SMS 2003 Patch Management and ITMU Best Practices
I have been receiving several requests for best practices for ITMU and patch management with SMS 2003, so here are my responses to one of the emails, which covers most of the questions I have been receiving. These are best practices based on what I have experienced in a large enterprise environment; they do not reflect Microsoft's recommendations, but they are close.
****************************************
I saw your presentation about SMS 2003 and patch management on the web, and I have some questions about the best practice for deploying security fixes:
- How many fixes are recommended to include in one SMS package? In our organization we build a package and advertisement for each security fix.
See ITMU Best Practices below
- If I advertise the package, for example to all my XP workstations, will the ITMU scan recognize only the fixes that are needed and approved and install them?
See ITMU Best Practices below
- After I installed some fixes I still see in Resource Explorer in the SMS console that the fix is in Applicable status. In this situation, since I scheduled the advertisement once a week, would the fix be installed again and again until the status changes to Installed?
You need to run the expedited patch setting. The reason you are not seeing anything change is probably that you are only scanning once a week and not following the scan with a hardware inventory cycle to retrieve the results: the ITMU scan writes its results on the client, and they only reach the site database, and therefore Resource Explorer, when hardware inventory runs after the scan. Until that happens the console keeps showing the old Applicable state. The installation agent re-checks applicability on the client when the advertisement runs, so an update that is already installed is not reinstalled just because the console has not caught up yet.
- What is the best way to build the collection for the security fixes: a smart collection with a SQL query that selects, for example, only XP systems with MSxx-xx in Applicable status? Or a flat collection that includes all XP systems?
We use a tiered approach, rolled out in reverse: we start with the smallest group and work our way up to everybody, so that by the time the advertisement reaches the top collection every machine is in the pot. Advertise to test machines A first, then to test group B, then to the top collection.

(Top collection) Collection of all agency systems
    ---> Collection of test group B
         Ex: a small group of 100 or so machines across all areas of the agencies
    ---> Collection of test machines A
         Ex: a test group of 10 machines belonging to IT staff
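A worked check for the two points above: seeing whether an update that Resource Explorer still reports as Applicable has actually been reported through hardware inventory, and scoping the question to XP systems the way a query-based collection would. This is an added example and is not part of the original post or of any SMS documentation. It is T-SQL against the SMS 2003 site database: v_R_System, v_GS_OPERATING_SYSTEM and v_GS_WORKSTATION_STATUS are the standard SMS reporting views, while the v_GS_PATCHSTATE column names (QNumbers0, Title0, Status0, TimeDetected0) and the placeholder KB number are assumptions to confirm against your own site database before use.

```sql
-- Added example (not from the original post): check ITMU patch state for one
-- update on Windows XP systems in the SMS 2003 site database, and flag systems
-- whose hardware inventory is too old for the console to reflect the latest scan.
-- Assumptions: v_GS_PATCHSTATE is the reporting view for the ITMU PatchState
-- inventory class and its columns are named QNumbers0, Title0, Status0 and
-- TimeDetected0; the KB number below is a hypothetical placeholder.
DECLARE @KB nvarchar(20);
SET @KB = N'000000';   -- hypothetical placeholder: KB number of the bulletin you deployed

-- Per-system detail: Applicable vs Installed, with the time of the last hardware
-- inventory. A system still listed as Applicable whose LastHardwareInventory is
-- older than the last ITMU scan has simply not reported the new state yet.
SELECT
    sys.Netbios_Name0   AS ComputerName,
    os.Caption0         AS OperatingSystem,
    os.CSDVersion0      AS ServicePack,
    ps.QNumbers0        AS QNumber,
    ps.Title0           AS UpdateTitle,
    ps.Status0          AS PatchState,            -- 'Applicable' or 'Installed'
    ps.TimeDetected0    AS StateDetected,
    ws.LastHWScan       AS LastHardwareInventory
FROM v_R_System                    AS sys
JOIN v_GS_OPERATING_SYSTEM         AS os ON os.ResourceID = sys.ResourceID
JOIN v_GS_PATCHSTATE               AS ps ON ps.ResourceID = sys.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS  AS ws ON ws.ResourceID = sys.ResourceID
WHERE os.Caption0 LIKE N'%Windows XP%'
  AND ps.QNumbers0 LIKE N'%' + @KB + N'%'
ORDER BY ps.Status0, ws.LastHWScan;

-- Summary: how many XP systems show each state, and how many of those have not
-- reported hardware inventory in the last 7 days (the stale rows).
SELECT
    ps.Status0 AS PatchState,
    COUNT(*)   AS Systems,
    SUM(CASE WHEN ws.LastHWScan IS NULL
               OR ws.LastHWScan < DATEADD(day, -7, GETDATE())
             THEN 1 ELSE 0 END) AS StaleInventory
FROM v_R_System                    AS sys
JOIN v_GS_OPERATING_SYSTEM         AS os ON os.ResourceID = sys.ResourceID
JOIN v_GS_PATCHSTATE               AS ps ON ps.ResourceID = sys.ResourceID
LEFT JOIN v_GS_WORKSTATION_STATUS  AS ws ON ws.ResourceID = sys.ResourceID
WHERE os.Caption0 LIKE N'%Windows XP%'
  AND ps.QNumbers0 LIKE N'%' + @KB + N'%'
GROUP BY ps.Status0;
```

Run it from Query Analyzer or save it as an SMS report. Rows that are still Applicable with a LastHardwareInventory older than the last scan are the stale ones described in the question, and the fix is to let a hardware inventory cycle run after the ITMU scan rather than to re-advertise the package. The same WHERE clause, expressed in WQL, would be the membership rule of a query-based collection, but that collection would only be as current as the inventory behind it, which is one reason the flat, tiered collections above are simpler to reason about.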
- What should I do if I want to deploy old security fixes (03/07)? After I deployed a new CAB file I see only the newer ones.
ITMU is supposed to be smart enough not to install patches that have been removed from circulation, either because they were bad or because a newer patch was released that supersedes them. Once the newer catalog CAB is in use, the superseded or withdrawn updates drop out of the scan results, which is why you only see the newer ones; the newer update is the one to deploy.
ITMU Best Practices
- Do a daily ITMU scan
  - Run it at 12pm (noon), when you reach the most systems and have the least effect on your end users' work
- Two methods to deploy patches
  - Monthly update package
    - A monthly package contains only the latest month's patches
    - A monthly ITMU package should be set to download before execution (download from the distribution point, then run locally)
    - The package should be small (under 50 MB in most cases)
    - By downloading the patches first you ensure that the newest patches make it to the system even if there is a network outage during the distribution
    - Set the package to recur
  - Yearly update package
    - A yearly package should be created to contain all patches that were released for that year
    - A yearly ITMU package should be set to execute from the DP
    - By executing from the DP you ensure that only the patches the system actually needs are copied and installed, which saves disk space on the system