Enterprise Software Update Management using Systems Management Server 2.0 Software Update Services Feature Pack

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.


On This Page

Introduction
Understanding Security Update Management
Architecture of the Feature Pack Tools
Minimum SMS Configuration
Update Management Scenarios
Feature Pack Tools Features
Checklists for Using the Feature Pack Tools
Performance Considerations
Information Resources
Appendix: Recommended Feature Pack Update Settings

Introduction

This document provides you with an introduction to the software update management capabilities offered by the tools included in the Systems Management Server 2.0 Software Update Services Feature Pack (Feature Pack). It is not intended to be a comprehensive guide for software update management, but it does provide you with useful information about the following topics, in addition to references to other information resources.

This guide helps you understand:

  • How security updates affect your enterprise and what resources you can use to learn how to assess risk and evaluate updates.

  • How the Feature Pack tools work together to create a flexible software-update auditing, distribution, tracking, and management solution.

  • Minimum configuration requirements you must have to set up a Microsoft Systems Management Server (SMS) test site you can use while you are becoming familiar with the Feature Pack tools.

  • How the Feature Pack and SMS core features work together.

It also provides:

  • Checklists to help you quickly configure and evaluate the Feature Pack tools.

  • Information about performance issues to be aware of when implementing these tools in your enterprise.

Understanding Security Update Management

A software update, often referred to as a patch or hotfix, is an update that typically occurs between service packs. A service pack is a periodic update that corrects problems in a particular version of a product. Although a service pack is tested and its release is planned over a longer period of time, software updates are usually created and released expeditiously, in reaction to a specific issue.

Most software updates are created to correct security vulnerabilities and are called security updates. You install security updates to protect the computers and information in your enterprise from security risks associated with specific products running on your computers.

It is imperative that you keep the systems in your enterprise current on service packs to defend against known vulnerabilities. However, in the interval between service packs, the most important thing you can do to maintain a secure system is to make sure that the computers in your enterprise are running the most current security updates.

Note: Although security issues are of paramount importance, be aware that software updates can also address non-security issues, such as stability or performance. For example, Microsoft Office updates often address non-security issues in Office applications.

Challenges in Managing Security Updates

The main challenge in managing security updates is determining which of the many available updates are appropriate to the needs and vulnerabilities of your enterprise.

  • Some updates are critical and require immediate action to protect your environment. For example, updates that address risks from newly discovered exploits, viruses, and worms are considered critical updates.

  • Some updates can be useful, can increase performance or stability, or can make the end-user experience better, but they might not be considered critical to the safety of your enterprise.

  • Other updates might not be necessary to your enterprise and can be ignored.

  • Some updates could create problems (for example, break other line-of-business applications) for your enterprise if you used them.

To keep your enterprise secure, you must establish processes for:

  • Receiving information about the latest software updates and vulnerabilities.

  • Auditing your enterprise for applicable software updates.

  • Assessing and authorizing available software updates.

  • Deploying authorized software updates within your enterprise in a timely, accurate, and efficient manner.

  • Tracking update deployment across your enterprise.

Processes and Guidelines

To learn how to determine which updates are critical, useful, irrelevant, or harmful to your enterprise and to create a software update management process for your enterprise, you can do several things:

  1. Be familiar with the current state of the resources in your enterprise.

    This includes knowing:

    • The computers in your enterprise.

    • Operating systems and versions functioning on the computers.

    • Software updates in use on your computers (service pack versions, software updates, and other modifications).

    • The function each computer performs in your enterprise.

    • The applications and programs running on each computer.

    • Ownership and contact information.

    • The assets present in your environment and their relative value, to determine which areas need the most protection.

    • Known vulnerabilities and the processes your enterprise has for identifying new vulnerabilities or changes in vulnerability level.

    • Countermeasures that have been deployed to secure your environment.

    This information should be updated regularly and should be readily available to those involved in your update management process.

  2. Read the following white papers for information and guidelines for establishing a software update management process for your enterprise by using SMS and the Feature Pack tools.

    Table 1 Software Update Management White Papers

    Title: The Microsoft Solutions for Management SMS Architecture Guide

    Description: Provides architectural guidance for deploying software updates, service packs, and QFE fixes by using SMS and the Feature Pack tools. For more information about where to find this document, see the Information Resources section later in this document.

    Title: The Microsoft Solutions for Management Operational Procedures for Patch Management with SMS

    Description: Provides conceptual information, best practices, and detailed procedures related to the process of distributing and managing software updates by using SMS, including essential maintenance tasks and team role responsibilities. For more information about where to find this document, see the Information Resources section later in this document.

    Title: The Microsoft Solutions for Management Software Distribution for Patch Management (SMS)

    Description: This white paper includes information about:

    • Establishing baselines for software update management processes.

    • Creating subscriptions to software update notifications.

    • Creating a change initiation process for software update management.

    • Determining the relevance of software updates and deploying the updates in your enterprise.

    • How the Feature Pack tools can be used to streamline your deployment process.

    For more information about where to find this document, see the Information Resources section later in this document.

  3. Be informed about the latest security developments and technology.

    You can stay informed by reading white papers, monitoring Web sites, and joining newsgroups to get the latest information. The Information Resources section later in this document lists several Web sites and white papers that can assist you with gathering information.

    When you know your assets, are aware of vulnerabilities, threats, and how your environment is configured, and when you have access to the latest security information, you can determine which security issues are relevant to your enterprise, and then you can assess which software updates are relevant to your needs.

  4. Use SMS software distribution features and the Feature Pack tools to streamline and automate some of the functions associated with security update inventory, deployment and management tasks, such as:

    • Conducting an audit of applicable and installed security updates for all the computers in your enterprise.

    • Authorizing and deploying the updates to the appropriate computers.

    • Tracking the inventory and update installation status and progress for all the computers in your enterprise.

Caution: The Feature Pack tools help simplify the process of determining which updates are appropriate to your situation, because they report only the security and Office updates that are specifically applicable to your computers. However, always evaluate and test any update that you deploy, regardless of its source, in a representative test environment before you deploy it, to make sure that its installation causes no damage.

Architecture of the Feature Pack Tools

This section describes the Feature Pack tools, how they work with existing SMS software distribution features, and the processes they use to provide you with better software update management solutions.

Systems Management Server

Systems Management Server provides the following critical functions that facilitate deploying, distributing, and managing software updates in your enterprise:

  • Inventory capabilities that allow you to determine how many computers have been deployed, their location and role in your enterprise, and the software applications and associated updates that have been installed.

  • Scheduling capabilities that provide you with the ability to schedule the deployment of updates during times that have the least effect on your business operations, such as outside regular working hours.

  • Status reporting capabilities that allow you to monitor the progress of update installation throughout your enterprise.

  • Targeting capabilities, based on system inventory, that allow you to use an individual computer's position in the Active Directory directory service, or manually created computer collections, to target specific computers or sets of computers with specific updates.

  • Enterprise replication capabilities that allow you to move files around the network easily and effectively.

  • Support for popular operating systems such as Microsoft Windows NT 4.0, Microsoft Windows 2000, and Microsoft Windows XP.

For additional information about SMS, see https://www.microsoft.com/smserver/

The Feature Pack Tools

The Feature Pack provides a set of five software update management tools, described in the following table. These tools integrate their functionality with the SMS software distribution features described earlier to offer a simplified, largely automated solution for the deployment of security and Office software updates.

Table 2 Feature Pack Inventory, Software Update Distribution, and Reporting Tools

Feature Pack tool

Description

Security Update Inventory Installer (SecurityPatch_ENU.exe)

This tool is used to create an inventory of applicable and installed security updates for your client computers, and it consists of three main components:

  • Security Update Inventory Installer: This component runs on the SMS site server and automatically builds the package, collection, and advertisement needed to deploy the other tool components within your SMS system.

  • Security Update Inventory Tool: This component uses the existing technology of the Microsoft Baseline Security Analyzer (MBSA), in addition to the Security Patch Bulletin Catalog (MSSecure.xml) and the Microsoft XML parser (MSXML), to carry out automated, ongoing scans of client computers for installed or applicable security updates. It then converts the data gathered by those tools into SMS inventory data.

  • Security Update Sync tool: This component is deployed by the Installer and runs on a single computer that has an Internet connection. It periodically checks the Microsoft Download Center for the latest security update bulletin catalog and inventory tool. It then uses SMS distribution points within your SMS infrastructure to send the latest versions of these items to client computers.

Office Update Inventory Tool (OfficePatch_i386.exe)

This tool is used to create an inventory of applicable and installed Office updates for your client computers, and it consists of three main components:

  • Office Update Inventory Installer: This component runs on the SMS site server and automatically builds the package, collection, and advertisement needed to deploy the other tool components within your SMS system.

  • Office Update Inventory Tool: This component uses the existing technology of the Microsoft Network Office Update Tool (Invcm.exe), the Office Update Database (Invcif.exe), and the Microsoft XML parser (MSXML) to carry out automated, ongoing scans of client computers for installed or applicable Office updates. It then converts the data gathered by those tools into SMS inventory data.

  • Office Update Sync tool: This component is deployed by the Installer and runs on a single computer that has an Internet connection. It periodically checks the Microsoft Download Center for the latest Office Update Inventory Tool and Office Update Inventory Database. It then uses SMS distribution points within your SMS infrastructure to send the latest versions of these items to client computers.

Distribute Software Updates Wizard Installer (PatchWiz_i386.exe)

This tool is used to perform software update distribution tasks and consists of three main components:

  • Distribute Software Updates Wizard Installer: This component runs on the SMS site server and installs the Distribute Software Updates Wizard component.

  • Distribute Software Updates Wizard: This component performs the following software update distribution tasks from the SMS site server:

    • Uses inventory information to analyze applicable update status for the clients in your enterprise

    • Provides you with a method of reviewing and authorizing suggested updates

    • Downloads authorized updates and installation information

    • Builds packages and advertisements tailored to each update or set of updates

    • Distributes the update advertisements to client computers in your enterprise by using SMS software distribution features

    • Deploys the Software Updates Installation Agent, described below, to client computers.

  • Software Updates Installation Agent: This component is used to evaluate advertised software updates against missing and previously installed updates on your client computers.

    It facilitates the installation process for necessary updates and prevents the installation of redundant or unnecessary updates, reducing system overhead.

    The Distribute Software Updates Wizard deploys this tool to client computers in the following manner:

    When the Wizard creates or updates a package containing software updates, it includes an SMS program within the package that is specified to run the Installation Agent on the client computers where the package has been advertised.

Web Reports Add-In for Software Updates (SMSWebReporting_i386.exe and SMSAddReports_i386.exe)

The Web Reports Add-In for Software Updates extends the SMS Web Reporting Tool with a set of reports built from the information gathered by the software update inventory tools.

These reports allow you to track the status of software updates for:

  • Individual updates

  • Individual computers

  • Groups of updates or computers

  • All updates or all computers in your enterprise.

In addition to the preconfigured reports available from the Web Reports Add-In, you can also create custom inventory reports by using SQL Server views and the inventory schema.

The Process

The Feature Pack tools:

  • Conduct recurring audits of the computers in your enterprise for installed and applicable security and Office updates by using the latest software update inventory tools and the latest software update database available from Microsoft.

  • Allow you to review and authorize updates for distribution.

  • Locate and download the updates and associated installation information from the Web.

  • Advertise, distribute and install authorized updates.

  • Track the status of the update distribution and installation progress for all the computers in your enterprise.

The Feature Pack tools use the following process to complete these tasks:

  1. The Software Update Inventory Installer (the Installer), which you install on the SMS site server, uses SMS software distribution features to deploy the Software Update Inventory tool (the Scan tool) and the Software Update Sync tool (the Sync tool) to the appropriate client computers in your enterprise.

    • The Sync tool automatically downloads the latest inventory tools and the latest database or catalog of software updates on a regular basis and distributes them to the computers in your enterprise by using SMS distribution points. This ensures that the latest software updates are available to your enterprise.

    • The Scan tool, when it is deployed to client computers by the Installer, uses the inventory tools and software update database provided by the Sync tool to collect software update inventory data from your client computers. It then converts that data into a format that is compatible with the SMS site database and forwards the information to the SMS site database during regularly scheduled hardware inventory cycles.

  2. SMS and the Feature Pack tools use the converted inventory data to determine which of the available software updates are installed and which are missing from your client computers.

  3. The Distribute Software Updates Wizard, which you install on the SMS site server, uses the inventory information to compile groups of related software updates. It provides you with the opportunity to:

    • Review and authorize the updates for installation.

    • Download authorized updates and installation information.

    • Specify how the updates will be installed on the client computers (this includes configuring the Software Update Installation Agent settings, such as installation grace period configuration and post-installation restart behavior).

    • Create SMS packages, programs, and advertisements to distribute the updates to your client computers on a schedule by using SMS distribution points.

    The Wizard also deploys the Software Update Installation Agent to the clients through a program included with the update advertisement package.

  4. The client computers use the program created by the Distribute Software Updates Wizard to install the Software Updates Installation Agent. The Installation Agent evaluates the advertisements created by the Distribute Software Updates Wizard and facilitates the installation of the authorized software updates.

  5. Inventory and software update status information is forwarded to the SMS site database on a regular cycle, following any changes.

  6. The Web Reports Add-In for Software Updates uses the inventory and status information to create Web reports that you can use to track the progress of update inventory, distribution, and installation in your enterprise. You can view these reports through the SMS Web Reports Viewer in your browser.
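
The audit and reporting steps above (2, 5 and 6) reduce to one comparison: the catalog of published updates against each client's inventory, yielding the applicable, installed and missing updates for that client, then rolled up per bulletin across the site. The following Python model is an added example written for this page, not the Feature Pack's code: the catalog XML, bulletin and KB identifiers, product names and client inventories are all constructed for the example, and the element names (Catalog, Bulletin, Patch, supersedes) are an assumption that does not follow the real MSSecure.xml schema. It also handles two cases the text mentions only in passing: a patch that applies to one service-pack level only, and a superseded patch that the Installation Agent should skip as redundant.

```python
"""Added example: model of the Feature Pack audit step (catalog vs. client inventory).
The XML below is a constructed, simplified catalog; its element and attribute
names are an assumption for this example and are NOT the MSSecure.xml schema."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

CATALOG_XML = """<?xml version="1.0"?>
<Catalog>
  <Bulletin id="MS-EX-001" severity="Critical">
    <Patch kb="Q100001" product="Windows 2000" sp="2"/>
    <Patch kb="Q100002" product="Windows XP" sp="1"/>
  </Bulletin>
  <Bulletin id="MS-EX-002" severity="Important">
    <!-- a later fix for the same binary replaces Q100001 -->
    <Patch kb="Q100003" product="Windows 2000" sp="2" supersedes="Q100001"/>
  </Bulletin>
  <Bulletin id="MS-EX-003" severity="Moderate">
    <Patch kb="Q100004" product="Windows 2000" sp="3"/>
  </Bulletin>
</Catalog>
"""


@dataclass(frozen=True)
class Patch:
    bulletin: str
    severity: str
    kb: str
    product: str
    service_pack: int
    supersedes: tuple  # KB numbers this patch replaces


@dataclass(frozen=True)
class ClientInventory:
    name: str
    product: str
    service_pack: int
    installed_kbs: frozenset  # what the Scan tool found on the client


# Constructed client inventory, in the shape the Scan tool would report.
CLIENTS = (
    ClientInventory("WKS01", "Windows 2000", 2, frozenset({"Q100001"})),
    ClientInventory("WKS02", "Windows 2000", 2, frozenset({"Q100003"})),
    ClientInventory("WKS03", "Windows 2000", 2, frozenset()),
    ClientInventory("SRV01", "Windows 2000", 3, frozenset()),
    ClientInventory("XP01", "Windows XP", 1, frozenset({"Q100002"})),
)


def parse_catalog(xml_text):
    """Flatten the catalog into one Patch per (bulletin, product, SP) entry."""
    patches = []
    for bulletin in ET.fromstring(xml_text).findall("Bulletin"):
        for p in bulletin.findall("Patch"):
            supersedes = tuple(kb for kb in p.get("supersedes", "").split(",") if kb)
            patches.append(Patch(bulletin.get("id"), bulletin.get("severity"),
                                 p.get("kb"), p.get("product"),
                                 int(p.get("sp")), supersedes))
    return patches


def audit_client(patches, client):
    """Return the KBs that are applicable, installed and missing for one client.

    A patch is applicable when product and service-pack level match exactly;
    a later service pack does not carry patches built for an earlier level.
    A patch counts as installed if it, or anything that supersedes it, is on
    the box. A missing patch that a newer applicable patch supersedes is not
    reported as missing: only the newest patch should be deployed.
    """
    by_kb = {p.kb: p for p in patches}
    applicable = [p for p in patches
                  if p.product == client.product
                  and p.service_pack == client.service_pack]
    # Transitive closure of everything the installed KBs cover.
    covered, stack = set(client.installed_kbs), list(client.installed_kbs)
    while stack:
        p = by_kb.get(stack.pop())
        if p is None:          # KB unknown to the catalog: nothing to infer
            continue
        for old in p.supersedes:
            if old not in covered:
                covered.add(old)
                stack.append(old)
    replaced = {old for p in applicable for old in p.supersedes}
    return {
        "applicable": sorted(p.kb for p in applicable),
        "installed": sorted(p.kb for p in applicable if p.kb in covered),
        "missing": sorted(p.kb for p in applicable
                          if p.kb not in covered and p.kb not in replaced),
    }


def site_summary(patches, clients):
    """Per-bulletin list of clients still missing one of its patches: the
    shape of the per-update status report the Web Reports Add-In provides."""
    bulletin_of = {p.kb: p.bulletin for p in patches}
    summary = {}
    for client in clients:
        for kb in audit_client(patches, client)["missing"]:
            summary.setdefault(bulletin_of[kb], []).append(client.name)
    return {b: sorted(names) for b, names in sorted(summary.items())}


if __name__ == "__main__":
    catalog = parse_catalog(CATALOG_XML)
    for client in CLIENTS:
        print(client.name, audit_client(catalog, client))
    print(site_summary(catalog, CLIENTS))
```

Run the file to print each client's audit and the site-wide summary. The supersedence closure is what keeps the report honest: a client that already has the replacement patch is not flagged for the older one, and a client that has neither is told to install only the newest, which is the redundancy check the Installation Agent performs on the client side.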

The Underlying Technology

The Feature Pack tools use the following existing technology to provide you with a better software update management solution:

  • Security Patch Bulletin Catalog (MSSecure.XML) This is the security updates database that the Microsoft Baseline Security Analyzer (MBSA) and the Security Update Inventory Tool use to determine which security updates are installed on your computers and which are applicable. The Security Update Sync tool automatically downloads the latest version of this database on a regular basis and distributes it to the computers in your enterprise by using SMS distribution points.

    • For more information about MSSecure.XML, go to https://www.microsoft.com.

    • If you do not have a computer with Internet access that you can use to download MSSecure.XML automatically by using the Security Update Sync tool, you can download the catalog manually from the Microsoft Download Center. Because the catalog determines which updates are reported as missing, and therefore which are deployed, obtain it only from Microsoft and stage it on your distribution points through the same controlled process you use for the update packages themselves.

  • Microsoft Baseline Security Analyzer (MBSA) MBSA runs on Windows 2000 and Windows XP systems and scans for applicable hotfixes and vulnerabilities in the following products: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and IIS 5.0, SQL Server 7.0 and SQL Server 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and Office 2002. It uses a version of the Microsoft Network Security Hotfix Checker (HFNetChk) to scan for applicable hotfixes and service packs for Windows operating systems, IIS, and SQL Server. It then creates and stores individual XML security reports for each computer scanned and can display the reports in the graphical user interface in HTML format. The Security Update Sync tool automatically downloads the latest version of this tool on a regular basis and distributes it to the computers in your enterprise by using SMS distribution points.

    For more information about the Microsoft Baseline Security Analyzer, see https://www.microsoft.com.

  • Microsoft Office Update Tool (Invcm.exe) The Office Update Inventory Tool uses the Office Update Tool in conjunction with the Office Update Database (Invcif.exe) to analyze your client computers for applicable Office updates. The data gathered by the Office Update Tool is then converted into a format compatible with the SMS site database. The Office Update Sync tool automatically downloads the latest version of this tool on a regular basis and distributes it to the computers in your enterprise by using SMS distribution points.

  • Microsoft Office Update Database (Invcif.exe) This is the database of software updates that the Microsoft Office Update Tool and the Office Update Inventory Tool use to determine which office updates are installed on your computers and which are applicable. The Office Update Sync tool automatically downloads the latest version of this database on a regular basis and distributes it to the computers in your enterprise by using SMS distribution points.

  • MSXML Many of the tools require an XML parser (MSXML version 3.0 Service Pack 2) to function correctly. For the tools that require it, MSXML 3.0 SP2 can be installed during tool setup, or you can download and install the standalone Microsoft XML parser from the following location:

    https://msdn2.microsoft.com/downloads/default.aspx

Minimum Feature Pack Configurations

This section describes the minimum system and setting configurations necessary to use the Feature Pack tools.

The Feature Pack tools require SMS 2.0 (SP3 supported, SP4 recommended) or later.

Table 3 Minimum Systems and Settings Required for Feature Pack Tools

Feature Pack tool | Component | Microsoft SQL Server | Internet Explorer | Operating system | Configuration | Dependencies
Security Update Inventory tool | Setup | SQL Server 7.0 or later | N/A | Windows NT 4.0 SP6a or later | SMS primary site server | MSXML 3.0
Security Update Inventory tool | Sync tool | N/A | N/A | Windows NT 4.0 SP6a or later | SMS client | N/A
Security Update Inventory tool | Scan tool | N/A | IE 5.0 or later | Windows NT 4.0 SP5 or later | SMS client | MSXML 3.0
Security Update Inventory tool | Secure cache | N/A | IE 5.0 or later | Windows NT 4.0 SP5 or later | Program dependency scenario | NTFS (partition)
Office Update Inventory tool | Setup | SQL Server 7.0 or later | N/A | Windows NT 4.0 SP6a or later | SMS primary site server | MSXML 3.0
Office Update Inventory tool | Sync tool | N/A | N/A | Windows NT 4.0 SP6a or later | SMS client | N/A
Office Update Inventory tool | Scan tool | N/A | IE 5.0 or later | Windows NT 4.0 SP5 or later | SMS client | MSXML 3.0
Office Update Inventory tool | Secure cache | N/A | IE 5.0 or later | Windows NT 4.0 SP5 or later | Program dependency scenario | NTFS (partition)
Distribute Software Updates Wizard | Setup | N/A | N/A | Windows NT 4.0 SP6a or later | SMS Administrator Console | MSXML 3.0
Software Updates Installation Agent | Notifications (balloons) | N/A | IE 5.0 or later | Windows 2000 or later | SMS client | N/A
Software Updates Installation Agent | Dialog boxes | N/A | IE 5.0 or later | Windows NT 4.0 SP6a or later | SMS client | MSXML 3.0
Software Updates Installation Agent | Secure cache | N/A | IE 5.0 or later | Windows NT 4.0 SP6a or later | Program dependency scenario | NTFS (partition)
Web Reporting tool | Setup | SQL Server 7.0 or later | IE 5.0 or later | Windows NT 4.0 SP6a or later | IIS 4.0 | SQL Server mixed-mode security
Web Reporting Add-in Pack | Setup | SQL Server 7.0 or later | IE 5.0 or later | Windows NT 4.0 SP6a or later | IIS 4.0 | SQL Server mixed-mode security
Web Reports | Browser client | N/A | IE 5.0 or later | Windows NT 4.0 SP6a or later | N/A | MSXML 1.0

Avoiding Problems Caused by FAT-Formatted Systems

When you choose a file system format, be aware that the FAT (file allocation table) file system has no file-level access control and is therefore inherently not secure. A software update solution that runs on FAT volumes cannot match the level of protection available on an NTFS volume. For example:

  • Clients running NTFS can safely run the inventory scan from a secure local cache (controlled by the Scan tool /cache parameter), because the cache directory can be restricted with NTFS permissions.

  • If an SMS client runs on a computer whose system partition is formatted as FAT, the Feature Pack software update management tools still use a local cache to run the inventory scan (under the /cache parameter), in the same way an NTFS system would, for performance reasons.

However, on a FAT system that cache cannot be protected: any local user can read or replace the inventory tools and catalog it holds. The cache will not become secure until the system partition has been converted to NTFS, after which it is automatically secured to system administrators only.

It is recommended that you convert clients running FAT to NTFS as soon as possible if the computer can support it (common reasons for keeping FAT include dual-booting to Windows 98, or to another operating system that requires a FAT-formatted system partition).

To learn how to convert a system from FAT to NTFS, refer to the help available by typing convert /? from the command prompt.

Minimum SMS Configuration

This section describes the systems and settings necessary to create a minimum configuration of an SMS system to use while testing or evaluating the Feature Pack tools.

Table 4 SMS Minimum Configuration Sites and Settings

SMS sites and settings

Configuration

An SMS primary site

The primary site should be running SMS version 2.0 (SP3 supported, SP4 recommended) or later.

For more information about configuring an SMS primary site, see the SMS product documentation.

At least one SMS client

The client can be installed on the site server itself, or on a separate workstation.

One client is sufficient for minimum test purposes. However, if you want to have a representative sample of how the tools will work with all of the systems used in your enterprise, it is recommended that you have at least one client for each representative configuration in your environment.

For example, if you have computers running Windows 2000 SP2 and Windows NT 4.0 SP6a, you should have a client computer for each of those operating systems in your test configuration.

If you do not currently use a certain operating system (for example, Windows XP) in your enterprise, but plan to use it in the future, it is recommended that you add a computer running that system to your test configuration. This allows you to become familiar with how the Feature Pack tools and software updates work with the system before you deploy it in your enterprise.

Setting up this type of extended client test configuration allows you to become familiar with software update management in many different ways. By using more than one system, you will be able to:

  • Review the specific software updates that Microsoft has published for those platforms.

  • Start to get familiar with update management practices for each system.

  • Learn how the updates work with different operating systems, in a controlled environment.

  • Learn how to find information about specific updates for specific platforms when you need it.

For more information about configuring SMS client computers, see the SMS product documentation.

Hardware Inventory Settings

The SMS hardware inventory feature is used with the Feature Pack software update inventory tools to create an SMS-compatible inventory of installed and applicable software updates on your client computers.

By default, the hardware inventory function is disabled on the SMS primary site to reduce system overhead. To set up your test system, you must enable the hardware inventory function and configure the inventory frequency.

The default frequency for SMS hardware inventory is an interval of seven days. However, for test purposes, to speed the process of becoming familiar with the Feature Pack tools, you can increase the frequency of the inventory, perhaps running it daily, or even every few hours.

Note: The above hardware inventory setting suggestions are for test purposes only. The actual frequency with which you run the hardware inventory in a full-scale deployment of the tools will depend on the needs of your enterprise and performance considerations associated with the generation of additional hardware inventory data.

For more information about configuring the Hardware Inventory settings, see the SMS product documentation.

For more information about specific performance issues associated with these tools, see the Performance Considerations section of this document.

Software Distribution Settings

The SMS software distribution features are used with the Feature Pack tools to distribute software updates to your client computers.

Some of the software distribution settings for the SMS product might conflict with those of the Feature Pack tools and could cause confusion. To prevent this possibility, configure the following settings on the SMS primary site:

  • Turn off the site-wide countdown for assigned programs. Both SMS and the Feature Pack tools have countdown features for assigned programs. To prevent duplicate countdowns, disable this feature on the SMS primary site; the countdown features provided by the Feature Pack can be changed or eliminated as needed.

  • Turn off the notification for software distribution activity. As with the countdown feature, both SMS and the Feature Pack tools contain a notification feature that tells you when software distribution activity is occurring. To prevent confusion caused by duplicate notifications, you can choose to disable this feature on the SMS primary site.

  • Modify the Advertised Programs Manager (APM) polling interval. By default, the Advertised Programs Manager on a client computer checks for new software distribution activity every hour. For test purposes, to avoid unnecessary delays, you can shorten the polling interval to five or ten minutes.

Note: In a test environment, a short polling interval causes few system resource usage problems. However, when deploying the tools to a larger system, the polling interval should be increased, for example, to a four-hour interval to prevent performance problems.

For more information about configuring the SMS software distribution settings, see the SMS product documentation.

For more information about specific performance issues associated with these tools, see the Performance Considerations section of this document.

Post-evaluation settings

The settings and configurations suggested in Table 4 help you become familiar with the Feature Pack tools and how they work with your SMS system on a small-scale, in a test environment.

However, when you deploy these tools on a larger scale, you should be aware that these settings and configurations must change, or performance issues could result. The reason for this is that as the scale of Feature Pack tool deployment increases, so do the demands on your system.

Hardware inventory size, network usage, CPU usage, and disk capacity requirements all increase with increasing deployment scale, and the settings you configure for SMS and the tools influence the impact of the processes on your system. For example, if you were to increase the advertisement schedule for software updates from a weekly to a daily interval, the system overhead caused by that activity would increase from approximately 5% to 15% overall.

For larger scale deployment, the following SMS settings are suggested for use with the Feature Pack tools:

  • The SMS Hardware Inventory cycle should be scheduled to a weekly frequency.

  • The SMS software distribution settings should be configured as follows, by using the SMS Administrator console:

    • Turn off the site-wide countdown for assigned programs.

    • Turn off the notification for software distribution activity.

    As mentioned in Table 4, both SMS and the Feature Pack tools have countdown and notification features for assigned programs. To prevent duplicate countdowns and notifications, disable these features on the SMS primary site. The countdown and notification features provided by the Feature Pack can be changed or eliminated as needed.

Note: There may be other, non-Feature Pack software distribution practices occurring in your enterprise that use the SMS countdown and notification features, which need to be reviewed before you make changes to these settings. That review should take into account the countdown and notification features provided by the Feature Pack set of tools.

Update Management Scenarios

The key scenarios for software update management with the Feature Pack tools are:

  • Auditing your enterprise to determine which software updates are missing from your client computers.

  • Authorizing software updates to ensure that only the software updates appropriate to your enterprise are distributed to the client computers in your enterprise.

  • Tracking inventory and installation progress to determine whether your software update management practices are efficient and successful.

Auditing Your Enterprise

To determine which security updates are installed on or applicable to your client computers, use the Feature Pack Security Update Inventory Tool to conduct an enterprise-wide audit for all the known security updates for Windows NT 4.0 and later. The flow of this scenario is outlined in the following example:

  1. Download the Feature Pack tools from https://technet.microsoft.com/sms/bb676799.aspx.

  2. Install the Security Update Inventory Installer on the SMS site server.

  3. During setup, you can choose whether to automatically deploy the Security Updates Scan tool and the Security Updates Sync tool to client computers by using SMS distribution points. If you select this option, you use setup to create the SMS package and advertisement to distribute the Scan tool to the appropriate client computers.

  4. Use SMS to distribute and advertise the package containing the Scan tool.

  5. Use the command-line interface to configure the Sync tool, which is installed on a computer with Internet access during setup.

    The Sync tool downloads the latest Security or Office scan tools and software update database and uses distribution points within your system to send the latest files to client computers.

  6. Allow the Sync tool to download the latest scan tools and database and distribute it to your client computers.

  7. Use the command-line interface to configure the Scan tool.

    The Scan tool uses the Microsoft Baseline Security Analyzer (MBSA) scan tool and the security updates database to audit your client computers for installed and applicable updates, caches that inventory information, and then forwards it to SMS during the scheduled hardware inventory cycle.

  8. Allow the Scan tool to gather inventory information and to transmit that information to the SMS site database.

  9. Review the inventory information gathered during the audit performed in the previous step, by using the SMS Web Reporting Tool with the Web Reports Add-In, or the SMS Resource Explorer.

    The Web Reports Add-In for Software Updates provides the following reports that can show you all the software updates that are applicable to the computers in your enterprise and can show you the number of computers for which each update is applicable.

    Table 5 Reports Provided by the Web Reports Add-In for Software Updates

    Report

    Description

    Installed patches for a specific computer

    Use this report to obtain a list of installed software updates for a single computer.

    Count of installed patches by type

    Use this report to obtain an enterprise-wide count of installed software updates by type.

    Installation rate for a specific software update

    Use this report to obtain enterprise-wide information about the rate of installation for a software update.

    Installed patches for a specific product

    Use this report to obtain an enterprise-wide list of all installed software updates for a specific product.

    Machines with a specific patch installed

    Use this report to obtain an enterprise-wide list of computers with a specific software update installed.

    Machines with any patch installed

    Use this report to obtain an enterprise-wide list of computers with any software updates installed.

    Applicable patches for a specific computer

    Use this report to obtain a list of all applicable software updates for a specific computer.

    Count of applicable patches by type

    Use this report to obtain an enterprise-wide count of applicable software updates by type.

    Applicable patches for a specific product

    Use this report to obtain an enterprise-wide list of all applicable software updates for a specific product.

    Machines where a specific patch is applicable

    Use this report to obtain an enterprise-wide list of all computers for which a specific software update is applicable.

    Machines where any patch is applicable

    Use this report to obtain an enterprise-wide list of all computers for which any software update is applicable.

    List status counts for all software updates

    Use this report to view enterprise-wide status counts for all software updates, both authorized and unauthorized.

    List status counts for authorized software updates

    Use this report to obtain enterprise-wide status counts for all authorized software updates.

    List all software updates with site, machine, user and status

    Use this report to obtain an enterprise-wide list of all authorized software updates, including site, computer, and installation status for each.

    Machines with greater than or equal to number of applicable updates

    Use this report to view computers in your enterprise which have a number of applicable software updates greater than or equal to a value that you select.

  10. Evaluate applicable updates to determine if they are necessary in your environment or configuration.

Authorizing Software Updates

In order to determine which of the installed or applicable security updates are necessary for the client computers in your enterprise, you must evaluate each suggested update and then authorize it for distribution within your enterprise by using the Distribute Software Updates Wizard. The flow of this scenario is outlined in the following example:

  1. For updates determined to be applicable during the audit, evaluate and prioritize the usefulness and importance of each update.

    To do this, assess your risks and read about the latest security update information contained in the white papers and Web sites recommended in the Information Resources section later in this document.

    There are many software updates made available every day, and not all of them will be useful to you. For each software update identified, you must determine whether the update:

    • Is applicable to the needs of your enterprise.

    • Is of critical importance, requiring immediate action, or merely useful, but not of critical importance.

    This should include reviewing all associated documentation, including that sent with the update and supporting information, which may be found, for example, on TechNet (https://www.microsoft.com).

    For detailed information about how to conduct this assessment of the software updates available to you, see the Software Distribution for Patch Management (SMS) white paper. For more information about where to find this document, see the Information Resources section later in this document.

  2. Quarantine and test the update before authorizing it for distribution.

    To test an update, you must authorize the update and distribute it to a test collection containing computers with representative configurations for your enterprise.

    The testing objectives are as follows:

    1. Verify that the update installation command-line syntax and installation behavior is what you expected.

    2. Verify that the user experience (as configured by using the Software Updates Distribution Wizard) is what you expected.

    3. Verify that the update performance is what you expected and that it does not break any other enterprise application software.

  3. Use the Distribute Software Updates Wizard to create the package, programs, and advertisements used to distribute the updates.

  4. Using the Microsoft Knowledge Base articles available for each update, determine the ideal command-line syntax to use when configuring the update for installation.

  5. Configure the time of authorization for each update, which, with installation grace period settings, will determine when your users will be required to install the update.

    For testing purposes, the time of authorization should be immediate. During an actual deployment, however, you might prefer to select a later time of authorization to allow yourself time to research and test the update before deploying it.

  6. Configure locale dependencies for each update to accommodate clients in different countries or time zones.

  7. Save the configuration changes you selected for the SMS package by completing the Distribute Software Updates Wizard.

  8. Use the Software Updates Installation Agent to install the updates on the client computers.

Tracking Software Update Deployment

In order to determine whether your software update deployment process is successful, you can track the inventory and deployment progress of software updates for all the computers in your enterprise.

  1. Use the Distribute Software Updates Wizard to authorize, download, advertise, and deploy the Software Updates Installation Agent and the software updates you authorized.

  2. Use the Software Updates Installation Agent to install the authorized updates on your client computers.

  3. Use per-update and summary status messages, in addition to inventory, to confirm the coverage being achieved.

  4. View reports generated by the Web Reports Add-In for Software Updates to keep track of inventory, deployment, and installation information specific to the software updates and computers in your enterprise.

  5. Manage any noteworthy exceptions.

    Exceptions typically follow a pattern that can be resolved by refining your software update management process. For example:

    • If inventory reports are run daily, but inventory schedules occur on a weekly or monthly basis, the reports that you view might not indicate that progress has occurred until the scheduled inventory happens.

    • There might be fewer computers than expected in the targeted collection, and a review of the collection rule query might be necessary.

    There are several Knowledge Base articles (available from https://support.microsoft.com/default.aspx) that can assist you with the process of fine-tuning your software update management process by providing information about how to troubleshoot inventory, software distribution, and status message processing.
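The reports reviewed in step 9 of the auditing scenario and the coverage tracking in steps 3 to 5 above reduce to a few aggregations over the per-client inventory rows. The following Python model is an added example, not code from this document or from the Feature Pack tools: it computes the installation rate for an update, the "machines with greater than or equal to N applicable updates" report, and flags clients whose last inventory predates the authorization time, so that their rows cannot yet show progress (the first exception under step 5). The record layout, machine names, update IDs and times are constructed; the real schema is the one documented with the Web Reports Add-In.

```python
"""Coverage and rate-of-spread aggregations over software update inventory.

Added example; not code from the document or the Feature Pack. The record
layout, machine names, update IDs and times are constructed for illustration;
the real inventory schema is the one documented with the Web Reports Add-In.
"""
from collections import Counter
from datetime import datetime

# One record per client: the time its hardware inventory last ran (which is
# when the Scan tool's cached results reach the site database) and, per
# update ID, the state reported. An update absent from the dict was not
# applicable to that client at all (for example, the product is not present).
SAMPLE_INVENTORY = [
    {"machine": "WS-01", "inventoried": datetime(2003, 6, 9, 2, 0),
     "updates": {"UPD-A": "installed", "UPD-B": "applicable",
                 "UPD-C": "applicable"}},
    {"machine": "WS-02", "inventoried": datetime(2003, 6, 9, 2, 5),
     "updates": {"UPD-A": "installed", "UPD-B": "installed"}},
    # Weekly inventory cycle: this server has not reported since authorization.
    {"machine": "SRV-01", "inventoried": datetime(2003, 6, 2, 2, 0),
     "updates": {"UPD-A": "applicable", "UPD-B": "applicable",
                 "UPD-C": "applicable"}},
    {"machine": "WS-03", "inventoried": datetime(2003, 6, 9, 2, 10),
     "updates": {"UPD-A": "installed"}},
]
AUTHORIZED_IDS = {"UPD-A", "UPD-B", "UPD-C"}  # constructed: updates authorized in the wizard
AUTHORIZED_AT = datetime(2003, 6, 5)          # constructed: their authorization time


def status_counts(inventory, update_id):
    """Installed vs. still-applicable counts for one update (the basis of the
    'Installation rate for a specific software update' report)."""
    counts = Counter(rec["updates"].get(update_id) for rec in inventory)
    return counts["installed"], counts["applicable"]


def installation_rate(inventory, update_id):
    """Fraction of clients that need the update and have it installed."""
    installed, applicable = status_counts(inventory, update_id)
    total = installed + applicable
    return installed / total if total else 0.0


def machines_with_at_least(inventory, threshold):
    """'Machines with greater than or equal to number of applicable updates'."""
    return sorted(rec["machine"] for rec in inventory
                  if sum(s == "applicable" for s in rec["updates"].values()) >= threshold)


def stale_machines(inventory, authorized_at):
    """Clients whose last inventory predates the authorization: their rows
    cannot show installation progress until the next scheduled inventory."""
    return sorted(rec["machine"] for rec in inventory
                  if rec["inventoried"] < authorized_at)


def coverage_report(inventory, authorized_ids, authorized_at):
    """Per authorized update: counts, rate, and how many 'applicable' rows
    come from stale inventory and so may already have been installed."""
    stale = set(stale_machines(inventory, authorized_at))
    report = {}
    for uid in sorted(authorized_ids):
        installed, applicable = status_counts(inventory, uid)
        unknown = sum(1 for rec in inventory
                      if rec["machine"] in stale
                      and rec["updates"].get(uid) == "applicable")
        report[uid] = {"installed": installed, "applicable": applicable,
                       "rate": round(installation_rate(inventory, uid), 2),
                       "applicable_on_stale_inventory": unknown}
    return report


if __name__ == "__main__":
    for uid, row in coverage_report(SAMPLE_INVENTORY, AUTHORIZED_IDS, AUTHORIZED_AT).items():
        print(uid, row)
    print("needs 2+ updates:", machines_with_at_least(SAMPLE_INVENTORY, 2))
    print("stale inventory:", stale_machines(SAMPLE_INVENTORY, AUTHORIZED_AT))
```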

Feature Pack Tools Features

The Feature Pack tools include the following inventory, distribution, and reporting features to help you configure and manage software update deployment in your enterprise.

  • Auditing Features, which you can use to create an up-to-date inventory of installed and applicable updates for all the computers in your enterprise.

  • Update Authorization and Distribution Features, which you can use to control which updates are deployed in your enterprise and to control the way in which the updates are distributed and installed on the client computers.

  • Update Deployment Tracking Features, which allow you to track and evaluate the progress of software update deployment within your enterprise and to spot areas of vulnerability quickly and easily.

Auditing Features

The following features are available through the combination of SMS software distribution and inventory features, and from the SMS Feature Pack Security Update and Office Update Inventory Tools. These features simplify and streamline the process of auditing your client computers, identifying missing security and Office updates, and communicating useful inventory information to your SMS system.

Table 6 Auditing Features

Feature

Description

Integrated setup

The setup process for the Security and Office Update Inventory Tools saves you time and effort by integrating the installation process for the tool with the distribution of the tool components throughout your enterprise, by using SMS software distribution features.

Database updates

The latest software update database associated with the software update inventory tool is downloaded to the server and then distributed within your enterprise in an automated, recurring cycle.

This ensures that you receive the latest update information regularly and that your inventories reflect this information.

Expedited results

A software update inventory scan tool command-line option (/kick) can be used to bypass the regularly scheduled SMS hardware inventory cycle to send software update inventory results from the client computers in your enterprise to the SMS site database in an expedited fashion.

This option can be useful when tracking critical update installation progress.

Automated inventory

The software update inventory tools run in an automated, recurring cycle, keeping your SMS inventory information in sync with the latest software update database information.

Office and security updates

The software update inventory tools currently available from the Feature Pack support the security and Office-related updates available from Microsoft.

Updates identified by the Feature Pack tools will always be applicable, because these tools only report updates that are needed in your environment. However, you should always perform a thorough review of any update you deploy in your enterprise, regardless of the source. This applies to updates identified by the Feature Pack tools, in addition to updates identified by using other means.

Secure local cache

To reduce network overhead when auditing clients and installing updates, the Feature Pack tools maintain a copy of needed files from the distribution point in a secure location on each client.

The Feature Pack tools update these files on a scheduled basis according to the advertisement schedule for the appropriate scan tool (a weekly schedule for updating these files is recommended).

Note: This feature is available only to clients running NTFS. FAT-formatted clients cannot use this feature.

Update Authorization and Distribution Features

The following features, available in combination from the Distribute Software Updates Wizard, the Software Updates Installation Agent, and SMS software distribution functions, make it easier for you to perform software update deployment tasks to meet the needs of your enterprise.

Table 7 Approval and Distribution Features

Feature

Description

Update authorization

The Distribute Software Updates Wizard provides you with the ability to authorize software updates before you deploy them, enabling you to control the content that is distributed to your client computers.

Update download

The Distribute Software Updates Wizard saves you time and effort by providing automated and facilitated download of software updates.

Update information

The Feature Pack tools and SMS Web reports provide integrated access to Microsoft Knowledge Base articles and bulletins.

These articles and bulletins provide you with update-specific information necessary for assessing and installing software updates.

Branding

When you advertise updates to the users in your enterprise, you can customize the name that is used to identify the organization sponsoring the software updates package to users in your enterprise.

For example, this can be the name of the organization, department, or division responsible for controlling the software update policy in your enterprise.

In addition, you can include HTML content for users to read that provides organization-specific information and identification that gives your users confidence in the authenticity of the update authorization.

Targeting

Update targeting gives you the ability to focus your deployment of software updates by department, by domain, or by other rules that best suit your enterprise needs.

This allows you to focus your efforts where they are most needed, and helps conserve system resources by avoiding redundant or unnecessary update installations.

Collection-based targeting and applicability rules

The Feature Pack tools provide additional functionality to the existing collection-based targeting features of SMS by adding detailed applicability rules for software update distribution. These rules are evaluated at each client computer at the time the package is advertised.

This helps resolve the limitations of collection-based targeting for software updates and enhances the performance and accuracy of the software update distribution process.

Grace period

  • Variable installation grace periods allow you to give critical updates priority while providing a flexible installation schedule for less critical updates.

  • There are three types of grace period settings available:

    • Infinite: Used for low-priority updates, this setting allows users an infinite amount of time to install.

    • Variable: Used for intermediate-priority updates, this setting allows you to create a customized installation schedule.

    • Pre-expired: Used for high-priority, critical updates, this setting makes update installation mandatory.

  • The basis for the grace period can be set either according to the time the update is detected as applicable to the computer, or according to the time it was authorized.

  • The grace period can either be enforced per-update, or can be enforced for an entire package of updates. This allows you to include critical and non-critical updates in the same package.

Installation automation

Provides you with the ability to configure the default installation actions and to provide for unattended or semi-attended installation of software updates.

This helps prevent delays in software distribution and update management in your enterprise.

Language and locale

The Feature Pack tools provide you with the ability to deploy software updates regardless of locale and allow for the deployment of multilanguage updates as appropriate for your client computers.

Some updates may require a manual determination of locale or language requirements prior to distribution.

Update status reports

Status reports can be provided on an incremental, per-update basis, as well as on a per-package basis.

The status reports allow you to track the progress of software update deployment in your enterprise, to troubleshoot your update deployment, and to evaluate your deployment strategy, as well.

Runtime behavior control

Provides you with the ability to configure command-line options specific to each update, which control the way an update is installed and runs on the client.

Failsafe timeout

If an update is permitted to remain unresponsive for a long period of time, it could leave the system in a vulnerable and inconsistent state.

The failsafe timeout feature provides you with a means for disabling unresponsive updates, while continuing to install other updates in the same package without interruption.

Update combination

The Feature Pack tools allow you to distribute software updates singly, or in combination, and allow for the accommodation of dependencies among related updates.

System restart control

Includes restart request detection, restart suppression for specific computer roles (workstations or servers), and graceful or forced application closure.

It also allows you to tailor the post-installation system restart behavior to accommodate the needs of your enterprise, such as enterprise servers, where restarts are manual and scheduled.

Recurring installation cycles

These cycles, configured to accommodate the needs of your system, ensure that all the computers in your enterprise have the necessary updates.

Recurring just-in-time checks

These cycles, configured to accommodate the needs of your system, ensure that updates are not re-applied or overlooked.

This increases performance in your system by preventing redundant update installation and increases your enterprise safety by ensuring that required software updates are applied.

Update Deployment Tracking Features

The following features, available from the Web Reports Add-In for Software Updates, provide added functionality to the SMS Web Reports features and allow you to view a set of reports created from information gathered by software updates inventory tools.

Table 8 Update Deployment Tracking Feature

Feature

Description

Service-level data

Software update reports are available from the SMS Web reports viewer and include information about updates or client computers, such as update detection time and update installation time.

This information allows you to track the progress of a specific update, or to check the update status for a specific computer.

Rate-of-spread and coverage reporting

These reports let you know how effective your software update management practices are and help you assess the areas of risk in your enterprise.

Custom reporting from a rich, documented schema

The Web Reports Add-In for Software Updates contains several pre-configured reports that you can use to view software update specific information.

In addition to using the pre-configured reports, you can also use SQL Server views and the documented inventory schema to create custom software update inventory reports, tailored to the needs of your enterprise.

Checklists for Using the Feature Pack Tools

The following checklists, grouped by task, are intended to provide you with a step-by-step overview of working with the key features of the Feature Pack tools.

For procedural information about performing the tasks in each checklist, refer to the help documentation included with each tool.

Software Update Inventory Checklist

  • Perform Setup tasks

    • After you complete the setup process for the software update inventory tools, perform the following tasks:

      Verify that the package and programs needed to deploy the tools are created. To do this, view the packages and programs in the SMS Administrator console.

      Verify that the collections and advertisements necessary for the distribution of the tools are created. To do this, view the collections and advertisements in the SMS Administrator console.

      Ensure the testing collection membership is adequate, and verify stable behavior. Test collection computers should be representative of all approved configurations for enterprise computers.

      For example, if your enterprise uses Windows 2000, Windows XP, and Windows NT 4.0, you will need a minimum of one computer for each configuration.

      In addition, you need computers that have other crucial line of business applications running on them (for example, accounting or sales tracking software).

      When configuring a test collection, you should also account for variation in hardware within your enterprise (desktop vs. laptop computers) and hardware configurations (low memory vs. multi-processor servers).

      To do this, add additional test computers to the collection rules by using the SMS Administrator console, and then run the software update inventory tools on each computer by using the software update advertisement.

    • After you are finished testing the tools, deploy them more broadly by removing the test-limited query from the main collection.

      To do this, modify the Collection Properties dialog box for the main targeting collection membership rule as follows:

      Expand the Collections node in the SMS Administrator console, right-click the collection you want to modify, and then click Properties. In the Collection Properties dialog box, click the Membership Rule tab. In the Query Rule Properties dialog box, change the selection from Limit to collection to Not collection limited. Save this setting by clicking OK. Before closing the Collection Properties dialog box, ensure that the collection is updated on an appropriate schedule.

    • Verify that client computers send results.

      To do this, in the SMS Administrator console, go to the appropriate collection containing the test client computer, right-click the collection, select All Tasks, and then select Start Resource Explorer. In the Resource Explorer, expand the Hardware node, and then click the software updates item. View the list of all the inventoried software updates for that client computer.

    • Review the log file results to view any errors encountered during installation. The Installation Wizard automatically displays this log.

  • Perform Sync tasks

    • Ensure that the Software Update Sync tool tasks are properly configured on the server. These are the tasks that download the software update database or catalog from the Internet and make it available to the clients through SMS distribution points.

      Verify that the SMSCliTokn& account on the site server computer has firewall authentication access and can download updated catalogs. To do this, grant the SMSCliTokn& account access to the package source directory.

      Verify that the advertisement runs correctly to distribute the updated catalogs to the client computers. To do this, view the status messages for the advertisement and check the file dates on the package source folder files and distribution point folders.

      Verify that the correct SMS distribution points are automatically updated to include the latest catalogs. To do this, view the status messages for the advertisement and check the file dates on the package source folder files and distribution point folders.

      If the SMSCliTokn& account does not have WMI permissions to the package object, the distribution points require a separate, recurring, scheduled update for the latest catalogs, which you configure and add manually. If this is the case, use the /unattend option in the command-line interface for the Sync tool, and verify that the Sync tool does not itself update the distribution points, since the scheduled update would be in effect.

Note: Security bulletin catalog data on the Internet is typically updated on a weekly basis, so the time you select for the Sync tool tasks should immediately follow that schedule to ensure that the latest updates catalog is available to your enterprise. In the same manner, the distribution of the latest catalog update to each client computer should be scheduled to follow the catalog sync for the distribution points.

Software Update Distribution Checklist

  • Perform setup tasks

    • After you complete the setup process for the Distribute Software Updates Wizard on a computer running the SMS Administrator console, run the wizard from the new Distribute Software Updates menu item in the console.

  • Obtain updates and configure restart behavior

    • Use the Browse, Syntax, and Download buttons on the Software Update Properties page in the wizard to obtain software updates from the Web.

    • Ensure that silent, non-restart behavior is configured for software update installation. Configure this behavior on the Software Update Details page of the Distribute Software Updates Wizard by using the Parameters field and the Syntax button.

  • Perform object creation and maintenance tasks

    • Ensure that the proper permissions are enforced. For example, SMS administrators who have not been granted access to packages or advertisements should not be able to create or modify packages or advertisements associated with software updates or the Feature Pack tools. For more information about the SMS object security model and delegation, see the SMS product documentation.

    • Ensure that the necessary objects or settings are created or updated as needed for the SMS packages, programs, and advertisements used to distribute the software updates. To do this, view the packages, programs, collections, and advertisements in the SMS Administrator console.

  • Perform distribution and advertisement tasks

    • Verify that compartmentalization of package and advertisement tasks works. That is, verify that one person, with the proper permissions, can build the packages containing the updates and that another person, with the proper permissions, can advertise those packages without problems.

    • Observe that the package builder role should be separate from the advertisement builder role, with separate permissions to preserve a system of checks and balances for security purposes.

  • Verify download experience

    • Firewall authentication can create problems for software update downloads. When firewall authentication is in use, verify that logged-on users are prompted as needed when they are downloading software updates into the package source folder.

  • Investigate locale-specific scenarios

    • Ensure that the client locale and the client language are reported for clients requesting updates.

    • Certain updates can be distributed and installed on clients regardless of language or locale. Verify which requested updates must be distributed as locale-specific and which updates are language-neutral, as appropriate by using the Microsoft Knowledge Base articles associated with the update.

    • To do this, use the Information button, available on the Software Updates Status Page in the Distribute Software Updates Wizard to access the Microsoft Knowledge Base articles that provide specifics about any international update variations that are available.

Software Update Installation Checklist

  • Become familiar with command-line syntax

    • Become familiar with the command-line options that are supported by the Software Update Installation Agent. These options control how the updates install, and each option has an equivalent setting that you can use in the Distribute Software Updates Wizard, on the Software Update Details page by using the Parameters field and the Syntax button.

  • Verify notification behavior

    • If your client computers are running Windows 2000 or later, verify that the notifications (balloons) that indicate software update installation processes function as expected. Note that computers running Windows NT 4.0 do not display notification balloons, but rather display a notification icon in the system tray and display dialog boxes.

  • Verify grace period

    • Verify that the grace period for software update installation is enforced.

      To do this, set a grace period for update installation by using the Installation Agent Enforcement Settings page in the Distribute Software Updates Wizard or the command-line interface for the Agent. Allow the grace period to expire, and then verify that the update installs automatically.

    • For packages with multiple updates, verify that grace period enforcement is based on the time the oldest applicable update in the package was authorized.

      To do this, create a package containing multiple updates with different authorization dates (you can configure the authorization date for an update using the Software Update Properties page in the Distribute Software Updates Wizard). Set the grace period for the entire package. Verify that the grace-period expiration time is correct, based upon the oldest authorization date.

    • Verify that the per-update grace period enforcement leaves unexpired patches in an optional state.

      To do this, create a package containing multiple updates, and configure per-update grace period enforcement by using the Installation Agent Enforcement Settings page in the Distribute Software Updates Wizard. Allow the grace period to expire, and then verify that the only updates that have mandatory installation status are those whose grace period has expired.

      The non-expired updates should be available for installation, but not mandatory; they are installed only if the user clicks Install Now. If the countdown timer reaches zero and the Agent initiates the installation process, the updates for which the installation grace period has not expired are not installed automatically.

  • Verify default action

    • Ensure the specified failsafe timeout, installation countdown, postponement and default installation actions occur properly if no user interaction is provided.

      To configure these settings, use the Distribute Software Updates Wizard or the Installation Agent command-line syntax.

      Both SMS and the Feature Pack tools support notification and countdown features for assigned programs. When using the Feature Pack tools to deploy software updates, it is recommended that you disable the SMS versions of the countdown and notification features to prevent confusion. If the SMS versions of these features remain active, end-users see two sets of countdowns and two sets of notifications for each assigned program.

  • Verify Branding

    • To test whether your branding is appearing properly, create a file, named summary.htm, in the package source folder, and place some branded content in it. Then, verify that your client computer properly displays the branding. Note that embedded objects such as graphics do not appear on computers running Windows NT 4.0.

      Branding is specific to each package, so when you configure branding for a package, all updates in the package share that branding. Different packages can have different branding; for example, Critical Updates in one package and Office Updates in another package, each with its own branding.

  • Verify Failsafe timeout behavior

    • Test the failsafe timeout behavior by using the Parameters field and the Syntax button on the Software Update Properties page in the Distribute Software Updates Wizard to configure an update that does not suppress user input (that is, it requires user input to install) and then verify that the update is terminated after the timeout has been reached.

    • Also, after that update terminates, verify that the Installation Agent attempts to install the remaining updates in the package.

  • Examine status data

    • Verify whether the status data for updates is accurate by checking that the TimeApplied value is correct for all installed updates processed by the Installation Agent. This information can be viewed in the SQL view v_GS_PATCHSTATE in the inventory schema, in the SMS Resource Explorer, or in the sample reports included with the Reporting add-in.
  • Verify system restart behavior

    • You can configure system restart behavior using the Installation Agent Status Settings page in the Distribute Software Updates Wizard, or the Installation Agent command-line interface.

    • You can configure different post-installation system restart behavior for workstations and servers in your enterprise. Based on the settings you configured, ensure that restart detection will function as you expect for each computer role. To do this, configure different system restart settings for different updates, and then monitor the behavior of the system installing the update.

    • When a system restart is required, the closure of active applications can be configured with a countdown to restart. This provides users with the opportunity to save their work. Alternatively, applications can be closed and the system can be restarted without a grace period. Verify that application closure during post-installation system restart will function as you expect.
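
The two grace-period enforcement modes that the checklist above asks you to verify (whole-package enforcement keyed to the oldest authorization date, and per-update enforcement that leaves unexpired updates optional) can be modelled in a few lines so that the expected mandatory/optional split is known before you test it on a client. This is an added example, not code from the Feature Pack or the Installation Agent; the update IDs, dates and the 48-hour grace period are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed model of the two grace-period enforcement modes described in
# the checklist; this is an added illustration, not the Installation Agent's
# own code. Whole-package enforcement starts one clock at the oldest
# authorization date in the package; per-update enforcement gives every
# update its own clock and leaves the unexpired ones optional.


def package_expiry(updates, grace):
    """Time at which whole-package enforcement makes every update mandatory."""
    if not updates:
        raise ValueError("package contains no updates")
    oldest = min(authorized for _, authorized in updates)
    return oldest + grace


def update_status(updates, grace, now, per_update):
    """Map each update ID to 'mandatory' or 'optional' as of `now`.

    updates:    list of (update_id, authorized_at) pairs for one package
    grace:      timedelta set on the Installation Agent Enforcement Settings
                page (or the equivalent command-line option)
    per_update: True for per-update enforcement, False for whole-package
    """
    if per_update:
        deadlines = {uid: authorized + grace for uid, authorized in updates}
    else:
        deadline = package_expiry(updates, grace)
        deadlines = {uid: deadline for uid, _ in updates}
    return {uid: ("mandatory" if now >= deadline else "optional")
            for uid, deadline in deadlines.items()}


def mandatory_updates(updates, grace, now, per_update):
    """IDs the agent installs automatically when the countdown reaches zero.

    Everything else stays available but is installed only if the user
    clicks Install Now.
    """
    status = update_status(updates, grace, now, per_update)
    return [uid for uid, _ in updates if status[uid] == "mandatory"]


# Constructed sample package (placeholder IDs, not real update identifiers):
# three updates authorized on different days, a 48-hour grace period, and
# a check time at which only the oldest update's grace period has expired.
SAMPLE_PACKAGE = [
    ("update-1", datetime(2003, 1, 6, 9, 0)),
    ("update-2", datetime(2003, 1, 8, 9, 0)),
    ("update-3", datetime(2003, 1, 9, 9, 0)),
]
GRACE = timedelta(hours=48)
NOW = datetime(2003, 1, 9, 12, 0)

if __name__ == "__main__":
    print("package expires:", package_expiry(SAMPLE_PACKAGE, GRACE))
    for per_update in (False, True):
        mode = "per-update" if per_update else "whole package"
        print(mode, update_status(SAMPLE_PACKAGE, GRACE, NOW, per_update))
```

With the sample values, whole-package enforcement makes all three updates mandatory once the oldest authorization plus 48 hours has passed, while per-update enforcement makes only update-1 mandatory and leaves the other two optional.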

Reporting Checklist

  • Perform Setup tasks

    • Install the SMS Web Reporting tool (SMSWebReporting_i386.exe) and then install the Web Reports Add-In for Software Updates (SMSAddReports_i386.exe).
  • Verify reports

    • Ensure that the software update reports function properly by viewing the reports and ensuring that useful data, with no errors, appears.

    • Ensure that the software update reports contain accurate information. To do this, compare the reported information about installed updates to the information about installed updates provided in Add or Remove Programs for a test client computer.

  • Check tool accuracy

    • Verify that the Feature Pack tools are providing accurate inventory results and are in agreement with the underlying technology.

      Do this by comparing the inventory results with the local client log files or by comparing directly with Microsoft Network Security Hotfix Checker or Microsoft Office Update Tool results.

  • Verify completeness

    • Become familiar with sample reports included with the Web Reports Add-In for Software Updates.

    • Ensure that an adequate number of the correct types of reports are being created. Send feedback about reports that should be automatically included to: mswish@microsoft.com and smsvpfd@microsoft.

    • You can view the software update reports provided by the Web Reports Add-In for Software Updates in the list under the Software Updates node in the Web Reports tool.

    • Verify that the inventory accurately indicates when each instance of an update was present or applicable on the client computer.

      To do this, verify that each instance of an update in Win32_PatchState and in v_gs_patchstate reflects an appropriate TimeDetected value and TimeApplied value. You can find this information in the log file generated for the update, or by running a query of the WMI class for the update.

  • Become familiar with custom report creation

    • You can create custom software update inventory reports using SQL Server views and the inventory schema.

Performance Considerations

This section describes performance considerations that you should be aware of when you deploy the Feature Pack tools to perform software update management tasks in your enterprise.

Processing Load Generated by Feature Pack Tools

Using the information in the following table, you can develop a general idea of how using the Feature Pack tools to perform inventory tasks, install software updates, and track inventory and installation information can affect your system resource usage.

This information was gathered from a server running a Pentium 3 processor at 633 MHz, 256 MB RAM, and Ultra ATA 100 HD at 5400 RPM.

Table 9 Processing Load Generated on the Server by Feature Pack Tools

Update management server-load factor          Records Time (s)   Records/s   %CPU       RAM        Disk/s
HW inventory load, no Feature Pack            3,000   342        8.7719      82.379     249,583    227.984
HW inventory load, Feature Pack tools active  3,000   369        8.13        82.946     249,742    241.662
Percent change, Feature Pack vs. none                 (+) 7.89%  (-) 7.32%   (+) .567%  (+) .0067% (+) 6%
HW inventory load, no Feature Pack            9,000   641        14.041      87.476     281,367    355.291
HW inventory load, Feature Pack tools active  9,000   650        13.846      91.219     291,211    393.117
Percent change, Feature Pack vs. none                 (+) 1.404% (-) 1.389%  (+) 3.743% (+) 3.499% (+) 10.646%
Status message load added by Feature Pack     30,000  552        54.348      90.927     285,338    411.238

Columns: Records = number of records; Time (s) = time to process, in seconds; Records/s = records per second; %CPU = CPU utilization; RAM = RAM utilization; Disk/s = disk transfers per second. The HW inventory rows measure MIF processing load; "Feature Pack tools active" means the Office Update Inventory Tool, the Security Update Inventory Tool, and the Software Updates Installation Agent were active.

Processing Load Added to Client Computers by the Scan Tools

CPU and disk utilization can increase when a software update is being installed on a client computer. The size and duration of the increase varies depending on the particular update. To obtain the exact size of the increase in processing load, it is recommended that you conduct pre-deployment testing for each update and determine the processing load increase by monitoring the test computers.

Database storage capacity

To help you calculate the effect that the inventory and updates will have on your system, use the following estimates for update inventory size according to operating system. To develop a rough estimate of resource usage, multiply the numbers in the following table by the number of clients you will be including in the inventory, and then plan the deployment of these tools accordingly.

The following table indicates the approximate file size both for a full MIF (100% of the inventory for a computer is forwarded to the server, usually a one-time event) and a delta MIF (changes in inventory forwarded to the server on a regular basis) for a single computer, on a per inventory basis, based on the default configuration of the SMS_def.mof file.

These values are based on the software updates available at the time this document was written and will change over time. The file size decreases as the most recent service packs are installed.

Table 10 Size of Inventory

Operating system      Full MIF   Delta MIF
Windows NT 4.0 SP6a   ~122 KB    ~15 KB
Windows 2000 SP2      ~100 KB    ~15 KB
Windows XP            ~78 KB     ~15 KB

SQL Server Database

Look for this information in a future release of this document.

Feature Pack Performance Considerations

When deploying the Feature Pack tools in your enterprise, be aware that the following factors can affect performance.

Scan tool completeness considerations

Scan tool completeness is directly related to how current the database of software updates is. To ensure that the Scan tool is using the latest update information to create your inventory, and that your system resources are not taxed by unnecessary database download cycles, do the following:

  • Ensure that the software update database is current. If the Sync tool does not regularly download the updated version of the database, you risk the possibility of missing critical updates and creating an inaccurate inventory.

  • Ensure that your process for using the Sync tool to download the latest database of software updates reflects the update frequency for that database. It is best to schedule the database download to occur as soon as possible after the master copy of the database is updated on the Web.

    For example, the Security Updates Bulletin Catalog, MSSecure.xml, contains security update information that Microsoft updates once a week. Therefore, downloading that catalog more than once a week (immediately following the Microsoft update) does not provide any additional benefit or protection to your system. After the catalog is downloaded, distribution points can be either updated automatically after the catalog download or on a separate automated schedule.

A possible scenario for catalog update is as follows:

  1. The SMS site server uses the Sync tool to download the catalog into the package source folder once a week, for example, at 3:00 P.M. on every Thursday.

  2. The SMS distribution points are scheduled to perform updates for the catalog, enterprise-wide, once a week, for example, at 6:00 P.M. on every Thursday.

  3. Client cached copies of the catalog are refreshed once a week, for example, at 9:00 P.M. every Thursday.

    • The Scan tool also performs an inventory of software updates at this time, using the latest catalog.
  4. SMS hardware inventory is scheduled weekly, for example, at 12:00 midnight every Thursday, to forward the 9:00 P.M. software update inventory results to SMS.

Scan tool accuracy considerations

Scan tool accuracy is directly related to the amount of time that is allowed to pass from the completion of the inventory scan to the installation of software updates shown to be applicable.

If the elapsed time between the inventory and the automated installation is too great (for example, if the installation grace period allows users to postpone installation for too long), the tools can attempt to install updates that are not needed, creating unnecessary system resource usage problems.

To avoid such problems, you should configure an installation process that keeps lag time between inventory and installation to a minimum. A possible scenario for expedited update installation is as follows:

  1. Installation of authorized software updates is scheduled at 4:00 P.M. on every fourth workday.

  2. Installation completion forces an immediate software update inventory, using only the cached catalog that was updated at 9:00 P.M. on Thursday (as described in the Scan tool completeness section, above).

  3. Inventory is updated locally, but it is not forwarded to the SMS site database (the forwarding occurs according to the regular Thursday midnight schedule, as described in the Scan tool completeness section, above).

Status message considerations

An increase in status message processing is inevitable when you use the Feature Pack tools to deploy software updates, because the Feature Pack tools generate status messages to track inventory and installation information. However, the size of the processing increase can be affected by your scheduling and configuration choices.

  • The more frequently you schedule the inventory and installation cycles, the larger the increase in the volume of summary status messages.

  • Adding per-update success messages (the default configuration for status reports shows only error messages) increases status message volume in direct proportion to the number of updates you are installing.

  • If status message processing is a concern, then you can create status filter rules to eliminate the messages before they are replicated to the central site server. When creating filtering rules, ensure that the same message IDs are not already in use by other custom applications.

Inventory data considerations

The inventory data accrued for software updates grows with the number of software updates you are working with and the number of client computers that are reporting each update.

Keep in mind the following information when you select updates and schedule inventory and installation cycles:

  • Each update creates approximately 900 bytes of inventory data for each client that is reporting the update.

  • History data for each patch also accrues when an update changes status from Applicable to Installed.

Instantaneous loading considerations

Assignment schedules for updates usually activate at the same time (subject to GMT functionality). As a result, many clients can attempt to install updates at the same time. This can cause system resource usage problems, but assignment schedule activation is an issue that also exists independently of the Feature Pack tools, because it is associated with SMS software distribution features.

General doubling effect for scan tools

The number of scan tools you use to create software update inventories has a direct relationship to the number of software updates, advertisements, and status messages using your system resources.

To minimize the problems associated with using multiple scan tools, you should manage the frequency with which you schedule inventory scans. As you use more scan tools, you should consider configuring the inventory scan cycles to match the download cycle for the latest software update.

  • To do this, determine when the updates for the database are published on the Web, and then schedule the catalog download to follow, as described in the Scan tool completeness section, above.

Hardware inventory resynchronization considerations

Feature Pack tools do not cause hardware inventory resynchronizations. However, when installing SMS Web Reporting, which is used by the Feature Pack Web Reports Add-In for Software Updates, you should note that Web Reporting Setup provides the option of extending the SMS_def.mof file (a file that SMS uses to determine which default hardware inventory to gather and report to the SMS site database) for the Enterprise Agreement True-up. If this option were used, it would result in a hardware inventory resynchronization and bring with it the commensurate system resource usage for resynchronization for a given site.

Information Resources

White papers and other documentation

The following white papers and other documentation can provide you with information about the processes and guidelines involved in assessing risks and deploying software updates:

  • The Microsoft Solutions for Management SMS Architecture Guide

  • The Microsoft Solutions for Management Operational Procedures for Patch Management with SMS

  • The Microsoft Solutions for Management Software Distribution for Patch Management (SMS)

Note: The three white papers listed above have not yet been published, but will be released in the near future to the following Web site: https://www.microsoft.com

Until these white papers are published, the materials provided in this document and the other suggested white papers and Web sites in this section provide sufficient information for evaluation and test deployment of these tools.

Useful references for the Distribute Software Updates Wizard

Web sites

In addition, the following Web sites can provide you with more information about update assessment, deployment guidelines, and security information.

Appendix: Recommended Feature Pack Update Settings

This section provides you with recommended advertisement update and Software Updates Installation Agent settings that you can configure for software update packages using the Distribute Software Updates Wizard.

The following four tables provide you with recommended settings for:

  • Critical Security Updates: Use these settings for updates that provide solutions for immediate critical security vulnerabilities, for example, new viruses or worms.

  • Required, Non-critical Security Updates: Use these settings for updates that provide solutions for known, non-critical security vulnerabilities.

  • Recommended Non-security Related Updates: Use these settings for updates that provide recommended non-security related solutions, such as increased stability and performance.

  • Optional Updates: Use these settings for updates that provide optional non-security related solutions, such as new features for applications or programs.

For more information about configuring these settings, see the following topics in the help documentation available from the Help button on the first page of the Distribute Software Updates Wizard:

  • Configure Software Update Client Agent Installation Settings Page

  • Configure Software Update Client Agent Status Settings Page

  • Advertise Updates Page

Table 11 Settings for Critical Security Updates

Feature: Default action taken by the Software Updates Installation Agent on behalf of users, and countdown delay before installation or restart automatically begins without user input
Setting (Configure Software Update Client Agent installation settings page of the Distribute Software Updates Wizard):
  • Specify that the agent should wait 1 minute for user input.
  • From the After waiting list, select the Install Updates option.
Description: The Installation Agent automatically begins installing the update without user input when this grace period expires. Installation or post-installation restart automatically begins one minute after the notification of installation or restart appears.

Feature: Information included in update status reports
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Status Reports, select the Include status messages for all updates being installed option.
Description: Status information is included in update status reports for both successful and unsuccessful software update installations.

Feature: Advertisement frequency for the package containing the update
Setting (Advertise Update page of the Distribute Software Updates Wizard):
  • In the Recur every fields, enter a value of 1 day.
Description: The advertisement is sent to client computers on a daily basis.

Feature: Inventory initiation after update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Clear the Report inventory changes only when inventory is scheduled check box.
Description: Inventory changes are reported to the SMS site database immediately following installation of the update, independent of the regularly scheduled hardware inventory cycle.

Feature: System restart behavior after installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Detect and postpone system restarts, select None.
  • Select the Force client programs to close and discard any unsaved data check box.
Description: Both servers and workstations are automatically restarted as required by the software update, regardless of possible data loss from programs open at the time.

Feature: Enforcement of update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Force installation of required updates only check box.
  • Specify that the installation grace period for the updates should be calculated from the time the update was authorized.
Description: The installation grace period is enforced for individual updates, rather than for the entire package, and the grace period expires for each update according to the time it was authorized.

Feature: Grace period allowed for users to take action
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Require updates to be installed as soon as they are advertised option.
Description: Installation of the update is mandatory, with no postponement grace period allowed.

Table 12 Settings for Required (Non-critical) Security Updates

Feature: Default action taken by the Software Updates Installation Agent on behalf of users, and countdown delay before installation or restart automatically begins without user input
Setting (Configure Software Update Client Agent installation settings page of the Distribute Software Updates Wizard):
  • Specify that the agent should wait one minute for user input.
  • From the After waiting list, select the Install Updates option.
Description: The Agent automatically begins installing the update without user input when the grace period expires. Installation or post-installation restart automatically begins one minute after the notification of installation or restart appears.

Feature: Information included in update status reports
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Status Reports, select the Only include messages for updates not installed successfully option.
Description: Status information is included in update status reports only for unsuccessful software update installations.

Feature: Advertisement frequency for the package containing the update
Setting (Advertise Update page of the Distribute Software Updates Wizard):
  • In the Recur every fields, enter a value of 1 day.
Description: The advertisement is sent to client computers on a daily basis.

Feature: Inventory initiation after update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Report inventory changes only when inventory is scheduled check box.
Description: Inventory changes are reported to the SMS site database during the regularly scheduled hardware inventory cycle.

Feature: System restart behavior after installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Detect and postpone system restarts, select Servers.
  • Select the Force client programs to close and discard any unsaved data check box.
Description: Workstations are automatically restarted as required by the software update, regardless of possible data loss from programs open at the time. Servers can postpone system restarts.

Feature: Enforcement of update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Force installation of required updates only check box.
  • Specify that the installation grace period for the updates should be calculated from the time the update was authorized.
Description: The installation grace period is enforced for individual updates, rather than for the entire package, and the grace period expires for each update according to the time it was authorized.

Feature: Grace period allowed for users to take action
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Allow users to postpone for option, and then enter a value of 48 hours for the installation grace period.
Description: Installation of the update is mandatory, with a postponement grace period of 48 hours allowed.

Table 13 Settings for Recommended, Non-Security Updates

Feature: Default action taken by the Software Updates Installation Agent on behalf of users, and countdown delay before installation or restart automatically begins without user input
Setting (Configure Software Update Client Agent installation settings page of the Distribute Software Updates Wizard):
  • Specify that the agent should wait five minutes for user input.
  • From the After waiting list, select the Install Updates option.
Description: The Agent automatically begins installing the update without user input when the grace period expires. Installation or post-installation restart automatically begins five minutes after the notification of installation or restart appears.

Feature: Information included in update status reports
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Status Reports, select the Only include messages for updates not installed successfully option.
Description: Status information is included in update status reports for both successful and unsuccessful software update installations.

Feature: Advertisement frequency for the package containing the update
Setting (Advertise Update page of the Distribute Software Updates Wizard):
  • In the Recur every fields, enter a value of 7 days.
Description: The advertisement is sent to client computers on a weekly basis.

Feature: Inventory initiation after update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Report inventory changes only when inventory is scheduled check box.
Description: Inventory changes are reported to the SMS site database during the regularly scheduled hardware inventory cycle.

Feature: System restart behavior after installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Detect and postpone system restarts, select Servers.
  • Clear the Force client programs to close and discard any unsaved data check box.
Description: Only workstations are automatically restarted as required by the software update. Servers can postpone system restarts. Users are prompted to save their work and close applications before the computer restarts.

Feature: Enforcement of update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Enforce the grace period for all the updates in the package.
  • Specify that the installation grace period for the updates should be calculated from the time the update was authorized.
Description: The installation grace period is enforced for the entire package, and the grace period expires for the update according to the time it was authorized.

Feature: Grace period allowed for users to take action
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Allow users to postpone for option, and then enter a value of 7 to 14 days for the installation grace period.
Description: Installation of the update is mandatory, with a postponement grace period of seven to fourteen days allowed.

Table 14 Settings for Optional Updates

Feature: Default action taken by the Software Updates Installation Agent on behalf of users, and countdown delay before installation or restart automatically begins without user input
Setting (Configure Software Update Client Agent installation settings page of the Distribute Software Updates Wizard):
  • Specify that the agent should wait 10 minutes for user input.
  • From the After waiting list, select the Postpone Installation option.
Description: The Agent postpones the installation of the update until the mandatory installation grace period (if any) expires. Installation or post-installation restart automatically begins 10 minutes after the notification of installation or restart appears.

Feature: Information included in update status reports
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Status Reports, select the Only include messages for updates not installed successfully option.
Description: Status information is included in update status reports for both successful and unsuccessful software update installations.

Feature: Advertisement frequency for the package containing the update
Setting (Advertise Update page of the Distribute Software Updates Wizard):
  • In the Recur every fields, specify that the advertisement should recur every 7 to 30 days.
Description: The advertisement is sent to client computers on a weekly or monthly basis.

Feature: Inventory initiation after update installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Report inventory changes only when inventory is scheduled check box.
Description: Inventory changes are reported to the SMS site database during the regularly scheduled hardware inventory cycle.

Feature: System restart behavior after installation
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Under Detect and postpone system restarts, select Both servers and workstations.
  • Clear the Force client programs to close and discard any unsaved data check box.
Description: Post-installation system restarts are postponed for both workstations and servers. Users are prompted to save their work and close applications before the computer restarts.

Feature: Grace period allowed for users to take action
Setting (Configure Software Update Client Agent status settings page of the Distribute Software Updates Wizard):
  • Select the Users can postpone updates indefinitely option.
Description: Installation of the update is not mandatory, and users can postpone installation indefinitely.

Suggestions for Expediting Critical Update Distribution

The amount of time it takes for a software updates package to successfully deploy an update is influenced by the installation enforcement settings you configure, as described in Tables 11-14, and by the network and server load caused by the size of the package.

When you are deploying software updates that are time-critical, it is recommended that you either send that update in a separate package, to keep the package as small as possible and so speed its passage through your network, or include it in a package with updates that are similarly critical and share the same enforcement settings, to expedite distribution and installation while reducing system overhead.

This keeps distribution responsive, because the package files are moved from site to site and onto the distribution points within each site, and a smaller package arrives sooner. You can configure packages for other, less critical updates to be installed on a more flexible schedule, and you can configure the packages containing those updates in a variety of ways according to your network capacity and the needs of your enterprise.

Update Installation Command-Line Parameters

It is strongly recommended that you specify command-line options for each software update to suppress the following:

  • User interface

  • Post-installation restart

This allows the update to install without presenting dialog boxes to the user or initiating restarts of the system.

  • Neither the Distribute Software Updates Wizard nor the Software Updates Installation Agent can prevent individual updates from performing system restarts or prompting the user. Only the command-line syntax specific to the individual updates can control the update user interface or restart behavior.

  • Using the Distribute Software Updates Wizard, you can find the information necessary to configure the appropriate behavior for individual updates. In the wizard, click the Syntax button on the Software Update Properties page for the update. This opens the Microsoft Knowledge Base article associated with the update that specifies command-line options associated with the update.

  • If you do not specify the appropriate command-line options for each update, the updates might restart the computer several times and prompt the user frequently during installation.

The following table contains some common examples of command-line parameters, provided by Knowledge Base articles, which you can use to suppress the user interface and system restart requests for specific updates:

Table 15 Command-Line Parameters from Knowledge Base Articles

Knowledge Base article Q number    Parameters for UI and restart suppression
319182 (Internet Explorer)         319182_IE6.exe /q:a /r:n
300845 (Windows 2000)              300845_W2K_SP3_X86_EN.exe /z /m /q
318203 (XML)                       318203_MSXML30_x86.exe /q:a /c:"dahotfix.exe /q /n"
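The switch conventions in the table can be checked mechanically before a package is advertised, so that an update with a missing quiet or no-restart switch is caught in the test site rather than on users' desktops. The following script is an added example, not part of the Feature Pack or of this document; the installer family assigned to each update, the placeholder EXAMPLE_update.exe entry and the check_update and lint helpers are assumptions constructed for illustration.

```python
"""Check that each software update's command line suppresses UI and restarts.

Added example, not part of the Feature Pack or of this document. Switch
meanings come from Table 15: IExpress packages take /q:a (quiet) and /r:n
(no restart); Windows 2000 hotfix.exe packages take /q /m (quiet, unattended)
and /z (no restart). The installer family of each update is an input the
administrator reads from the update's Knowledge Base article.
"""
import shlex

# family -> (switches that suppress the UI, switches that suppress the restart)
FAMILIES = {"iexpress": ({"/q:a"}, {"/r:n"}), "hotfix": ({"/q", "/m"}, {"/z"})}


def check_update(cmdline, family):
    """Report UI/restart suppression for one update's command line.

    An IExpress wrapper with a /c:"..." override is quiet itself, but the inner
    command decides the real behaviour, so it is returned for a separate check.
    """
    ui_switches, restart_switches = FAMILIES[family]
    exe, *args = shlex.split(cmdline)  # keeps /c:"dahotfix.exe /q /n" as one token
    present = {a.lower() for a in args}
    inner = next((a[3:] for a in args if a.lower().startswith("/c:")), None)
    return {
        "exe": exe,
        "ui_suppressed": ui_switches <= present,
        "restart_suppressed": restart_switches <= present,
        "inner_command": inner,
    }


# Constructed package contents: the three rows of Table 15 plus one deliberately
# incomplete command line (placeholder name) that would prompt for a restart.
UPDATES = [
    ("319182_IE6.exe /q:a /r:n", "iexpress"),
    ("300845_W2K_SP3_X86_EN.exe /z /m /q", "hotfix"),
    ('318203_MSXML30_x86.exe /q:a /c:"dahotfix.exe /q /n"', "iexpress"),
    ("EXAMPLE_update.exe /q:a", "iexpress"),
]


def lint(updates):
    """Sort updates into those missing switches and those needing a manual inner-command check."""
    report = {"missing": [], "check_inner": []}
    for cmdline, family in updates:
        r = check_update(cmdline, family)
        if not r["ui_suppressed"] or not (r["restart_suppressed"] or r["inner_command"]):
            report["missing"].append(r["exe"])
        elif r["inner_command"]:
            report["check_inner"].append(r["exe"])
    return report
```

Running lint(UPDATES) flags EXAMPLE_update.exe as missing restart suppression and lists the MSXML update as one whose inner dahotfix.exe switches must be confirmed against its own Knowledge Base article.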