The SMS 2.0 SUS Feature Pack

Comprehensive update management at your fingertips

Sadmind and CodeRed exemplify a new breed of malicious code that indiscriminately probes and attacks Internet servers, methodically searching subnets for vulnerable machines. These worms and many like them have infected thousands of machines on the Internet. But the real wake-up call for the IT community was the realization that such worms exploited holes that Microsoft had officially released patches for months earlier. What the Internet community needed was effective and comprehensive patch management.

Effective patch management requires rigorous processes for inventorying, reporting, testing, and deploying crucial security patches. A patch-management program can employ a mixed framework of triage, testing, and deployment of software updates to help protect your organization from persistent attacks. Microsoft has released several tools that let organizations build a technical foundation for patch management. The latest and most robust weapon in the patch-management arsenal is the Microsoft Systems Management Server (SMS) 2.0 Software Update Services (SUS) Feature Pack. This free add-on (available at plugs a superset of features into an existing SMS installation to propel your organization toward the ideal patch-management solution*one that includes granular targeting, scheduling, and status reporting.

The SMS SUS Feature Pack builds a deployment and reporting framework around existing update-management tools. The Feature Pack uses the Microsoft Office Inventory Tool for Updates and the Security Update Inventory Tool, which the Microsoft Baseline Security Analyzer (MBSA) powers, to inventory the patch status of all SMS clients. SMS SUS includes a Distribute Software Updates Wizard to help you download updates and create the SMS packages, programs, and advertisements for applicable updates. The Feature Pack uses an enhanced version of the SMS Web Reports add-on to deliver robust reporting that includes information about installed and missing patches. Bolting these modules onto your SMS installation creates a comprehensive patch-management system.

An SMS Primer
Before you install SMS SUS, you must establish a stable and functioning SMS deployment. As with any new technology or application, I recommend setting up a simple test environment that's separate from any production machines. If you haven't worked with SMS, I suggest that you read about deployment considerations, recommendations, and best practices at the Microsoft Web site at

Let's walk through a basic SMS installation that consists of one server and a few clients. The server comprises the primary site server, the client access point (CAP), and the deployment server. To this basic SMS installation, we'll add the Feature Pack. For this test platform, we'll install an SMS Express Installation on a server with a fresh installation of Windows 2000 Service Pack 3 (SP3—SMS SUS requires Windows NT 4.0 SP6a or later). SMS uses a Microsoft SQL Server 7.0 or later database to store all its information. For the sake of simplicity, we'll let the SMS Installer load and configure SQL Server 2000. (If the SMS Installer doesn't find SQL Server on your server, it asks whether it should install it for you.) The client machines consist of several Windows XP workstations and a Win2K SP3 domain controller (DC). The clients are all within the same class C subnet ( and have Internet access.

First, set up a service account to use for the SMS installation. From the Active Directory Users and Computer Manager, create a new Domain Administrator account (e.g., test\svcSMS). Run the SMS Setup application (autorun.exe) to begin the setup process. Select Set Up SMS 2.0. The SMS Installer looks for an existing primary site server, a secondary site server, a CAP, a component server, or an SMS Administrator console. If it finds none of these, the SMS Installer asks whether you want to install a primary site. Choose Express Installation.

SMS prompts you for a three-character site code, a site name, and the site domain. Click Next, then enter the name and password of the domain service account (i.e., the service account you just created) that you want to use for SMS. When SMS prompts you, point the SMS Installer to the SQL Server setup files. The SMS Installer automatically installs SQL Server and configures the SMS databases. When this installation is finished, install the latest SMS service pack (currently SP4). The basic installation of SMS 2.0 is now finished.

Configuring a Base SMS Installation
Now, let's make SMS functional. Click Start, All Programs, Systems Management Server, then launch the SMS Administrator Console. Maneuver to Site Database, Site Hierarchy, right-click the Site Name, then click Properties to see the properties for the site. Click the Boundaries tab, and add new IP subnets that define your test network.

