Q. Where is the SUS Feature Pack for SMS 2003? (Updated September 30, 2004)
A.
Patch management is an integrated feature of SMS 2003. The Distribute Software Updates Wizard is now part of SMS 2003 and is installed by default. The Web Reporting tool is replaced by the new reporting feature of SMS 2003 and includes completely revised and updated Web reports for patch management. Inventory tools are still hosted on the Web and must be downloaded and installed from the SMS Web site.
Q. Do I need to allow my site server to access the internet for software update management to work? (Updated July 27, 2004)
A.
When you install the Security Update Inventory Tool, the site server must have access to the latest mssecure.cab file. If the site server has Internet access, then the setup program will automatically download mssecure.cab and proceed with the installation. If the site server does not have Internet access, you must manually download the .cab file. To download the latest .cab file, clickhere. In the File Download box, confirm that the file is called MSSecure_1033.CAB. Click Save and save the file to the installation folder of the Security Update Inventory tool. (The default folder is C:\Program Files\SecurityPatch\PkgSource\1033. You might be required to create this folder.) After you save the file to this directory, rename the file to mssecure.cab.
When you install the Office Update Inventory tool, the site server must have access to the latest inventory tool (invcm.exe) and the latest update catalog (invcif.exe). If the site server has Internet access, then the setup program will automatically download both required files and proceed with the installation. If the site server does not have Internet access, you must manually download the files. To download the latest inventory engine click here. In the File Download box, confirm that the file is called invcm.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool. (The default folder is C:\Program Files\OfficePatch\PkgSource. You might be required to create this folder.) To download the latest update catalog, click here. In the File Download box, confirm that the file is called invcif.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool. (The default folder is C:\Program Files\Office Update\PkgSource. You might be required to create this folder.)
During installation of either inventory tool, you designate one computer to act as the synchronization host. The synchronization host retrieves the latest update catalog from Microsoft. The Office Update synchronization host also automatically retrieves the latest invcm.exe. Only that synchronization host requires Internet access. That computer can be the administrator’s desktop or any other SMS client computer, but it does not have to be the site server. By default, the synchronization component that retrieves the updates only in attended mode only, but it can be configured for unattended operation.
For more information about configuring the synchronization component to run in attended or unattended mode, search for “Task 4: Deploy the Software Update Inventory Tools” in Chapter 6, “Managing Software Updates,” in the Microsoft Systems Management Server 2003 Operations Guide.
Q. We have a firewall that requires authentication. How will SMS Software Update work in this case?
A.
If you are using authenticated firewalls, configure the synchronization task to run in attended mode. If you are using attended mode, the synchronization component requires the following:
The logged-on user must have access to the Internet through the firewall. If authentication is required, an authenticated browser session must be open on the computer. If this is not the case, the synchronization task does not run.
HTTP 1.1 must be enabled for the registered browser.
The logged-on user must have read/write permission to the package source folder for the inventory component.
The logged-on user must have access to the package object (if the synchronization component will dynamically update the distribution points).
The attended mode has the following potential drawbacks:
You (or another administrator with the proper credentials) must be constantly logged on to the synchronization host for the synchronization component to work.
If you are logged off for an extended period of time (for example, on vacation) there could be a delay of software update compliance and a backlog of newly released software updates on your return.
Q. Do I need to uninstall my SMS 2.0 SUS Feature Pack before upgrading to SMS 2003?
A.
You need to uninstall only the Web Reporting tool and Add-in Reports for Software Updates. The SMS 2003 upgrade process will retain your current patch packages and settings. You must download and install the SMS 2003 versions of the inventory tools, which will automatically update your current inventory tool package. You do not need to uninstall your current inventory tool package before installing the SMS 2003 version.
Q. I want to upgrade my SMS 2.0 installation in stages. How will patch management solution work for me? Will I be using both the SMS 2003 and SUS Feature Packs in the interim?
A.
The SMS 2003 Administrator console can manage all SMS 2.0 sites. SMS 2003 versions of the inventory tools can run on SMS 2.0 clients. If you manage patches from a central site, upgrading that site to SMS 2003 preserves all your patch management investments and allows you to manage your mixed hierarchy from a single set of SMS 2003 tools.
Q. Do I need to create different patch packages for each product?
A.
