August 2005 - Posts

• Preparing for the ITMU – PatchStatus vs. PatchStatusEx – What’s all the fuss?

  If you (or someone in your environment) have created customized Queries, Collections, or Web Reports for security patch status, you may need to revise these customizations to obtain the data returned by the ITMU.   The following classes were added with SMS 2003 Service Pack 1: PatchStatusEx PatchStateEx ApplicableUpdatesSummaryEx  These views contain all data from their predecessor (e.g. PatchStatus -> PatchStatusEx), and also contain additional information to help uniquely identify updates.  The newer SMS scanning tools (i.e. Inventory Tool for Dell Updates, and Inventory Tool for Microsoft Updates) require these newer fields, and do not update information in their predecessor.  To clarify, if you have Web Reports, Queries, or Collections that depend on PatchStatus, PatchState, and/or ApplicableUpdatesSummary, all queries must refer to the new SQL/WQL fields to obtain data from the new scanners.   Take a look at EricHoltz’s blog for an article titled “Which views should you use for patch status reporting?”  for more detail on this issue.   When installing the ITMU, All “canned reports” installed by SMS should be automatically updated.  All customized reports, queries, and collections will need to be individually modified.   How do I locate and modify my custom Web Reports, Queries, and Collections? Good Question.  You could manually look at each one to determine if modifications are required.  I have also provided three VBScripts to help you: CkCollections.vbs CkQueries.vbs CkWebReports.vbs  Download the scripts now!   Each of these VBScripts checks for the use of PatchStatus, PatchState, and ApplicableUpdatesSummary, in WQL and SQL queries.  To make these scripts functional in your environment, edit each with notepad, and modify the following lines to refer to your SMS server and Site Code:   SMSServer = "SMSVPC" SMSSiteCode = "LAB"   After these lines have been modified and saved, open a command prompt, and change to the directory where the scripts are located, and execute using “cscript.exe” (e.g. “cscript.exe CkCollections.vbs”.)  Each script will display questionable Collections, Queries, or Web Reports.  Now that you have identified them, you can edit them and change them to the new class (e.g PatchStatus -> PatchStatusEx).   Also, when upgrading to SMS 2003 SP1, the SMS_DEF.MOF contains information for PatchStatusEx, which is used to retrieve the data from the client.  If you “tweaked” the SMS_DEF.MOF after upgrading to SMS 2003 SP1, make sure that PatchStatusEx is still included.     Greg   If you have any questions or comments, please send me email: ramseyg@hotmail.com Posted Aug 15 2005, 01:17 PM by Anonymous with no comments

• ITMU - New Web Reports

  While installing the ITMU, the following Web Reports are installed: List of computers that have not scanned with the latest synchronized catalog. The report provides a list of computers within a collection that have not scanned with the latest synchronized catalog. Compliance by Bulletin-ID and Qnumber The report allows you to get the software update compliance results based on Bulletin-ID and QNumber. The report provides a summary of the total number of systems for which the update is installed, missing, not required or outstanding etc. The report combines the compliance results if they were received from multiple scan tools for same Bulletin-ID and QNumber. All computers with a specific update advertisement state This report shows a list of computers which are in a specific state of an advertisement. This report also covers additional advertisement state available for software update advertisements. Software update advertisement Status by software update ID This report lists all software distribution advertisements for the selected update. For each advertisement it also shows the advertisement state and count of machines in that state. This report also covers additional advertisement states available for software update advertisements. Posted Aug 15 2005, 12:34 PM by Anonymous with no comments

