Rod and some others let us know about the ITMU webcast from the other day. If you missed it, it is available for download now.
The text questions and answers that were asked during the webcast won't be available for download, but I saved as many as I could before the message window filled up. There is some pretty important stuff in here, so read away.
Question: How about support for Exchange? Minimum version required?
Answer: Exchange 2000+ is supported for patching
Question: I hear there are issues with installing secondary site servers on domain controllers, in particular to IIS and bits. Is this true, and if so, do we have fixes?
Answer: I'm not aware of these issues. I've seen problems occasionally on Windows 2000 Servers with IIS metabase corruption which can require you remove and reinstall IIS, but nothing specific to Domain Controllers.
Question: I've noticed that IE patches (MS05-038) distributed thru SMS Software Update times out on the PC with a Failsafe timeout. The patch was successful on about 50% of our PCs. The others get the Failsafe Timeout. Is there a known issue?
Answer: Through ITMU or MBSA-based scanner? In MBSA-based scanner, you should check the command line for the update. It is an IExpress package so it should be /q:a /r:n. ITMU deployment should handle that for you.
Question: Is there a preferred order for installing the prerequisites? Should all the server side software be installed before upgrading the SMS clients?
Answer: No preferred order, other than you should apply the updates prior to installing/using ITMU.
Question: Can a secondary site run on a NAS?
Answer: No
Question: Are these queries provided with ITMU?
Answer: I don't know about these queries specifically, but guidance is provided in the pre-installation guide on how to check for the pre-requisites.
Question: Can we run a share Distribution point on a NAS?
Answer: No, this is not a supported platform.
Question: So, if we're one of those silly customers that customized the sp1 mof, and did not add the sp1 changes to our custom mof, is it enough to change it on the servers, or do we have to distribute it to all clients for local compile?
Answer: I believe you'd need to recompile on the clients.
Question: Is there any documentation/examples that can be referred to for deploying WSUS via SMS to non-English Operating Systems?
Answer: I'm not aware of anything that specifically addresses non-English OSes.
Question: Are there any additional bandwidth concerns we should be aware of when using ITMU?
Answer: Nothing different from core SMS software distribution considerations. If bandwidth is an issue, be sure to keep Software Updates package sizes manageable, as distribution/replication of this could be quite expensive. For software updates - be careful when using Download and Execute option in advertisement properties, as it could grow quite large if you keep using the same package with new updates.
Question: Why can't I install KB901034 on German SMS 2003?
Answer: Make sure you are using the DEU version. ENU version will not install on German SMS Site Server.
Question: MOF Again... The confusing point for me, I didn't send out any mof to recompile when we moved to SP1. Through what mechanism does the sp1 client create classes?
Answer: Correct, you wouldn't have needed to, the initial install of the SP1 client would have done this.
Question: How do you check the XML version on each client workstation?
Answer: You could collect software inventory for the xml specific files and verify the version of them (such as msxml.dll, etc.)
Question: Is there a document describing how to remove obsolete entries from the Update Type selection drop-down in the Distribute Software Updates Wizard? For example, the February 2005 extended update tool left an entry even after upgrade/removal, and we still have "Security" listed from the really old update tool.
Answer: Update type is retrieved from the UpdatesSummary table and that data will get phased out as old patch data is not reported. 90 days I believe is the time.
Question: Does the Automatic Updates Service have to be enabled and started on workstations for this to work?
Answer: Yes, the service must be enabled - however, automatic updates do not have to be turned on through the control panel->Security Center.
Question: Since the Automatic Updates service is a requirement, is it OK to turn off Automatic Updates in Control panel but still have the AU service set to Auto and have it running? I don't want users to automatically pull down their own hotfixes from the Windows Update site.
Answer: Yes, exactly
Question: What is the minimum version of MSXML required for the clients to run the scans?
Answer: MSXML 3
Question: Is MSXML 3.0 or later included in Windows 2000 SP4 and greater?
Answer: Yes.
Question: "I'm not aware of anything that specifically addresses non-English OSes." Are you implying that the process and KBs that need installed are the same for non-English OSes?
Answer: There are language specific versions of the hotfixes, but the changes made to support ITMU are not language specific.
Question: I have a French client. Is there a big concern for agent updates?
Answer: Not sure what you mean. French should work just fine.
Question: Is the ITMU the long awaited update to utilize mbsa 2.0 and the same patch catalog as WSUS server?
Answer: ITMU actually uses the Windows Update agent, not MBSA, but it does use the same catalog content as WSUS (offline).
Question: Will ITMU have multilanguage version?
Answer: There's not a multi-language version, but there will be versions for the core OS languages (English, German, Japanese), and it supports ICP clients (installed from sites with ICP1 or ICP2 installed).
Question: How will a pre-existing WSUS installation affect deployment of ITMU?
