
Windows Patch Management, SUS Feature Pack (Architectural Review) Page 2

By Marcin Policht (Send Email)
Posted May 7, 2004


The SUS Feature Pack contains the following components:

  • Security Update Inventory Installer (SecurityPatch_ENU.exe), which is responsible for determining the Windows security patch level of SMS clients. It consists of the following subcomponents:

    1. Security Update Inventory Installer: Software invoked on the SMS site server one time, during the initial installation. It creates default packages, collections, and advertisements, which are then used to deploy the remaining subcomponents and security patches.

    2. Security Update Inventory Tool: SMS client software based on Microsoft Baseline Security Analyzer, which regularly scans SMS client computers to determine the number of installed updates. The results are converted to an appropriate format, included in the SMS hardware inventory, and uploaded to the SMS server inventory database using standard SMS client-server communication (along with other inventory data). Later, other components will use this information to determine the current patch level (for status reports) and updates applicable to specific clients (for patch deployment).

    3. Security Update Sync Tool: Software running periodically (weekly by default) on a designated computer with an Internet connection, downloading the latest security bulletins (in the form of the MSSecure.cab file) from the Microsoft Windows Update servers. Its purpose is to ensure that the scan results produced by the Software Update Inventory Tool are up to date: SMS clients are checked for the presence of the most recent patches, and any that are missing are reported back to the SMS site server, which triggers their inclusion in advertisements created by the Distribute Software Updates Wizard and their subsequent installation. The Sync Tool adds the most recent version of the MSSecure.cab file to the package containing the Software Update Inventory Tool and replicates it to the SMS distribution servers that serve as the download source for SMS clients.

  • Office Update Inventory Tool (OfficePatch_ENU.exe), which is equivalent to the Security Update Inventory Installer but deals with patches specific to MS Office. It consists of three subcomponents equivalent to the Windows security counterparts described above.

    1. Office Update Inventory Installer: Software invoked on the SMS site server only during the initial installation. It creates default packages, collections, and advertisements, which are then used to deploy other subcomponents and MS Office patches.

    2. Office Update Inventory Tool: SMS client software based on the Network Office Update Tool (Invcm.exe) and Office Update Database (Invcif.exe), which regularly scans SMS client computers to determine the number of installed updates. As with the Software Update Inventory Tool, results are stored in the SMS hardware inventory and pushed to the server for reporting and deployment purposes.

    3. Office Update Sync Tool: Software running periodically (weekly by default) on a designated computer (typically the same one selected for the Security Update Sync Tool), downloading the latest version of the Office Update Tool and Office Update Database from the Microsoft Windows Update Web servers. As with the Security Update Sync Tool, the updated tools are added to the package source, replicated to SMS distribution servers, and eventually pulled down by the SMS client agents.

  • Distribute Software Updates Wizard Installer (PatchWiz_ENU.exe) installs the Distribute Software Updates Wizard on the SMS Site server. The wizard compares the most recent list of patches from Microsoft (collected by a designated computer running Security Update Sync Tool and Office Update Sync Tool) against the inventory information collected from SMS clients (resulting from running Security Update Inventory Tool and Office Update Inventory Tool). It then downloads those that are applicable (based on this comparison) and SMS-administrator-approved, and automatically creates software packages and advertisements (an advertisement is the scheduled deployment of a package to a collection of client computers). It also distributes to SMS clients the Software Updates Installation Agent, which is responsible for enhancing package installation (e.g., ensuring unnecessary patches are not installed), and makes sure the agent is launched as part of each package.

  • Web Reporting Tool for Software Updates (SMSAddWebReports_ENU.exe) is installed on the SMS site server. It incorporates software updates information into the SMS Web Reporting Tool (part of the SMS 2.0 Administrative Pack, downloadable from http://www.microsoft.com/smserver/downloads/20/featurepacks/adminpack/).
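To make the comparison step concrete, here is an added Python model (not code from the Feature Pack or from Microsoft) of what the Distribute Software Updates Wizard does with the two data sources described above: the bulletin catalog fetched by the Sync Tool and the per-client inventory uploaded by the Inventory Tool. The catalog, inventory and approval list are constructed sample values; bulletin IDs and product names are placeholders chosen for illustration.

```python
# Constructed sample catalog in the spirit of MSSecure.cab: bulletin -> products it applies to.
CATALOG = {
    "MS04-001": {"Windows 2000", "Windows XP"},
    "MS04-002": {"Windows XP"},
    "MS04-003": {"Office 2003"},
}

# Constructed sample inventory as uploaded via SMS hardware inventory:
# client -> products present and bulletins already installed.
INVENTORY = {
    "WS01": {"products": {"Windows XP", "Office 2003"}, "installed": {"MS04-001"}},
    "WS02": {"products": {"Windows 2000"}, "installed": set()},
    "WS03": {"products": {"Windows XP"}, "installed": {"MS04-001", "MS04-002"}},
}


def missing_patches(catalog, inventory):
    """Per client, the bulletins that apply to one of its products but are not installed."""
    result = {}
    for client, data in inventory.items():
        applicable = {b for b, prods in catalog.items() if prods & data["products"]}
        result[client] = applicable - data["installed"]
    return result


def build_advertisements(catalog, inventory, approved):
    """Mirror the wizard: one package per approved, still-needed bulletin,
    advertised to the collection of clients that are missing it."""
    needs = missing_patches(catalog, inventory)
    ads = {}
    for bulletin in sorted(approved):
        if bulletin not in catalog:
            continue  # only bulletins present in the downloaded catalog are deployable
        targets = sorted(c for c, m in needs.items() if bulletin in m)
        if targets:  # no advertisement when nobody needs the patch
            ads[bulletin] = targets
    return ads


def agent_should_install(client, bulletin, catalog, inventory):
    """Installation-agent style check on the client side: skip a patch that is
    already present or does not apply to the client's products."""
    return bulletin in missing_patches(catalog, {client: inventory[client]})[client]
```

Running it shows that an unapproved bulletin (MS04-003) never becomes an advertisement even though WS01 needs it, and that the agent check refuses a patch a client already has.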


Page 2 of 3
