Enterprise Software Update Management using Systems Management Server 2.0 Software Update Services Feature Pack

For more information about MSSecure.XML, go to http://www.microsoft.com.

If you do not have a computer with internet access that you can use to automatically download MSSecure.XML by using the Security Updates Sync tool, you can manually download the catalog from Microsoft Download Center.

For more information about the Microsoft Office Update Tool, see http://support.microsoft.com/default.aspx?scid=kb;en-us;312982&sd=tech.

If you do not have a computer with internet access that you can use to automatically download Invcm.exe by using the Office Updates Sync tool, you can manually download the tool from Microsoft Download Center.

For more information about the Microsoft Office Update Database, see http://support.microsoft.com/default.aspx?scid=kb;en-us;312982&sd=tech.

If you do not have a computer with internet access that you can use to automatically download Invcif.exe by using the Office Updates Sync tool, you can manually download the database from the Microsoft Download Center.

Turn off the site-wide countdown for assigned programs.

Turn off the notification for software distribution activity.

After you complete the setup process for the software update inventory tools, perform the following tasks:

Verify that the package and programs needed to deploy the tools are created. To do this, view the packages and programs in the SMS Administrator console.

Verify that the collections and advertisements necessary for the distribution of the tools are created. To do this, view the collections and advertisements in the SMS Administrator console.

Ensure the testing collection membership is adequate, and verify stable behavior. Test collection computers should be representative of all approved configurations for enterprise computers.

For example, if your enterprise uses Windows 2000, Windows XP, and Windows NT 4.0, you will need a minimum of one computer for each configuration.

In addition, you need computers that have other crucial line of business applications running on them (for example, accounting or sales tracking software).

When configuring a test collection, you should also account for variation in hardware within your enterprise (desktop vs. laptop computers) and hardware configurations (low memory vs. multi-processor servers).

To do this, add additional test computers to the collection rules by using the SMS Administrator console, and then run the software update inventory tools on each computer by using the software update advertisement.

After you are finished testing the tools, deploy them more broadly by removing the test-limited query from the main collection.

To do this, modify the Collection Properties dialog box for the main targeting collection membership rule as follows:

Expand the Collections node in the SMS Administrator console, right-click the collection you want to modify, and then click Properties. In the Collection Properties dialog box, click the Membership Rule tab. In the Query Rule Properties dialog box, change the selection from Limit to collection to Not collection limited. Save this setting by clicking OK. Before closing the Collection Properties dialog box, ensure that the collection is updated on an appropriate schedule.

Verify that client computers send results.

To do this, in the SMS Administrator console, go to the appropriate collection containing the test client computer, right-click the collection, select All Tasks, and then select Start Resource Explorer. In the Resource Explorer, expand the Hardware node, and then click the software updates item. View the list of all the inventoried software updates for that client computer.

Review the log file results to view any errors encountered during installation. The Installation Wizard automatically displays this log.

Ensure that the Software Update Sync tool tasks are properly configured on the server. These are the tasks that download the software update database or catalog from the Internet and make it available to the clients through SMS distribution points.

Verify that the SMSCliTokn& account on the site server computer has firewall authentication access and can download updated catalogs. To do this, grant the SMSCliTokn& account access to the package source directory.

Verify that the advertisement runs correctly to distribute the updated catalogs to the client computers. To do this, view the status messages for the advertisement and check the file dates on the package source folder files and distribution point folders.

Verify that the correct SMS distribution points are automatically updated to include the latest catalogs. To do this, view the status messages for the advertisement and check the file dates on the package source folder files and distribution point folders.

If the SMSCliTokn& account does not have WMI permissions to the package object, the distribution points require a separate, recurring, scheduled update for the latest catalogs, which you configure and add manually. If this is the case, use the /unattend option in the command-line interface for the Sync tool to verify the distribution points are not updated by the Sync tool since the scheduled update would be in effect.

After you complete the setup process for the Distribute Software Updates Wizard on a computer running the SMS Administrator console, run the wizard from the new Distribute Software Updates menu item in the console.

Use the Browse, Syntax, and Download buttons on the Software Update Properties page in the wizard to obtain software updates from the Web.

Ensure that silent, non-restart behavior is configured for software update installation. Configure this behavior on the Software Update Details page of the Distribute Software Updates Wizard by using the Parameters field and the Syntax button.

Ensure that the proper permissions are enforced. For example, SMS administrators who have no access to SMS or advertisements should not be able to create or modify packages or advertisements associated with software updates or the Feature Pack tools. For more information about the SMS object security model and delegation, see the SMS product documentation.

Ensure that the necessary objects or settings are created or updated as needed for the SMS packages, programs, and advertisements used to distribute the software updates. To do this, view the packages, programs, collections, and advertisements in the S MS Administrator console.

Verify that compartmentalization of package and advertisement tasks works. That is, verify that one person, with the proper permissions, can build the packages containing the updates and that another person, with the proper permissions, can advertise those packages without problems.

Observe that the package builder role should be separate from the advertisement builder role, with separate permissions to preserve a system of checks and balances for security purposes.

Firewall authentication can create problems for software update downloads. When firewall authentication is in use, verify that logged-on users are prompted as needed when they are downloading software updates into the package source folder.

Ensure that the client locale and the client language is reported for clients requesting updates.

Certain updates can be distributed and installed on clients regardless of language or locale. Verify which requested updates must be distributed as locale-specific and which updates are language-neutral, as appropriate by using the Microsoft Knowledge Base articles associated with the update.