Answer: It shouldn't affect anything. However the systems will work independently to patch machines. When SMS is using AU, it will lock the agent and not allow any other calls. This would prevent WSUS from deploying at the same time.
Question: Do we have to get the command line parameters right still or does ITMU grab those for us now?
Answer: ITMU does that for you now.
Question: After running KB901034, I started having a problem with my Default Web site not running. Somehow it has entered a duplicate host header. Is this normal?
Answer: Mike, this is definitely not normal. I can't give you timely advice on this in this forum, so you may want to contact Microsoft Product Support Services.
Question: I've also noticed that IE patches (MS05-038) distributed thru SMS Software Update times out on the PC with a Failsafe timeout. The patch was successful on about 50% of our PCs. The others get the Failsafe Timeout. Is there a known issue? We used MBSA 2.x to scan. Manually executing the MS05-038 patch runs very quickly.
Answer: SMS uses a special deployment package because MBSA would offer the patch on NT4 and it would fail. So SMS uses an SMS deployment wrapper which is IExpress which uses /q:a /r:n. That is most likely the issue. Please check your command line.
Question: Are there any known issues with downloading the updates through the DSUW? DSUW keeps hanging on us and requires a reboot to continue downloading updates.
Answer: Don't know of any issues around this. Check your connectivity and review the logs (located in ccm\logs directory) for possible errors.
Question: Is the test client nothing more than a member of a test collection?
Answer: Yes
Question: Do ScanWrapper and SMSWusHandler reside in the same directory?
Answer: Yes
Question: Do you have to enable the Automatic Updates service for this to work?
Answer: Yes, you must have the Automatic Updates service running for Scan/Update in ITMU to work.
Question: Where can I find the DEU 901034? I only find ENU.
Answer: Those may not be made available until the German version of ITMU is released.
Question: Why are Updates stored in a hardware inventory?
Answer: Hardware inventory and the corresponding WMI classes are used for patch management data.
Question: For us that need to get started, we need to deploy either the process of 901034 or the other two hotfixes on all existing clients? Wally's presentation *assumes* this was done.
Answer: Yes, that's correct - the clients must be running the updated client.msi or the updates to the SP1 version of the advanced client.
Question: If you have to enable the Automatic Updates service then how do you keep updates from getting downloaded from MS automatically?
Answer: Turn off the option to automatically update in Control Panel->Security Center. This can also be enforced via Group Policy.
Question: The wizard for deploying updates will that be resizable window?
Answer: No, it is still not resizable, sorry.
Question: If the Automatic Updates service must be running for Scan/Update in ITMU to work, is there a package/program that SMS can push to install/update this service setting?
Answer: There's not a package/program available for this - you can use Group Policy in Windows to perform this.
Question: Does Microsoft have any "Best Practices" for creating Software Update packages? In other words, what if you wanted to rollup two months of updates into a single package ? Also, can you rollup Windows 2000 and XP Pro into one as well?
Answer: You can create large packages or smaller packages; it is up to you. When determining how large a package to create, you need to consider bandwidth of your clients. Large packages with download and execute are downloaded in full to the client. If your clients are not mobile and have stable network connections, you should create large packages and run from distribution points. If many of your updates require reboots, it is better to chain them together to reduce reboots required on the target machine. If they do not require reboots and you want to take advantage of BITS and download/execute, then create smaller packages. It really depends.
Question: Is it possible for an attacker to falsify the patch compliance information stored in WMI?
Answer: Does the attacker have administrative rights to the box? If so, yes. If not, no. The namespace is ACL'ed such that only authorized principals can update.
Question: AU can be set to manual and still function properly, correct? Just can't be disabled AFAIK.
Answer: I believe that's correct: it supports on demand start via COM.
Question: So do you remove the old software updates node when you switch over to ITMU?
Answer: No, the ITMU updates appear in this node alongside other scan types.
Question: Will these Questions and Answers be available for review?
Answer: You
Question: Will applying the hotfixes individually on some clients and pushing out the new client to others result in the same client version?
Answer: No, if you apply the two individual hotfixes, they just update the components required for ITMU support, not the full client version. If you apply the new client, this updates the client version completely.
Question: As the WU agent controls installation of the hotfixes, does the tracing of the logs still load in the %windir% folder? (Whereas, if the patchinstall program failed with an irrecoverable error there were no logs unless you enabled voicewarmup.)
Answer: You will have patchinstall logs and wu logs. Windows Update will log its scan activity as well.
Question: When will you release the German ITMU?
Answer: We are currently finishing up translating the final few documents for the tool. It should be released soon.
Question: Does ITMU simplify language-specific hotfix distribution? I know that with SUS, we didn't have to worry about it, and Software Updates with SMS 2003 appeared to make it a bit more difficult. My point is that I want to make patch distribution as transparent as possible for both languages.
