
Patch Tuesday Status

 

All catalogs were released at 10am today! (Yes including the one for ITMU!) 

 

Here are some highlights for this month’s release:

 

·         9 new security bulletins

·         1 re-release (MS07-038) (detection logic only, no binary updates)

o    Customers that have already deployed this update will not be required to re-deploy it

·         All updates are covered by the supported scan tools.

 

Please review the bulletin details here: (http://www.microsoft.com/technet/security/bulletin/ms07-aug.mspx)

 

Other interesting Non Security Updates in the ITMU cab include:

 

·          SMS 2003 SP3 (For Admin Console Upgrades only)

 

 

There is also a known issue with Windows 2000 clients that are being scanned with ITMU. This issue and resolution are documented in:

KB941440: The scan process fails when the SMS 2003 Inventory Tool for Microsoft Updates tries to scan Microsoft Windows 2000-based SMS 2003 Client computers for compliance (http://support.microsoft.com/kb/941440)

Last month we ran a series of TechNet web chats on some of the features in ConfigMgr 2007. The transcripts to those chats have now been posted to TechNet. The best way to get to them is via the new ConfigMgr TechNet Tech Center's community page. The link is right at the top: http://technet.microsoft.com/en-us/configmgr/bb625749.aspx

 

 

 

I am happy to announce that as of last Friday evening, SMS 2003 SP3 is now offered to SMS 2003 Admin consoles via WSUS, Microsoft Update and Automatic Updates.

 

It will also be included in the MU offline catalog that ITMU consumes when the next version of the catalog releases in conjunction with Patch Tuesday on 8/14.

 

Just like SMS 2003 SP2 on WSUS/MU/AU/ITMU, this update is applicable to Admin Console installs only. It will not be offered to Primary or Secondary Site installations.

 

**Update**

I have received feedback that some folks are having problems with the below link. I will work with the connect folks to figure that out, in the meantime, I have attached the file directly to the blog. Hopefully, that will help.

When preparing to deploy SCCM 2007 in your lab or production environment there are a lot of things you need to do to help ensure that the server setup will run smoothly.

We developed something that we call the "Pre-Flight Checklist" as a way to help ensure that those tasks are complete before you even launch setup.

It is in a format that enables it to be used the "good old fashioned" way, by printing it out and physically "checking off" each item once it is complete.

Please check it out and send us feedback on what you think works, what doesn't work, or anything you feel is missing.

https://connect.microsoft.com/content/content.aspx?ContentID=6028&SiteID=16

**Update**

I have received feedback that some folks are having problems with the above link. I will work with the connect folks to figure that out, in the meantime, I have attached the file directly to the blog. Hopefully, that will help.

Steve Pruitt has created a great blog post on this topic. Check it out: http://myitforum.com/cs2/blogs/spruitt/archive/2007/07/19/patching-standards-or-objectives.aspx

 

RC1 of Configuration Manager 2007 has just been declared and is now available on Connect:  http://connect.microsoft.com.

Look under Available Connections for Systems Center Configuration Manager 2007.  Note you must be registered and signed in to Connect to see this Connection.

Spread the word.

 

 

Due to an internal issue with our web publishing system, the scan tool catalogs were delayed in their release. They all finally went live about 2pm PST.

Patch Tuesday Status

 

Today is Patch Tuesday. Here are some highlights for this month’s release:

 

·         6 new security bulletins

·         1 re-release bulletin (MS06-078)

·         All of today’s bulletins are covered by SMS Patch Scan tools

·         The Detailed bulletins are posted here: http://www.microsoft.com/technet/security/bulletin/ms07-jul.mspx

 

 

Other info:

 

MS06-078 was re-released to address installation issues documented in KB923689. Customers that have already successfully installed this update will not need to re-deploy it.

 

Full details for this re-release are documented in the security bulletin.

 

 

Check out Wally's Webcast on SMS 2003 SP3:

http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032341248&EventCategory=5&culture=en-US&CountryCode=US 

 

Over the next few weeks the SCCM product team will be hosting a collection of TechNet web chats focusing on the following features:

 

·         Deployment

·         Operating Systems Deployment

·         Software Updates Management

·         Desired Configuration Monitoring

·         Internet Based Client Management and Native Mode

 

These web chats are a great way for you to interact directly with members of the product team in an informal “Q & A” online chat format.

 

We look forward to seeing you there!

 

 

Deploying System Center Configuration Manager 2007
Q&A with the SCCM 2007 Deployment Feature team.

June 29, 2007
10:00 A.M. Pacific Time

 

Operating System Deployment with System Center Configuration Manager 2007
Q&A with the SCCM 2007 OSD Feature Team

July 10, 2007
10:00 A.M. Pacific Time

 

Software Updates Management with System Center Configuration Manager 2007
Q&A with the SCCM 2007 Software Updates Management Feature Team

July 12, 2007
1:00 P.M. Pacific Time

 

Desired Configuration Monitoring with System Center Configuration Manager 2007
Q & A with the SCCM 2007 DCM Feature Team.

July 19, 2007
10:00 A.M. Pacific Time

 

System Center Configuration Manager 2007 Internet Based Client Management and Native Mode
Q & A with the SCCM 2007 Client team focusing on Internet Based Client Management and Native Mode Security Configuration.

July 24, 2007
10:00 A.M. Pacific Time

 

For those of you who are using the SUIT with SMS 2.0 or SMS 2003, from the newsgroup post:

MSSECURE.XML Data Version 2007.07.20.0 for use with MBSA 1.2.1 (SMS 2.0 or 2003 with Software Update Inventory Tool (SUIT)) was last modified today, June 20, 2007, and is now available for all supported languages (English, French, German and Japanese). Today's release contains an update to the scan logic of MS07-033, which affected the accuracy of detection on Windows 2000 SP4 with Internet Explorer 5.01 SP4.

-Dan-

 

I received some feedback that I didn't include information about the ITCU when I did my post about the SMS 2003 scan tools.

So, here you go:

Inventory Tool for Custom Updates (ITCU): This scan tool ships as one of the features of SMS 2003 R2. It operates similarly to the other scan tools in that it has a scan component and a catalog of metadata that is used to detect applicability, installation and "IsInstalled" rules. The big difference is that the catalog is not synced on a schedule; the sync must be done manually via the Custom Updates Publishing Tool (CUPT).

The publishing tool is where the real magic and power of this feature come into play, as it enables customers, ISVs, OEMs, etc. to generate their own catalogs for LOB or 3rd party updates. There are already a few ISVs that have created catalogs; you can find them here: http://www.microsoft.com/smserver/partners/itcucat.mspx

System Center Updates Publisher (SCUP): This is the next generation of the publishing tool, and primarily designed for use with System Center Configuration Manager and System Center Essentials. You can find more information about SCUP in Jason Lewis's blog here:

http://blogs.technet.com/jasonlewis/default.aspx

 

Here is a quick way to troubleshoot ITMU detection issues on a client.

Review this MSDN article: (http://msdn2.microsoft.com/en-us/library/aa387290.aspx). Save the VB script from it and the updated catalog file to a machine you think is suspect, and give the script a name (e.g. scantest.vbs).

Make sure you update the line in the script that references the path and the name of the cab. (By default, it's the old cab name.)

Run the script and redirect the output to a text file (e.g. scantest.vbs > results.txt).

If the update you are looking for shows up in the results file, but not in SMS, then the scan itself is working and you should start troubleshooting SMS. (I would start with the client log files, then client WMI (Win32_PatchStateEx class), then follow the flow up the hierarchy.)

If the update doesn't show up in your results list, then it may be an issue with the catalog itself, and you would need to open a case with CSS to help investigate.
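A variant of the offline scan described above, as an added example (it is not the MSDN script and not the author's code): it takes the cab path as an argument instead of a hard-coded line, and prints the bulletin and KB numbers for each applicable update so the results file can be matched line by line against what SMS reports. The file name scantest-kb.vbs and the output layout are assumptions; the Windows Update Agent calls are the standard WUA COM API.

```vbscript
' Added example: offline WUA scan against a catalog cab, one line per update.
' Usage: cscript //nologo scantest-kb.vbs <full path to cab> > results.txt
Option Explicit

Const ssOthers = 3   ' ServerSelection value: use the service named in ServiceID

Dim cabPath, session, manager, service, searcher, result, update, i

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo scantest-kb.vbs <full path to catalog cab>"
    WScript.Quit 2
End If
cabPath = WScript.Arguments(0)

' Fail early on a wrong path or stale cab name instead of a COM error later.
If Not CreateObject("Scripting.FileSystemObject").FileExists(cabPath) Then
    WScript.Echo "Catalog not found: " & cabPath
    WScript.Quit 2
End If

Set session = CreateObject("Microsoft.Update.Session")
Set manager = CreateObject("Microsoft.Update.ServiceManager")

' Register the cab as a scan source and point the searcher at it.
Set service = manager.AddScanPackageService("Offline Sync Service", cabPath)
Set searcher = session.CreateUpdateSearcher()
searcher.ServerSelection = ssOthers
searcher.ServiceID = service.ServiceID

' Applicable but not installed, evaluated only against the supplied catalog.
Set result = searcher.Search("IsInstalled=0")

WScript.Echo "Catalog: " & cabPath
WScript.Echo "Applicable, not installed: " & result.Updates.Count
For i = 0 To result.Updates.Count - 1
    Set update = result.Updates.Item(i)
    WScript.Echo JoinIds(update.SecurityBulletinIDs, "") & vbTab & _
                 JoinIds(update.KBArticleIDs, "KB") & vbTab & update.Title
Next

' Flatten a WUA string collection into "a,b"; "-" when the update has none.
Function JoinIds(ids, prefix)
    Dim id, out
    out = ""
    For Each id In ids
        If out <> "" Then out = out & ","
        out = out & prefix & id
    Next
    If out = "" Then out = "-"
    JoinIds = out
End Function
```

Because the catalog path is echoed at the top of the output, a results file also records which cab the client was actually scanned with.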

 

Today is Patch Tuesday for June, 2007.

 

All of the SMS scan tool catalogs are now live, and available to sync.

 

I strongly encourage you to review the security bulletins located at (http://www.microsoft.com/technet/security/bulletin/ms07-jun.mspx)

 

I also encourage everyone to register for and attend the TechNet Webcast about this month's security updates. (http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032327013&EventCategory=4&culture=en-US&CountryCode=US)

 

This webcast provides detailed info about each bulletin and allows you to ask questions, to be answered by a panel of experts including yours truly. :-)

 

 

SMS Scan Tool Support:

 

·         ITMU – All updates

·         SUIT (MBSA 1.2 Based) – 4/5 of the Windows Updates

·         EST – For OE Update

·         ODT – For Visio and CMS re-release.

 

 

One final note: In the past, you may have received info like the above via Bryan Keller's Blog (http://blogs.msdn.com/bryanke)

 

Bryan is still with us, but has moved on to other projects and I have taken over the "Patch Tuesday" process for the SMS team.

 

 

 

Hello everyone! My name is Dan Conley and I am a Program Manager on the SMS/SCCM Sustained Engineering team. One of the many areas I am responsible for is the monthly "Patch Tuesday" processes for the SMS team. This means that my team tests and validates that all of the SMS Patch tools can successfully detect and deploy that month's security updates prior to their release.

As the inaugural post of this blog, I thought I would answer a question that I get a lot: "What are all of the Patch Scan tools that SMS 2003 supports, and when should I use one vs. the other?"

SMS 2003 supports the following software update (a.k.a. patch) scan tools:

Security Update Inventory Tool (SUIT) - This was the first "generation" of the SMS scan tools and is based on the MBSA 1.2.1 scan engine.

Office Inventory Tool for Updates (ODT) - This scan tool is based on the Office Updates Detection Tool (ODT) from the Office Deployment Resource Kit. This is also the same technology that the stand-alone version of MBSA 1.2.1 uses for its Office update detection.

Both of the above scan tools are bundled together and are collectively called the "Systems Management Server 2003 Service Pack 1 Scan Tools". Don't be confused by the name, as both of these tools work just fine on SMS 2003 SP2 and SMS 2003 SP3.

Extended Security Update Inventory Tool (ESUIT) - This scan tool is based on the stand-alone Enterprise Scan Tool (EST). The MBSA 1.2.1 scan engine has a hard-coded list of products it can support. Therefore we were forced to create a tool to "fill the gaps", so to speak. The ESUIT fills that gap. Unlike the SUIT or ODT, which will automatically (in the default configuration) "sync" a new catalog every month, the ESUIT must be downloaded and installed on the site servers in order to ensure you are scanning with the latest catalog.

The combination of the SUIT, ODT and ESUIT will provide SMS 2003 customers with complete Microsoft Security Update detection and deployment coverage for all but the latest products.

This is important: Due to the limited architecture of these legacy scan tools, most new products are not supported. For example, Windows Vista, Internet Explorer 7, SQL Server 2005, Exchange 2007, etc. Check out the MBSA home page for the latest product list and information.

Inventory Tool for Microsoft Updates (ITMU) - This is the latest generation of security update scan tools for SMS 2003. It is based on the Microsoft Update offline catalog, and contains security updates, update rollups, and service packs for all products supported by WSUS. ITMU was designed to replace the need for the original 3 separate scan tools, and allow SMS admins to only have to manage one scan tool.

If all of the products in your environment are currently supported by WSUS, then you can (and should) only use ITMU as your security update tool for SMS 2003.

The most common caveat that I see is that some customers still need to support Office 2000 in their environment, and ITMU does not support Office 2000 updates. In these cases, you have a few options, but all of the scan tools can coexist, therefore it is possible to run ITMU for everything, and just use the ODT for the machines that are still running Office 2000.

Thanks,

-Dan-