Next, configure SMS to load the SMS Systems Management client on the test clients. Navigate to Site Database, Site Hierarchy, Site Name, Site Settings, then click Client Agents. In the right pane of the Microsoft Management Console (MMC), double-click the names of the agents you want to install. For this test environment, enable Hardware Inventory Client Agent, Software Inventory Client Agent, and Advertised Programs Client Agent. For each of the inventory agents, decrease the time to run the inventory to a time less than the default (e.g., 1 hour). Similarly, for the Advertised Programs Client Agent, increase the polling time to a more frequent interval (e.g., 5 minutes). These settings facilitate testing while increasing network and system load. Remember to restore these settings to default values when you deploy to your production environment.

Configure SMS to deploy the agents to your test systems. Navigate to Site Database, Site Hierarchy, Site Name, Site Settings, then click Client Installation Methods. In the right pane, double-click the Windows Networking Logon Client Installation. On the General tab, enable Windows Networking Logon Client Installation and add the name of your test domain (not a production domain) as a Logon Point. On the Logon Settings tab, select the Modify user logon scripts check box. Modify the Logon point update schedule to update every hour. Alternatively, you can run smsman.exe to manually install the SMS client on your client machines. (You must still define a Logon Point before performing a manual installation.)

After a few minutes, you should be able to navigate to the \\domaincontroller\NETLOGON share and see the new logon script smsls.bat and other SMS installation files. This script uses the SMS service account and automatically installs the SMS client on any machine that logs on to this test domain.

Finally, specify the user account to use to deploy the software. Navigate to Site Database, Site Hierarchy, Site Name, Site Settings, then click Component Configuration. In the right pane of MMC, double-click Software Distribution. Click Set (next to the NT client software installation account), enter the name of the service account you used to install SMS, then enter the password. (For your production environment, you'll want to create and use a separate account for installing the client software from the account used to run the SMS Services.) Click OK.

Testing the Installation
Reboot the test client machines and log on to the test domain. On a client machine, go to Control Panel. You should see a new Control Panel applet called Systems Management. Launch the Systems Management applet and confirm that it contains information about your newly installed site. Click the Components tab to verify that the components (i.e., Hardware Inventory Agent, Software Inventory Agent, and Available Programs Manager Win32) are installed.

Within the SMS Administrators Console, navigate to Site Database, Tools, Reports, Queries. Right-click All Systems by System Name, then click All Tasks, Schedule Report. On the Schedule tab, choose to run the report now. On the Accounts tab, set the logon username and password to that of the service account you used to install your test SMS system (e.g., test\svcSMS). Refresh the report and verify that it lists your newly added SMS machines.

The SMS SUS Feature Pack
After you establish a basic running SMS platform, you're ready to install the SMS SUS Feature Pack. Download smssusfp_enu.exe from Microsoft and run it to unpack the module components. The Feature Pack consists of five core add-on modules that you install independently to enhance SMS with software update management capabilities:

  • Office Inventory Tool for Updates (officepatch_enu.exe)
  • Security Update Inventory Tool (securitypatch_enu.exe)
  • Distribute Software Updates Wizard (patchwiz_enu.exe)
  • SMS Web Reporting (smswebreporting_enu.exe)
  • SMS Additional Web Reports (smsaddwebreports_enu.exe)

Installing the Office Inventory Tool for Updates
The Office Inventory Tool for Updates module is a Feature Pack add-on that runs weekly to check the update status for Office XP and Office 2000 on your SMS client machines. Both this module and the Security Update Inventory Tool module independently integrate available Microsoft utility tools for use within SMS. This integration provides a common interface and reporting mechanism for a variety of scanning tools. The Feature Pack saves time by scheduling when these tools run and collecting the results in the SMS database. You can then use SMS Web Reports to view the Office update status and create new update deployment packages that install only on machines that need specific updates.

To install the Office Inventory Tool for Updates, run the self-installing executable file, then specify a destination directory (e.g., C:\programfiles\officepatch). Click Next. Because the module relies on an existing tool for the scanning process, it prompts you to download the most recent version of the tool directly from the Microsoft Web site. Click Download to have invcm.exe and invcif.exe download to the directory you specify. (If your test server doesn't have direct Internet access, you must download these files separately and copy them to this machine.) Click Next to have the installation wizard extract and install the tools into your SMS installation.