Answer: Yes. ITMU automatically handles all language updates supported by a patch. It is much improved over previous tools.
Question: Can I set up a DP in a different Domain without a SMS site online (A share DP not a Standard SMS DP)?
Answer: Not sure I understand the question, but the SMS Site server is required to update Distribution Points, share or system.
Question: Will the SP-2 installation be more simplified than the ITMU install process or will it be this current process plus other steps?
Answer: It will be more simplified as all the prerequisite hotfixes will be included in SP2 installation.
Question: Will ITMU better handle versioning of Hotfixes? Rereleases like MS05-019 caused severe problems with the old feature pack.
Answer: The catalog used by ITMU should handle these kinds of issues more smoothly, and centralizes the updates so there's less confusion.
Question: It sounds like I could package updates for Office, XP SP1, XP SP2, IE, Exchange, etc..... all in one package?
Answer: Yes you could.
Question: Which requirement will require reboots on the client? Server?
Answer: The only restart requirement is for the Windows Installer (MSI) 3.1 pre-requisite. All SMS client and Server updates do not require a restart.
Question: When will the vulnerability class be used? I thought ITMU was going to use it, but I guess not.
Answer: Right, vulnerability is a different tool, TBD.
Question: Since ITMU creates a Win32_Patchstate_Extended WMI class, does it remove the old Win32_Patchstate class? If it's still there, wouldn't it still be picked up in the HW Inv and therefore the old tool info would still be added to the DB with every HW Inv cycle?
Answer: The Win32_PatchState is not removed, and would continue to be reported.
Question: Will the ITMU be part of SP2 by default?
Answer: The tool will be available for installation as part of SP2 and all prereqs will be included in the SP2 installation.
Question: If SP-2 includes the hotfixes and the ITMU, why wouldn't I wait for it, rather than going thru this? How soon will SP2 beta go "prod"?
Answer: I guess if you didn't need the features from ITMU right now, you could wait. SMS 2003 Service Pack 2 is anticipated early 2006.
Question: With WSUS, a simple domain policy enables us to report patch status on all domain workstations (many thousands of them). With ITMU, do we have to push the Advanced Client to all domain-connected systems in order to report patch status?
Answer: You would, yes.
Question: We have many clients where the AU service is disabled and I saw no problems. Are you sure it has to be enabled?
Answer: If the actual AutomaticUpdates service in service manager is disabled, ITMU detection and deployment should not succeed. That is different than disabling automatic updates through the control panel.
Question: When does the patch status change to installed in the database? After the install, reboot, and hw inventory? Or does another scan/hw inventory have to run after the reboot?
Answer: After the install, reboot and status message, you should see the status change. You do not need a full h/w cycle.
Question: I know we will see it shortly in the demo, but has the DSUW window size been increased? In particular, the screen where you select the updates is unmanageably small. If it hasn't been enlarged, what technically is preventing this from being fixed?
Answer: You will see shortly that it has not. There are no plans to change it in the current version of SMS.
Question: Can a standalone scan package or patch package be created with ITMU engine or is SMS required?
Answer: SMS is required. You could code your own offline wsusscan.cab scan tool as the Windows APIs are there for such a thing. However, SMS is a great way to integrate the WUA scan and deployment technology for enterprise customers.
Question: Are you saying there are no plans to increase the DSUW window size even in SP2?
Answer: Correct.
Question: Does the old info in software updates get overwritten?
Answer: No, that data as well as the old scan tools can still be used alongside ITMU.
Question: Does the windows update agent service have to be set to Automatic for ITMU scanning to work, or is Manual sufficient?
Answer: If it is manual, SMS agent will start it prior to scan.
Question: Is smswish@microsoft.com the place where we'd suggest improvements for SMS (like the DSUW window size thing)?
Answer: Absolutely.
Question: Does the ITMU have to scan machines before it will show patches?
Answer: No, you will see patches in DSUW before scans take place. This is if you need to deploy a patch quickly before scans have completed.
Question: Could you ask the developers to entertain the idea of making the DSUW window sizeable and/or enlarging it?
Answer: Yes.
Question: It must be one of the UNIX Admins type of things - "It's hard and we like it that way"?! Can we get the email address of the responsible programmer so we can send hate mail? Just kidding. Sort of. Well, not really. We REALLY hate it - it's like being back in the Windows 3.1 days. Must have been programmed in VB.Net 1955.
Answer: :-)
Question: I installed updates with this new tool and the machines rebooted... are you sure you need no switches?
Answer: If the patch absolutely requires a hard reboot before other patches are applied, reboot will take place. Very few patches have this requirement.
Question: The ITMU tool was installed about 2 months ago at my site. I like to update it with the latest version. Can I just run the latest version?
Answer: You should apply all the latest prerequisites and then upgrade the scan tool. I would suggest deploying the latest WUA separately as the dependent program history will have shown that it ran with your previous installation.