Patch packages must uniquely correspond to a specific inventory tool. You cannot have a package that contains patches reported by different inventory tools. This means that, at a minimum, you must create one package for patches reported by the Security Update Inventory tool and another package for patches reported by the Microsoft Office Inventory Tool for Updates. However, within a package for a specific inventory tool, you can include patches for different operating systems or products. For example, a patch package for Security Updates can contain patches for Microsoft Internet Explorer (for different Internet Explorer versions and different operating systems) and Windows Media Player (for different Media Player versions and different operating systems). The Software Update Installation Agent will detect and apply the correct patch binary for each client. It might be desirable to organize patch packages on a per-operating system or per-product basis, but this is not technically required (beyond the separation by the inventory tool).
Q. Can I schedule patches for installation during hours when users are not logged in?
A.
Yes. When the Distribute Software Updates Wizard creates patch packages and programs, it does not set the Run property when a user is logged in by default. This means that patches can be installed even when users are not logged in. If necessary, you can do a completely unobtrusive and unattended patch installation by scheduling it at night when all user interfaces are turned off. Then, when users log in the next morning, they have a patched system ready to go.
For urgent patches that must become active even if users have unsaved changes in open documents, you must:
Ensure the software distribution account in use has administrative credentials to the computers.
On the Configure Software Update Client Agent page of the wizard, select Force client programs to close, and discard any unsaved data option.
Q. Will my current inventory tools work with the new localized security catalogs, and if so, how do I download them? (Added April 30, 2004)
A.
The SMS inventory tool will work with any localized version of the catalog. The inventory tool attempts to use the localized catalog matching the language of system being inventoried. The inventory tool defaults to English if matching language catalog is not available. No localized version of the tool is required to access the localized catalogs, but you must be running MBSA 1.2. Also, to take advantage of the localized catalogs, you must modify the Download.ini file to let the synchronization engine know the location from which to download the localized catalogs. For instructions to modify the Download.ini, see article 838403 in the Microsoft Knowledge Base.
MBSA Versions
Q. What version of the MBSA scan engine does SMS 2003 use? (Updated September 30, 2004)
A.
As of March 12, 2004, SMS uses the MBSA 1.2 scan engine. Versions of MBSA less than 1.2 will not scan for security updates until they are upgraded.
The Security Update Inventory Tool was updated with the release of SP1. You should download the new version of the Security Update Inventory Tool from the SMS Web site, even if you are still running SMS 2003 (no service pack.) The previous version of the Security Update Inventory Tool is no longer supported.
Q. Do I need to upgrade from MBSA 1.2 to 1.2.1? (Added August 31, 2004)
A.
No. Users who are using SMS to handle their security scanning do not need to upgrade to MBSA 1.2.1. There is no change to the security update scanning logic between MBSA 1.2 and MBSA 1.2.1. Some improvements were made to the Windows vulnerabilities checks performed by MBSA 1.2.1, but these checks are not used by SMS. The mssecure.xml file that MBSA uses to identify missing security updates supports both 1.2 and 1.2.1.
SMS with MBSA 1.2 is capable of accurately scanning Windows XP SP 2 systems.
Q. Does MBSA 1.2 scan for Windows XP SP2 updates using Systems Management Server? (Added August 31, 2004)
A.
Yes. SMS with MBSA 1.2 is capable of accurately scanning Windows XP SP 2 systems.
Q. I upgraded to the new Security Update Inventory Tool with MBSA 1.2 and now my reports are showing different data. Does MBSA 1.2 find more updates than MBSA 1.1.1? (Added March 31, 2004)
A.
MBSA 1.2 has improved detection capabilities over the previous version. Patches that were reported as Missing can now be found. For example, MS03-026 was superceded by MS03-039. MBSA 1.1.1 reported both MS03-026 and MS03-039 as missing. MBSA 1.2 will report only MS03-039 as missing. This can cause variations in your reporting data when you compare data based on MBSA 1.1.1 scans and data based on MBSA 1.2 scans. For more information about the detection differences between MBSA 1.2 and MBSA 1.1.1, see article 306460 in the Microsoft Knowledge Base.
Q. What version of Microsoft XML do I need for inventory tools to work? (Added June 30, 2004)
A.
