Re: SUM Question
From: Jack Wang [MSFT] (jackwa_at_online.microsoft.com)
Date: 04/30/04
Date: Fri, 30 Apr 2004 14:43:54 GMT
Hi Terry,
I am not sure if you are using the SUS Feature Pack.
The Security Update tool must have successfully run once on the target
machines for the DSUW to install patches successfully.
1. In the SMS Administrator console create a collection called Systems
Capable of Scan and Installation.
The syntax for this collection is as follows and can be copied and pasted
into the Query Syntax Window.
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,
SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,
SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from
SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on
SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId inner
join SMS_G_System_SoftwareFile on
SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where
(SMS_R_System.Client = 1 and SMS_R_System.SMSAssignedSites = "LAK")
and ((SMS_R_System.OperatingSystemNameandVersion like
"Microsoft Windows NT %4.0%" and
SMS_G_System_OPERATING_SYSTEM.CSDVersion >= "%6a%") or
SMS_R_System.OperatingSystemNameandVersion >= "%5%") and
(SMS_G_System_SoftwareFile.FileDescription = "Internet Explorer" and
SMS_G_System_SoftwareFile.FileVersion >= "5%")
2. Right-click the collection and select All Tasks and then Distribute
Software Updates. This will begin the wizard.
3. Click Next on the first wizard page.
4. On the Specify a Software Update Type page, click Select an update type,
select Security, and then click Next.
5. On the Create an SMS Package, or Modify Packages and Updates page, select
New and then click Next.
Note: If this is an update, then select the Security Patches and then click
Next.
6. In the Name box, type Name of your choosing and then click Next.
Apply corporate branding to the end-user experience. You may customize the
IT organization name that will appear in the notification area windows and
the dialog box of the client agent. Create a Rich Text Formatted (RTF)
document using Microsoft WordPad or any other RTF-enabled application.
Documents may include graphics, icons, logos and text content. The Import
and Preview buttons will allow you to verify the content appears as desired,
and make it available in the package folder.
7. Custom Branding - Enhancing the End User Experience
The DSUW (Distribute Software Updates Wizard) allows for custom branding for
the following:
Organization Name (Displayed in the window that appears that states "The
Organization has Security Updates that require your attention, please click
here to continue.")
Custom .RTF can be added through the wizard allowing users to view a custom
message or information by clicking More Info.
8. The Select an Inventory Scanning Program window appears and asks you to
specify the Inventory Scan Tool package, and the program name. You should
select the Security Scan Update Tool, and the program should be either the
Normal Scan or the Expedited scan. Note that the Expedited scan initiates
the hardware inventory process on a client and generates a MIF, so this can
cause flooding issues if Expedited is chosen in a large SMS hierarchy. The
reason this is here is to make sure that when the program runs on a system,
it makes a last minute check to verify that the security patch has not been
installed previously via the Windows Update Web site or been manually
installed since the last security scan. This prevents reinstalling the
patch. Click Next to continue.
9. Select an update from the list of updates using the check box provided.
Click Information to open the appropriate article describing the update or
the issue the update addresses.
Multiple items may be selected using either the check box or a combination
of the multiselect cursor and check box features.
10. Configure Updates
Compare and research the patch number to the actual Microsoft TechNet
Article in an Excel Spreadsheet and update it as new patches are released.
Use these to select the Appropriate Security Patches listed in the Add
Remove Updates page. If you do not see a patch-referenced TechNet article,
it means that it has not been detected that it is needed in your
environment yet, or is at 100 percent compliance.
The authorizing of patches allows the IT department to select which patches
are needed in their environment based on security scan information that
notifies you of applicable and installed security patches. The SMS
Distribute Software Updates Wizard (DSUW) allows you to customize the
authorization date for each patch individually, thereby allowing you to add
more security patches at a later date and just add a new authorization date.
The Authorized on box above allows you to select each security patch and
set when the security patch was authorized, allowing you to enforce
security patch installation by authorization date when sending multiple
patches.
11. Click Next on the Add and Remove Updates page. Click Properties for the
Software Updates Details page, obtain the update by clicking Download, if
needed, and specify the appropriate command-line parameters. Indicate the
date authorized.
12. Ensure that silent, non-restart behavior is configured for software update
installation. Configure this behavior on the Software Update Details page
of the Distribute Software Updates Wizard by using the Parameters box and
clicking Syntax. Typical updates for Windows and Windows components should
use the /z /q /m parameters. Internet Explorer updates should typically use
the /q:a /r:n parameters. Clicking Syntax will take you to the most
appropriate Microsoft Knowledgebase Article. A Warning message will appear
if not entered, and if the switch is wrong, then reboot and patch rollup
ability fails.
13. After it is complete, the Software Updates Status page should state Yes in
the Ready column for all security patches selected.
14. Configure Enforcement
Specify a five-minute countdown, and Install updates as the default action.
This will allow five minutes for the user to participate in the process,
but even if they do not, updates will be installed automatically. Be aware
that users should save their work during this process, and the need for
this to happen is encouraged by the client agent user interface.
Specify that only required updates will be automatically installed using
the Force installation of required updates only (not updates that can still
be postponed) option. This will cause installation of updates only for those
updates that have exceeded their enforcement period.
Specify that the enforcement period will be based on the time the update
was detected by selecting Time Detected in the From box. This will allow a
reasonable enforcement period to be available to new clients, or users
returning from time away. Otherwise users may encounter forced updates and
system restarts within minutes of powering up and logging in after an
extended vacation.
