Deploying Custom Software Updates with SMS 2003 R2
At a Glance:
- New update management features in SMS 2003 R2
- The Custom Updates Publishing Tool
- The Inventory Tool for Custom Updates
When you need to deploy custom updates for your systems, say for specialized hardware or line-of-business applications, you don’t have the advantage of a managed, automated process as you have with Windows updates. At least you never did before. Now, thanks to Systems Management Server (SMS) 2003 R2, you can use those same managed-update features to deploy your own custom updates. SMS 2003 R2 includes a number of new features, including an update to the Device Management Feature Pack, links to the Operating System Deployment (OSD) feature pack, and many features that enhance security monitoring. The product has a scan tool for Vulnerability Assessment, which is key to understanding potential system and network vulnerabilities such as weaknesses in OS configuration, user passwords, IIS and SQL Server™ configurations. It also includes an Inventory Tool for Custom Updates (ITCU) and a Custom Updates Publishing Tool (CUPT). These are the two tools I will focus on in this article to help you deploy your own custom updates easily and efficiently.
Custom Updates Publishing Tool
Before you can install and use SMS 2003 R2, the hierarchy, including clients, must be updated to SMS 2003 Service Pack 2 (SP2). To use the CUPT, you need to upgrade to the Microsoft® Management Console (MMC) 3.0. You do not have to install CUPT on the SMS Site Server, but it must be installed on at least Windows® XP, and it requires SQL Server 2005 for hosting its database; SQL Server Express Edition must be installed if SQL Server 2005 is not already available. The CUPT is the key to introducing and managing custom updates in the SMS system and it also has features to test created catalogs prior to publishing them in SMS.
Custom updates can take two forms—updates that are provided by third-party vendors for software they produce, and updates created internally that are unique to a particular environment. CUPT is the tool to use to manage both types. It’s easiest to use custom updates provided by a third party, so let’s start there. At the time of this writing, three companies are producing update catalogs that can be used to scan for and distribute appropriate patches in SMS—Adobe, 1e, and Citrix. Participating companies may be viewed by selecting the custom updates partner catalogs, as shown in Figure 1.
Figure 1 CUPT in action
Using partner-supplied updates is a simple matter of downloading the catalogs and adding them to SMS. First download the updates you need and then choose the option on the Action menu to import the updates. A wizard will ask for the location of the .cab files you just downloaded. When the wizard has completed, the new updates will be visible in the CUPT for further configuration and publication to the SMS site server. Note, however, that each update needed must be flagged for publication. If an update is not flagged, it will not be included when the request to publish is made. You can do this in bulk, as shown in Figure 2. Note that the far right-hand column must have the flag enabled in order for the update to be published.
Figure 2 Setting the publish flag
You can further customize each downloaded update if required. To do so, simply select the update and choose Edit. Take care when customizing an update, however, as improper configuration can lead to unexpected and unsatisfactory results.
After flagging the updates, it’s time to publish them. You can accomplish this either by publishing to an external .cab file for later use or by synchronizing selected updates with the SMS site database for immediate use. In order to synchronize with the SMS site database, you need to supply configuration information such as the Site Server name and package source path (see Figure 3).
Figure 3 Synchronization information
You can find this screen by highlighting the Custom Updates node and then choosing Settings from the Action menu. After you supply an accessible site server name and the path pointing to the source directory for the Inventory Tool for Custom Updates, the site code and status will be updated.
With the synchronization options set, CUPT is now ready to synchronize with the SMS Site Server. To perform the synchronization, select the publish updates option from the Action menu. This will initiate the publishing wizard. In order to publish the updates to the SMS database for immediate use, ensure that the option to synchronize with Site Database of Systems Management Server is selected. Happily, this step comes with some visual assistance: this option will be gray if the synchronization settings haven’t been configured.
After the wizard completes, the custom updates are available for action in the SMS administration console. Starting the Distribute Software Updates Wizard provides an option to work with any available custom updates.
Now that you’ve seen the process for consuming and using vendor-produced updates for third-party products, what about custom updates for vendor-supplied software when there are no prepackaged updates available? This is where CUPT really shines. With CUPT, you can create custom updates complete with full targeting criteria to cover almost any situation.
Creating a custom update is not difficult but it does require that the administrator understand how to patch the software, what criteria to use to determine whether a patch is applicable, and what targeting rules should be used to focus the update. Targeting rules are defined separately from the update creation process. They can be viewed by selecting the Manage Rules option from the Action menu.
Custom update creation is initiated by selecting the Create Update item on the Action menu, which launches a wizard where you’ll supply the details of the custom update. Detailed discussion of creating a custom update is beyond the scope of this article, but it is instructive to select properties on one of the imported custom third-party updates to understand what is required in each field when building your own update. The properties of a configured third-party update are shown in Figure 4.
Figure 4 Properties of a third-party update
Using the custom updates creation process, you can do more than just updates; you can also configure software to be distributed to client systems. Although this will work, it is important to note that it is not a recommended approach nor is it the intended use of CUPT.
The Inventory Tool for Custom Updates
The ITCU is a new inventory tool that works with custom update catalogs. Like the scan tools before it, ITCU creates custom collections, packages, and advertisements that are used for deploying the scan tools to SMS clients in the enterprise. Just as with previous scan tools, ITCU will retrieve the catalog, in this case the custom updates catalog, from an accessible SMS distribution point, perform the scan based on catalog data, insert the results of that scan into Windows Management Instrumentation (WMI), and report the results via hardware inventory. The main difference in the scan process is the catalog used.
The introduction of SMS 2003 R2 adds a powerful tool to the existing SMS security arsenal. Never before have administrators been able to leverage existing SMS infrastructure for patching third-party and custom applications. SMS R2 is a welcome addition for the patch management administrator.
So now you have two tools at your disposal for handling software updates from sources other than Microsoft. The manageability and convenience that CUPT and ITCU provide will ensure that your custom updates go as smoothly as the Windows updates you’re already using.
Steve Rachui is a Manageability Support Escalation Engineer in the Product Support Services group at Microsoft. He has supported SMS since version 1.2. Steve can be reached at email@example.com.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited