Windows Patch Management, SMS 2003 Overview

by Marcin Policht

For our final look at Microsoft's patch management solutions, we overview the latest iteration of SMS 2.0 SUS Feature Pack, as implemented in the recently released SMS 2003, and discuss what's next on the vendor's patch management road map.

In the previous article, we described the SMS 2.0 Software Update Services Feature Pack. Here, we review its latest incarnation, as implemented in the recently released SMS 2003. We will conclude this overview of Microsoft's solutions in this area with a discussion of its recent trends in patch management strategy.

SMS 2003 contains a number of improvements over SMS 2.0. The enhancements are geared primarily toward increasing performance, scalability, manageability, security, integration with Active Directory, and support for mobile clients. The most notable ones, which affect patch deployment functionality, are the following:

  • SMS 2003 Advanced Client was made available for Windows 2000, Windows XP, and Windows 2003 platforms. The new client leverages the latest technologies to be more robust and efficient. The installation software is packaged in the Windows Installer (MSI) format, which offers self-repairing capabilities. Communication with SMS infrastructure is handled via HTTP with XML-based policy files, and distributed software can be cached locally, allowing for downloads over slow and unreliable network links. Downloads are further improved by implementing Background Intelligent Transfer Service (BITS), which communicates with Management and Distribution Points hosting IIS 6.0 components (requires Windows 2003 server).

  • New types of server roles operate better in the distributed environment for which SMS is intended. Roles include Server Locator Points (providing information about site structure to newly installed SMS clients), Management Points (serving as communication channels between Advanced Clients and Site Server, relaying status and inventory information in one direction and software installation instructions and agent configuration settings in the other — like Client Access Point servers for standard clients), and Reporting Points (IIS-based Web sites generating reports based on SMS resident inventory information). Like its predecessor, SMS 2003 includes Client Access Points and Distribution Points.

  • Local and Remote Roaming Site Boundaries (available for Advanced Clients only) designate locations (in terms of IP subnets) outside of the SMS infrastructure and primary network locations. Such locations should therefore be treated differently when performing operations requiring good connectivity, such as software distribution. Local Roaming Site Boundaries contain IP subnets connected via high-speed links. This not only allows for better handling of software distribution but also prevents the SMS Client from inadvertently changing its site membership. Note that full roaming capabilities require Active Directory schema extensions, which should be carefully considered and planned for, especially in a Windows 2000 environment (where they trigger a full Global Catalog refresh).

  • A single SMS primary site can contain up to 100,000 Advanced Clients. The recommended maximum number of Advanced Clients for a single SMS secondary site is 1,000 — assuming proper design and the inclusion of such components as Network Load Balancing and replicas of the SQL Server SMS database.

>> Feature Changes

Besides the changes outlined above, which impact software distribution (including software updates), several patch management-specific features differ from the original release of the SMS 2.0 SUS Feature Pack, such as:

  • The Distribute Software Updates Wizard (which can be launched from the Software Updates node in the SMS Administrator Console) became an integral part of SMS 2003. In SMS 2.0, using the wizard required running a separate installer program (PatchWiz_ENU.exe) downloadable from the Microsoft Web site. In addition, since the underlying engine for Security Scan is based on Microsoft Baseline Security Analyzer, in fresh installations of SMS 2003 the security scan tool displayed in the wizard is referred to as MBSA (for upgrades from SMS 2.0, an MBSA entry is created alongside the Security Tool scanning program entry). The SMS 2003 Administrator Console also contains, by default, the Software Updates Installation Agent entry.

  • It is possible to specify an arbitrarily selected reference computer when running the Distribute Software Updates Wizard. This allows you to approve a patch update (and create a relevant package) even if the SMS client inventory does not show that any client needs it. Within the wizard, you can specify the time periods during which installations may be performed. This helps prevent reboots of workstations or servers outside of a scheduled maintenance window. With another feature, called dynamic package configuration, it is possible to create multiple programs for a single package and set criteria based on which each program will be applied to a different collection (with different settings).

  • Web Reports for patch management have been integrated into the SMS Management Console under the Reports node. Note that if you are upgrading from SMS 2.0 to SMS 2003, you should uninstall the Web Reporting tool and Add-in Reports for Software Upgrades (the upgrade will not, however, affect existing patch packages and patch settings).

  • The method of reporting patch installation status has been modified to reflect the state of SMS clients more accurately. This applies, for example, to computers where a patch has been installed but a required reboot has not yet taken place. In SMS 2.0, this was reported as installed; in SMS 2003, the range of states of patch installation has been considerably extended to include success, restart pending, retrying, postponed, failed, and uninstalled.

  • While scan tools are still provided as separate downloads that must be installed on the Site Server, their location is different from their SMS 2.0 SUS Feature Pack equivalents. The Security Update Scan Tool and the Microsoft Office Inventory Tool for Updates are available from http://www.microsoft.com/smserver/downloads/2003/featurepacks/suspack/default.asp.

  • Proxy authentication for unattended Sync host operations can be configured with the PatchDownloader.exe tool (located in the SMS\bin\i386\00000409 folder on the SMS server), using the following syntax:

    PatchDownloader.exe /s:ProxyServer:Port /u:UserName

    You will then be prompted for the password, which will be stored, along with the UserName, in encrypted format in a registry key on the Sync host computer. This step must be taken in addition to the configuration options described in the previous article of our series: modifying the command line of the program for the Sync tool package so that it runs in unattended mode, configuring the update of distribution points on a schedule, setting the proxy configuration on a per-machine basis (rather than the per-user basis used by group policy), and creating a Scan tool package source folder locally on the Sync host computer. Note that in unattended mode (i.e., with no user logged on), the Sync tool executes in the security context of the Local System account if the Sync host is installed on an SMS 2003 Advanced Client (standard clients use the SMSCliToknAcct& account for this purpose).

  • The SMS Advanced Client includes a persistent notification feature, which provides a visual indication of the patch update status of the local computer in the form of a system tray icon (this is independent of the software update advertisement present on standard and Advanced SMS clients).

For more information on SMS 2003 Patch Management functionality (or any other related topic) refer to the SMS 2003 Concept, Planning, and Deployment Guide and the SMS 2003 Operations Guide.

Thus far, all of the information presented in this series has been intended to provide a good understanding of the three main patch management solutions offered by Microsoft: Windows Update, Software Update Services (soon to be replaced by Windows Update Services), and Systems Management Server Software Updates.

In addition to understanding these patch management options, organizations should also be aware of the recent announcements from Microsoft concerning its near-future plans. While Microsoft remains committed to its three main offerings, additional improvements are expected in consistency (same behavior for installation and rollback, common switches and registry tags, use of MSI 3.0), efficiency (reduced patch size with binary delta compression), and manageability (in the form of fewer required reboots). There is also a tendency (visible, for example, in SQL 2005) to offer users the ability to patch installation programs (integrate patches directly into product binaries, so installation and patching take place in a single step).

This article was originally published on Wednesday Jun 16th 2004