Microsoft XML 3.0 SP2 is the minimum requirement. If scan tools do not detect Microsoft XML on the computer, or it finds an earlier version, they will attempt to install Microsoft XML 3.0 SP4. Inventory tools also support the /noxml switch that prevents this automatic upgrade behavior. Please note that if System File Protection (SFP) is enabled, this upgrade will fail. (The scanwrapper.log will indicate: "Unable to upgrade the existing MSXML3 component on the machine. Previous version is protected by the OS.") If this is the case, upgrade the client by using software distribution (using Admin rights) to install the MSSecure.MSI file.
Q. How can I verify that I am using MBSA version 1.2? (Added June 30, 2004)
A.
The full version number for Microsoft Baseline Security Analyzer (MBSA) 1.2 is “1.2.3316.1”. Check mbsacli.exe located in the scanpackage source folder to verify.
Q. How can I verify that a patch is applicable to a specific client? (Added June 30, 2004)
A.
Go to the systemroot\system32\VPCache\<pkgid for the scanpackage> folder, and open the Results.xml file. If the patch is listed, and the value for the Status node is Applicable, the patch is applicable, but not installed. If the value of the Status node is Installed, the patch is already installed on the machine. If the patch is not listed, the client is not eligible for that patch.
Office Update Inventory Tool
Q. What is the Office Update Inventory Tool 2.1? (Added July 27, 2004)
A.
The Office Update Inventory Tool version 2.1 enables administrators to check one or more computers in their organization for the status of Microsoft® Office 2000, Office XP, and Office 2003 updates. It is an update to the Office Inventory Tool 2.0 that was previously used with the SMS software updates feature.
Q. What do I do to install the new version of the Microsoft Office Inventory Tool for Updates? (Added July 27, 2004)
A.
If you designated a computer to act as the synchronization host when you installed the Office Update Inventory tool, you do not need to do anything. SMS will automatically download the new version of the Microsoft Office Inventory Tool for Updates (invcm.exe) when it completes its next scheduled synchronization.
If you do not use the synchronization host and you manually download the update catalogs as they become available, you must manually download the new version the next time you download the update catalog. To download the latest inventory engine click here. In the File Download box, confirm that the file is called invcm.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool. To download the latest update catalog, click here. In the File Download box, confirm that the file is called invcif.exe. Click Save and save the file to the installation directory of the Office Update Inventory tool.
Q. Will the Office Update Inventory Tool 2.0 work with the new catalog? (Added July 27, 2004)
A.
No. You must upgrade both the scan tool and the catalog. If you attempt to use the new catalog with the older version of the inventory tool, the inventory program will fail.
Updates Not Detected by MBSA
Q. The Security Update Inventory Tool did not detect the updates just released by Microsoft. What should I do? (Added May 31, 2005)
A.
Some security updates cannot be detected by MBSA and thus cannot be detected by the Security Update Inventory Tool. Initially, Microsoft released stand-alone scan tools like the MS04-028 Update Scan Tool for each update that MBSA could not detect. In April of 2005, Microsoft began releasing the Extended Security Update Inventory Tool. This tool contains scan engines and multiple catalogs capable of scanning for all previous updates not detected by the MBSA. If a new update is released that cannot be detected by MBSA, you can upgrade your Extended Security Update Inventory Tool to a new version that will include the new update and all previous updates in one scan tool.
Each time there is an update that is not detected by the MBSA scan engine, Microsoft also releases a separate stand-alone tool called the Enterprise Update Scanning Tool. Unlike the Extended Security Update Inventory Tool, the Enterprise Update Scanning Tool is not cumulative; each update that is not detected by MBSA will have a separate scan tool and catalog.
Each security bulletin released by Microsoft will include information about whether or not the update can be detected by MBSA or requires an additional scan tool.
Q. Does the Extended Security Update Inventory Tool have a catalog and a synchronization host like the Security Update Inventory Tool and the Office Update Inventory Tool? (Added May 31, 2005)
A.
No. The Extended Security Update Inventory Tool contains all previously known updates that are not detected by MBSA. If a new update is released that is not detected by MBSA, you must manually download and install the new version of the Extended Security Update Inventory Tool. The Setup program will upgrade your existing version of the tool and allow you to add the new update to existing packages created for the previous version of the Extended Security Update Inventory Tool.
