Deploying Software Updates Using the SMS Software Distribution Feature

Updated : April 7, 2004

Please read the Knowledge Base article "Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates" to determine if the security update can be detected by MBSA. If you determine that the update is detected by MBSA, then Microsoft recommends that you detect and deploy security updates using the software update management tools found in SMS.

If you determine that the update is not detected by MBSA, the SMS software update management tools cannot be used; however, you can still deploy the update using the SMS software distribution feature and the following procedure:

  1. Read the Knowledge Base article for the security update you want to deploy. You will need the following information from it:

    • Affected platforms, products, versions, and languages

    • File information

    • Command-line options for the patch installation

    • Download locations for the patch binary files

    • Information on how to verify the patch was installed (usually a registry key)

  2. Create collection(s) of affected systems using appropriate queries

    • Create collections for each of the categories of clients which may be affected based on file version and platform details.

      Note: You must enable Software Inventory (SINV) for the related files: usually .dll and/or .exe files.

    • Verify that after SINV comes in from clients and the collections are updated, the member systems are as expected.

  3. Create patch package(s)

    • Create package(s) that hold the patch binary. The download location for the patch binary is included in the Knowledge Base article for the patch.

      Note: You may need to create multiple packages targeted at different collections if there are multiple binaries present. These could be for different platforms, versions, or locale (language) for the affected product.

  4. Create programs

    • For each patch package, create a program using the appropriate command-line options for the patch installer.

    • You may also want to consider the environment variables (such as whether or not a user is logged on, and so on).

  5. Create an advertisement targeting the packages (created in step 3) at the appropriate collection (created in step 2)

    • You may want to create a pilot collection with fewer systems which are accessible before rolling it out to the entire target base.

  6. Verify the patch was deployed

    • Use software distribution reports and status messages to verify that targeted systems are installing the patch correctly.

    • The number of machines in the dynamic collections created above should diminish over time as patch deployment progresses.

    • You can use SINV to collect file or registry key information to verify that the patch was installed on the targeted system.
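The two evaluation rules the procedure relies on (step 2: which inventoried systems belong in the "needs the patch" collection, and step 6: which systems show the patch as installed) are illustrated below in Python. This is an added example, not code from Microsoft or from SMS; it models the collection logic offline over constructed inventory records. The file name, fixed version, registry key and platform names are placeholders standing in for the values a real deployment takes from the patch's Knowledge Base article, and the WQL in the comment only sketches the shape of an SMS collection query.

```python
"""
Model of a dynamic SMS collection built on Software Inventory (SINV) file
versions, plus the step-6 verification check. All records are constructed
sample data; none of the values come from a real patch.

An SMS collection query for the same rule would look roughly like
(attribute names are an assumption, check them in the SMS Administrator console):
  SELECT SMS_R_System.ResourceID FROM SMS_R_System
  INNER JOIN SMS_G_System_SoftwareFile ON
    SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceID
  WHERE SMS_G_System_SoftwareFile.FileName = "example.dll"
    AND SMS_G_System_SoftwareFile.FileVersion < "6.0.3790.1234"
Note that a string comparison on FileVersion is exactly the pitfall
parse_version() below avoids.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List, Set, Tuple

# Placeholders: a real deployment takes these from the KB article for the patch.
TARGET_FILE = "example.dll"                  # hypothetical affected binary
FIXED_VERSION = "6.0.3790.1234"              # hypothetical version shipped by the patch
VERIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Updates\KB000000"   # hypothetical install marker


@dataclass(frozen=True)
class InventoryRecord:
    name: str
    platform: str                 # e.g. "Windows Server 2003"
    file_version: str             # SINV FileVersion for TARGET_FILE, "" if the file is absent
    registry_keys: FrozenSet[str] = field(default_factory=frozenset)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted file version into a tuple that compares numerically.
    Comparing the strings lexically gets it wrong: "6.0.3790.999" sorts
    after "6.0.3790.1234" as text, so the vulnerable box would look patched."""
    parts = [int(p) for p in version.strip().split(".") if p]
    return tuple(parts + [0] * (4 - len(parts)))   # pad to four fields


def is_vulnerable(rec: InventoryRecord, target_platforms: Set[str],
                  fixed: str = FIXED_VERSION) -> bool:
    """Step 2 membership rule: affected platform AND file older than the fix."""
    if rec.platform not in target_platforms:
        return False
    if not rec.file_version:
        return False          # file never inventoried: product not installed here
    return parse_version(rec.file_version) < parse_version(fixed)


def build_collection(records: Iterable[InventoryRecord],
                     target_platforms: Set[str]) -> List[str]:
    """Names of systems that would be members of the dynamic collection."""
    return sorted(r.name for r in records if is_vulnerable(r, target_platforms))


def is_verified_installed(rec: InventoryRecord) -> bool:
    """Step 6 rule: require both signals, the registry marker and the new file version."""
    return (VERIFY_KEY in rec.registry_keys
            and bool(rec.file_version)
            and parse_version(rec.file_version) >= parse_version(FIXED_VERSION))


def inconsistent_systems(records: Iterable[InventoryRecord]) -> List[str]:
    """Systems whose file version says 'fixed' but whose registry marker is missing
    (or vice versa). These are the ones to look at in the status messages."""
    out = []
    for r in records:
        file_ok = bool(r.file_version) and parse_version(r.file_version) >= parse_version(FIXED_VERSION)
        key_ok = VERIFY_KEY in r.registry_keys
        if file_ok != key_ok:
            out.append(r.name)
    return sorted(out)


# Constructed sample inventory, as SINV might report it after a partial rollout.
SAMPLE = [
    InventoryRecord("srv01", "Windows Server 2003", "6.0.3790.999"),                      # still vulnerable
    InventoryRecord("srv02", "Windows Server 2003", "6.0.3790.1234", frozenset({VERIFY_KEY})),  # patched, verified
    InventoryRecord("ws03",  "Windows XP",          "6.0.2600.100"),                       # other platform
    InventoryRecord("srv04", "Windows Server 2003", ""),                                   # product not installed
    InventoryRecord("srv05", "Windows Server 2003", "6.0.3790.1234"),                      # new file, no marker
]

if __name__ == "__main__":
    print("collection:", build_collection(SAMPLE, {"Windows Server 2003"}))
    print("inconsistent:", inconsistent_systems(SAMPLE))
```

Run against the sample, the collection holds only srv01, even though a text comparison would have dropped it, and srv05 is reported as inconsistent rather than silently counted as done; that is the case step 6 tells you to chase through status messages rather than trusting a single signal.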

Please refer to the Microsoft Knowledge Base article "How to distribute software updates that are not detected by the Microsoft Baseline Security Analyzer in Systems Management Server 2003" for a specific example to help implement the above guidance.

For more information on software distribution, see the SMS 2003 Operations Guide. Note that some patches are more involved than others, so it is important that you rigorously test the patch deployment, especially the collections created in step 1 above.