Windows Patch Management, SMS 2.0 SUS Feature Pack Operations Page 2
Another component, Web Reports Add-In for Software Updates, simplifies the analysis of information about the status of patch distribution and installation. This component contains a number of predefined reports (such as "Installed patches for a specific computer", "Machines with a specific patch installed", and "Machines where a specific patch is applicable"), which are displayed in an Internet Explorer window. They are generated much faster than the inventory information available through the SMS Administrator console because they bypass the WMI layer when deriving information from the SMS database.
While the operation of the remaining components of SMS 2.0 SUS Feature Pack is practically fully automated, no discussion would be complete without noting the caveats that apply to the Sync host configuration. By default, this system is intended to download patches while a user with administrative privileges is logged on. While it is possible to run the Sync host in an unattended manner, this requires additional changes. The requirement stems from the fact that, with no user logged on, the Sync tool executes in the security context of the SMSCliToknAcct& local account, which has no privileges to access remote computers. In such cases, the package folder containing the Scan files (updated by the Sync tool) must reside locally on the Sync host computer. You might also run into problems if your proxy requires authentication for Internet access, since a process running in the background cannot submit the required credentials. This can be resolved if your proxy supports IP-address-based exclusions. In addition, you should ensure that Internet Explorer is configured to use HTTP 1.1 through proxy connections. Note that this setting must be applied to the computer configuration, not the user configuration, since the unattended connection to the Windows Update servers will be established in the security context of the SMSCliToknAcct& account. The per-machine option can be enforced using Group Policy (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Make proxy settings per-machine rather than per-user).
Next, you must modify the following within SMS Administrator Console:
- On the General tab of the Sync Program Properties dialog box for the Update tool package, set the command line option to SYNCXML.EXE /s /unattend /site ScanHost /code SiteCode /target PackageFolder /package PackageID, where ScanHost is the name of the Scan host computer, SiteCode is the SMS Site code, PackageFolder is the destination directory for the Scan Tool package (local to the Sync host), and PackageID is its Package ID.
- On the Environment tab of Sync Program Properties dialog box for the Update tool packages, set the "Program Can Run" option to "Whether Or Not a User is Logged In."
- On the Data Source tab of the Scan tool Package Properties dialog box, set the option to refresh distribution points on schedule. This ensures SMS clients obtain the latest version of catalogs and scanning tools.
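As an added example (not from the article, and not part of the SUS Feature Pack itself), the following PowerShell check verifies the unattended Sync host prerequisites described above before the schedule is enabled. The registry value names ProxySettingsPerUser and ProxyHttp1.1, and the default package folder, are assumptions about how the named Group Policy and Internet Explorer option are stored; the article only names the settings.

```powershell
# Added example, not the article's own code. Registry locations are assumptions
# about where the Group Policy and IE option named in the article are stored.
function Test-SyncHostPrerequisites {
    param(
        # Folder passed with /target; assumed value, must be local to the Sync host
        [string]$PackageFolder = 'C:\SMS_ScanTool',
        [string]$SyncAccount   = 'SMSCliToknAcct&'
    )
    $ok = $true

    # 1. "Make proxy settings per-machine rather than per-user" is assumed to write
    #    ProxySettingsPerUser = 0 under the Internet Settings policy key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $perUser = (Get-ItemProperty -Path $policyKey -Name ProxySettingsPerUser `
                -ErrorAction SilentlyContinue).ProxySettingsPerUser
    if ($perUser -ne 0) {
        Write-Warning "Proxy settings are still per-user; $SyncAccount will not see the administrator's proxy configuration."
        $ok = $false
    }

    # 2. With per-machine settings, "Use HTTP 1.1 through proxy connections" is assumed
    #    to be read from ProxyHttp1.1 in the HKLM Internet Settings key.
    $machineKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
    $http11 = (Get-ItemProperty -Path $machineKey -Name 'ProxyHttp1.1' `
               -ErrorAction SilentlyContinue).'ProxyHttp1.1'
    if ($http11 -ne 1) {
        Write-Warning 'HTTP 1.1 through proxy connections is not enabled for the machine.'
        $ok = $false
    }

    # 3. The unattended Sync tool runs as a local account with no rights on remote
    #    computers, so the /target folder must be a local fixed drive, not a UNC path
    #    or a mapped network drive.
    $root = [System.IO.Path]::GetPathRoot($PackageFolder)
    $isUnc = $PackageFolder -like '\\*'
    $driveType = if (-not $isUnc) { (New-Object System.IO.DriveInfo $root).DriveType } else { 'Network' }
    if ($isUnc -or $driveType -ne 'Fixed') {
        Write-Warning "Package folder '$PackageFolder' is not on a local fixed drive; $SyncAccount cannot reach it."
        $ok = $false
    }

    return $ok
}

if (Test-SyncHostPrerequisites) { 'Sync host is ready for unattended operation.' }
```

Run it on the Sync host as an administrator; each failed check prints the caveat from the article that it corresponds to.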
If this approach is not possible (e.g., due to proxy authentication limitations), you can manually download tool updates on any system with a direct connection to the Internet (and the Microsoft Update Web site). This can be done by executing the following on that computer: SYNCXML.EXE /s /site Server /code SiteCode /target \\Server\ScanSource /package PackageID, where Server is the name of the computer hosting Scan package source files, SiteCode is the SMS Site code, ScanSource is the share where Scan package source files reside, and PackageID is the Package ID of the Scan Tool package. The /s switch merely makes the execution silent.
This concludes our overview of SMS 2.0 SUS Feature Pack. The next article will review the remaining patch management offers from Microsoft and start our examination of third-party solutions.