Distributing and applying software updates (aka patches) to desktop machines and servers can be a headache. Microsoft recommends that large enterprises with sophisticated patch-management requirements use Microsoft Systems Management Server (SMS) 2003 to deal with patches. Although Microsoft Software Update Services (SUS) is ideal for small and some midsized organizations, it doesn't efficiently support processes that large organizations employ. Large enterprises need to inventory their environments, determine whether they need to apply a particular patch, then target that patch based on their specific requirements. Scheduling patch installation, controlling patch-installation behavior (i.e., silent installation and reboots), and reporting the progress of patch distribution are core patch-management requirements for large organizations. SMS 2003 meets these requirements.
SMS 2.0 uses a feature pack to distribute software updates, but Microsoft designed SMS 2003 especially for distributing Windows and Microsoft Office updates from the Windows Update (http://windowsupdate.microsoft.com) and Microsoft Office Update (http://officeupdate.microsoft.com) Web sites. In addition to retrieving and deploying updates from these sites, SMS 2003 collects baseline compliance statistics, as I explain later.
Installing the Software Update Scanning Tools
Before you can monitor SMS clients to ensure that they comply with your configuration baseline and package software updates for distribution, you must use the Software Update Scanning Tools to extend SMS 2003. You'll find the tools at http://www.microsoft .com/smserver/downloads/2003/default.asp. You can also obtain them by launching the SMS Administrator Console from the Systems Management Server program group, expanding Site Database, right-clicking Software Updates, and selecting All Tasks, Download Inventory Scanning Programs from the context-sensitive menu. On the download page, select the language you need from the drop-down list and click Go, which will prompt you to open or save the executable package. The package contains two scanning tools: the Security Update Inventory Tool and the Office Inventory Tool for Updates. You install and integrate the tools into SMS 2003 by running both installation packages.
The Security Update Inventory Tool is similar to Microsoft Baseline Security Analyzer (MBSA) 1.2, but in addition to scanning for missing security updates, creating reports, and identifying configuration options that present potential security vulnerabilities, the Security Update Inventory Tool distributes updates and configures computers. The Security Update Inventory Tool supports several platforms and server products, including Windows Server 2003, Windows XP, Windows 2000, Microsoft Exchange Server 2003, and Microsoft BizTalk Server 2000. (The SMS Software Update Services Feature Pack Web site—http://www.microsoft.com/smserver/downloads/20/feature packs/suspack—contains a full list of products that the Security Update Inventory Tool supports.)
The Office Inventory Tool for Updates uses the Office Update Database to determine whether Windows 2003, Win2K, and Microsoft Office 2003 installations are up-to-date. The resulting data is included in the SMS inventory. When you run the downloaded package, you're prompted for the folder in which to place the two scanning tools' installation packages and the accompanying documentation.
Because the Software Update Scanning Tools use the SMS software-distribution feature to scan and distribute patches, understanding how that feature works is important. Packages are the foundation of software distribution; each package contains three primary components: source files (in our case, packages), programs, and the associated distribution point. The distribution point is a server that will house the source files. After you configure a package, it needs a target, which in SMS terms is a collection. A collection contains user, group, and computer objects. To execute a program on the members of a collection, you have to create an advertisement, which defines the package and program that you want to distribute as well as which collections will receive the distribution.
The Security Update Inventory Tool installation program is a wizard. After you click Next on the welcome screen, accept the licensing agreement, and click Next, the wizard prompts you for a folder location. Accept the default location (%ProgramFiles%\SecurityUpdate) or enter a new location and click Next. The wizard prompts you to download the MSSecure.xml file in compressed cabinet (CAB) format. The inventory tool uses this file to check for missing software updates on SMS client systems.
After you download the file and click Next, the wizard prompts you to click Next again to install the tools, then guides you through entering distribution settings and creating the package that will scan the SMS clients. In a testing environment, you can safely accept the default settings and enter a package name, as Figure 1 shows, or you can modify the options for your environment.
