Windows Patch Management, SUS Feature Pack (Architectural Review) Page 3

Managing Patch Deployment

To manage patch deployment with SUS Feature Pack, first install its four main components on the SMS Site server. This results in the automatic creation of collections, packages, and advertisements necessary to initiate deployment process.

• Collections for pre-production, full deployment, and Sync host for Windows security and Office patches (a total of six collections), to which you can add SMS client computers intended to serve each of these roles.
• Two packages (for Security Update and Office Update Inventory Tools) with three programs each (a program is defined within a package by its installation characteristics, so every package can have multiple programs, depending, for example, on command line options used). The first one is the standard installation, the second is the expedited installation (intended for testing only, since it places additional load on SMS client’s processor utilization), and the third one is the Sync program, to be run periodically on the computer connected to the Internet and downloading patch information from the Microsoft Windows Update servers.
• Three pairs of advertisements (advertisement is a program that targets a collection) for Security Updates and Office Updates tools packages, respectively, for a total of six advertisements.

The installation will then prompt for the name of a computer to run Sync tools. This computer will be automatically added to both Sync host collections. You should also select a number of SMS client computers for testing, add them to pre-production collections, and add all remaining clients to the production collections (for both Security and Office updates).

Sync tools get installed as the result of advertisements targeting Sync host collection. Once installed, both tools download the latest security and office catalogs from the Microsoft Web Site, include them in packages for Security and Office Update Inventory Tools, and replicate them to SMS distribution points. Both Update Inventory Tools are advertised to and installed on all SMS clients that belong to Security and Office Update Tool collections. After the tools run on each client, scan results are recorded as SMS hardware inventory and reported to SMS Site server. At that point, the SMS administrator can launch the Distribute Software Updates wizard from the SMS Administrator console. The wizard evaluates which software updates are applicable to SMS clients (based on the most recent inventory results), prompts it to approve the selected updates, downloads them from the Microsoft Windows Updates Web site, and automatically creates all necessary packages and advertisements. Packages are then replicated to SMS servers functioning as distribution points using the standard SMS mechanism. SMS clients use another standard SMS mechanism to download packages from distribution servers and execute associated with them advertisements.

This concludes our architectural review of SMS 2.0 SUS Feature Pack. The next article, will look into its implementation details.