Software Update Management

The SMS software update management feature allows administrators to audit, deploy, and track updates for various software applications throughout the organization. Specifically, the feature allows you to manage updates to software such as Microsoft operating systems, Office, Internet Explorer, Microsoft SQL Server™, and Exchange.

Software update management relies on software update catalogs published by Microsoft, which contain the up-to-date list of necessary software updates. Because Microsoft continues to release software updates, keeping all computers in an organization compliant with those updates is an ongoing administrative task. Ensuring that clients are up to date with security updates is an especially critical task.

By using the software update management feature in SMS 2003, you can automate and simplify deployment of software updates in your organization. Additionally, the synchronization component provides an easy way to create a standardized routine for ongoing software update compliance throughout your enterprise with minimal manual steps.

The software update management client components are slightly different on the Legacy Client and on the Advanced Client. Some features, such as persistent notification and scheduled installation, are available only on the Advanced Client.

The software update management feature consists of several components, some of which use primary features of SMS, such as hardware inventory, software distribution, and reporting. The components are:

  • Software update inventory tools

  • Distribute Software Updates Wizard

  • Software Updates Installation Agent

  • Reports

Those components are described in the following sections.

Software update inventory tools

Software update inventory tools scan the client computers in your organization and create a detailed inventory of the installed and applicable software updates. This helps to identify the clients in your organization that require software updates, such as security, operating system, and Microsoft Office updates. Software update inventory tools also ensure that only necessary software updates are deployed on clients.

The software update inventory tools are:

  • The Security Update Inventory Tool, which handles security software updates for software such as Microsoft operating systems, Internet Explorer, SQL Server, and Exchange.

  • The Microsoft Office Inventory Tool for Updates, which handles software updates for Microsoft Office.

Those tools are not dependent on each other. You can use either tool without using the other or use both. Software update inventory tools are not installed on SMS sites by default. Instead, you must download them from https://www.microsoft.com/smserver/downloads.

The inventory data provided by the Security Update Inventory Tool and the Microsoft Office Inventory Tool for Updates provides detailed information in a central location about the compliance level of your SMS clients. This information includes:

  • A list of currently installed updates and service packs.

  • Software updates that are available and applicable.

  • The date and time the update was posted.

  • The date and time the update was installed (if applicable).

Additionally, the software update inventory data includes a link to Microsoft Knowledge Base articles on the applicable updates. This allows you to access relevant information that helps you correctly evaluate the need for those updates in your organization.

Each of the software update inventory tools consists of an installer program to install the tool and two additional components:

Synchronization component: This component runs on an Internet-connected SMS site server or on an Internet-connected SMS client. It is responsible for keeping software update catalogs and software update inventory tools up to date. To accomplish this, the synchronization component monitors the Microsoft Download Center Web site at a specified interval. It synchronizes the site's copy of the security catalog or the office catalog with the latest catalogs posted by Microsoft. It updates the site's software update inventory tools scan components by downloading any new versions posted by Microsoft.

Scan component: This component runs on SMS clients. It scans client computers for installed software updates. It then evaluates the client's existing software updates against the latest catalogs to determine which updates are installed and which updates are applicable for the client. The scan component stores the results of this evaluation in WMI on the client. From that point on, the SMS hardware inventory feature processes this information as part of the client's hardware inventory data.

Software Updates Installation Agent

The Software Updates Installation Agent facilitates the deployment of software updates on clients, ensuring that only the necessary updates are installed. It compares the list of authorized and available software updates to the list of applicable software updates on the client. It then determines which updates need to be installed on the client to bring it into compliance.

The Software Updates Installation Agent consists of a few executable files, the main one being Patchinstall.exe. The Distribute Software Updates Wizard ensures that Patchinstall.exe is included in every software update package. Patchinstall.exe is specified as the program file for the software update program. When the advertised software update program runs on the client computer, Patchinstall.exe runs and starts the software update deployment.

When the Software Updates Installation Agent runs on the client, depending on the parameters specified for Patchinstall.exe, the agent can perform tasks such as:

  • Displaying dialog boxes that allow users to postpone the installation.

  • Installing the software updates.

  • Controlling the computer's restart behavior.

Distribute Software Updates Wizard

The Distribute Software Updates Wizard is installed on SMS site servers and on remote SMS Administrator consoles by default. The Distribute Software Updates Wizard provides an intuitive interface that simplifies the software update deployment process. By using the software update inventory data that is provided by the software update inventory tools, the Distribute Software Updates Wizard helps you create the software update packages, programs, and advertisements.

By using the wizard, you can evaluate applicable software updates, access additional information about those updates, and then select the software updates that clients need. You can prioritize the software updates, specify installation parameters, and customize branding for the software updates. You can specify the deployment schedule and other installation parameters such as whether to enforce the update deployment. By using the wizard, you can also attach an RTF file to software update programs. Those RTF files can contain important information for users, such as information about the software updates contained in the package and specific usage instructions.

The Distribute Software Updates Wizard helps you complete the process of updating client software, from downloading the updates source files to advertising the software update program to the appropriate clients. It specifically performs all the software distribution related tasks as follows:

  • Creates and manages software update SMS packages.

  • Downloads software update source files from the Internet to a specified local package source share.

  • Distributes software update source files to specified distribution points.

  • Creates software distribution programs for software update packages.

  • Creates advertisements for the software update programs.

Reports

SMS 2003 includes several predefined software update-related reports for tracking software update compliance throughout your organization. They display information such as applicable software updates and installation status for a specified software update.

How Software Update Management Works

Microsoft releases information about software updates in the form of catalogs and Web downloads. The security update catalog and the Microsoft Office update catalog are periodically updated as new software updates are released.

The software update management feature in SMS 2003 uses these catalogs as references to evaluate clients. Software update management performs a detailed inventory of the installed and applicable software updates on all of the SMS client computers in your enterprise. Software update inventory tools scan clients and determine what updates are needed to bring each client up to date; administrators then use the Distribute Software Updates Wizard to deploy the necessary updates.

Managing software updates consists of the following phases:

  1. Initiating the software update inventory cycle. The administrator starts this phase by downloading and running the installer program for one or both of the software update inventory tools on the site server. The installer program:

    1. Sets up the synchronization host.

    2. Creates the packages, collections, programs, and advertisements for installing the software update inventory tools' scanning components on the clients.

  2. Software update inventory tools scan the SMS clients and provide information about installed and applicable software updates.

  3. Administrators use the Distribute Software Updates Wizard to assess, authorize, and deploy software updates.

  4. The synchronization host periodically (weekly by default) updates the site's local catalogs and scan components.

Figure 3.4 describes in detail how the various components of the software update management feature are used to manage software updates.

Figure 3.4 Managing software updates process

Figure 3.4 illustrates the process of managing software updates. The detailed steps are as follows:

  1. Starting the software update inventory cycle:

    1. The SMS administrator downloads from the Microsoft downloads site the Security Update Inventory tool, the Microsoft Office Inventory Tool for Updates, or both.

    2. The administrator runs the respective installer program on the SMS site server.

    3. Each inventory tool installer program creates the necessary packages, collections, and advertisements for distributing the software update inventory tools' scan components to the site's clients.

    4. Each inventory tool installer program creates the necessary packages, collections, and advertisements for distributing the synchronization component to the designated synchronization host.

    5. SMS leverages the software distribution feature to distribute the software update inventory tools' scan components to the site's clients.

    6. The clients run the advertised program and install the software update inventory tools' scan components.

  2. The scan component of one or both software update inventory tools starts to run on SMS clients at the specified interval. The default interval is every seven days.

    Every time a scan component runs, it analyzes the current state of software updates on the client and generates a list of software updates that are installed and software updates that are applicable to the client. The scan component then stores that information in the Win32_PatchState property in WMI.

    This information is now treated as hardware inventory data. It is collected during the next hardware inventory cycle and propagates up the hierarchy along with the rest of the hardware inventory data.

    The time it takes for the information to reach the site server depends on the scan component configuration, hardware inventory agent schedule settings, and site server load.

  3. The SMS administrator runs the Distribute Software Updates Wizard to view, evaluate, and authorize applicable software updates. The information that the wizard displays is based on the software update inventory data that was collected during the scanning phase.

    Important: The Distribute Software Updates Wizard will not display information until the hardware inventory cycle has fully completed and the hardware inventory data is stored in the SMS site database.

  4. The Distribute Software Updates Wizard downloads from the Microsoft downloads site the source files for the specified software updates.

  5. The Distribute Software Updates Wizard stores software update source files on a specified package source share.

  6. The Distribute Software Updates Wizard creates or updates the necessary packages, programs, and advertisements for distributing the software updates to SMS clients. To every package that the wizard creates or updates, it appends the necessary Software Updates Installation Agent components and the necessary program to initiate that component.

  7. The Distribute Software Updates Wizard copies the required source files from the package source share to the specified distribution points.

  8. SMS leverages software distribution to advertise the software updates programs to clients.

  9. The advertised programs run on the clients. The Software Updates Installation Agent runs and deploys the software updates. The agent runs the scan component to ensure that only the required software updates are deployed.

  10. The synchronization component synchronizes the software update inventory tools' scan components and software update catalogs:

    1. Periodically (weekly by default), the synchronization component checks the Microsoft Download Center Web site for updates to the software update inventory tools' scan components and software update catalogs. The synchronization component downloads any new updates.

    2. The synchronization host updates the local copy of software update catalogs.

    3. The synchronization host updates the packages, programs, and advertisements that are associated with the software update inventory tools' scan components.

    4. SMS leverages the software distribution feature to advertise to clients the programs that update software update inventory tools' scan components.

    5. Clients run the advertised programs and update their software update inventory tools' scan components.

Benefits of Software Update Management

The software update management feature provides an end-to-end solution for centralized software update management. Assessing and maintaining the integrity of system software in a networked environment through a well-defined software update management program is critical for successful information security, regardless of existing controls over physical access to a system.

The software update management feature gives you full control over the software updates distribution process, allowing you to successfully complete administrative tasks such as:

  • Deploying mandatory software updates without user interface.

  • Defining multiple scopes for the same package, where the same package is distributed with different runtime parameters to multiple collections.

  • Applying updates within specified beginning and end times on the Advanced Client.

  • Using software update templates that are imported from reference computers to expedite the deployment of critical software updates.

The predefined software update reports provide you with an easy way to access the status of software update deployment throughout your enterprise. You can use these reports to view the global compliance level for each authorized patch and reported potential security problem. This is particularly useful in tracking the status of critical software updates, such as those protecting against the actions of a harmful virus. These reports also make it possible for you to create collections of computers to which specific software updates should be applied or to delete collections for which software updates are no longer necessary. By using the dashboard feature in SMS 2003, you can build dashboards that provide a complete view of software updates compliance throughout the organization.

The predefined collections, packages, and advertisements that are created by software update inventory tools are designed to simplify the workflow for your software update deployment. This provides you with an easy way to distribute the software updates to a test collection before deploying them in a production environment.

By carefully planning your software update strategy, you can create and maintain software update packages and distribute them based on any criterion. For example, you can create a package with stringent enforcement rules that contains only critical updates, another that contains recommended updates and has moderate enforcement rules, and a third with lenient enforcement rules that contains optional updates. You can also create packages that contain only updates for specific operating systems or versions, such as Windows NT® 4.0 and Windows 2000, to simplify migration scenarios.

You can use the software update inventory data to perform specific queries, such as querying for clients that have properties that meet criteria in the vulnerability matrix for a given software update. This data can be useful in determining whether the patch should be deployed and who might be affected; for example, how many computers are running Internet Information Services (IIS) but are not actually hosting line-of-business Web sites.
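The following is an added sketch, not part of SMS or of this documentation, of how inventory data like that described above yields both the per-client install list (authorized updates that are still applicable) and a per-update compliance count. The record layout, field names, sample data, and the two-scan-interval staleness threshold are all assumptions made for illustration; clients whose last scan is too old are counted as unknown rather than compliant.

```python
from datetime import datetime, timedelta

# Constructed sample inventory: one record per (client, update) as a scan
# component might report it. Field names are hypothetical, not the SMS schema.
SCAN_INTERVAL = timedelta(days=7)   # default scan interval stated on the page
NOW = datetime(2004, 3, 15)         # constructed "current" time for the sample

INVENTORY = [
    # client, update id, status, time of the scan that produced the record
    ("WS-001", "UPD-A", "installed",  datetime(2004, 3, 12)),
    ("WS-001", "UPD-B", "applicable", datetime(2004, 3, 12)),
    ("WS-002", "UPD-A", "applicable", datetime(2004, 3, 13)),
    ("WS-002", "UPD-B", "applicable", datetime(2004, 3, 13)),
    ("WS-003", "UPD-A", "installed",  datetime(2004, 2, 20)),  # stale scan
    ("WS-003", "UPD-C", "applicable", datetime(2004, 2, 20)),
]
AUTHORIZED = {"UPD-A", "UPD-B"}     # updates the administrator approved


def stale_clients(inventory, now, max_age=2 * SCAN_INTERVAL):
    """Clients whose newest scan is older than max_age (assumed threshold)."""
    newest = {}
    for client, _, _, scanned in inventory:
        newest[client] = max(newest.get(client, scanned), scanned)
    return {c for c, t in newest.items() if now - t > max_age}


def pending_installs(inventory, authorized):
    """Per client: updates that are both authorized and still applicable."""
    pending = {}
    for client, update, status, _ in inventory:
        pending.setdefault(client, set())
        if status == "applicable" and update in authorized:
            pending[client].add(update)
    return pending


def compliance(inventory, authorized, now):
    """Per authorized update: installed / applicable / unknown client counts.

    A client with a stale scan counts as unknown rather than compliant.
    """
    stale = stale_clients(inventory, now)
    report = {u: {"installed": 0, "applicable": 0, "unknown": 0}
              for u in sorted(authorized)}
    for client, update, status, _ in inventory:
        if update in report:
            report[update]["unknown" if client in stale else status] += 1
    return report
```

Counting stale clients separately keeps a computer that has stopped reporting from inflating the compliance figure for an update it last reported as installed.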
