Windows Patch Management, SMS 2003 Overview Page 2

Besides the changes outlined above, which impact software distribution (including software updates), several patch management specific features differ from the original release of SMS 2.0 SUS Feature Pack, such as:

• Distribute Software Updates Wizard (which can be launched from a Software Updates node in the SMS Administrator Console) became an integral part of SMS 2003. In SMS 2.0, the update wizard was required to run a separate installer program (PatchWiz_ENU.exe) downloadable from the Microsoft Web site. In addition, since the underlying engine for Security Scan is based on Microsoft Baseline Security Analyzer, in fresh installations of SMS 2003, the Security scan tool displayed in the wizard is referred to as MBSA (for upgrades from SMS 2.0, MBSA entry is created along with the Security Tool scanning program entry). SMS 2003 Administrator Console also contains, by default, the Software Updates Installation Agent entry.
• It is possible to specify arbitrarily selected reference computer when running Distribute Software Updates Wizard. This allows you to approve a patch update (and create a relevant package) even if SMS client inventory does not need it. Within the wizard, you can specify the time periods that installations can be performed. This helps prevent reboots of workstations or servers outside of a scheduled maintenance window. With another feature, called dynamic package configuration, it is possible to create multiple programs for a single package and set criteria based on which each program will be applied to a different collection (with different settings).
• Web Reports for patch management have been integrated into SMS Management Console under the Reports node. Note that if you are upgrading from SMS 2.0 to SMS 2003, you should uninstall the Web Reporting tool and Add-in Reports for Software Upgrades (upgrade will not, however, affect existing patch packages and patch settings).
• The method of reporting patch installation status has been modified to reflect the state of SMS clients more accurately. This applies, for example, to computers where a patch has been installed but a required reboot has not yet taken place. In SMS 2.0, this was reported as installed; in SMS 2003, the range of states of patch installation has been considerably extended to include success, restart pending, retrying, postponed, failed, and uninstalled.
• While scan tools are still provided as separate downloads that must be installed on the Site Server, their location is different from their SMS 2.0 SUS Feature Pack equivalents. The Security Update Scan Tool and the Microsoft Office Inventory Tool for Updates are available from http://www.microsoft.com/smserver/downloads/2003/featurepacks/suspack/default.asp.
• Proxy authentication for unattended Sync host operations can be configured with PatchDownloader.exe tool (located in the SMSbini3860000409 folder on the SMS server), using the following syntax:

  PatchDownloader.exe /s:ProxyServer:Port /u:UserName

  You will then be prompted for the password, which will be stored, along with the UserName, in encrypted format in a registry key on the Sync host computer. This step must be taken, along with the configuration options described in the previous article of our series: modifying the command line of the program for the Sync tool package to make it run in unattended manner, configuring the update of distribution points on schedule, setting proxy configuration on a per-machine basis (rather than a per-user basis, as is the case with group policy), and creating a Scan tool package source folder local on the Sync host computer. Note that in unattended mode (i.e., with no user logged on), Sync tool executes in the security context of the Local System account if the Sync host is installed on an SMS 2003 Advanced client (for this purpose, standard clients use SMSCliToknAcct& account).

• SMS Advanced Client includes persistent notification feature, which provides a visual indication about the patch update status of the local computer in the form of a system tray icon (this is independent of the software update advertisement present on standard and Advanced SMS clients).

For more information on SMS 2003 Patch Management functionality (or any other related topic) refer to the SMS 2003 Concept, Planning, and Deployment Guide and the SMS 2003 Operations Guide.

Thus far, all of the information presented in this series has been intended to provide a good understanding of the three main patch management solutions offered by Microsoft: Windows Update, Software Update Services (soon to be replaced by Windows Update Services), and Systems Management Server Software Updates.

In addition to understanding these patch management options, organizations should also be aware of the recent announcements from Microsoft concerning its near-future plans. While Microsoft remains committed to its three main offerings, additional improvements are expected in (same behavior for installation and rollback, common switches and registry tags, use of MSI 3.0), efficiency (reduced patch size with binary delta compression), and manageability (in the form of fewer required reboots). There is also a tendency (visible, for example, in SQL 2005) to offer users the ability to patch installation programs (integrate patches directly into product binaries, so installation and patching take place in a single step).