• Products currently supported (and not supported) with the ITMU

  Now that I have the ITMU installed, can I remove the SUIT, ESUIT, and OITU? Probably not the ESUIT, possibly the others.   Take a look at this post, and see what products you have that are not supported with the ITMU. **This information is accurate as of August 10th, 2005.  Frequently visit the ITMU page and www.myITforum.com for information on updates. First, to clarify scanning tools. Windows Server Update Services (WSUS) Microsoft Baseline Security Analyzer 2.0 (MBSA) Inventory Tool For Microsoft Updates (ITMU) All three of these use the same scanning engine.  The good news is that all three will report the same data.  So if WSUS finds an applicable patch for a system, both the ITMU and MBSA 2.0 should also identify the same applicable patch.   The ITMU (WSUS and MBSA 2.0 for that matter) currently supports the following products: Microsoft Windows 2000 Service Pack 4 Microsoft Windows XP Microsoft Windows Server 2003 All Windows components (such as MSXML, MDAC, and Microsoft Virtual Machine) Microsoft Windows XP Embedded Microsoft DirectX .NET Framework Microsoft Windows Messenger Microsoft FrontPage Server Extensions (Office XP and later) Microsoft Windows Media Player 10 Windows Script 5.1, 5.5, 5.6 Microsoft Outlook Express Microsoft SQL Server 2000 with Service Pack 4 (SP4) Microsoft Exchange 2000 with Service Pack 3 (SP3) 64-bit versions of Windows Server 2003 64-bit versions of Windows XP Office 2003 Microsoft Office XP SP3 You may notice a few products that can currently be detected with the Software Update Inventory Tool (SUIT) do not appear on the ITMU list.   Specifically: Microsoft SQL Server 7.0, 2000 SP3a (MS03-031) Microsoft Exchange 5.0 (MS05-012) and Microsoft Exchange 5.5 (MS05-012, MS05-029, MS03-046, MS03-047, MS04-026) Microsoft Host Integration Server 2000, 2004 and SNA Server 4.0 Microsoft BizTalk Server 2000, 2002 and 2004 Microsoft Commerce Server 2000 and 2002 Microsoft Content Management Server 2001 and 2002   If you have any of these products in your environment, and would like to be able to continue to detect applicable updates, you will need to continue to use the SUIT (at least for now).   What about Microsoft Office 2000 or Office XP? Office XP – If you have Office XP and are not on Service Pack 3, first consider upgrading to SP3.  If you are unable to upgrade to SP3, you will have to use the current Office Inventory Tool for Microsoft Updates (OITU). If you have Office 2000 installed, OITU is currently your only choice.   What about the Extended Software Update Inventory Tool (ESUIT)? Don’t uninstall the ESUIT just yet.  The ESUIT is currently your only method for detecting updates for the following products/vulnerabilities: ·        MSN Messenger (MS05-009, MS05-022) ·        Microsoft Visual Studio 2002 (MS04-028) ·        Microsoft Visual Studio 2003(MS04-028) ·        Producer for PowerPoint (MS04-028) ·        Microsoft ISA Server 2000 (MS05-034) ·        Microsoft Services for UNIX (MS05-033) ·        Microsoft Interactive Training (MS05-031) ·        Microsoft Word Viewer 2003 (MS05-023)   The articles referenced below are intended for MBSA 2.0.  Since the scanning engine for MBSA 2.0 and the ITMU are the same, supported products should also be the same.   MBSA 2.0 FAQ “Over time, all Microsoft products will be supported through Microsoft Update…”  Unfortunately, we’re not there quite yet.  If you have a Microsoft Technical Account Manager (TAM), be sure to let him/her know you're anxiously waiting for this to happen. KB 895660 Provides detail of products supported.   Questions/Comments:  ramseyg@hotmail.com Posted Aug 10 2005, 03:00 PM by Anonymous with 3 comment(s)