Next, the wizard prompts you for the NetBIOS name of an SMS client, then creates on that client a scheduled task that will download the most recent MSSecure file. By default, the wizard displays the name of the SMS server, but you can change the name or delete it if you don't want to set up a scheduled task. The system you select requires Internet connectivity so that it can download the file, and the task will run successfully only after a suitably privileged user logs on. (Typically, administrator-level privileges are required, but you can also configure user accounts.) Alternatively, you can manually download the file and copy it to the folder in which you installed the Security Update Inventory Tool. (Place the file in the appropriate language subfolder—for example, subfolder 1033 for US English.) If you chose in an earlier step to create a package to scan clients, the wizard prompts you to enter the name of an SMS client to which you can distribute and test the inventory tools. For the installation to proceed, you must enter a system name that exists in the SMS database. Clicking Next twice begins installation and configuration of the package that you'll use to distribute the inventory tool to clients. This is the last step in the wizard.
By opening the SMS Administrator Console and looking under the Packages, Advertisements, and Collections nodes, you can make sure that the package you specified—and an advertisement and the collections to distribute it—has been created. The tool creates two collections: a preproduction collection that contains the name of the test system you specified during installation and a collection into which you can add other SMS clients and that you can use to distribute the inventory tools.
Installing the Office Inventory Tool for Updates is similar to installing the Security Update Inventory Tool. The only differences are that you install the Office inventory tool to %ProgramFiles%\OfficePatch, and you download the invcm.exe file, which SMS clients use to make sure that the applicable Office 2003 updates have been installed.
After you install the inventory tools, make sure that they're working by creating two new advertisements, one for each tool. To create the advertisements, open the SMS Administrator Console, right-click Advertisements, click New, then click Advertisement. Create an advertisement name; choose the package, program, and collection; then click OK. The advertisements should run the programs that are marked as expedited in the tools' packages and advertise the programs only to the tools' preproduction collections. The expedited programs run an inventory on the clients immediately after the scanning process completes, then send the inventory back to the SMS server. Advertising the expedited programs to large collections can affect your network performance, depending on how large the inventory is, how many clients report their inventories, and the bandwidth between the SMS clients and the SMS server. To verify that the test systems picked up advertisements, you can launch the Resource Explorer from the SMS Administrator Console for each test system, expand the Hardware node, and check the contents of the Software Updates node, as Web Figure 1 (http://www.windowsitpro.com/windowssecurity, InstantDoc ID 44067) shows. When the inventory tools run on an SMS client, they populate the Windows Management Instrumentation (WMI) Win32_Patchstate class, which is why Software Updates appears under the Hardware node.
Gathering Compliance Data
After you verify that the inventory tools are installed correctly and can be deployed to test systems in the preproduction collections, configure the production advertisements to collect compliance data. By default, the advertisements run every 7 days, as Web Figure 2 shows. For some organizations, this schedule might be acceptable, but many organizations will want to reduce the time between advertisements. To obtain accurate results, you must have the most recent MSSecure and Invcm files each time the advertisement runs. If you configured SMS client systems to automatically obtain these files, remember that users with suitable permissions need to log on to these systems and that the systems must have Internet access. I recommend that you manually obtain the files and install them, as I described earlier.
You also need to populate the corresponding production collections. The collection specifies all system resources in a particular Active Directory (AD) site that have the SMS client installed. After you've tailored the advertisement to your organization's needs, the clients have picked up the advertisement, the inventory tools have run, and the results have been returned to the SMS server, you can view update compliance across your organization by clicking the Software Updates node in the SMS Administrator Console. Figure 2 shows a report for a test environment that contains three partially up-to-date SMS clients (a Windows 2003 system and two XP systems). The Requested column shows the number of systems that require the update; the Compliant column shows how many systems have the update installed. You can mine the SMS site database for detailed compliance information. To mine the database, use the Software Updates Web reports, which you can access through the SMS Administrator Console by expanding the Reporting node, clicking Reports, and sorting by the Category column. You can view 13 reports that display compliance information by computer, software update, and product.
Packaging and Distributing Updates
Using the SMS 2003 inventory tools to determine whether your systems are compliant with your secure configuration baseline helps only so much. To make the best use of SMS and the inventory tools, you need to package updates and distribute them to clients. You can use the Distribute Software Updates Wizard to create update packages. To launch the wizard, right-click an eligible node, such as Software Updates, in the SMS Administrators Console and select All Tasks, Distribute Software Updates from the context-sensitive menu. Click Next to begin the distribution process.