Question: For ITMU, what should the security mode on the server be: Advanced or Standard?
Answer: There's no requirement for either mode.
Question: Is there any way to get ITMU to show ONLY certain updates (example, only W2K or WXP) and not others?
Answer: You can filter in the DSUW wizard by product, kb, etc.
Question: Quick question... can you rollup Windows 2000 Pro and XP Pro updates into a single package or is this not advisable? I'm assuming ITMU will install the correct OS version?
Answer: There shouldn't be any problem with creating packages that span OS's. SMS will take care of things.
Question: Any SPs required for Windows 2003?
Answer: No. RTM is supported currently.
Question: ITMU has been installed on my lab on the Central Site Server. All ITMU hotfixes have been installed on Central and Primary Site Servers. When I run the Software Compliance report in the Primary site there is no data returned. If the same report is run from the Central Site data is returned. Is this by design?
Answer: The software compliance reports are updated to look at additional tables/data, you'd need it installed at the Primary Site to see them there.
Question: Can these queries be distributed?
Answer: I don't know of any plans to provide them after the WebCast, if that's what you are asking.
Question: Where can I download the necessary files to pre-stage the installation from local source?
Answer: Sorry, to pre-stage the installation of what? (I'm missing context here, most likely :))
Question: Does ITMU only have to be installed at the central site? That is how MBSA 2.0 is installed in my environment now.
Answer: This will work, yes. Keep in mind that reporting will not work at child sites, however.
Question: If I install 901034, 900257 and 900401, will that change any reports before installing ITMU?
Answer: No, it will not.
Question: Are there any special instructions for installing the new SMS Client on the SMS site server? We have a 2003 server that will not upgrade the client as the SMS Client Host service is busy and will not exit.
Answer: There are no special instructions beyond what's provided in the Pre-Installation guide - this sounds like a problem that you should work with our Product Support Services on.
Question: I just verified that the AU service must be set to at least manual. This should be listed as a requirement! We will not be able to go forward using ITMU as our company policy calls for this service to be disabled.
Answer: Please check out the readme which discusses this. There are many group policies that will lock down all Windows update features on the desktop, but still allow the AutomaticUpdates service to be enabled. Please review the readme and reconsider.
Question: My environment has about 5,000 clients on SMS SP1. I would like to lower my software and hardware inventory cycles to 12 hours. Is this ok and what could be average size of the inventory data deltas?
Answer: The answer to this really depends on what your environment (network/server hardware, etc.) is like. I can't give you a yes/no answer. In general, make small changes to schedules and monitor closely.
Question: We have had issues with WMI repository corruption on some workstations, won't this cause MBSA or ITMU scans to fail? Any ideas on what causes this corruption?
Answer: This could certainly cause problems, as we use WMI to store scan data. No specific ideas on what the problems could be, sorry.
Question: How will SMS SP2 affect users that have ITMU installed now? Will it just overwrite the current ITMU install or ?
Answer: SMS 2003 SP2 will include the pre-requisite SMS hotfixes, but will not overwrite ITMU. The plan currently is to provide ITMU with SP2, but not force an install. If you did install a later version of ITMU, it would upgrade the current version, retaining your settings/config.
Question: Where can I look for information that may help me estimate my inventory (hw/sw) deltas so I can estimate what traffic to expect on my network based on decreasing/increasing my inventory schedules?
Answer: Check out the SMS 2003 Capacity Planner: http://www.microsoft.com/downloads/details.aspx?familyid=009e0c30-bded-4b95-a8f9-06037de85c57&displaylang=en
Question: Looks like we can recur patch distributions. Is it best practice and recommended that we recur distributions of patches? I am concerned with network traffic.
Answer: Yes, you can do this - how often is up to you.
Question: If the ITMU tools are installed at the Central Site, could I push out the patches from a Primary Site server?
Answer: You'd need to install ITMU on that Primary Site.
Question: If I need to install the ITMU tool on the Primary site server to push out patches and view updated reports, why would I install the ITMU tool on the Central site server?
Answer: To view reports and push out from the Central site server as well.
Question: How long should we keep the recurring monthly patches active? Couple of weeks, month, ??? If we keep these all active and recurring, clients will start getting hammered with advertisements over time. At what point do you go to a 'cleanup' mode of operation?
Answer: Best practice would be to consolidate so you don't have a bunch of advertised software updates out there. When you switch to a new advert/package would depend on how long it takes to get compliance on each set. You could do every 3 months, for example, with a 2 month overlap between updates.
Question: We have 9 Primary sites including 1 central site and 41 secondary sites - do all sites need to be updated with all patches and the ITMU or just the central site?
Answer: ITMU would need to be installed on the Central Site, the SMS hotfixes / advanced client update needs to happen everywhere as well as anywhere with an MP installed.