Q. If I already installed a previous scan tool for MS04-028 or MS05-Feb, do I need to uninstall those? Do I need to uninstall the Security Update Inventory Tool and Office Update Inventory Tool? (Added May 31, 2005)
A.
You should uninstall the MS04-028 Update Scan Tool and the February 2005 Security Update Scan Tool from your entire hierarchy before installing the Extended Security Update Inventory Tool. The Setup for the Extended Security Update Inventory Tool will attempt to alert you to the MS04-028 and the February 2005 tools if it detects them, but it will not uninstall them for you. Failure to uninstall them will create contradictory reporting information.
You should not uninstall the Security Update Inventory Tool and Office Update Inventory Tool. The Extended Security Update Inventory Tool scans only for tools not detected by MBSA, but it will not detect Office updates or anything detected by the Security Update Inventory Tool.
Q. Where do I obtain the Extended Security Update Inventory Tool and the documentation? (Added May 31, 2005)
Q. I don’t see patch type Security in the Distribute Software Updates Wizard any more? Instead I see a new patch type called MBSA. What happened?
A.
In SMS 2003, Security was renamed to Microsoft Baseline Security Analyzer (MBSA) to more accurately convey the inventory tool being used. If you upgraded from SMS 2.0, Security will be retained, but if you have a fresh SMS 2003 installation, you will see the MBSA patch type. As all clients are inventoried and the inventory is sent up the hierarchy, you will see the MBSA patch type in both cases.
Q. I know Microsoft has just released a particular patch. Why don't I see it in the list of patches for approval in the Distribute Software Updates Wizard? (Updated August 31, 2004)
A.
There are certain latencies before a patch will show up in the approval list of the Wizard:
There could be a delay before a security update is included in the catalog (MSSecure.xml). The catalog is updated on a monthly schedule (usually on the second calendar Tuesday of every month) unless the criticality of the update calls for an out-of-schedule update.
There could be a delay before the updated catalog is downloaded by your system. The download is performed by the Sync tool, which was created when you installed the Security Update Inventory Tool or the Microsoft Office Inventory Tool for Updates. The default update cycle is seven days.
After the catalog has been downloaded and the distribution points updated, the clients must run a hardware inventory cycle. Unless you have set the hardware inventory cycle to run every day, there will be an additional delay before clients will detect they are missing the new patch.
When the update requirement is detected, there are system latencies before this inventory data can roll up to the site where you run the Distribute Software Updates Wizard.
Also, there is always a chance the new patch is not really applicable for any of your computers, or that it is applicable to computers that are not being inventoried.
Q. What if the Distribute Software Updates Wizard asks me to download and install inventory tools even though I already have?
A.
The Distribute Software Updates Wizard is inventory-data driven. Remember there is always a time lag between an inventory cycle on a client computer and the inventory date being written to the site server database. This can be hours to days depending on the inventory cycle set for your site server.
Q. I want to approve a newly released patch. Do I need to find a client computer that is missing that patch to populate the SMS inventory with all the patches? (Updated September 30, 2004)
A.
It depends. For SMS 2003 (no service pack), you need at least one client to report a patch as missing before you can deploy it. Because that Distribute Software Updates Wizard does not list a software update for approval until the update has been requested by at least one client computer, there might be some delay between the time a software update becomes available and the time it is approved for distribution. To minimize this delay, you can use a reference computer for expedited approval processing. This procedure bypasses the collection-wide software inventory process and adds the software update to the software updates authorization list based on the inventory of a single reference computer. This is useful when critical software updates must be distributed immediately.
For the procedure, search on “Use a Reference Computer for Expedited Approval Processing” in the SMS Help.
In SMS 2003 SP1, the synchronization host automatically loads patches from the last 30 days into the SMS database, allowing you to approve and include a recent patch without completing a scan and inventory of a reference computer.
Reporting
Q. I ran patch compliance report in SMS 2003 after I upgraded, and the numbers are very different from SMS 2.0. What happened?
A.
In SMS 2.0, if a patch was installed successfully and needed a restart, but the system was not restarted, the compliance report reported the patch as installed. If an inventory was run before the computer was restarted, the status reverted back to uninstalled. Although this implementation allowed patch installation to be reported more quickly, it caused numbers to change as inventory data was reported. SMS 2003 patch compliance is now strictly based on inventory data as reported by a scan of the system after patches are installed. This reporting is more reliable and stable.
