Resources for IT Professionals

Software Updates Frequently Asked Questions

Planning and Deployment

Q. Where is the SUS Feature Pack for SMS 2003? (Updated September 30, 2004)

Q. Do I need to allow my site server to access the internet for software update management to work? (Updated July 27, 2004)

When you install the Security Update Inventory Tool, the site server must have access to the latest mssecure.cab file. If the site server has Internet access, then the setup program will automatically download mssecure.cab and proceed with the installation. If the site server does not have Internet access, you must manually download the .cab file. To download the latest .cab file, clickhere. In the File Download box, confirm that the file is called MSSecure_1033.CAB. Click Save and save the file to the installation folder of the Security Update Inventory tool. (The default folder is C:\Program Files\SecurityPatch\PkgSource\1033. You might be required to create this folder.) After you save the file to this directory, rename the file to mssecure.cab.

When you install the Office Update Inventory tool, the site server must have access to the latest inventory tool (invcm.exe) and the latest update catalog (invcif.exe). If the site server has Internet access, then the setup program will automatically download both required files and proceed with the installation. If the site server does not have Internet access, you must manually download the files. To download the latest inventory engine click here. In the File Download box, confirm that the file is called invcm.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool. (The default folder is C:\Program Files\OfficePatch\PkgSource. You might be required to create this folder.) To download the latest update catalog, click here. In the File Download box, confirm that the file is called invcif.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool. (The default folder is C:\Program Files\Office Update\PkgSource. You might be required to create this folder.)

During installation of either inventory tool, you designate one computer to act as the synchronization host. The synchronization host retrieves the latest update catalog from Microsoft. The Office Update synchronization host also automatically retrieves the latest invcm.exe. Only that synchronization host requires Internet access. That computer can be the administrator’s desktop or any other SMS client computer, but it does not have to be the site server. By default, the synchronization component that retrieves the updates only in attended mode only, but it can be configured for unattended operation.

For more information about configuring the synchronization component to run in attended or unattended mode, search for “Task 4: Deploy the Software Update Inventory Tools” in Chapter 6, “Managing Software Updates,” in the Microsoft Systems Management Server 2003 Operations Guide.

Q. We have a firewall that requires authentication. How will SMS Software Update work in this case?

Q. Do I need to uninstall my SMS 2.0 SUS Feature Pack before upgrading to SMS 2003?

Q. I want to upgrade my SMS 2.0 installation in stages. How will patch management solution work for me? Will I be using both the SMS 2003 and SUS Feature Packs in the interim?

Q. Do I need to create different patch packages for each product?

Q. Can I schedule patches for installation during hours when users are not logged in?

Q. Will my current inventory tools work with the new localized security catalogs, and if so, how do I download them? (Added April 30, 2004)

MBSA Versions

Q. What version of the MBSA scan engine does SMS 2003 use? (Updated September 30, 2004)

Q. Do I need to upgrade from MBSA 1.2 to 1.2.1? (Added August 31, 2004)

Q. Does MBSA 1.2 scan for Windows XP SP2 updates using Systems Management Server? (Added August 31, 2004)

Q. I upgraded to the new Security Update Inventory Tool with MBSA 1.2 and now my reports are showing different data. Does MBSA 1.2 find more updates than MBSA 1.1.1? (Added March 31, 2004)

Q. What version of Microsoft XML do I need for inventory tools to work? (Added June 30, 2004)

Q. How can I verify that I am using MBSA version 1.2? (Added June 30, 2004)

Q. How can I verify that a patch is applicable to a specific client? (Added June 30, 2004)

Office Update Inventory Tool

Q. What is the Office Update Inventory Tool 2.1? (Added July 27, 2004)

Q. What do I do to install the new version of the Microsoft Office Inventory Tool for Updates? (Added July 27, 2004)

Q. Will the Office Update Inventory Tool 2.0 work with the new catalog? (Added July 27, 2004)

Updates Not Detected by MBSA

Q. The Security Update Inventory Tool did not detect the updates just released by Microsoft. What should I do? (Added May 31, 2005)

Q. Does the Extended Security Update Inventory Tool have a catalog and a synchronization host like the Security Update Inventory Tool and the Office Update Inventory Tool? (Added May 31, 2005)

Q. If I already installed a previous scan tool for MS04-028 or MS05-Feb, do I need to uninstall those? Do I need to uninstall the Security Update Inventory Tool and Office Update Inventory Tool? (Added May 31, 2005)

Q. Where do I obtain the Extended Security Update Inventory Tool and the documentation? (Added May 31, 2005)

Distribute Software Updates Wizard

Q. I don’t see patch type Security in the Distribute Software Updates Wizard any more? Instead I see a new patch type called MBSA. What happened?