To speed the process of gathering the inventory-based results of the
updates that were installed, clear the Report inventory changes only when
inventory is scheduled check box. This will start the inventory cycle
running immediately after the update(s) are applied.
To aid in detailed and timely reporting, individual status messages for
each update can be generated, or just for error conditions. Select Include
status messages for all updates being installed if you would like to view
the success status for each update to confirm its state in relation to the
inventory data.
15. Configure Status Reporting
To speed the process of gathering the inventory-based results of the
updates that were installed, clear the Report inventory changes only when
inventory is scheduled check box. This will start the inventory cycle
running immediately after the update(s) are applied.
To aid in detailed and timely reporting, individual status messages for
each update can be generated, or just for error conditions. Under Status
Reports, select Include status messages for all updates being installed if
you would like to view the success status for each update to confirm its
state in relation to the inventory data.
In the Detect and postpone system restarts for box, select Servers to
ensure that any servers do not restart automatically. Typically, servers
are scheduled to restart independently.
16. Configure Installation Agent Settings
When you select the Report inventory changes only when inventory is
scheduled check box, the Installation status is sent only when hardware
inventory is run. Leaving this check box cleared causes a hardware
inventory to be sent immediately after success of installing patches.
Status Reports can include status messages for all updates, or just for
updates not successfully installed.
The Detect and Postpone system restarts for box allows you to install
patches without rebooting for different Operating systems. It is best to
not reboot servers and run another advertisement that corresponds to
prescheduled outage periods for servers.
17. Advertisement Settings
Advertise first to a test collection of systems in your controlled lab
environment. When each system has been verified, you may proceed to a
broader target group, such as a production pilot group.
Set the recurrence feature to a value that will allow end-users to have
several opportunities to become involved in the process, but not so often
as to be annoying to them or cause undue disruption.
Consider the enforcement period when setting this recurrence value. For the
example of a seven-day enforcement period, and six-hour recurrence, end
users will have 24 hours per day/6 hours = 4 recurrences per day. With a
seven-day enforcement period, users will have 24 opportunities to postpone
the installation of updates (typically only 12 during the hours they are
using their computer during the business day). For better scheduling clear
the advertisement and schedule it manually to fit your needs.
18. Click Finish to complete the DSUW process for security patches.
For more information, please refer to the following resource:
SUS Feature Pack Deployment Guide:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sms/sms2/deploy/confeat/smsfpdep.asp
SUS Feature Pack FAQ:
http://www.microsoft.com/smserver/support/susfaq.asp
SUS Feature Pack WebCasts:
http://support.microsoft.com/default.aspx?kbid=326697
http://www.microsoft.com/usa/webcasts/ondemand/1600.asp
Hope this helps!
Sincerely,
Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
Microsoft Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "TerryM" <nospam@hotmail.com>
| Subject: Re: SUM Question
| Date: Thu, 29 Apr 2004 20:52:28 -0400
|
| Actually we've tried that.
|
| Here's the problems.
|
| First we don't want the system rebooting multiple times. It freaks the
| users out. If you do not put the /norestart for the cmdlines then each of
| the patches reboots the system each time instead of just once after both
| are installed.
|
| Also even when we are having problems getting the postpone button to be
| active for the users. I want the users to be able to postpone the
| restarts if they want.
|
| So I've tried all sorts of combinations of the various areas I outlined
| and am having issues finding the right combo. So if someone has a package
| with a couple patches in it that force reboots, if they could post that for
| me it would be great.
|
| The areas I was inquiring about again are:
| a.) in the command line (I'm assuming /quiet /norestart) in the wizard in
| the postpone reboots,
| b.) Postpone Restarts for drop down (None)
| c.) Perform Unattended install settings (uncheck unattended, choose
| install patches after countdown??)
| d.) Notify users about activity section (Check the box to notify, select
| 12 hours they can postpone for)
| e.) In the program for after running (No action taken)
| f.) Any place else.
|
| And the desired outcome again is:
| Multiple patches installed with no restarts
| After all are installed the postpone button is active for the users to
| choose
|
| Thanks
| Terry
|
| <Karl> wrote in message news:%23I2%23TRjLEHA.1144@TK2MSFTNGP12.phx.gbl...
| > It's not so bad.
| >
| > yes, SMS and the patches both have ways to suppress the reboot and you
| > can have issues with the settings overriding each other. (For example, a
| > patch that reboots but SMS suppresses it)
| >
| > If you want to be sure that you are going to properly allow the user to
| > reboot, have the patch NOT reboot the system but have SMS reboot it with
| > a 5 minute or however long you need timer to allow the user(s) to save
| > their work. Just make sure you choose the correct option to have 'SMS
| > restarts the computer', else you may not have the PC get rebooted
| >
| > Once the patches are installed, SMS will then finish the advertisement
| > and then start the reboot sequence. I generally prefer to allow SMS to
| > control the reboot since you have more control on the clients not losing
| > any work. Also, if the clients are not there and have unsaved work, be
| > careful! Forcing the system to restart w/o an user input is a BAD thing as
| > they can lose their work and get quite mad at YOU! :)
| >
| > Once done, check that there were no issues with the advertisement
| > failing. Next, verify that the systems have been indeed rebooted. Make a
| > query to look at the last restart times of the systems and verify they
| > indeed restarted. Then check to make sure the patches have been installed
| > properly.
| >
| > There is a lot of micro-managing software deployment and many issues can
| > arise as a result. Check thru all the SMS Console status reports for any
| > issues as well :)
| >
| >
|
|
|