Re: SUM Question

From: Seeker (anonymous_at_discussions.microsoft.com)
Date: 05/03/04


Date: Mon, 3 May 2004 15:10:45 -0500

You need a scripting tool such as SMS installer or Wise Installmaster to
'wrap' your packages in, and then let the wrapper script take care of
rebooting. This is what I have been doing:

1. Use Wise to install the packages. I check for the file versions prior to
running the update command, as per the MS Q article, and use the command
line for /quiet /norestart.

2. I set a variable in Wise that gets set to '1' when a package needs
installation.

3. If the reboot variable is '1' at the end of the package, the Wise package
reboots the computer (see 4. below).

4. I use the 'shutdown.exe' utility from the W2k resource kit to reboot the
computer; this lets you set a countdown as well as provide a custom
message.

5. I advertise the package via SMS, and set the option 'package reboots
computer'. Of course, the package only reboots if it is necessary.

HTH

"TerryM" <nospam@hotmail.com> wrote in message
news:e%23vu5vsLEHA.1032@tk2msftngp13.phx.gbl...
> SUM - Software Update Management is the SMS 2003 Patch management.
>
> I really appreciate you taking the time to answer this question, however
> the following will probably not sound like it, from frustration setting in.
>
> It doesn't seem like people are really understanding what I am asking. Or
> the situation.
>
> I have read all books, help guides, white papers, etc... I don't need a
> novice overview of how to send out patches or how the wizard works...
>
> What I want is someone out there who has:
> a.) sent out multiple patches that require reboots in one package
>
> To tell me how to:
> a.) Install all updates without reboots between them (/norestart switch on
> each patch probably)
> b.) At the end of installing all hotfixes give the user the choice to
> postpone the reboots!! This is the biggest part. I have tried multiple
> combinations of settings I just want at this point someone to tell me what
> combination will pop up and the postpone button won't be grayed out and the
> users will have the option of postponing reboots.
>
> I don't need to know the steps to do a deployment besides those steps I
> need to do to specifically get the postpone button not to be grayed out for
> restarts.
>
> Thanks,
> Terry
>
>
> "Jack Wang [MSFT]" <jackwa@online.microsoft.com> wrote in message
> news:MaIvfGsLEHA.304@cpmsftngxa10.phx.gbl...
> > Hi Terry,
> >
> > I am not sure if you are using the SUS Feature Pack.
> >
> > The Security Update tool must have successfully run once on the target
> > machines for the DSUW to install patches successfully.
> >
> > 1.
> > In the SMS Administrator console create a collection called Systems
> > Capable of Scan and Installation.
> > The syntax for this collection is as follows and can be copied and
> > pasted into the Query Syntax Window.
> >
> > select SMS_R_System.ResourceID,SMS_R_System.ResourceType,
> > SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,
> > SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from
> > SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on
> > SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId inner
> > join SMS_G_System_SoftwareFile on
> > SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId where
> > (SMS_R_System.Client = 1 and SMS_R_System.SMSAssignedSites = "LAK")
> > and ((SMS_R_System.OperatingSystemNameandVersion like
> > "Microsoft Windows NT %4.0%" and
> > SMS_G_System_OPERATING_SYSTEM.CSDVersion >= "%6a%") or
> > SMS_R_System.OperatingSystemNameandVersion >= "%5%") and
> > (SMS_G_System_SoftwareFile.FileDescription = "Internet Explorer" and
> > SMS_G_System_SoftwareFile.FileVersion >= "5%")
> >
> > 2.
> > Right-click the collection and select All Tasks and then Distribute
> > Software Updates. This will begin the wizard.
> >
> > 3.
> > Click Next on the first wizard page.
> >
> > 4.
> > On the Specify a Software Update Type page, click Select an update
> > type, select Security, and then click Next.
> >
> > 5.
> > On the Create an SMS Package, or Modify Packages and Updates page,
> > select New and then click Next.
> >
> > Note: If this is an update, then select the Security Patches and then
> > click Next.
> > 6.
> > In the Name box, type Name of your choosing and then click Next.
> >
> > Apply corporate branding to the end-user experience. You may customize
> > the IT organization name that will appear in the notification area
> > windows and the dialog box of the client agent. Create a Rich Text
> > Formatted (RTF) document using Microsoft WordPad or any other RTF-enabled
> > application. Documents may include graphics, icons, logos and text
> > content. The Import and Preview buttons will allow you to verify the
> > content appears as desired, and make it available in the package folder.
> > 7.
> > Custom Branding - Enhancing the End User Experience
> >
> > The DSUW (Distribute Software Updates Wizard) allows for custom branding
> > for the following:
> >
> > Organization Name (Displayed in the window that appears that states "The
> > Organization has Security Updates that require your attention, please
> > click here to continue.")
> >
> > Custom .RTF can be added through the wizard allowing users to view a
> > custom message or information by clicking More Info.
> >
> > 8.
> > The Select an Inventory Scanning Program window appears and asks you to
> > specify the Inventory Scan Tool package, and the program name. You should
> > select the Security Scan Update Tool, and the program should be either
> > the Normal Scan or the Expedited scan. Note that the Expedited scan
> > initiates the hardware inventory process on a client and generates a MIF,
> > so this can cause flooding issues if Expedited is chosen in a large SMS
> > hierarchy. The reason this is here is to make sure that when the program
> > runs on a system, it makes a last minute check to verify that the
> > security patch has not been installed previously via the Windows Update
> > Web site or been manually installed since the last security scan. This
> > prevents reinstalling the patch. Click Next to continue.
> >
> > 9.
> > Select an update from the list of updates using the check box provided.
> > Click Information to open the appropriate article describing the update
> > or the issue the update addresses.
> >
> > Multiple items may be selected using either the check box or a
> > combination of the multiselect cursor and check box features.
> > 10.
> > Configure Updates
> >
> > Compare and research the patch number to the actual Microsoft TechNet
> > Article in an Excel Spreadsheet and update it as new patches are
> > released. Use these to select the Appropriate Security Patches listed in
> > the Add Remove Updates page. If you do not see a patch-referenced TechNet
> > article, it means that it has not been detected that it is needed in your
> > environment yet, or is at 100 percent compliance.
> >
> > The authorizing of patches allows the IT department to select which
> > patches are needed in their environment based on security scan
> > information that notifies you of applicable and installed security
> > patches. The SMS Distribute Software Updates Wizard (DSUW) allows you to
> > customize the authorization date for each patch individually, thereby
> > allowing you to add more security patches at a later date and just add a
> > new authorization date.
> >
> >
> > The Authorized on box above allows you to select each security patch and
> > set when the security patch was authorized, allowing you to enforce
> > security patch installation by authorization date when sending multiple
> > patches.
> >
> > 11.
> > Click Next on the Add and Remove Updates page. Click Properties for the
> > Software Updates Details page, obtain the update by clicking Download, if
> > needed, and specify the appropriate command-line parameters. Indicate the
> > date authorized.
> >
> > 12.
> > Ensure that silent, non-restart behavior is configured for software
> > update installation. Configure this behavior on the Software Update
> > Details page of the Distribute Software Updates Wizard by using the
> > Parameters box and clicking Syntax. Typical updates for Windows and
> > Windows components should use the /z /q /m parameters. Internet Explorer
> > updates should typically use the /q:a /r:n parameters. Clicking Syntax
> > will take you to the most appropriate Microsoft Knowledgebase Article. A
> > Warning message will appear if not entered, and if the switch is wrong,
> > then reboot and patch rollup ability fails.
> >
> >
> >
> > 13.
> > After it is complete, the Software Updates Status page should state Yes
> > in the Ready column for all security patches selected.
> >
> > 14.
> > Configure Enforcement
> >
> > Specify a five-minute countdown, and Install updates as the default
> > action. This will allow five minutes for the user to participate in the
> > process, but even if they do not, updates will be installed
> > automatically. Be aware that users should save their work during this
> > process, and the need for this to happen is encouraged by the client
> > agent user interface.
> >
> > Specify that only required updates will be automatically installed using
> > the Force installation of required updates only (not updates that can
> > still be postponed) option. This will cause installation of updates only
> > for those updates that have exceeded their enforcement period.
> >
> > Specify that the enforcement period will be based on the time the update
> > was detected by selecting Time Detected in the From box. This will allow
> > a reasonable enforcement period to be available to new clients, or users
> > returning from time away. Otherwise users may encounter forced updates
> > and system restarts within minutes of powering up and logging in after an
> > extended vacation.
> >
> >
> > To speed the process of gathering the inventory-based results of the
> > updates that were installed, clear the Report inventory changes only
> > when inventory is scheduled check box. This will start the inventory
> > cycle running immediately after the update(s) are applied.
> >
> > To aid in detailed and timely reporting, individual status messages for
> > each update can be generated, or just for error conditions. Select
> > Include status messages for all updates being installed if you would like
> > to view the success status for each update to confirm its state in
> > relation to the inventory data.
> >
> > 15.
> > Configure Status Reporting
> >
> > To speed the process of gathering the inventory-based results of the
> > updates that were installed, clear the Report inventory changes only
> > when inventory is scheduled check box. This will start the inventory
> > cycle running immediately after the update(s) are applied.
> >
> > To aid in detailed and timely reporting, individual status messages for
> > each update can be generated, or just for error conditions. Under Status
> > Reports, select Include status messages for all updates being installed
> > if you would like to view the success status for each update to confirm
> > its state in relation to the inventory data.
> >
> > In the Detect and postpone system restarts for box, select Servers to
> > ensure that any servers do not restart automatically. Typically, servers
> > are scheduled to restart independently.
> >
> > 16.
> > Configure Installation Agent Settings
> >
> > When you select the Report inventory changes only when inventory is
> > scheduled check box, the Installation status is sent only when hardware
> > inventory is run. Leaving this check box cleared causes a hardware
> > inventory to be sent immediately after success of installing patches.
> >
> > Status Reports can include status messages for all updates, or just for
> > updates not successfully installed.
> >
> > The Detect and Postpone system restarts for box allows you to install
> > patches without rebooting for different Operating systems. It is best to
> > not reboot servers and run another advertisement that corresponds to
> > prescheduled outage periods for servers.
> >
> >
> >
> > 17.
> > Advertisement Settings
> >
> > Advertise first to a test collection of systems in your controlled lab
> > environment. When each system has been verified, you may proceed to a
> > broader target group, such as a production pilot group.
> >
> > Set the recurrence feature to a value that will allow end-users to have
> > several opportunities to become involved in the process, but not so
> > often as to be annoying to them or cause undue disruption.
> >
> > Consider the enforcement period when setting this recurrence value. For
> > the example of a seven-day enforcement period, and six-hour recurrence,
> > end users will have 24 hours per day/6 hours = 4 recurrences per day.
> > With a seven-day enforcement period, users will have 24 opportunities to
> > postpone the installation of updates (typically only 12 during the hours
> > they are using their computer during the business day). For better
> > scheduling clear the advertisement and schedule it manually to fit your
> > needs.
> >
> > 18.
> > Click Finish to complete the DSUW process for security patches.
> >
> > For more information, please refer to the following resource:
> >
> > SUS Feature Pack Deployment Guide:
> > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/sms/sms2/deploy/confeat/smsfpdep.asp
> >
> > SUS Feature Pack FAQ:
> > http://www.microsoft.com/smserver/support/susfaq.asp
> >
> > SUS Feature Pack WebCasts:
> > http://support.microsoft.com/default.aspx?kbid=326697
> > http://www.microsoft.com/usa/webcasts/ondemand/1600.asp
> >
> > Hope this helps!
> >
> > Sincerely,
> > Jack Wang, MCSE 2000, MCSA, MCDBA, MCSD
> > Microsoft Partner Support
> >
> > Get Secure! - www.microsoft.com/security
> >
> > =====================================================
> > When responding to posts, please "Reply to Group" via
> > your newsreader so that others may learn and benefit
> > from your issue.
> > =====================================================
> >
> > This posting is provided "AS IS" with no warranties, and confers no
> > rights.
> > --------------------
> > | From: "TerryM" <nospam@hotmail.com>
> > | Subject: Re: SUM Question
> > | Date: Thu, 29 Apr 2004 20:52:28 -0400
> > | Newsgroups: microsoft.public.sms.admin
> > |
> > | Actually we've tried that.
> > |
> > | Here are the problems.
> > |
> > | First we don't want the system rebooting multiple times. It freaks the
> > | users out. If you do not put the /norestart for the cmdlines then each
> > | of the patches reboots the system each time instead of just once after
> > | both are installed.
> > |
> > | Also even when we are having problems getting the postpone button to be
> > | active for the users. I want the users to be able to postpone the
> > | restarts if they want.
> > |
> > | So I've tried all sorts of combinations of the various areas I outlined
> > | and am having issues finding the right combo. So if someone has a
> > | package with a couple patches in it that force reboots, if they could
> > | post that for me it would be great.
> > |
> > | The areas I was inquiring about again are:
> > | a.) in the command line (I'm assuming /quiet /norestart) in the wizard
> > | in the postpone reboots,
> > | b.) Postpone Restarts for drop down (None)
> > | c.) Perform Unattended install settings (uncheck unattended, choose
> > | install patches after countdown??)
> > | d.) Notify users about activity section (Check the box to notify, select
> > | 12 hours they can postpone for)
> > | e.) In the program for after running (No action taken)
> > | f.) Any place else.
> > |
> > | And the desired outcome again is:
> > | Multiple patches installed with no restarts
> > | After all are installed the postpone button is active for the users to
> > | choose
> > |
> > | Thanks
> > | Terry
> > |
> > | <Karl> wrote in message news:%23I2%23TRjLEHA.1144@TK2MSFTNGP12.phx.gbl...
> > | > It's not so bad.
> > | >
> > | > yes, SMS and the patches both have ways to suppress the reboot and you
> > | > can have issues with the settings overriding each other. (For example,
> > | > a patch that reboots but SMS suppresses it)
> > | >
> > | > If you want to be sure that you are going to properly allow the user to
> > | > reboot, have the patch NOT reboot the system but have SMS reboot it
> > | > with a 5 minute or however long you need timer to allow the user(s) to
> > | > save their work. Just make sure you choose the correct option to have
> > | > 'SMS restarts the computer', else you may not have the PC get rebooted
> > | >
> > | > Once the patches are installed, SMS will then finish the advertisement
> > | > and then start the reboot sequence. I generally prefer to allow SMS to
> > | > control the reboot since you have more control on the clients not
> > | > losing any work. Also, if the clients are not there and have unsaved
> > | > work, be careful! Forcing the system to restart w/o an user input is a
> > | > BAD thing as they can lose their work and get quite mad at YOU! :)
> > | >
> > | > Once done, check that there were no issues with the advertisement
> > | > failing. Next, verify that the systems have been indeed rebooted. Make
> > | > a query to look at the last restart times of the systems and verify
> > | > they indeed restarted. Then check to make sure the patches have been
> > | > installed properly.
> > | >
> > | > There is a lot of micro-managing software deployment and many issues
> > | > can arise as a result. Check thru all the SMS Console status reports
> > | > for any issues as well :)
> > | >
> > | >
> > |
> > |
> > |
> >
>
>
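
The wrapper procedure from the reply at the top of this thread (steps 1 to 4), written in PowerShell as an added example; it is not any poster's script, and it substitutes the built-in Windows shutdown.exe for Wise and the Resource Kit utility. Installer paths, checked files and version numbers are constructed placeholders, and treating a missing file as "not applicable" is an assumption.

```powershell
# Added example, not from the thread. Paths, file names and versions are
# constructed placeholders; take real values from each update's KB article.
$Updates = @(
    @{ Installer    = 'C:\Patches\update-one.exe'              # placeholder
       CheckFile    = "$env:SystemRoot\System32\example1.dll"  # placeholder
       FixedVersion = [version]'5.1.2600.1000' },              # placeholder
    @{ Installer    = 'C:\Patches\update-two.exe'              # placeholder
       CheckFile    = "$env:SystemRoot\System32\example2.dll"  # placeholder
       FixedVersion = [version]'6.0.2800.2000' }               # placeholder
)
$CountdownSeconds = 300
$Message = 'Security updates were installed. Save your work; this computer restarts in 5 minutes.'

function Test-UpdateNeeded {
    param([string]$CheckFile, [version]$FixedVersion)
    # Assumption: a missing file means the component is absent, so skip the update.
    if (-not (Test-Path -LiteralPath $CheckFile)) { return $false }
    $v = (Get-Item -LiteralPath $CheckFile).VersionInfo
    $installed = [version]('{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart,
                                                $v.FileBuildPart, $v.FilePrivatePart)
    return ($installed -lt $FixedVersion)
}

$rebootNeeded = $false   # step 2: the wrapper's reboot variable
$failed       = $false

foreach ($u in $Updates) {
    # Step 1: check the file version before running the update.
    if (-not (Test-UpdateNeeded $u.CheckFile $u.FixedVersion)) {
        Write-Output "Skipped (already current or not applicable): $($u.Installer)"
        continue
    }
    # Silent install with the update's own restart suppressed.
    $p = Start-Process -FilePath $u.Installer -ArgumentList '/quiet', '/norestart' -Wait -PassThru
    # 0 = success, 3010 = success with a restart pending.
    if ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010) {
        $rebootNeeded = $true
        Write-Output "Installed: $($u.Installer) (exit code $($p.ExitCode))"
    } else {
        $failed = $true
        Write-Output "FAILED: $($u.Installer) (exit code $($p.ExitCode))"
    }
}

# Steps 3 and 4: a single restart at the end, with countdown and custom message.
if ($rebootNeeded) {
    & shutdown.exe /r /t $CountdownSeconds /c $Message
}
if ($failed) { exit 1 }   # non-zero exit so the deployment tool can record the failure
```

A restart scheduled this way can be cancelled during the countdown with `shutdown.exe /a`.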