To do this, use the Information button, available on the Software Updates Status Page in the Distribute Software Updates Wizard to access the Microsoft Knowledge Base articles that provide specifics about any international update variations that are available.

Become familiar with the command-line options that are supported by the Software Update Installation Agent. These options control how the updates install, and each option has an equivalent setting that you can use in the Distribute Software Updates Wizard, on the Software Update Details page by using the Parameters field and the Syntax button.

If your client computers are running Windows 2000 or later, verify that the notifications (balloons) that indicate software update installation processes, function as expected. Note that computers running Windows NT 4.0 operating systems do not display notification balloons, but rather, display a notification icon in the system tray and display dialog boxes.

Verify that the grace period for software update installation is enforced.

To do this, set a grace period for update installation by using the Installation Agent Enforcement Settings page in the Distribute Software Updates Wizard or the command-line interface for the Agent. Allow the grace period to expire, and then verify that the update installs automatically.

For packages with multiple updates, verify that grace period enforcement is based on the time the oldest applicable update in the package was authorized.

To do this, create a package containing multiple updates with different authorization dates (you can configure the authorization date for an update using the Software Update Properties page in the Distribute Software Updates Wizard). Set the grace period for the entire package. Verify that the grace-period expiration time is correct, based upon the oldest authorization date.

Verify that the per-update grace period enforcement leaves unexpired patches in an optional state.

To do this, create a package containing multiple updates, and configure per-update grace period enforcement by using the Installation Agent Enforcement Settings page in the Distribute Software Updates Wizard. Allow the grace period to expire, and then verify that the only updates that have mandatory installation status are those whose grace period has expired.

The non-expired updates should be available for installation, but not mandatory; they are installed only if the user clicks Install Now. If the countdown timer reaches zero and the Agent initiates the installation process, the updates for which the installation grace period has not expired are not be installed automatically.

Ensure the specified failsafe timeout, installation countdown, postponement and default installation actions occur properly if no user interaction is provided.

To configure these settings, use the Distribute Software Updates Wizard or the Installation Agent command-line syntax.

Both SMS and the Feature Pack tools support notification and countdown features for assigned programs. When using the Feature Pack tools to deploy software updates, it is recommended that you disable the SMS versions of the countdown and notification features to prevent confusion. If the SMS versions of these features remain active, end-users see two sets of countdowns and two sets of notifications for each assigned program.

To test whether your branding is appearing properly, create a file, named summary.htm, in the package source folder, and place some branded content in it. Then, verify that your client computer properly displays the branding. Note that embedded objects such as graphics do not appear on computers running Windows NT 4.0.

Branding is specific to each package, so when you configure branding for a package all updates in the package share the branding. Different packages can have different branding, for example, Critical Updates in one package, and Office Updates in another package, each with different branding.

Test the failsafe timeout behavior by using the Parameters field and the Syntax button on the Software Update Properties page in the Distribute Software Updates Wizard to configure an update that does not suppress user input (that is, it requires user input to install) and then verify that the update is terminated after the timeout has been reached.

Also, after that update terminates, verify that the Installation Agent attempts to install the remaining updates in the package.

Verify whether the status data for updates is accurate by checking to see if the TimeApplied value is correct for all installed updates processed by the Installation Agent. This information can be viewed in the inventory schema found within the SQL View: v_GS_PATCHSTATE, from the SMS Resource Explorer, or from the sample reports included with the Reporting add-in.

You can configure system restart behavior using the Installation Agent Status Settings page in the Distribute Software Updates Wizard, or the Installation Agent command-line interface.

You can configure different post-installation system restart behavior for workstations and servers in your enterprise. Based on the settings you configured, ensure that restart detection will function as you expect for each computer role. To do this, configure different system restart settings for different updates, and then monitor the behavior of the system installing the update.

When a system restart is required, the closure of active applications can be configured with a countdown to restart. This provides users with the opportunity to save their work. Alternatively, applications can be closed and the system can be restarted without a grace period. Verify that application closure during post-installation system restart will function as you expect.

Install the SMS Web Reporting tool (SMSWebReporting_i386.exe) and then install the Web Reports Add-In for Software Updates (SMSAddReports_i386.exe).

Ensure that the software update reports function properly by viewing the reports and ensuring that useful data, with no errors, appears.

Ensure that the software update reports contain accurate information. To do this, compare the reported information about installed updates to the information about installed updates provided in Add or Remove Programs for a test client computer.

Verify that the Feature Pack tools are providing accurate inventory results and are in agreement with the underlying technology.

Do this by comparing the inventory results with the local client log files or by comparing directly with Microsoft Network Security Hotfix Checker or Microsoft Office Update Tool results.

Become familiar with sample reports included with the Web Reports Add-In for Software Updates.

Ensure that an adequate number of the correct types of reports are being created. Send feedback about reports that should be automatically included to: mswish@microsoft.com and smsvpfd@microsoft.

You can view the software update reports provided by the Web Reports Add-In for Software Updates in the list under the Software Updates node in the Web Reports tool.

Verify that the inventory accurately indicates when each instance of an update was present or applicable on the client computer.

To do this, verify that each instance of an update in Win32_PatchState and in v_gs_patchstate reflects an appropriate TimeDetected value and TimeApplied value. You can find this information in the log file generated for the update, or by running a query of the WMI class for the update.

You can create custom software update inventory reports using SQL Server views and the inventory schema.