Patch Management In The Enterprise, Part II

Packages, Collections And Advertisements

Using SMS2003 is a different experience from many other available patch management solutions. It has its own terminology and nuances that the user will need to grow accustomed to. There are three key components to the deployment of a security patch with SMS2003: the package, the collection and the advertisement. The package consists of the patches that will be bundled together and deployed via an advertisement. During the creation of this package, which is done via a wizard, the SMS server will pull the required patches from Microsoft's website. The collection is the group of computers that will receive the package (if deemed applicable by MBSA or the Office Inventory Tool). For example, a default SMS2003 collection could be "All Windows XP Systems".

An SMS Advertisement for August 05's security patches.

Another key improvement with SMS2003 is its ability to leverage the Background Intelligent Transfer Service (BITS) for the patching of remote clients. If a client is connecting via VPN or a remote dial-up service and there is a pending patch installation, SMS2003 will not immediately consume all available bandwidth. If the client disconnects while a package is being delivered to his or her workstation, the download's current progress is saved and the transfer resumes the next time the workstation connects.

Deployment statistics for the August 05 security patches.

Reporting is a key component of any patch management solution, and it is greatly improved in SMS2003. Over 150 web-based reports are available out of the box, including the ability to check on critical patch deployments.

One of the major drawbacks often cited about SMS2003 is that its Patch Management module covers only Microsoft security patches. This means it will be unable to detect and patch vulnerabilities in the software of other vendors, and it won't be any help for alternative operating systems. Given that the vast majority of worm infections are directed at Microsoft operating systems, this may not be an issue for your organization.