• ITMU and the Windows Update Agent

  Per the Release Notes for the Inventory Tool for Microsoft Updates (ITMU), the "Automatic Updates" Service (Windows Update Agent) must be set to Automatic or Manual to function properly, and must be at least version 5.8.x.  *None of the operating systems or latest service packs (even Server 2003 SP1) have the minimum version required, so there's a good chance your systems will need upgraded. When you install the ITMU, you are presented with an option to automatically create a package and program for the Windows Update Agent installation.  Allowing this to be created will also create a program dependency ("run another program first") on the ITMU scanner to install the correct version of Windows Update Agent.  This is great, and will take care of most issues you may encounter with the Windows update Agent. You may however run into one more issue that needs your attention.  If the "Automatic Updates" (AU) service is set to disabled, the ITMU scanner will not function properly.  Why would the AU service be disabled?  Well, if you have used SMS scanning tools for a long time, you may have disabled the AU service on your systems because it was only needed for obtaining updates via the Windows Update site.  This download contains two files: REPORT_SystemsWithAUDisabled.MOF  - Web report to identify systems where Automatic Updates is Disabled Coll_SystemsWithAUDisabled.MOF - Collection to identify systems where Automatic Updates is Disabled Download here:  http://myitforum.com/inc/upload/10942SystemsWithAUDisabled.zip If you choose to not create the program dependency on the ITMU Scanner, use this download to create a collection of systems that need to have Windows Update Agent upgraded. Download here:  http://myitforum.com/inc/upload/10943WindowsUpdateAgentVersionCheck.zip UPDATE:  8/10/2005 Todd Hemsell noticed that the collection I posted previously would not show systems that do not have the Windows Update Agent installed at all.  Here is a better WQL query to create a collection of “Systems that don't have Windows Update Agent >= 5.8.0.2469”   select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.Name not in (select SMS_G_System_SYSTEM.Name from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "wuauclt.exe" and SMS_G_System_SoftwareFile.FileVersion >= "5.8.0.2469" and SMS_G_System_SoftwareFile.FilePath like "%system32\\%")   This query is based off of Software Inventory, “wuauclt.exe” – The documented method from Microsoft states to use “WUAUENG.DLL”.  In my experience, with 5.8.0.2469 both files have the same version.   Download the .MOF to import the collection here:  http://myitforum.com/inc/upload/10944COLL_WindowsUpdateAgentCheck.MOF     If you have a better query, please send me email, or post a comment!  ramseyg@hotmail.com   Greg   Posted Aug 09 2005, 10:52 AM by Anonymous with 1 comment(s)

• SMS 2003 Inventory Tool for Microsoft Updates (ITMU)

  This post contains links to help you get the ITMU installed properly.  Check back over the next few days -- I plan to update this post with links to more information that I post and/or locate relating to the ITMU. ITMU Pre-Installation: Microsoft Systems Management Server 2003 Inventory Tool for Microsoft Updates Pre-Installation Guide (added 8/8/2005) Obtaining Required Components for SMS 2003 Inventory Tool for Microsoft Updates (added 8/8/2005) ITMU Pre-Installation Process Flow Chart  (added 8/8/2005) Preparing for the Inventory Tool for Microsoft Updates (ITMU) – Updating Windows Installer  (added 8/8/2005) Windows Installer Requirement and the SMS 2003 Inventory Tool for Microsoft Updates by Bryan Keller (added 8/15/2005) Products currently supported (and not supported) with the ITMU  (added 8/10/2005) ITMU Installation: SMS 2003 Inventory Tool for Microsoft Updates (added 8/8/2005) ITMU and the Windows Update Agent (added 8/10/2005) ITMU Post-Installation: Products currently supported (and not supported) with the ITMU (added 8/10/2005) ITMU - New Web Reports  (added 8/15/2005) Preparing for the ITMU – PatchStatus vs. PatchStatusEx – What’s all the fuss? (added 8/15/2005) ITMU and Administrative Installation Points for Office Products (added 12/6/2005) Do you use administrative installation points for Office Proucts? If you do, the ITMU may not detect applicable updates. Tim Minter created an ITMU Category on his Blog (added 8/30/2005) Brian Tucker created a document on myITforum.com SMS 2003 ITMU: Notes from the Field , and he also has a few blog articles related to ITMU. (added 9/27/2005) Microsoft published a video: Using the SMS 2003 Inventory Tool for Microsoft Updates (added 9/27/2005) Greg If you have any questions or comments, send me email:  ramseyg@hotmail.com Posted Aug 08 2005, 10:35 PM by Anonymous with 2 comment(s)