Obtaining Updates
Q. How can I speed up the download of the catalog?
A.
You can manually download the catalog and update the MSSecure.xml file in the Security Update Inventory Tool Package Source folder with the new version. Remember to refresh the distribution points after updating the Package Source folder.
Q. How frequently is MSSecure.xml updated and when? (Updated January 21, 2004)
A.
Microsoft releases security patches on a monthly schedule. The security catalog mssecure.xml is updated at the same time security bulletins are released. Microsoft will make an exception to the monthly release schedule if we determine that customers are at immediate risk from viruses, worms, attacks, or other malicious activities. In such situations, Microsoft can release security patches as soon as possible to help protect customers.
You can sign up for the free Microsoft Security Notification Service at the Microsoft Profile Center.
Q. How frequently is the Office Update Inventory Tool catalog updated and when? (Added October 29, 2004)
A.
Invcif.exe (the Office Update Inventory Tool catalog) is updated when new Office patches are released on the Office Update detection Web Site or when an emergency software update has to be made in the catalog. You can sign up for the Product Updates Alert newsletter at Microsoft Office Online to receive notifications when new Office patches are released.
Q. How can I be sure the version of the MSSecure.xml file I have is the latest? (Updated June 30, 2004)
Q. What if I don't see a Software Updates node in the Resource Explorer for a particular client computer?What if I don't see a Software Updates node in the Resource Explorer for a particular client computer?
A.
Ensure that the specific client meets all these requirements:
It is member of the collection to which the Security Update Inventory Tool has been advertised.
An inventory scan cycle has run successfully on this client computer.
Hardware inventory has been collected and rolled up to the site server.
Q. There are often multiple patch binaries (for different versions, languages, or service pack levels) for a single issue. Do we need to authorize all of these, or can they be included in the same patch package?
A.
The Distribute Software Updates Wizard lists each specific patch binary for the same issue for authorization. You should approve all of them, and can include them in the same package. The Software Update Installation Agent detects and applies the correct patch binary for each client.
Q. The SMS Software Update feature reports that my computer is fully patched, but when I run Windows Update, it shows some patches missing. What's wrong? (Updated February 27, 2004)
A.
Because the scan technology (MBSA) and catalog used by SMS 2003 Software Update feature and the Windows Update/MSUS 1.0 are not the same, there are some inconsistencies. In general, Windows Update has more updates in its catalog than are contained in MSSecure.xml, which is limited to critical security updates. Conversely, MSSecure.xml includes patches for Windows NT® 4.0 and some older versions of Internet Explorer that are not included in Windows Update.
For more information products that are detected by MBSA and specific patches for those products that are not detected, see article 306460, “Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates,” in the Microsoft Knowledge Base.
Troubleshooting
Q. How do I deploy a patch by using SMS if the patch can’t be detected by SMS and MBSA? (Updated July 30, 2004)
A.
Occasionally an update will be released that cannot be detected by the MBSA scanning engine currently used by SMS. This incompatibility is often caused by differing technologies used to create these updates. For a list of these updates, see article 306460 in the Microsoft Knowledge Base. If MBSA cannot detect the patch, SMS cannot leverage its patch management functionality to automate the authorization, detection, and deployment of a patch. Instead, the administrator can deploy the patch by using SMS Software Distribution. For the steps to deploy a patch by using Software Distribution, see the article “Deploying Software Updates Using the SMS Software Distribution Feature” on the Microsoft TechNet site or see article 867832 in the Microsoft Knowledge Base.
Q. Which log files are available for troubleshooting? (Updated September 30, 2004)
A.
Table 2 displays the principal log files that are useful for troubleshooting issues with the SMS 2003 software update management tool. This table is more current than the table in Chapter 6, “Managing Software Updates,” in the Microsoft Systems Management Server 2003 Operations Guide.
Table 2 Log Files for Troubleshooting the Software Update Management Tools
Component
Log file
Location
Description
Security Update Sync Tool
(SyncXml.exe)
SecuritySyncXml.log
PatchDownloader.log
SMS Client Log folder
\%temp%
Log file for the synchronization component; used for troubleshooting firewall and authentication issues.