After installing the tool, the setup wizard walks you through the configuration. Confirm that the Create Collection, Create Advertisement, and Assign Package to all Distribution Points check boxes are selected. SMS then creates the programs, packages, and advertisements for the Office Inventory Tool for Updates.

To review the Office Inventory Tool for Updates module's settings, open the SMS Administrator Console, then click Site Database, Packages. You should see three new programs: Office Update Tool, Office Update Tool (expedited), and Office Update Tool Sync. Additionally, two advertisements appear in your site. (For a definition of advertisements and other SMS terminology, see the Web sidebar "SMS Conventions,", InstantDoc ID 27548.) The Office Update Tool advertisement starts the program of the same name once a week to scan your SMS client computers for installed Office components and updates. The Office Update Tool Sync advertisement downloads new update information from Microsoft each week.

Installing the Security Update Inventory Tool
The Security Update Inventory Tool module checks for crucial OS security updates by scanning a machine for installed updates and comparing the results against a Microsoft database of updates ( The Feature Pack integrates this tool into SMS and schedules it to run weekly to collect security update data from your SMS clients. As with the Office Inventory Tool for Updates module, you will be able to use the SMS Web Reports module to view the data the module collects. Using the Distribute Software Updates Wizard, you can also create and deploy packages of updates that install on machines that need the update. SMS schedules and manages the application of the module.

Installing the Security Update Inventory Tool is similar to installing the Office Inventory Tool for Updates. After you run the wizard, specify a destination directory for the tools (e.g., C:\Program Files\SecurityPatch). The tool then prompts you to download the latest version of the security patch bulletin catalog file (, an .xml file. Review and specify the Distribution settings, Database Updates, and a test computer. Then, install the module. In the SMS Administrators Console, you'll notice new programs, packages, and advertisements associated with the Security Update Inventory Tool.

Installing the Distribute Software Updates Wizard
Next, install the Distribute Software Updates Wizard. This module analyzes data that the Office Inventory Tool for Updates and the Security Update Inventory Tool modules collect and recommends patches to install. This wizard pulls a list of applicable updates identified during a previous run of either the Office Inventory Tool for Updates or the Security Update Inventory Tool and walks you through the process of downloading the updates and configuring them for deployment through SMS. Although SMS package creation can be challenging, the Distribute Software Updates Wizard eases the challenge a bit by setting the package parameters and configuring the SMS programs, packages, and advertisements for you.

Run the self-extracting installer (patchwiz_enu.exe) to install this tool into SMS. Next, open the SMS Administrator Console, right-click Site Database, expand All Tasks, and select Distribute Software Updates. On the wizard screen that appears, click Next, then select the update type, as Figure 1 shows. (For this example, select Security.) The wizard notifies you that you must create a new package; in subsequent runs, the wizard lets you edit an existing package. Name your package (e.g., Security Update), and enter the name of your organization. Next, specify the Inventory Scan Tool package and the Program name. For this example, select Security Update Tool (site code) for both.

The next wizard screen displays applicable security updates. The wizard generates this list by comparing the available Microsoft security updates against the results of previous security update inventory scans. Select the updates you want to include in this package. Click Next, then specify the source directory in which the update files will reside. SMS can download the updates for you and copy them to a folder. If a download fails, you can download an update separately. Also, SMS SUS can't download some updates (or sometimes points to incorrect or broken links to updates), so you should become familiar with the process of downloading updates and pointing the wizard to them. SMS SUS sometimes stumbles as it tries to reconcile and automate the many different update formats that Microsoft offers. If the wizard fails to identify the update executable file, you must manually open the Microsoft Security Bulletin Web site, search for and download the correct version of the specific update, and copy it manually to a location that the SMS Distribute Software Updates Wizard specifies.

By default, the status of each update is not ready. To make an update ready, you must specify the command-line parameters the update will use when it runs. Select an update and click Properties to see details about the update. By default, the Parameters field might be blank, as Figure 2 shows. You must specify parameters to suppress reboots and limit user interaction (i.e., silent or quiet install). Unfortunately, Microsoft employs multiple engines to deploy its updates, and each uses its own command-line variants. When in doubt, click Syntax to display command-line switch information about a specific update's engine.

Click Information to visit an update's TechNet Web page. These pages give you quick and detailed information about specific updates. Next, specify the distribution points that will push the package to clients, then click Next to configure the Installation Agent settings.

