SMS and Security Updates (Full Version)

All Forums >> [Management Products] >> Microsoft Systems Management Server >> SMS 2003



Message

kandyman -> SMS and Security Updates (5/10/2008 5:16:06 PM)

Hi there,

I'm am not an SMS person, so apologies if this is a stupid question.

We're currently running SMS 2003 SP3 in our environment, and looking
to deploy some security updates throughout our infrastructure which
includes x64 and x86.  I've created update packages contained all
hotfixes required and advertised them to out test containers.  The
package installed successfully.  However, after rebooting the target
servers, I ran MBSA and Windows Update against these newly patched
servers and they show around 15 missing updates.  I'll looked into the
package to see if the updates are included, and they are, but it does
not seem to be installing ?  Any ideas why this could be ?  
Many thanks,



kpark -> RE: SMS and Security Updates (5/10/2008 5:23:11 PM)

Hi i am quite advanced when it comes to Security patching but like every thing else it's best if your put on the right page a learn it yourself.

you want to look for Invertory Tool for Microsoft Updates (ITMU)
http://technet.microsoft.com/en-us/sms/bb676783.aspx

basically this is a tool that will prepare you sms console up so you can deploy and set up correctly your client report back their status of patch compliance

microsoft release a cab file every 2nd Tuesday of everymonth and your client will compare their compliance against the cab file

let me know how you get on, i can help you further with a documented procedure, but you need to setup your infrastructure first



kandyman -> RE: SMS and Security Updates (5/12/2008 8:54:41 AM)

Hi,

Thanks for the response, the SMS infrastructure has already been setup, ITMU is installed and the current version is 2.5

I believe this is working, as when i go to create a new Software Update Distribution package, the wizard lists all the hotfixes/SP that have been requested by clients.

I've included the hotfixes requested at least once when create my new package, so they should be in the package.

I then created an advertisment for deploying this package, and it deployed to my test machinese successfully. However, when I run an MBSA 2.1 scan or Windows Update scan manually via web, it show approx 15 hotfixes missing, which are included in the package.  Any ideas why ?



phaustein -> RE: SMS and Security Updates (5/12/2008 9:24:41 AM)

What does the scanwrapper.log and patchinstall.log say? If the patches are applicable they should show in the logs with their status. Without knowing what is in the logs, I would lean toward the fact that the wsusscn2.cab hasn't been updated.  Do you and how often does the scan tool run on the clients?



kandyman -> RE: SMS and Security Updates (5/12/2008 4:17:22 PM)

phaustein,

I think you could be right in that the wssusscn2.cab is out of date. I've done an search on out SMS server and the file shows a modify date of 12/12/07.  Can you tell me how I can update these file properly ?  I have update this file for MBSA, but I've not used SMS before so any guidence would be much appreciated.



phaustein -> RE: SMS and Security Updates (5/12/2008 4:49:07 PM)

You should have a package called "Microsoft Updates Tool" and it should have a program called "Microsoft Updates Tool (expedited)"  You would want to advertise this to your systems.  This will update the wsusscn2.cab on each system, plus it will scan and report compliance of the system.

Here is some articles and a video that you can review that may help you along.
http://technet.microsoft.com/en-us/sms/bb676783.aspx
http://www.microsoft.com/technet/sms/2003/downloads/tools/ITMUvideo.mspx



kandyman -> RE: SMS and Security Updates (5/12/2008 8:04:57 PM)

I think i'm making progress...our environment was setup by a contractor who has left with little hand over. :(  I've looked into our configuration further, and it seem like the contractor had configured ITMU to download the cab file from D:\IMTU.  I guess this explains why some hotfixes we missing since, we kept downloading the same cab file from D:. Doh!.   Thanks for the help, and i;ll keep you posted on our progress...i need to let the agents run a few night so i get a decent capture of requested hotfix. 



mserafine -> RE: SMS and Security Updates (5/12/2008 8:12:57 PM)

Before the clients can receive the latest CAB file, it must be updated on the site server first. This can be automatically done by advertising the "Sync" program to the site server. Otherwise, you can manually download the latest CAB and copy it to the scan package yourself.

Then just update your distribution points with the updated scan tool package, and advertise the "expedited" program to your clients.

The clients' software update status is submitted to the site with hardware inventory, so if you don't advertise the "expedited" program (which forces a HINV cycle after the client is scanned), then you won't receive the updated patch status data until the client's next scheduled HINV cycle.



Page: [1]

Valid CSS!




Forum Software © ASPPlayground.NET Advanced Edition 2.4.5 ANSI
0.3125