• TechNet Webcast: Modifying the SMS_DEF.MOF for Advanced Clients (Level 300)

  Thursday, August 11th, 2005 2:30 pm EST. Register here: Summary:  Do you already have your Microsoft Systems Management Server Advanced Clients installed, but now need to make changes to your hardware inventory collection process? Do you also want to make sure that newly installed Advanced Clients implement the new configuration? In this webcast, we discuss how to properly configure hardware inventory to add new providers, classes and attributes to your Microsoft Systems Management Server 2003 environment. Presenter: Wally Mead, Program Manager, SMS, Microsoft Corporation Posted Aug 08 2005, 09:40 AM by Anonymous with 2 comment(s)

• OSUG Meeting Aug 4 2005 Agenda

  Agenda: 10:00—10:30am Registration and Coffee Social 10:30—10:40 Welcome 10:40—11:50 ITMU—Are you Ready?  — Greg Ramsey 11:50—12:00 Break 12:00—12:30 SMS Alliance/Web Reporting — Scott Stephen 12:30—1:30 Lunch 1:30—2:20 OSUG Karaoke! 2:20—2:30 Break 2:30—3:30 Open Forum 3:30—Prizes!   SMS Inventory Tool for Microsoft Updates (ITMU) — Are you ready?  Greg Ramsey of Grange Insurance has been working with the ITMU Beta since May.  We will discuss the Pro/Cons, and the process required to get the ITMU installed in your environment. SMS Alliance/Web Reporting — Scott Stephen of Intrinsic Technologies, and SMS Web Reporting Extraordinaire, provides a brief overview of the SMS Alliance (www.sms-alliance.com) and tips to help you excel in SMS Web Reporting OSUG Karaoke! — Yes that’s right, Karaoke has even made its way into OSUG (hopefully this is as far as it goes).  This is your opportunity to “take the mike”, and share experiences (preferably related to SMS) with the rest of the group.  Do you have a quick tip about writing queries?  How about deploying a crazy piece of software?  Give the group a brief on how to make their jobs easier!  Carpe Diem! See the full agenda here! Questions?  osug@columbus.rr.com   Greg Posted Aug 03 2005, 04:53 PM by Anonymous with no comments

• Preparing for the Inventory Tool for Microsoft Updates (ITMU) – Updating Windows Installer

