The previous article in this series presented an architectural overview of the SMS 2.0 Software Update Services Feature Pack. We also described its main components and deployment procedures. This installment of our Windows Patch Management series focuses on operational aspects and concludes our coverage of Systems Management Server (SMS). The next article will give an overview of the new patch-management-related features of the Software Update Services components incorporated in the recently released SMS 2003.
We conclude our coverage of SMS’ role in Windows patch management with an examination of configuration requirements and application prerequisites.
Previous installments in this series have listed relevant components and explained their availability, installation process, and role in the patch management process. Thus far, all of the components have been free downloads from the Microsoft Web site. However, we have not yet discussed prerequisites for their operation.
To run effectively, the SUS Feature Pack should be installed on SMS 2.0 SP3 or later. SP4 is recommended because of its built-in support for Windows XP Professional clients and its software distribution enhancements. Also, the scan and sync inventory tools running on SMS clients require Windows NT 4.0 SP6a or later, along with Internet Explorer 5.0 and MSXML 3.0. Finally, the Web Reporting Add-in pack relies on the SQL Server hosting the SMS database operating in mixed-mode security.
SMS hardware inventory must be enabled in the site where the SMS clients reside, since it is the primary mechanism on which the collection of patch-level information is based. You should also evaluate whether the default weekly inventory interval is sufficient to keep the environment properly patched. The same applies to the SMS software installation functionality. In this case, it is advisable to disable the sitewide countdown for assigned programs and the software distribution notification (since both settings are available in the Feature Pack) and to change the Advertised Programs Manager interval from its one-hour default to match your expected deployment schedule, without affecting the overall performance of SMS clients. It is also recommended to have at least one test computer in the pre-production collections for Security and Office updates for each type of production system in the environment. Thus, if clients are running Windows 2000 SP3 and Windows XP SP1, you should ensure that identically configured workstations are available for evaluating the impact of each patch. It is also a good idea to account for differences in major hardware components.
As explained in the previous article, installing Feature Pack components on the SMS Site Server results in the creation of several collections, packages, and advertisements. Together, they form the framework of patch management operations. During installation, a system is designated to serve as a Sync host. The Sync host automatically keeps track of the latest security and MS Office updates released by Microsoft. While the host does not need to be an SMS server, it does require an SMS client.
The primary responsibility of an SMS administrator is to run the Distribute Software Updates Wizard whenever a new patch must be deployed. The wizard analyzes the patch status information reported by SMS clients. That information is refreshed on a regular basis by the Scan tool running locally on each system, which in turn relies on the inventory tools and catalog data provided by the Sync host. Based on the results of this analysis, the wizard creates the appropriate packages and advertisements targeting the selected collections. The packages contain the missing patches, which are downloaded from the Microsoft Windows Update Web site. The patches are then distributed to the Windows systems within these collections using standard SMS software deployment mechanisms. They are installed with help from the Software Updates Installation Agent, which runs on every target system.
The Distribute Software Updates Wizard launches from the All Tasks -> Distribute Software Updates context-sensitive menu of any of the Collections, Packages, or Advertisements nodes in the SMS Administrator console. When you run the wizard, it prompts you for the following actions:
- Decide which type of update to apply (i.e., Security or Office). Note that this requires that an inventory scanning program associated with the appropriate type of update be present on the SMS clients. If this is not the case, you have the option to locate, download, and initiate the installation of the program from within the wizard.
- Create a new SMS Package, or use an existing one, containing software updates of the type selected in the previous step. New packages require a unique name and, optionally, a file with additional information for users.
- Authorize which of the updates missing on client computers (determined by results of SMS hardware client inventory for the target collection) should be installed. The wizard provides a listing of all patches applicable to clients as well as easy access (via Information … command button) to relevant Microsoft Knowledge Base articles and security bulletins. This helps with the assessment of an update’s criticality and potential side effects.
- Specify package properties, such as package source directory or sending priority. This is applicable when packages are being distributed across multiple SMS sites.
- Initiate the download of the authorized updates. The wizard also offers the option to download source files separately (e.g., if SMS Site Server does not have direct Internet access).
- Modify program properties, such as command line parameters.
- Select SMS distribution points that will be updated with the package files.
- Fine-tune the Software Updates Installation Agent settings, such as the grace period (i.e., allowing users to postpone the installation of low-priority updates), restart behavior (e.g., suppressing restarts for servers but not workstations), and the type of status reports generated (e.g., for failed installations).
- Specify advertisement settings, such as target collection or recurrence interval.
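The analysis the wizard performs in the authorization step (comparing each client's reported patch status against the catalog for the selected update type) and the inventory-interval concern raised earlier can be modeled in a few lines. The following Python script is an added example written for this article; it is not part of SMS or the Feature Pack and does not talk to an SMS database. The catalog, inventory records, update IDs (`UPD-001` and so on), machine names and timestamps are all constructed sample data, and the seven-day staleness threshold simply mirrors the default weekly hardware inventory interval mentioned above.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from SMS): a patch catalog of the kind the
# Sync host provides, keyed by update ID, with the OS levels each update applies to.
CATALOG = {
    "UPD-001": {"applies_to": {"Windows 2000 SP3", "Windows XP SP1"}, "type": "Security"},
    "UPD-002": {"applies_to": {"Windows XP SP1"}, "type": "Security"},
    "UPD-003": {"applies_to": {"Windows 2000 SP3", "Windows XP SP1"}, "type": "Office"},
}

# Constructed hardware-inventory records of the kind the Scan tool reports for
# each client: OS level, installed update IDs, and the time of the last inventory.
INVENTORY = [
    {"name": "WS-2K-01", "os": "Windows 2000 SP3",
     "installed": {"UPD-001"}, "last_scan": "2004-01-08T09:00:00"},
    {"name": "WS-XP-01", "os": "Windows XP SP1",
     "installed": {"UPD-001", "UPD-003"}, "last_scan": "2003-12-20T09:00:00"},
    {"name": "WS-XP-02", "os": "Windows XP SP1",
     "installed": {"UPD-001", "UPD-002", "UPD-003"}, "last_scan": "2004-01-09T09:00:00"},
]


def _as_datetime(value):
    """Accept either an ISO 8601 string or a datetime and return a datetime."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def missing_updates(inventory, catalog, update_type):
    """Return {client name: sorted list of update IDs} for updates of the given
    type (Security or Office) that apply to the client's OS but are absent from
    its inventory. Clients with nothing missing are omitted."""
    result = {}
    for client in inventory:
        applicable = {
            uid for uid, meta in catalog.items()
            if meta["type"] == update_type and client["os"] in meta["applies_to"]
        }
        missing = sorted(applicable - client["installed"])
        if missing:
            result[client["name"]] = missing
    return result


def stale_clients(inventory, now, max_age_days=7):
    """Return the names of clients whose last inventory is older than
    max_age_days. Their reported patch status is too old to base a
    deployment decision on and they should be re-inventoried first."""
    cutoff = _as_datetime(now) - timedelta(days=max_age_days)
    return sorted(c["name"] for c in inventory
                  if _as_datetime(c["last_scan"]) < cutoff)


def authorize(inventory, catalog, update_type, now, max_age_days=7):
    """Combine both checks: a (ready, stale) pair where `ready` maps clients
    with current inventory to the updates they are missing, and `stale` lists
    clients excluded because their inventory is out of date."""
    stale = set(stale_clients(inventory, now, max_age_days))
    missing = missing_updates(inventory, catalog, update_type)
    ready = {name: ids for name, ids in missing.items() if name not in stale}
    return ready, sorted(stale)


if __name__ == "__main__":
    run_time = "2004-01-10T12:00:00"  # constructed "now" for the sample data
    for kind in ("Security", "Office"):
        ready, stale = authorize(INVENTORY, CATALOG, kind, run_time)
        print(f"{kind} updates to authorize: {ready}")
        print(f"Clients needing a fresh inventory before {kind} targeting: {stale}")
```

With the sample data, WS-XP-01 is the only client missing a Security update (UPD-002), but its last inventory is three weeks old, so `authorize` reports it as stale instead of putting it in the deployment set; WS-2K-01 is current and is reported as missing the Office update UPD-003. Keeping the staleness check separate from the missing-update check is the point: a client that reports nothing missing because it has not been inventoried recently looks identical to a fully patched one unless the inventory age is examined as well.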