Published: September 5, 2005 | Updated: November 2, 2006
A. SMS administrators can use the Inventory Tool for Microsoft Updates (ITMU) to determine the compliance of Microsoft products on managed systems for updates that are security related. At this time, the Inventory Tool for Microsoft Updates does not determine compliance for non-security related updates. The Inventory Tool for Microsoft Updates deploys security updates released through Microsoft Security Response Center, update roll-ups, and service packs.
Inventory Tool for Microsoft Updates includes the following components:
Scan tool for Microsoft product updates to scan Windows desktops and servers for compliance to Microsoft security updates for Microsoft Windows and Microsoft Applications
Synchronization of the Windows Update catalog on a recurring schedule
The latest Windows Update Agent. On the first scan, if managed systems do not have the most recent Windows Update Agent (version 188.8.131.5294 or later), it can be installed to support Microsoft Update detection and deployment
New SMS Advanced Client release, reports, and an updated Distribute Software Update Wizard
A. The Microsoft Update Catalog is a repository for Microsoft software updates and contains updates that address security and reliability issues. Microsoft Update and Windows Update are services from Microsoft that deliver required updates from the Microsoft Update Catalog. The Microsoft Update service queries the Microsoft Update Catalog to determine what updates are available for the PC that Microsoft Update is installed on. The Windows Update service functions the same way but provides updates only for Microsoft operating systems and Windows-based hardware.
By default, the Windows Update Agent runs on Microsoft operating systems and tells end users when new updates are available from Windows Update. Consumers are familiar with the Microsoft Update website, where they can download updates to ensure the health of their computers based on alerts provided by the Windows Update Agent. The Agent can also be configured to automatically download and install updates. Consumers can choose to opt in to receive updates from the entire Microsoft Update catalog from the Microsoft Update website.
Corporations require more control over provisioning of updates and use additional products and tools like Microsoft Systems Management Server (SMS) or Windows Server Update Services (WSUS) to control the deployment of updates, ensuring the health of their corporate network.
A. SMS 2003 Service Pack 1 (and later) with certain hotfixes applied. Be sure to read the Pre-installation Guide for details on the hotfixes and corresponding prerequisites when installing Inventory Tool for Microsoft Updates.
A. Inventory Tool for Microsoft Updates v1.0 currently uses Windows Update Agent version 5.8.
A. Inventory Tool for Microsoft Updates v1.0, WSUS 2.0, and MBSA 2.0 use the same scan agent, the Windows Update Agent v5.8. Older versions of MBSA use their own scan tool for update compliance. Review the Windows Server Update Services Frequently Asked Questions and MBSA 2.0 Frequently Asked Questions for more information.
A. Inventory Tool for Microsoft Updates synchronizes its update catalog with Windows Update and Microsoft Update and integrates with the Windows Update Agent version 5.8 to provide security update detection and deployment for:
Windows Update and Microsoft Update provide security updates for:
Microsoft Windows 2000 Service Pack 4 and later
Microsoft Windows 64-bit edition (based on Windows Server 2003 SP1 code)
Microsoft Windows XP Embedded
All Windows components (such as MSXML, MDAC, and Microsoft Virtual Machine)
Microsoft Office XP and Office 2003
Microsoft Exchange 2000 and Exchange 2003
Microsoft SQL Server 2000 SP4 and later
A. Continue to use the SMS 2003 Software Update Scanning Tools for products that are not supported by Microsoft Update. These tools use MBSA 1.2, UpdateScan.exe, and Office detection scan engines for assessing current update compliance.
A. Yes, over time. The Windows Update Agent and catalog will support updating Windows operating systems and many Microsoft products, adding additional Microsoft products over time. Learn more about the SMS 2003 Software Update Scanning Tools.
A. Inventory Tool for Microsoft Updates synchronizes with Microsoft Update, supporting the Windows operating system and many Microsoft products. By synchronizing with Microsoft Update, Inventory Tool for Microsoft Updates adds support to SMS for updating products like Exchange Express, the Microsoft .NET Framework, MSDE, MSN Messenger, Project Server 2002, SQL Server 2005, Windows XP Embedded and Windows Server x64 bit servers. This list of supported products by Microsoft Update will grow rapidly over the course of the next few quarters.
In addition, Inventory Tool for Microsoft Updates now shares the same security update, update rollup, and service pack data as offered by Microsoft Windows Server Update Services (WSUS) by leveraging a common scan agent, the Windows Update Agent. This ensures consistent results, updates, and content based on what is published in Microsoft Update and Windows Update regardless of which tool is used.
By standardizing on a single scan tool, administration costs are greatly reduced, resulting in fewer packages and therefore fewer deployments and potentially fewer client reboots.
Inventory Tool for Microsoft Updates also simplifies the deployment of packages by automating tedious command line processes for implementing silent deployments and unattended reboots.
Prior to Microsoft Update, different groups within Microsoft published their own disparate update catalogs on the Windows Download Center. As a result, administrators have had to work with numerous scan agents and corresponding catalogs, resulting in a lot of administrative overhead.
Overall, Inventory Tool for Microsoft Updates, with the new Windows Update Agent and the Microsoft Update catalog, is a more flexible architecture than previous solutions and will be able to scan for almost any security update in the suite of Microsoft products.
A. Users who have update requirements for legacy products not supported by the Windows Update Agent. The SMS 2003 Software Update Scanning Tools integrate with MBSA v1.2 and the Office Update scan tool. Below is a list of products supported by the SMS Software Update Scanning Tools that are not currently covered by the Microsoft Update Catalog:
BizTalk Server 2000, 2002, and 2004
Content Management Server 2001 and 2002
Office Web Components 2000
Host Integration Server 2000, 2004 and SNA Server 4.0
Windows 2000 Advanced Server < SP3
Windows Data Center Server < SP3
Windows 2000 Server < SP3
Windows Media Services 4.0, 4.1
Learn more about the SMS 2003 Software Update Scanning Tools.
A. No. SMS 2003 can provide the same basic services that WSUS can, in addition to the advanced controls for update management, so you will not need WSUS if you have SMS 2003.
A. SMS 2003 provides a number of capabilities in the areas of advanced administrator control and awareness that WSUS does not include. In particular, SMS users can create collections based on inventory characteristics of machines, which enables administrators to better target their updates and perform functions such as:
Deploy updates based on service windows (advertisement)
Better manage the user experience by displaying a customizable user interface and maintain fine-grained control over enforcement settings such as restart and install.
Fully understand compliance of their environment through inventory information and get detailed status about the system state with respect to an update.
A. The software updates support in MBSA is using a deprecated scanning technology. Customers may need to continue to use MBSA within SMS and standalone to scan for updates on legacy products.
A. No. SMS Inventory Tool for Microsoft Updates does not directly integrate with MBSA 2.0. However, SMS uses the Windows Update Agent and the Windows Update Catalog for scanning, which is the same underlying technology that MBSA 2.0 uses for update compliance.
A. The SMS Enterprise Update Scan Tool was designed to provide additional support for vulnerabilities not detectable by MBSA 1.2. ITMU obsoletes the need for the SMS Extended Update Inventory Tool and corresponding scan agent for products supported by Microsoft Update. Customers may still need to use the Enterprise Update Scan Tool in some cases for products not supported by Microsoft Update. Read the MSRC bulletin to keep current on updates supported by the Enterprise Update Scan Tool.