Re: SUM Question
From: TerryM (nospam_at_hotmail.com)
Date: 04/30/04
- Next message: LMoore: "SMS Client Install"
- Previous message: Evan [MSFT]: "Re: Need help with Site Boundaries"
- In reply to: Jack Wang [MSFT]: "Re: SUM Question"
- Next in thread: Seeker: "Re: SUM Question"
- Reply: Seeker: "Re: SUM Question"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 30 Apr 2004 11:58:44 -0400
SUM - Software Update Management is the SMS 2003 Patch management.
I really appreciate you taking the time to answer this question, however the
following will probably not sound like it, from frustration setting in.
It doesn't seem like people are really understanding what I am asking. Or
the situation.
I have read all books, help guides, white papers, etc... I don't need a
novice overview of how to send out patches or how the wizard works...
What I want is someone out there who has:
a.) sent out multiple patches that require reboots in one package
To tell me how to:
a.) Install all updates without reboots between them (/norestart switch on
each patch probably)
b.) At the end of installing all hotfixes give the user the choice to
postpone the reboots!! This is the biggest part. I have tried multiple
combinations of settings I just want at this point someone to tell me what
combination will pop up and the postpone button won't be grayed out and the
users will have the option of postponing reboots.
I don't need to know the steps to do a deployment besides those steps I need
to do to specifically get the postpone button not to be grayed out for
restarts.
Thanks,
Terry
"Jack Wang [MSFT]" <jackwa@online.microsoft.com> wrote in message
news:MaIvfGsLEHA.304@cpmsftngxa10.phx.gbl...
> Hi Terry,
>
> I am not sure if you are using the SUS Feature Pack.
>
> The Security Update tool must have successfully run once on the target
> machines for the DSUW to install patches successfully.
>
> 1.
> In the SMS Administrator console create a collection called Systems
> Capable of Scan and Installation.
> The syntax for this collection is as follows and can be copied and pasted
> into the Query Syntax Window.
>
> select SMS_R_System.ResourceID,SMS_R_System.ResourceType,
> SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,
> SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from
> SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on
> SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId inner
> join SMS_G_System_SoftwareFile on
> SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where
> (SMS_R_System.Client = 1 and SMS_R_System.SMSAssignedSites = "LAK")
> and ((SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT %4.0%" and
> SMS_G_System_OPERATING_SYSTEM.CSDVersion >= "%6a%") or
> SMS_R_System.OperatingSystemNameandVersion >= "%5%") and
> (SMS_G_System_SoftwareFile.FileDescription = "Internet Explorer" and
> SMS_G_System_SoftwareFile.FileVersion >= "5%")
>
> 2.
> Right-click the collection and select All Tasks and then Distribute
> Software Updates. This will begin the wizard.
>
> 3.
> Click Next on the first wizard page.
>
> 4.
> On the Specify a Software Update Type page, click Select an update type,
> select Security, and then click Next.
>
> 5.
> On the Create an SMS Package, or Modify Packages and Updates page, select
> New and then click Next.
>
> Note: If this is an update, then select the Security Patches and then click
> Next.
> 6.
> In the Name box, type Name of your choosing and then click Next.
>
> Apply corporate branding to the end-user experience. You may customize the
> IT organization name that will appear in the notification area windows and
> the dialog box of the client agent. Create a Rich Text Formatted (RTF)
> document using Microsoft WordPad or any other RTF-enabled application.
> Documents may include graphics, icons, logos and text content. The Import
> and Preview buttons will allow you to verify the content appears as desired,
> and make it available in the package folder.
> 7.
> Custom Branding - Enhancing the End User Experience The DSUW (Distribute
> Software Updates Wizard) allows for custom branding for the following:
>
> Organization Name (Displayed in the window that appears that states "The
> Organization has Security Updates that require your attention, please click
> here to continue.")
>
> Custom .RTF can be added through the wizard allowing users to view a custom
> message or information by clicking More Info.
>
> 8.
> The Select an Inventory Scanning Program window appears and asks you to
> specify the Inventory Scan Tool package, and the program name. You should
> select the Security Scan Update Tool, and the program should be either the
> Normal Scan or the Expedited scan. Note that the Expedited scan initiates
> the hardware inventory process on a client and generates a MIF, so this can
> cause flooding issues if Expedited is chosen in a large SMS hierarchy. The
> reason this is here is to make sure that when the program runs on a system,
> it makes a last minute check to verify that the security patch has not been
> installed previously via the Windows Update Web site or been manually
> installed since the last security scan. This prevents reinstalling the
> patch. Click Next to continue.
>
> 9.
> Select an update from the list of updates using the check box provided.
> Click Information to open the appropriate article describing the update or
> the issue the update addresses.
>
>
> Multiple items may be selected using either the check box or a combination
> of the multiselect cursor and check box features.
> 10.
> Configure Updates
>
> Compare and research the patch number to the actual Microsoft TechNet
> Article in an Excel Spreadsheet and update it as new patches are released.
> Use these to select the Appropriate Security Patches listed in the Add
> Remove Updates page. If you do not see a patch-referenced TechNet article,
> it means that it has not been detected that it is needed in your
> environment yet, or is at 100 percent compliance.
>
> The authorizing of patches allows the IT department to select which patches
> are needed in their environment based on security scan information that
> notifies you of applicable and installed security patches. The SMS
> Distribute Software Updates Wizard (DSUW) allows you to customize the
> authorization date for each patch individually, thereby allowing you to add
> more security patches at a later date and just add a new authorization date.
>
>
> The Authorized on box above allows you to select each security patch and
> set when the security patch was authorized, allowing you to enforce
> security patch installation by authorization date when sending multiple
> patches.
>
> 11.
> Click Next on the Add and Remove Updates page. Click Properties for the
> Software Updates Details page, obtain the update by clicking Download, if
> needed, and specify the appropriate command-line parameters. Indicate the
> date authorized.
>
> 12.
> Ensure that silent, non-restart behavior is configured for software update
> installation. Configure this behavior on the Software Update Details page
> of the Distribute Software Updates Wizard by using the Parameters box and
> clicking Syntax. Typical updates for Windows and Windows components should
> use the /z /q /m parameters. Internet Explorer updates should typically use
> the /q:a /r:n parameters. Clicking Syntax will take you to the most
> appropriate Microsoft Knowledgebase Article. A Warning message will appear
> if not entered, and if the switch is wrong, then reboot and patch rollup
> ability fails.
>
>
>
> 13.
> After it is complete, the Software Updates Status page should state Yes in
> the Ready column for all security patches selected.
>
> 14.
> Configure Enforcement
>
> Specify a five-minute countdown, and Install updates as the default action.
> This will allow five minutes for the user to participate in the process,
> but even if they do not, updates will be installed automatically. Be aware
> that users should save their work during this process, and the need for
> this to happen is encouraged by the client agent user interface.
>
> Specify that only required updates will be automatically installed using
> the Force installation of required updates only (not updates that can still
> be postponed) option. This will cause installation of updates only for those
> updates that have exceeded their enforcement period.
>
> Specify that the enforcement period will be based on the time the update
> was detected by selecting Time Detected in the From box. This will allow a
> reasonable enforcement period to be available to new clients, or users
> returning from time away. Otherwise users may encounter forced updates and
> system restarts within minutes of powering up and logging in after an
> extended vacation.
>
>
> To speed the process of gathering the inventory-based results of the
> updates that were installed, clear the Report inventory changes only when
> inventory is scheduled check box. This will start the inventory cycle
> running immediately after the update(s) are applied.
>
> To aid in detailed and timely reporting, individual status messages for
> each update can be generated, or just for error conditions. Select Include
> status messages for all updates being installed if you would like to view
> the success status for each update to confirm its state in relation to the
> inventory data.
>
> 15.
> Configure Status Reporting
>
> To speed the process of gathering the inventory-based results of the
> updates that were installed, clear the Report inventory changes only when
> inventory is scheduled check box. This will start the inventory cycle
> running immediately after the update(s) are applied.
>
> To aid in detailed and timely reporting, individual status messages for
> each update can be generated, or just for error conditions. Under Status
> Reports, select Include status messages for all updates being installed if
> you would like to view the success status for each update to confirm its
> state in relation to the inventory data.
>
> In the Detect and postpone system restarts for box, select Servers to
> ensure that any servers do not restart automatically. Typically, servers
> are scheduled to restart independently.
>
> 16.
> Configure Installation Agent Settings
>
> When you select the Report inventory changes only when inventory is
> scheduled check box, the Installation status is sent only when hardware
> inventory is run. Leaving this check box cleared causes a hardware
> inventory to be sent immediately after success of installing patches.
>
> Status Reports can include status messages for all updates, or just for
> updates not successfully installed.
>
> The Detect and Postpone system restarts for box allows you to install
> patches without rebooting for different Operating systems. It is best to
> not reboot servers and run another advertisement that corresponds to
> prescheduled outage periods for servers.
>
>
>
> 17.
> Advertisement Settings
>
> Advertise first to a test collection of systems in your controlled lab
> environment. When each system has been verified, you may proceed to a
> broader target group, such as a production pilot group.
>
> Set the recurrence feature to a value that will allow end-users to have
> several opportunities to become involved in the process, but not so often
> as to be annoying to them or cause undue disruption.
>
> Consider the enforcement period when setting this recurrence value. For the
> example of a seven-day enforcement period, and six-hour recurrence, end
> users will have 24 hours per day/6 hours = 4 recurrences per day. With a
> seven-day enforcement period, users will have 24 opportunities to postpone
> the installation of updates (typically only 12 during the hours they are
> using their computer during the business day). For better scheduling clear
> the advertisement and schedule it manually to fit your needs.
>
> 18.
> Click Finish to complete the DSUW process for security patches.
>
> For more information, please refer to the following resource:
>
> SUS Feature Pack Deployment Guide:
>
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sms/sms2/deploy/confeat/smsfpdep.asp
>
> SUS Feature Pack FAQ:
> http://www.microsoft.com/smserver/support/susfaq.asp
>
> SUS Feature Pack WebCasts:
> http://support.microsoft.com/default.aspx?kbid=326697
> http://www.microsoft.com/usa/webcasts/ondemand/1600.asp
>
> Hope this helps!
>
> Sincerely,
> Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
> Microsoft Partner Support
>
> Get Secure! - www.microsoft.com/security
>
> =====================================================
> When responding to posts, please "Reply to Group" via
> your newsreader so that others may learn and benefit
> from your issue.
> =====================================================
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: "TerryM" <nospam@hotmail.com>
> | References: <uAY2EfiLEHA.2976@TK2MSFTNGP10.phx.gbl>
> <#I2#TRjLEHA.1144@TK2MSFTNGP12.phx.gbl>
> | Subject: Re: SUM Question
> | Date: Thu, 29 Apr 2004 20:52:28 -0400
> |
> | Actually we've tried that.
> |
> | Here's the problems.
> |
> | First we don't want the system rebooting multiple times. It freaks the
> | users out. If you do not put the /norestart for the cmdlines then each of
> | the patches reboots the system each time instead of just once after both are
> | installed.
> |
> | Also even when we are having problems getting the postpone button to be
> | active for the users. I want the users to be able to postpone the restarts
> | if they want.
> |
> | So I've tried all sorts of combinations of the various areas I outlined and
> | am having issues finding the right combo. So if someone has a package with
> | a couple patches in it that force reboots, if they could post that for me it
> | would be great.
> |
> | The areas I was inquiring about again are:
> | a.) in the command line (I'm assuming /quiet /norestart) in the wizard in
> | the postpone reboots,
> | b.) Postpone Restarts for drop down (None)
> | c.) Perform Unattended install settings (uncheck unattended, choose install
> | patches after countdown??)
> | d.) Notify users about activity section (Check the box to notify, select 12
> | hours they can postpone for)
> | e.) In the program for after running (No action taken)
> | f.) Any place else.
> |
> | And the desired outcome again is:
> | Multiple patches installed with no restarts
> | After all are installed the postpone button is active for the users to
> | choose
> |
> | Thanks
> | Terry
> |
> | <Karl> wrote in message news:%23I2%23TRjLEHA.1144@TK2MSFTNGP12.phx.gbl...
> | > It's not so bad.
> | >
> | > yes, SMS and the patches both have ways to suppress the reboot and you can
> | > have issues with the settings overriding each other. (For example, a patch
> | > that reboots but SMS suppresses it)
> | >
> | > If you want to be sure that you are going to properly allow the user to
> | > reboot, have the patch NOT reboot the system but have SMS reboot it with a 5
> | > minute or however long you need timer to allow the user(s) to save their
> | > work. Just make sure you choose the correct option to have 'SMS restarts
> | > the computer', else you may not have the PC get rebooted
> | >
> | > Once the patches are installed, SMS will then finish the advertisement and
> | > then start the reboot sequence. I generally prefer to allow SMS to control
> | > the reboot since you have more control on the clients not losing any work.
> | > Also, if the clients are not there and have unsaved work, be careful!
> | > Forcing the system to restart w/o a user input is a BAD thing as they can
> | > lose their work and get quite mad at YOU! :)
> | >
> | > Once done, check that there were no issues with the advertisement failing.
> | > Next, verify that the systems have been indeed rebooted. Make a query to
> | > look at the last restart times of the systems and verify they indeed
> | > restarted. Then check to make sure the patches have been installed
> | > properly.
> | >
> | > There is a lot of micro-managing software deployment and many issues can
> | > arise as a result. Check thru all the SMS Console status reports for any
> | > issues as well :)
> | >
> | >
> |
> |
> |
>
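
The parameter rule from step 12 of the quoted reply, as an added example that is not part of the original thread: a pre-flight check that every update in a multi-patch package carries a silent switch and a restart-suppression switch of the right installer style before the package is advertised. The file names, the two installer family labels and the switch tables are assumptions made for the example.

```python
# Added example (not from the thread): lint per-update parameters in one package.
# Assumed switch meanings: update.exe hotfixes take /q or /quiet (silent) and
# /z or /norestart (no restart); IExpress packages such as Internet Explorer
# updates take /q:a (silent) and /r:n (never restart).
SWITCHES = {
    "update.exe": {"silent": {"/q", "/quiet"},
                   "no_restart": {"/z", "/norestart"},
                   "restart": {"/forcerestart"}},
    "iexpress": {"silent": {"/q:a"},
                 "no_restart": {"/r:n"},
                 "restart": {"/r:a", "/r:s"}},
}

# Constructed sample package: hypothetical file names, four parameter strings.
PACKAGE = [
    ("hotfix-A.exe", "update.exe", "/z /q /m"),
    ("hotfix-B.exe", "update.exe", "/Q:A /R:N"),   # IE-style switches on a hotfix
    ("ie-update-C.exe", "iexpress", "/q:a /r:n"),
    ("ie-update-D.exe", "iexpress", "/q:a /r:a"),  # restarts on its own
]


def check_update(family, params):
    """Return the reasons this update would break a single end-of-package reboot."""
    tokens = {t.lower() for t in params.split()}
    own = SWITCHES[family]
    problems = []
    if not tokens & own["silent"]:
        problems.append("no silent switch")
    if not tokens & own["no_restart"]:
        problems.append("no restart-suppression switch")
    forced = sorted(tokens & own["restart"])
    if forced:
        problems.append("requests a restart: " + " ".join(forced))
    for other, groups in SWITCHES.items():
        if other != family:
            foreign = sorted(tokens & set().union(*groups.values()))
            if foreign:
                problems.append(f"{other}-style switch: " + " ".join(foreign))
    return problems


def check_package(package):
    """Map each offending file name to its list of problems."""
    report = {name: check_update(family, params) for name, family, params in package}
    return {name: problems for name, problems in report.items() if problems}
```

An empty result from `check_package` means every update installs silently and leaves the restart to be handled once, after the last update.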