The Software Updates Installation Agent runs on a client machine during the update package installation to ensure that you don't install redundant or unnecessary updates. This agent provides granular control over the deployment process for a set of updates. For example, you can specify the number of minutes that the process should wait for a user to accept an update before installing it automatically as Figure 3 shows. This agent can also monitor for update installations that hang or fail and cancel the installation.

As Figure 3 shows, you can let users install updates at their convenience. For example, users can choose to wait 14 days before having the update install automatically. Users like to be able to specify when to install updates, and you can rest assured that the updates will deploy. Additionally, you can configure the Installation Agent to report successful and failed installations and elect to postpone system restarts for servers and workstations. This feature is handy when you're deploying a package to a mixed group of servers and workstations and you want to reboot the workstations immediately after installing an update but delay rebooting servers until you take them offline for maintenance. Finally, instruct the Distribute Software Updates Wizard to create the advertisement and specify the collection to which it applies.

Review the new update package, then open the SMS Administrator Console and click Site Database, Packages. Notice that the wizard has created one package that includes all the multiple updates you selected and configured. For security updates, this feature is useful because the package deployment executable file uses QChain to link multiple updates together and minimizes the number of system restarts required. After you advertise your update package, the package is deployed to the collection of SMS clients you specified. Users who are logged on see a series of informational dialog boxes notifying them about the updates. Users learn that the Security Update advertisement is ready to run. When the advertisement runs, a scan occurs to determine which updates within the package are required.

Next, the Installation Agent displays a dialog box notifying the user which patches it will install. The user can then choose to install the updates immediately or, if you configured the Installation Agent accordingly, postpone the installation.

Run the update and check that the patches have installed successfully. (You can run the HFNetChk tool from a command line on the test machine to verify that the appropriate updates applied successfully.) If you encounter problems, examine your client machine's \temp directory (e.g., \%windir%\temp) for the patchinstall.log file. This file lists all the applicable updates for that client and which updates are authorized in that package. This step can help you determine why a particular update or package isn't installing correctly.

SMS Web Reporting
Installing the SMS SUS Web Reporting module, which requires Microsoft Internet Information Services (IIS) 5.0 or later, is a two-step process. (Note that you can install this module on any machine; you don't have to install it on your SMS machine.) First, run the SMS SUS smswebreporting_enu.exe module. After asking several questions about your SMS environment, the Web Reporting Installation Wizard creates a new Web site and extends the SMS database schema to include views of new types of update-related data. The wizard uses the systems administrator account to create the new objects and creates a new user called smsschm_user, which the Web application runs under. You can limit who can see the reports by specifying a local group name that will be used to restrict access to the SMS Web Reports Web site. Second, install Additional Web Reports by running the smsaddwebreports_enu.exe module installation program. Access the SMS Web Reports home page (by default, http://iisservername/ sitedb_sms_sitecode) to view any data collected since the update tools were installed and the inventory was most recently run.

Manually Refreshing the Reports
To manually refresh report data—for example, after installing updates on a machine—you must specify a new time for the Security Update Inventory Tool and the Office Inventory Tool for Updates advertisement to run. When these programs finish running, you must run a hardware inventory on the client machine. On the client system, run the Systems Management applet. Click the Components tab, select the Hardware Inventory Agent, and click Start Component. This process will cull the update information from the client machine and post it to the SMS database, thereby updating the SMS Software Update reports.

Standard reports include Hardware Inventory, Software Inventory, details on the SMS Site, and Status Message Reports. Patch status reports include drilldown-capable reports that show patch by machine, all patches, or patch by product. Microsoft includes many different reports and lets you easily survey your organization's overall patch landscape or dive down into details about an individual patch or machine's deployment status.

Here Comes the Cavalry
For SMS 2.0 users, the Feature Pack is a must-have. The Feature Pack's modules do a good job linking your SMS infrastructure with Microsoft's newest security and update tools. Moreover, the combination of reports, inventory tools, and targeted patch distribution that SMS SUS offers might be compelling enough to lure non-SMS converts into the fold. Properly deployed, the Feature Pack becomes a powerful foundation for patch management.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.