security and Office updates for each type of production system in the environment. Thus, if clients run Windows 2000 SP3 and Windows XP SP1, you should ensure that identically configured workstations are available for evaluating the impact of each patch. It is also a good idea to account for differences in major hardware components.
As explained in the previous article, installing Feature Pack components on the SMS Site Server results in the creation of several collections, packages, and advertisements. Together, they form the framework of patch management operations. During installation, a system is designated to serve as a Sync host. The Sync host automatically keeps track of the latest security and MS Office updates released by Microsoft. While the host does not need to be an SMS server, it does require an SMS client.
The primary responsibility of an SMS administrator is to run the Distribute Software Updates Wizard whenever a new patch must be deployed. The wizard analyzes patch status information that SMS clients report and that the Scan tool, running locally on each system, refreshes on a regular basis using the inventory tools and catalog data provided by the Sync host. Based on this analysis, it creates the appropriate packages and advertisements targeting the selected collections. The packages contain the missing patches, which are downloaded from the Microsoft Windows Update Web site. The patches are then distributed to the Windows systems within these collections using standard SMS software deployment mechanisms and installed with the help of the Software Updates Installation Agent, which runs on every target system.
The Distribute Software Updates Wizard launches from the All Tasks -> Distribute Software Updates context menu of any of the Collections, Packages, or Advertisements nodes in the SMS Administrator console. The wizard prompts you to perform the following actions:
Another component, the Web Reports Add-In for Software Updates, simplifies the analysis of patch distribution and installation status. It contains a number of predefined reports (such as "Installed patches for a specific computer", "Machines with a specific patch installed", and "Machines where a specific patch is applicable"), which are displayed in an Internet Explorer window. They are generated much faster than the inventory information available through the SMS Administrator console because they bypass the WMI layer when reading from the SMS database.
While the operation of the remaining components of the SMS 2.0 SUS Feature Pack is practically fully automated, no discussion would be complete without noting the caveats that apply to the Sync host configuration. By default, this system is intended to download patches while a user with administrative privileges is logged on. Running the Sync host unattended is possible, but it requires additional changes. This is because, with no user logged on, the Sync tool executes in the security context of the SMSCliToknAcct& local account, which has no privileges to access remote computers. In that case, the package folder containing the Scan files (updated by the Sync tool) must reside locally on the Sync host computer. You might also run into problems if your proxy requires authentication for Internet access, since a process running in the background cannot supply the required credentials. This can be resolved if your proxy supports IP-address-based exclusions. In addition, you should ensure that Internet Explorer is configured to use HTTP 1.1 through proxy connections. Note that this setting must be applied to the computer, not the user configuration, since the unattended connection to the Windows Update servers is established in the security context of the SMSCliToknAcct& account. The per-machine option can be enforced using Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Make proxy settings per-machine rather than per-user).
Next, you must modify the following within SMS Administrator Console:
If this approach is not possible (e.g., because of proxy authentication limitations), you can manually download the tool updates on any system with a direct connection to the Internet (and the Microsoft Update Web site). To do so, execute the following on that computer: SYNCXML.EXE /s /site Server /code SiteCode /target \\Server\ScanSource /package PackageID, where Server is the name of the computer hosting the Scan package source files, SiteCode is the SMS site code, ScanSource is the share where the Scan package source files reside, and PackageID is the Package ID of the Scan Tool package. The /s switch merely makes the execution silent.
This concludes our overview of the SMS 2.0 SUS Feature Pack. The next article will review the remaining patch management offerings from Microsoft and begin our examination of third-party solutions.
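The following script is an added example, not part of the original article or the Feature Pack: it checks a computer against the unattended Sync host caveats above (local Scan package folder, per-machine proxy settings, HTTP 1.1 through the proxy, proxy authentication) and, if any check fails, prints the manual SYNCXML.EXE fallback command. The registry value names ProxySettingsPerUser and ProxyHttp1.1 are taken from Internet Explorer's policy and connection settings; the server, site code, share and package ID values are placeholders.

```powershell
# Added example (not from the article). Assumed registry value names:
# ProxySettingsPerUser (IE policy, 0 = per-machine) and ProxyHttp1.1 (1 = on).
param(
    [string]$ScanPackagePath = 'C:\SMS_Scan\Source',       # placeholder, must be local
    [string]$SiteServer      = 'SMSSERVER',                # placeholder
    [string]$SiteCode        = 'S01',                      # placeholder
    [string]$ScanShare       = '\\SMSSERVER\ScanSource',   # placeholder
    [string]$PackageId       = 'S0100005'                  # placeholder
)
$PolicyKey   = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$SettingsKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-SyncHostReadiness {
    $issues = @()
    # Unattended, the Sync tool runs as SMSCliToknAcct& and cannot reach remote shares.
    if ($ScanPackagePath -like '\\*') {
        $issues += "Scan package folder '$ScanPackagePath' is a UNC path; it must be local."
    } elseif (-not (Test-Path -LiteralPath $ScanPackagePath)) {
        $issues += "Scan package folder '$ScanPackagePath' does not exist."
    }
    # Proxy settings must be per-machine: the background account never sees a user profile.
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $pol -or $pol.ProxySettingsPerUser -ne 0) {
        $issues += 'Proxy settings are per-user; enforce the per-machine policy (ProxySettingsPerUser = 0).'
    }
    # HTTP 1.1 through proxy connections, read from the machine-wide Internet settings.
    $cfg = Get-ItemProperty -Path $SettingsKey -ErrorAction SilentlyContinue
    if ($null -eq $cfg -or $cfg.'ProxyHttp1.1' -ne 1) {
        $issues += 'HTTP 1.1 through proxy is not enabled in the machine-wide Internet settings.'
    }
    # A proxy demanding authentication cannot be satisfied by a background process.
    if ($cfg -and $cfg.ProxyEnable -eq 1 -and $cfg.ProxyServer) {
        Write-Host "Proxy in use: $($cfg.ProxyServer). Confirm it exempts this host from authentication."
    }
    return $issues
}

function Get-SyncXmlFallbackCommand {
    # Switches exactly as given in the article; /s makes the run silent.
    "SYNCXML.EXE /s /site $SiteServer /code $SiteCode /target $ScanShare /package $PackageId"
}

$issues = Test-SyncHostReadiness
if ($issues.Count -eq 0) {
    Write-Host 'Host meets the unattended Sync host requirements.'
} else {
    $issues | ForEach-Object { Write-Warning $_ }
    Write-Host "Fallback on an Internet-connected system: $(Get-SyncXmlFallbackCommand)"
}
```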