  From the ITMU Pre-Installation Guide, the “current version” of Windows Installer is required for proper functionality for the ITMU.  From the Pre-Installation guide, “Windows Installer is required for MSI updates which have a MSP file extension. Currently, only Microsoft Office uses this format for updates in the Windows Update Catalog, but it may be adopted by other Microsoft products in the future.”   Query for Systems that need Windows Installer 3.1 These are example queries – Please test in your environment to ensure accurate information.  **Note:  These queries will only give you accurate information for the “current” version of Windows Installer as of 8/3/2005.  It is possible that a few months from now, a new version of Windows Installer will be available which will require the values in these queries to be modified.   Download the queries here: http://www.myitforum.com/inc/upload/10937WinInstallerCheck.zip   Create a Query-Based collection (based on Software Inventory information) As the heading states, SMS Software Inventory must be enabled, collecting inventory for .exe.  This query is based on Software Inventory, for %windir%\system32\msiexec.exe file version < 3.1.4000.1823   select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SYSTEM.Name not in (select SMS_G_System_SYSTEM.Name from  SMS_R_System inner join SMS_G_System_SoftwareFile on SMS_G_System_SoftwareFile.ResourceID = SMS_R_System.ResourceId inner join SMS_G_System_SYSTEM on SMS_G_System_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_SoftwareFile.FileName = "msiexec.exe" and SMS_G_System_SoftwareFile.FilePath like "%system32\\" and SMS_G_System_SoftwareFile.FileVersion >= "3.1.4000.1823")   Create a Query-Based Collection (based on Hardware Inventory information) This query may help get you up and running with “current” Windows Installer, installed as KB893803v2 in Add-Remove Programs.   select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System where ResourceId not in (select   SMS_R_System.ResourceID from SMS_R_System inner join   SMS_G_System_ADD_REMOVE_PROGRAMS on   SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID =   SMS_R_System.ResourceId where   SMS_G_System_ADD_REMOVE_PROGRAMS.ProdID = "KB893803v2")   Web Report Based on Software Inventory Chris Stauffer created the following SQL query for creating a web report based on Software Inventory:   SELECT DISTINCT SYS.Netbios_Name0, SF.FileName, SF.FileDescription, SF.FileVersion, SF.FileSize, SF.FileModifiedDate   FROM v_GS_SoftwareFile SF INNER JOIN             v_R_System SYS ON SYS.ResourceID = SF.ResourceID WHERE     (SF.FileName = 'msiexec.exe') AND (SF.FileVersion LIKE '3.1%') AND (SF.FilePath LIKE '%\system32\')   ORDER BY SYS.Netbios_Name0   Download the queries here: http://www.myitforum.com/inc/upload/10937WinInstallerCheck.zip   Download Windows Installer 3.1   Deploy Windows Installer 3.1 Via SMS This is a simple update to deploy.  Be sure to test in your environment before global deployment!  **This installation requires a reboot on completion.  Here are a couple example command lines:   WindowsInstaller-KB893803-v2-x86.exe /quiet /norestart  -- Since “norestart” is used, be sure to set the SMS Program property to “SMS Restarts Computer”.   WindowsInstaller-KB893803-v2-x86.exe /quiet /forcerestart  -- By using “forcerestart”, the system will be rebooted immediately after completion.     Greg   If you have any questions or comments, please send me email:  ramseyg@hotmail.com Posted Aug 03 2005, 03:26 PM by Anonymous with 2 comment(s)

• ITMU Pre-Installation Process Flow Chart

  Download the flowchart (.doc) from here:  http://myitforum.com/inc/upload/10936Pre-installFlow.doc Below is a flow chart of the pre-installation process of installing the ITMU, based on the ITMU Pre-Installation Guide.  This flow chart will help you "visualize" the process of preparing your SMS environment for the ITMU. It's obvious from the flow chart that more is involved in preparing for the ITMU than just a point-and-click.  Careful planning will help make your installation a success!  As stated on download site for the ITMU  Pre-Installation Guide, not all knowledge base articles will be available before the release of the ITMU.  But hopefully the Pre-Installation Guide and this flow chart will help you prepare for the release of the ITMU. What can I do between now and when the ITMU is released? Read the Pre-Installation Guide Review this flow chart Re-Read the Pre-Installation Guide Test and deploy the latest version of Windows Installer (3.1 at the time of this post). Determine which route will be best for your environment:  a) Test and deploy the new SMS Advanced Client contained in KB 901034 or  b) Test and deploy KB 899512 and KB 892044 Plan downtime required for deploying the hotfixes required to your SMS Sites (which will require MP restarts, and SMS services stopped/restarted). Build SMS Collections and reports based on the Pre-Installation Guide to verify minimum SMS client version and Windows Installer version (currently 3.1) Convince Management that you need a little time before deploying all of this to your production environment.  This is my humble opinion here --  I would highly recommend using the current SMS patch technologies (Software Updates Scanner, ESUIT, and Office Scanner) to get through at least the month of August before relying completely on the ITMU.  Each SMS Advanced client will need to receive multiple updates before completing its first ITMU Scan. Keep an eye on this blog and myITforum.com -- I intended to add several items to help you succeed with the ITMU over the next couple of weeks. Download the flowchart (.doc) from here:  http://myitforum.com/inc/upload/10936Pre-installFlow.doc Greg If you have any questions or comments, please send me email:  ramseyg@hotmail.com Here's the Flow!     Posted Aug 02 2005, 03:57 PM by Anonymous with 3 comment(s)