A. SMS 2003 can determine the patch status of its clients and can deploy missing fixes. To take advantage of this functionality, you must download the client-side scanning tools from Microsoft. The tools aren't part of SMS because Microsoft periodically updates the tools to take advantage of new patch-listing formats and features, so you need to check back on a monthly basis for new versions of the tools. Your SMS configuration will automatically connect to Microsoft periodically to check for new patch listings so that it can confirm that systems are current with the latest updates and deploy the fixes when required. The SMS software update feature tracks not only the core OS patch status but also Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, Microsoft IIS, and other similar applications.

Unlike Microsoft Software Update Services (SUS), SMS lets you download only fixes that are missing from your clients; you can't download all available fixes. Therefore, if you want to create a package with all available fixes, you need to build a reference machine that has no fixes installed. Then allow SMS to capture the machine's patch status. Afterward, you can download all fixes available for that OS to the SMS Server for client distribution purposes.

To deploy software updates via the SMS OS Deployment Feature Pack, perform the following steps:

  1. Download the client-side scanning tools here.
  2. Double-click the downloaded file to extract it to a specified folder (e.g., C:\temp\scantools).
  3. Open the extraction folder and double-click SecurityPatch_enu.exe to open the welcome screen of the Security Update Inventory Tool Installation. Click Next.
  4. Accept the license agreement and click Next.
  5. Accept the location for the installation (or modify the location, if required) and click Next.
  6. Click Download to download the latest version of the scanning-tool XML database. If you don't have Internet connectivity on the SMS server, manually download the mssecure.cab file here from a machine that does have Internet connectivity. Save the file in the C:\program files\securitypatch\pkgsource\1033 folder (if you accepted the default location for the program installation), and make sure the file is named mssecure.cab (not mssecure_1033.cab). You might need to create the 1033 subfolder. Click Next.
  7. Click Next at the installation dialog box.
  8. The tool asks whether you want the installation to automatically create a collection and advertisement. Select both check boxes. You can also opt to assign the package to all distribution points. Enter a package name (e.g., Software Scanning Tools) and click Next, as the figure shows.
  9. Enter the name of the server that you'll use to periodically check for new versions of the update database. By default, this will be the SMS server, assuming that it has Internet connectivity. Click Next.
  10. Enter the name of a test computer--an SMS-known machine, which can't be the SMS server--and click Next. If you don't want to use this option, then you should have cleared the Create Collection check box in step 8.
  11. Click Next.
  12. Click Finish to complete the installation.

In your SMS infrastructure, you'll now notice three additional collections: Software Scanning Tools and the two new advertisements, Software Scanning Tools Sync and Software Scanning Tools. The Software Scanning Tools Sync advertisement is responsible for obtaining the current update database, so you should leave it alone. However, you can modify the Software Scanning Tools advertisement or create your own advertisement to push the scanning tool to other systems. By default, the advertisement services only the Software Scanning Tools collection, which contains your test machine. You can change this setting to point to, for example, All Systems. If you look at the advertisement in detail, you can see that it runs once a week at a specific time. By default, this is the same time that the Software Scanning Tools Sync advertisement runs, which isn't ideal because you want to download the new patch file before advertising it to clients. I usually modify the Software Scanning Tools advertisement to start a few hours after the Sync advertisement runs. You should test the updates first, so it's a good idea to leave this default test machine available for patch package deployment testing.

Now repeat the entire update-deployment process for the Office Patch (officepatch_enu.exe). If you don't have connectivity, download the files here and here and save to the C:\program files\officepatch\pkgsource folder (invcm.exe and invcif.exe). Name the package Office Scanning Tools.

On client machines, you can force discovery of the software-scanning advertisement by manually initiating the Machine Policy Retrieval & Evaluation Cycle. After a few minutes, open Windows Task Manager to check whether scanwrapper.exe and mbsacli.exe execute, and you can check the scanwrapper.log file in the C:\windows\system32\ccm\logs folder for execution confirmation. Then you can force a hardware inventory cycle to report back to the SMS server the client's patch status.