The wizard asks you to select the type of update you want to distribute, as Figure 3 shows. The MBSA and Microsoft Office options are available when you install the inventory tools. Select the type of update you want to distribute and click Next. The wizard asks you to select a package to which you want to add the update. If no appropriate packages exist, create a new package by selecting New from the list of packages, clicking Next, and entering a package name. Click Next again to customize the package by entering the name of the person responsible for the update policy and selecting a Rich Text Format (RTF) file that users can view after the package is installed to read any messages that you might want to give them about the update. The wizard then prompts you to select the inventory tool and program in the package that was created when you installed the tool and determines whether the client needs to apply the update. Unless you have a specific need, accept the default settings. From a list of updates such as that in Figure 4, the wizard asks you to select the updates that you want the package to apply. (I recommend that you don't mix software updates for different platforms.)
The next step lets you specify the package source directory in which you want to place updates before they're moved to distribution points, the package priority, and whether the updates should be automatically downloaded. You can usually automatically download updates to the SMS server, but on occasion you'll need to manually download them. If you need to manually download an update, the update's information section will provide a download location. If you choose to have the wizard automatically download the updates from the Microsoft Download Center to the SMS server, click Next to begin the download process.
After the download is finished, the wizard displays the list of updates and whether they're ready for distribution. Most updates won't be ready and will need to be configured. Typically, you can configure updates simply by specifying their command-line parameters. To view the update properties and specify parameters, select the update and click Properties to display the dialog box that Web Figure 3 shows. To get detailed information about parameters, click Syntax; to get details specific to the update, click Information and drill down through the bulletin. Office updates aren't as easy to distribute as platform software updates, and each platform uses different command-line parameters. Microsoft has committed to trying to move toward one update-installation program and ensuring that command-line options are consistent. If no command-line options are required, select Parameters and click OK to make an update ready without specifying parameters. Occasionally an update won't be ready for installation because it wasn't downloaded. In such cases, you can attempt to download the update again by clicking Download.
When all updates are marked as ready, click OK, then select distribution points for the updates. Selecting the distribution points and clicking Next will prompt you to configure the installation agent settings. You can elect to collect client inventory information after the update is applied and postpone restarts for Workstations, Servers, Both, or None. If you choose to restart the SMS client, you can select Close Running Programs and Discard Unsaved Data.
The next window contains further installation agent settings that determine whether the installation is unattended and how to handle restarts. The subsequent and sometimes final window contains a third page of installation agent settings, including whether to notify users about update activity, whether users can postpone updates, and what to do when the advertising interval is reached. If you didn't specify a time limit for the advertising interval, an additional window will help you create an advertisement for the package. You'll be prompted for the advertisement name and when you want to readvertise the package. If you did select a time limit, you need to create an advertisement for the package and specify the package and the collection to which it should be applied.
When you specify collections, make sure that updates are sent only to the correct systems (e.g., that XP Service Pack 1—SP1—updates are sent only to systems with XP SP1 installed, not to systems with XP SP2 installed). If you have several categories of systems, you might find it easier to create a collection for each system.
Monitoring and Troubleshooting Update Distribution
After you configure the advertisements for the software-update packages, make sure that the packages were distributed to the clients by clicking Software Updates in the SMS Administrators Console to see whether the updates' status has changed from requested to compliant. The packages won't be distributed immediately, and you might have to wait quite a while before they're applied. Before the console can register an update as being applied, the update must not only be applied, but a hardware inventory must be performed and the results from the Win32_Patchstate WMI container must be returned to the SMS server. Over time, more and more systems will appear in the Compliant column in the Software Updates node. However, depending on the size and complexity of your environment, you might never achieve 100 percent compliance for several reasons, such as that computers are replaced but aren't removed from the SMS database or that users are out of the office for extended periods of time.
If no systems become compliant, some simple steps can help you diagnose the problem. First, make sure that the package that contains the updates has been advertised and that the SMS clients have picked up the advertisement. Second, make sure that the inventory tool scans the same collections of SMS clients to which the advertisement advertises the package. Also make sure that the updates in the package are the correct updates for the target systems and that you specified the correct command-line parameters, if required. Finally, check the update and package settings; you might need to reboot SMS clients before the updates can be fully installed.
You can use SMS 2003's inventory tools to monitor your organization's systems for compliance with your secure configuration baseline. This article describes a simple SMS setup for one site that has one SMS server. SMS 2003 software updates work just as effectively in enterprises with multiple sites and multiple servers in each site. For more information about such configurations, read the documentation that comes with SMS or Microsoft Systems Management Server 2003 Administrator's Companion (Microsoft Press, 2004).