Microsoft Office Inventory Sync Tool for Updates
(SyncXml.exe)
OfficeSyncXml.log
PatchDownloader.log
SMS Client Log folder
\%temp%
Log file for the synchronization component; used for troubleshooting firewall and authentication issues.
Security Update Inventory Tool
(Scanwrapper.exe)
Scanwrapper.log
SMS Client Log folder
Log file maintained by inventory component on SMS client computer.
Security Update Inventory Tool
(Scanwrapper.exe)
Results.xml
%windir%\system32\VPCACHE\<PackageID> folder on the SMS client computer
File maintained by scan component on SMS client computer that includes output of MBSA scan, including reasons why MBSA scan detected an update as applicable.
Microsoft Office Inventory Tool for Updates
(Scanwrapper.exe)
Scanwrapper.log
SMS Client Log folder
Log file maintained by inventory component on SMS client computer.
Individual Software Update log files
<qnumber>.log
%windir% folder on SMS client computer
Installation log maintained by software update installers. Contains information about actual software update installation.
Software Update Installation Agent
(Patchinstall.exe)
PatchInstall.log
SMS 2003 (no service pack): System Temp folder of the SMS client computer
SMS 2003 SP1: SMS Client Log folder
Package installation log file maintained by the Software Update Installation Agent on the SMS client computer.
User Notification
PatchUIMonitor.log
SMS Client Log folder
Log file contains information regarding the patch installation scheduling queue.
User Notification
SMSCliUI.log
SMS Client Log folder
Log file contains information about user interaction with the SMS Update icon in the System Tray.
<p>
<br />For more information about software update logging, see Chapter 6, “Managing Software Updates,” in the <a runat="server" href="https://go.microsoft.com/fwlink/?linkid=19628">Microsoft Systems Management Server 2003 Operations Guide</a>.</p>
</td>
Q. Is there a quick way to see if a particular patch has been authorized?
A.
Yes. In the PatchAuthorize.xml file in the Patch Package Source folder, you can search for a particular patch by its Microsoft Knowledge Base article number or title. This file contains information about all patches that have been authorized and includes other pertinent details, such as command-line options, that will be used for patch installation.
Q. How do I install or remove a hotfix, and where can I find command-line options for a patch installer?
A.
To remove a patch or hotfix, create a collection rule for clients based on the appropriate inventory properties for the patch, then target the uninstall program using traditional software distribution. To locate command line options for uninstall and other needed actions, see the following articles:
Microsoft Windows NT 4.0: How to Install and Remove Hotfixes with HOTFIX.EXE
Microsoft Windows 2000 or later: Hotfix.exe Program Description and Command-Line Switches
Internet Explorer: Common Command-line Switches for Self-Installing Update Files
Microsoft Exchange Server: XGEN: Exchange 2000 Server Post-Service Pack 3 Hotfix Command-Line Switches
Microsoft SQL Server: INF: SQL Server Hotfix Installer
Microsoft Office: Installing Client Update Files with OHotFix
Microsoft Knowledge Base article 810232 also contains a summary of command line options
Q. I have confirmed that my clients are scanning with the latest catalog. Why are my clients not detecting a patch, even though it is listed in the latest security catalog (mssecure.xml)? (Updated February 27, 2004)
A.
The security patch catalog (mssecure.xml) includes all security patches released by Microsoft. SMS uses MBSA tool for patch detection. This tool has certain limitations that cause specific products or certain patches to be not detected even though it may be listed in the catalog.
For more information about products that are detected by MBSA and specific patches for those products that are not detected, see article 306460, “Microsoft Baseline Security Analyzer (MBSA) returns note messages for some updates,” in the Microsoft Knowledge Base.
Q. The DSUW automatically downloads English security updates. Why doesn’t it download the international security updates automatically? (Updated April 30, 2004)
A.
At this time, the software update catalog is available in German, French, Japanese, and English. Automatic download might occasionally fail for these languages also. WORKAROUND: Using the Download button in the Distribute Software Updates Wizard property page, navigate to the download page in the browser, select the appropriate language for the software update, and then download it to the appropriate location.
Planning and Deployment.gif "Top of page"){kind=icon}
Top of page