Q. I know Microsoft has just released a particular patch. Why don't I see it in the list of patches for approval in the Distribute Software Updates Wizard? (Updated August 31, 2004)

Q. What if the Distribute Software Updates Wizard asks me to download and install inventory tools even though I already have?

Q. I want to approve a newly released patch. Do I need to find a client computer that is missing that patch to populate the SMS inventory with all the patches? (Updated September 30, 2004)

Reporting

Q. I ran patch compliance report in SMS 2003 after I upgraded, and the numbers are very different from SMS 2.0. What happened?

Obtaining Updates

Q. How can I speed up the download of the catalog?

Q. How frequently is MSSecure.xml updated and when? (Updated January 21, 2004)

Q. How frequently is the Office Update Inventory Tool catalog updated and when? (Added October 29, 2004)

Q. How can I be sure the version of the MSSecure.xml file I have is the latest? (Updated June 30, 2004)

Q. What if I don't see a Software Updates node in the Resource Explorer for a particular client computer?What if I don't see a Software Updates node in the Resource Explorer for a particular client computer?

Q. There are often multiple patch binaries (for different versions, languages, or service pack levels) for a single issue. Do we need to authorize all of these, or can they be included in the same patch package?

Q. The SMS Software Update feature reports that my computer is fully patched, but when I run Windows Update, it shows some patches missing. What's wrong? (Updated February 27, 2004)

Troubleshooting

Q. How do I deploy a patch by using SMS if the patch can’t be detected by SMS and MBSA? (Updated July 30, 2004)

Q. Which log files are available for troubleshooting? (Updated September 30, 2004)

Table 2 displays the principal log files that are useful for troubleshooting issues with the SMS 2003 software update management tool. This table is more current than the table in Chapter 6, “Managing Software Updates,” in the Microsoft Systems Management Server 2003 Operations Guide.

Table 2 Log Files for Troubleshooting the Software Update Management Tools

Component	Log file	Location	Description
Security Update Sync Tool (SyncXml.exe)	SecuritySyncXml.log PatchDownloader.log	SMS Client Log folder \%temp%	Log file for the synchronization component; used for troubleshooting firewall and authentication issues.
Microsoft Office Inventory Sync Tool for Updates (SyncXml.exe)	OfficeSyncXml.log PatchDownloader.log	SMS Client Log folder \%temp%	Log file for the synchronization component; used for troubleshooting firewall and authentication issues.
Security Update Inventory Tool (Scanwrapper.exe)	Scanwrapper.log	SMS Client Log folder	Log file maintained by inventory component on SMS client computer.
Security Update Inventory Tool (Scanwrapper.exe)	Results.xml	%windir%\system32\VPCACHE\<PackageID> folder on the SMS client computer	File maintained by scan component on SMS client computer that includes output of MBSA scan, including reasons why MBSA scan detected an update as applicable.
Microsoft Office Inventory Tool for Updates (Scanwrapper.exe)	Scanwrapper.log	SMS Client Log folder	Log file maintained by inventory component on SMS client computer.
Individual Software Update log files	<qnumber>.log	%windir% folder on SMS client computer	Installation log maintained by software update installers. Contains information about actual software update installation.
Software Update Installation Agent (Patchinstall.exe)	PatchInstall.log	SMS 2003 (no service pack): System Temp folder of the SMS client computer SMS 2003 SP1: SMS Client Log folder	Package installation log file maintained by the Software Update Installation Agent on the SMS client computer.
User Notification	PatchUIMonitor.log	SMS Client Log folder	Log file contains information regarding the patch installation scheduling queue.
User Notification	SMSCliUI.log	SMS Client Log folder	Log file contains information about user interaction with the SMS Update icon in the System Tray.

For more information about software update logging, see Chapter 6, “Managing Software Updates,” in the Microsoft Systems Management Server 2003 Operations Guide.

Q. Is there a quick way to see if a particular patch has been authorized?

Q. How do I install or remove a hotfix, and where can I find command-line options for a patch installer?

Q. I have confirmed that my clients are scanning with the latest catalog. Why are my clients not detecting a patch, even though it is listed in the latest security catalog (mssecure.xml)? (Updated February 27, 2004)

Q. The DSUW automatically downloads English security updates. Why doesn’t it download the international security updates automatically? (Updated April 30, 2004)

For More Information

Did you find this information useful? Send your suggestions and comments about the FAQ to smsdocs@microsoft.com.

Top of page