Although no technology solution can automate a patch
management process completely, a well-rounded patch management
infrastructure can certainly help the patch management team by
automating many of the routine tasks. SMS 2003 is an extremely flexible
tool, and you can easily integrate it into patch management processes,
including the Microsoft-recommended four-phase patch management process
described earlier in this chapter. SMS 2003 was designed to be
extensible to accommodate the changing patch management and software
update needs of organizations.
1. Extending SMS 2003 Functionality for Software Updates
In response to customers’ patch management
needs, Microsoft released the Software Update Services (SUS) feature
pack for SMS 2.0. Much of the functionality of the feature pack has been
updated and incorporated into SMS 2003, and new features have been
added. You can download the Software Update Scanning Tools for SMS 2003
from Microsoft’s SMS Web site (http://www.microsoft.com/smserver/downloads/2003/default.asp)
to extend the product’s functionality. You can also start the SMS
Administrator Console, right-click the Software Updates node, select All
Tasks, and then select the Download Inventory Scanning Programs option.
Currently, two tools exist: the Security Update Inventory Tool, to scan
for missing system software updates, and the Microsoft Office Inventory
Tool for Updates, to scan for missing Microsoft Office software
updates. Microsoft might add more, and ISVs can extend the functionality
of SMS 2003 by writing their own. Once they’re installed and
configured, you can use these tools with SMS 2003 to help automate parts
of a patch management process.
Installing the Update Inventory Tools
Installing the Systems Management Server 2003
Software Update Scanning Tools is relatively simple. Once downloaded and
unpacked, there should be two installation executables, called
OfficePatch_XXX.exe and SecurityPatch_XXX.exe, where XXX
is the language identifier for the executable. Each should be run in
turn to install the extensions to SMS 2003. During installation the user
will be asked to accept a license agreement; select an installation
folder (by default, C:\Program Files\OfficePatch and C:\Program
Files\SecurityPatch for the Microsoft Office Inventory Tool for Updates
and the Security Update Inventory Tool, respectively); download and
install the latest database or catalog of updates from Microsoft’s Web
site; and create the collections, packages, and advertisements necessary
for clients to distribute and run the inventory tools. You’re required
to enter the name used to identify the package in a dialog box during
installation, as shown in Figure 1.
You’re asked whether you wish to retrieve new
versions of the database (Office or Security) of software updates
automatically. If the answer is yes, you can enter the name of the system on
which to run the retrieval task. By default, the name is the local
server’s name. A system that fetches database updates automatically must
have Internet connectivity and will fetch updates only when a user with
the correct permissions is logged on. As an alternative, you can
periodically download the Security Patch Bulletin Catalog
(MSSecure.XML) for the Security Update Inventory Tool and the Microsoft
Office Update Database (Invcif.exe) for the Microsoft Office Inventory
Tool for Updates, and manually place each one into the respective
tool’s installation folder.
Lastly, you’re asked for the name of an existing SMS client onto which the
inventory tools can be installed and tested. Although a name must be
supplied before installation can proceed, any name can be entered,
including one for a system that doesn’t exist yet (this is useful when
you’re building out an environment or when you’re unsure which system to
use).
As part of the installation process, the
inventory tools extend SMS 2003 by creating collections, packages, and
advertisements. By default, both the Microsoft Office Inventory Tool for
Updates and the Security Update Inventory Tool add three collections, a
package with three programs, and two advertisements each. The three
collections added are used to specify the IT assets in the production
environment that will receive advertisements of the packages containing
the inventory tools; to specify the IT assets in a preproduction
environment that can be used for testing updates (this is the collection
into which the SMS client computer named during installation of the
update tools is placed); and to specify the host system, called a sync
host, that will be responsible for collecting the catalogs of updates
and other information from Microsoft’s Web site. Figure 2
shows collections added with the prefix MS Office Updates and MS
Security Updates, as these were the names specified when prompted for a
package name during installation of the inventory tools.
The package created by each of the inventory tools installation programs contains three programs (as shown in Figure 3).
The first two programs are used to deploy the update scanning tools to
SMS clients. As the name suggests, the program marked Expedited is used
to run the program in such a fashion that information from the client is
made accessible to the SMS site server in an expedited manner. It’s not
recommended that this be used on production systems for performance
reasons, and its use should be limited to test environments. The third
program is used to synchronize the database of available Security or
Office software updates from Microsoft’s Web site with the local copy by
downloading the latest revision of the database. Perhaps confusingly,
the command executed by both the Office Update Inventory Tool’s Sync
program and the Security Update Inventory Tool’s Sync program is called
SyncXML.exe, but these are different programs and each can be found in
the respective installation folder for each tool.
Lastly, the inventory tools installation programs create two advertisements each (as shown in Figure 4).
One advertisement is used to inform clients of the program’s
availability to run the update inventory tools in the corresponding
package, and the other is used to kick off the synchronization of the
database of updates. The advertisements are installed with a default
schedule that should be tuned to the organization’s needs.
Testing the Update Inventory Tools
Once the inventory tools have been successfully installed onto the SMS site
server, you should test them. You can do this in several ways. The
simplest is to create a new advertisement for the expedited scan program
in the Security or Office inventory package you wish to test, as shown
in Figure 5.
When selecting a collection to advertise the inventory tools package to,
select the preproduction environment as it should be prepopulated with
the name of the SMS client you specified during installation of the
inventory tool you’re testing. If you specified a system that doesn’t
exist during installation, if it has since been removed, or if you want
to test the tools across more than one client, you can add systems
manually to the collection for testing purposes and then remove them
later. Do not specify a production collection in this dialog box, as the
expedited program setting can cause problems when run on large numbers
of hosts.
To check that a client picked up the
advertisement and that the scan tools have run, you can use the Resource
Explorer to check the Software Updates node under the Hardware node for
an SMS client in the collection to which that advertisement was made
available, as shown in Figure 6.
The Software Updates listed under the Hardware node, which are the results
of the scan performed by the Update Inventory Tools, are stored on the client as
instances of a Windows Management Instrumentation (WMI) class called
Win32_PatchState. Instances of this class are collected and propagated
to the SMS site server by the Hardware Inventory Client Agent, where
they’re collated and processed to give site-level views of the
information.
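Because the scan results exist on the client as Win32_PatchState instances before the Hardware Inventory Client Agent ever forwards them, the quickest way to tell whether a scan actually ran is to query that class directly on the test client rather than waiting for Resource Explorer to catch up. The following PowerShell function is an added example, not code from the book or from the inventory tools; it assumes the class is published in the root\cimv2 namespace (the page does not state the namespace) and that you run it from an administrative workstation with WMI access to the client, and it makes no assumptions about the class’s property names because it simply lists every property of each instance.

```powershell
# Added example (not from the book): spot-check Update Inventory Tool results on one SMS client.
# Assumptions not stated on the page: Win32_PatchState lives in root\cimv2, and the
# caller has remote WMI rights on the target client.

function Get-PatchStateSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Namespace    = 'root\cimv2'   # assumed namespace for Win32_PatchState
    )

    try {
        $instances = @(Get-WmiObject -Namespace $Namespace -Class Win32_PatchState `
                        -ComputerName $ComputerName -ErrorAction Stop)
    }
    catch {
        # The class is created by the inventory tool itself, so a failure here usually
        # means the advertisement has not been picked up or the scan program has not run.
        Write-Warning "Win32_PatchState not available on $ComputerName : $($_.Exception.Message)"
        return $null
    }

    if ($instances.Count -eq 0) {
        # Class exists but holds nothing: the scan may still be running or may have
        # found no applicable updates for the installed product set.
        Write-Warning "Win32_PatchState present on $ComputerName but has no instances."
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        InstanceCount = $instances.Count
        Instances     = $instances
    }
}

# Usage: dump every property of every instance so the client-side data can be compared
# with what Resource Explorer shows under Hardware > Software Updates once the
# Hardware Inventory Client Agent has reported to the site server.
$summary = Get-PatchStateSummary -ComputerName $env:COMPUTERNAME
if ($summary) {
    "{0}: {1} Win32_PatchState instance(s)" -f $summary.ComputerName, $summary.InstanceCount
    $summary.Instances | Format-List -Property *
}
```

Run it against the preproduction client named during installation; a warning from the catch block is the expected result on a client that has not yet executed the expedited scan program, and a non-zero instance count that does not yet appear in Resource Explorer points at hardware inventory propagation rather than the scan tool as the thing to check next.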