Windows Patch Management, SUS Feature Pack (Architectural Review)

by Marcin Policht

Microsoft's SUS Feature Pack aims to meet a broad spectrum of enterprise needs, including asset inventory, software deployment, and license monitoring. We dissect the key improvements and components in the latest release.

Thus far, our Windows Patch Management series has limited its scope to patch management solutions. While this approach is valid in some cases, many organizations seek products that provide more comprehensive capabilities, including asset inventory, software deployment, license monitoring, and remote control functionality. To accommodate these needs, Microsoft developed the Software Update Services Feature Pack, which installs as an add-on to its popular systems management solution, Systems Management Server 2.0 (SMS 2.0). Microsoft also incorporated the same functionality directly into Systems Management Server 2003.

This article focuses on the Software Update Services Feature Pack.

Systems Management Server 2.0's features cover a wide administrative spectrum, including hardware and software inventory, software distribution and metering, remote and network diagnostic tools, and reporting. Robust and customizable software distribution mechanisms include flexible scheduling, targeting based on characteristics derived from Active Directory or hardware/software inventory, and detailed status information. Highly scalable architecture, which functions well in practically any Windows environment, regardless of size, is based on a hierarchy consisting of groups (called sites, typically designated areas sharing fast network links) of SMS servers functioning in various roles (such as providing inventory database store and processing power, communicating with clients, monitoring license usage, and storing and replicating software installation packages) and collections of client computers running SMS agents.

Even though deploying Windows updates via traditional SMS 2.0 software distribution methods is possible, the process is time-consuming and error-prone. Microsoft decided to leverage existing functionality and create a group of add-ins to automate patch deployment. The software was released in November 2002 under the name "Software Update Services Feature Pack for SMS 2.0" (SUS Feature Pack). Despite the similar naming, the SUS Feature Pack is not based on the same technology as the Software Update Services described in the previous two articles. It also offers a number of significant advantages over the SUS solution. The successor to SUS, the forthcoming Windows Update Services, will aim to narrow this gap.

SUS Feature Pack includes the following improvements:

  • Deployment of software updates to all SMS 2.0-supported client operating systems (SUS 1.x covers only Windows 2000, 2003, and XP), including MS Office updates
  • Selective targeting of automatically populated collections of clients sharing common, arbitrarily selected criteria, such as type of system (server vs. workstation), location (based on IP subnet), operating system, and service pack level
  • Powerful centralized administration, with flexible scheduling capabilities
  • Detailed status reporting and inventory capabilities
  • The ability to perform testing and pilot multistaged rollouts and rollbacks

While SUS Feature Pack leverages the entire SMS infrastructure, its primary operations take place in three specific areas — SMS Site server (the first one installed in any SMS site and serving as a focal point for control and communication with other SMS servers in the same site), SMS clients, and a designated computer (or group of computers) with an Internet connection responsible for communicating with the Microsoft Windows Update Web site. SUS Feature Pack is available free of charge (beyond the cost of SMS 2.0) as a self-extracting executable SMSSUSFP_enu.exe from the SMS 2.0 portion of the Microsoft Web site.

>> Components

It contains the following components:

  • Security Update Inventory Installer (SecurityPatch_ENU.exe), which is responsible for determining the level of Windows security patches on SMS clients. It consists of the following subcomponents:

    1. Security Update Inventory Installer: Software invoked on the SMS site server one time, during the initial installation. It creates default packages, collections, and advertisements, which are then used to deploy the remaining subcomponents and security patches.

    2. Security Update Inventory Tool: SMS client software based on Microsoft Baseline Security Analyzer, which regularly scans SMS client computers to determine the number of installed updates. The results are converted to an appropriate format, included in the SMS hardware inventory, and uploaded to the SMS server inventory database using standard SMS client-server communication (along with other inventory data). Later, other components will use this information to determine the current patch level (for status reports) and updates applicable to specific clients (for patch deployment).

    3. Security Update Sync Tool: Software running periodically (weekly by default) on a designated computer with an Internet connection, downloading the latest security bulletins (in the form of the MSSecure.cab file) from the Microsoft Windows Update servers. Its purpose is to ensure that the scans conducted by the Security Update Inventory Tool are based on an up-to-date catalog. SMS clients are checked to ensure the most recent patches are present, and any missing patches are reported back to the SMS Site server. This triggers the inclusion of those patches in advertisements created by the Distribute Software Updates Wizard and their subsequent installation. The Sync Tool adds the most recent version of the MSSecure.cab file to the package containing the Security Update Inventory Tool and replicates it to the SMS distribution servers that serve as the source of downloads for SMS clients.

  • Office Update Inventory Tool (OfficePatch_ENU.exe), which is equivalent to the Security Update Inventory Installer but deals with patches specific to MS Office. It consists of three subcomponents equivalent to the Windows security counterparts described above.

    1. Office Update Inventory Installer: Software invoked on the SMS site server only during the initial installation. It creates default packages, collections, and advertisements, which are then used to deploy other subcomponents and MS Office patches.

    2. Office Update Inventory Tool: SMS client software based on the Network Office Update Tool (Invcm.exe) and Office Update Database (Invcif.exe), which regularly scans SMS client computers to determine the number of installed updates. As with the Software Update Inventory Tool, results are stored in the SMS hardware inventory and pushed to the server for reporting and deployment purposes.

    3. Office Update Sync Tool: Software running periodically (weekly by default) on a designated computer (typically the same one selected for Security Update Sync Tool), downloading the latest version of the Office Update Tool and Office Update Database from the Microsoft Windows Update Web servers. As with Security Update Sync Tool, updated tools are added to the package source, replicated to SMS distribution servers, and eventually pulled down by SMS clients agents.

  • Distribute Software Updates Wizard Installer (PatchWiz_ENU.exe) installs the Distribute Software Updates Wizard on the SMS Site server. The wizard compares the most recent list of patches from Microsoft (collected by a designated computer running Security Update Sync Tool and Office Update Sync Tool) against the inventory information collected from SMS clients (resulting from running Security Update Inventory Tool and Office Update Inventory Tool). It then downloads those that are applicable (based on this comparison) and SMS-administrator-approved, and automatically creates software packages and advertisements (an advertisement is the scheduled deployment of a package to a collection of client computers). It also distributes to SMS clients the Software Updates Installation Agent, which is responsible for enhancing package installation (e.g., ensuring unnecessary patches are not installed), and makes sure the agent is launched as part of each package.

  • Web Reporting Tool for Software Updates (SMSAddWebReports_ENU.exe) is installed on SMS site server. It incorporates software updates information into SMS Web Reporting Tool (part of the SMS 2.0 Administrative Pack downloadable from http://www.microsoft.com/smserver/downloads/20/featurepacks/adminpack/).

>> Managing Patch Deployment

To manage patch deployment with SUS Feature Pack, first install its four main components on the SMS Site server. This results in the automatic creation of collections, packages, and advertisements necessary to initiate deployment process.

  • Collections for pre-production, full deployment, and Sync host for Windows security and Office patches (a total of six collections), to which you can add SMS client computers intended to serve each of these roles.
  • Two packages (for the Security Update and Office Update Inventory Tools) with three programs each (a program is defined within a package by its installation characteristics, so every package can have multiple programs, depending, for example, on the command line options used). The first is the standard installation, the second is the expedited installation (intended for testing only, since it places additional load on the SMS client's processor), and the third is the Sync program, to be run periodically on the computer connected to the Internet that downloads patch information from the Microsoft Windows Update servers.
  • Three pairs of advertisements (an advertisement is a program targeted at a collection) for the Security Update and Office Update tool packages, respectively, for a total of six advertisements.

The installation will then prompt for the name of a computer to run Sync tools. This computer will be automatically added to both Sync host collections. You should also select a number of SMS client computers for testing, add them to pre-production collections, and add all remaining clients to the production collections (for both Security and Office updates).

Sync tools get installed as the result of advertisements targeting the Sync host collections. Once installed, both tools download the latest security and Office catalogs from the Microsoft Web site, include them in the packages for the Security and Office Update Inventory Tools, and replicate them to SMS distribution points. Both Update Inventory Tools are advertised to and installed on all SMS clients that belong to the Security and Office Update Tool collections. After the tools run on each client, scan results are recorded as SMS hardware inventory and reported to the SMS Site server. At that point, the SMS administrator can launch the Distribute Software Updates Wizard from the SMS Administrator console. The wizard evaluates which software updates are applicable to SMS clients (based on the most recent inventory results), prompts the administrator to approve the selected updates, downloads them from the Microsoft Windows Update Web site, and automatically creates all necessary packages and advertisements. Packages are then replicated to SMS servers functioning as distribution points using the standard SMS mechanism. SMS clients use another standard SMS mechanism to download packages from distribution servers and execute the programs associated with their advertisements.
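The comparison described above between the synchronized catalog and the client inventory, followed by grouping of approved updates per targeted collection, as an added Python model that is not part of the article or of the SMS product. The Bulletin and Client records, the sample bulletin ids, the service-pack applicability rule and the role/OS collection rule are constructed assumptions, not the real MSSecure.cab schema or SMS inventory classes.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bulletin:
    # One catalog entry (constructed stand-in for an MSSecure.cab record)
    id: str
    product: str   # e.g. "Windows 2000", "Windows XP", "Office XP"
    min_sp: int    # lowest service pack level the bulletin applies to
    max_sp: int    # highest service pack level the bulletin applies to

@dataclass(frozen=True)
class Client:
    # One SMS client as seen in hardware inventory (constructed)
    name: str
    role: str      # "server" or "workstation", used for collection targeting
    product: str
    sp: int
    installed: frozenset  # bulletin ids the inventory tool found installed

def applicable(b, c):
    """Catalog entry applies to this client's product and service pack level."""
    return b.product == c.product and b.min_sp <= c.sp <= b.max_sp

def missing_updates(catalog, client):
    """Applicable bulletins not present in the client's inventory."""
    return sorted(b.id for b in catalog
                  if applicable(b, client) and b.id not in client.installed)

def collection_of(client):
    """Assumed collection rule: clients grouped by role and operating system."""
    return f"{client.role}-{client.product}"

def plan_advertisements(catalog, clients, approved):
    """collection -> bulletin id -> client names; only administrator-approved ids."""
    plan = {}
    for c in clients:
        for bid in missing_updates(catalog, c):
            if bid in approved:
                plan.setdefault(collection_of(c), {}).setdefault(bid, []).append(c.name)
    return plan

# Constructed sample data: bulletin ids are placeholders, not real MS bulletins.
CATALOG = [Bulletin("B-001", "Windows 2000", 0, 4), Bulletin("B-002", "Windows 2000", 3, 4),
           Bulletin("B-003", "Windows XP", 0, 1), Bulletin("B-004", "Office XP", 0, 3)]
CLIENTS = [Client("srv01", "server", "Windows 2000", 4, frozenset({"B-001"})),
           Client("srv02", "server", "Windows 2000", 2, frozenset()),
           Client("wks01", "workstation", "Windows XP", 1, frozenset()),
           Client("wks02", "workstation", "Windows XP", 1, frozenset({"B-003"}))]
APPROVED = {"B-001", "B-002", "B-003"}  # B-004 deliberately left unapproved

if __name__ == "__main__":
    print(plan_advertisements(CATALOG, CLIENTS, APPROVED))
```

Note that srv02 at SP2 is not offered B-002, which the catalog marks as applying only from SP3 upward, and wks02 receives nothing because its inventory already reports B-003.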

This concludes our architectural review of the SMS 2.0 SUS Feature Pack. The next article will look into its implementation details.

This article was originally published on Friday May 7th 2004