Patch Management Process Overview

I've seen several postings recently from people just getting into SMS patching that don't know where to start. This article is intended to help them understand the basics of the process, and link to various web pages that either provide greater documentation or are used in normal operations. This is based on SMS 2003 with ITMU.

Patch Management Principles
These articles explain the overall concepts and principles involved:

Getting Started
First, install ITMU on your Central Site Server. You may also need the Extended Security Update Inventory Tool, which supports products that ITMU does not support. That can always be installed later if needed. Then go through a small test of the normal monthly cycle, described below. That will help you understand what all the articles are talking about. Then you're ready to begin reviewing the peculiar needs of your business, and design a patching strategy that fits. Ask questions in the mssms mailing list when you need help.

Monthly Cycle
Microsoft gives a heads-up of what they expect to release on the Thursday before Patch Tuesday at their Security Bulletin Advance Notification web page. Patches are normally released on the second Tuesday of each month. Their Current Security Bulletins web page links to the current month summary, which in turn links to a detail page for each individual bulletin. That's usually available beginning about noon Pacific time, but that's not guaranteed. It takes a while for all of Microsoft's web servers to be updated, so you'll often find that some links don't work until later in the day. When you are getting started, you should study the bulletin summaries for a couple of recent months, and the pages for each individual bulletin, in detail. Each type of page has sections with a + in front of a header line. Click on that to expand the section. When getting started, you should expand and read every section of every page for the previous couple of months. At the end of that time you'll have some idea of what information is available where.

You should also read the current month Detection and Deployment Guidance article. The articles for each month are linked from KB910723. These tell you which updates for which products can be detected and patched through ITMU, and which require the Extended Security Update Inventory Tool (ESUIT) or other means.

Sometime during the evening of Patch Tuesday you should run the ITMU Synch program. This downloads the latest updates to your server. Schedule the ITMU scanner to run on machines later that night, so you'll know which updates are needed in your environment. There are two scanner programs. The expedited version runs hardware inventory after the scanner completes. That sends the scanner results to your server for review, and causes some amount of network traffic and server activity. If you have a reasonably large network, you might use the expedited scanner on your pilot test machines and the regular scanner on the others. That way you'll have pretty good information available first thing Wednesday morning, and better counts by the end of the day. If the ESUIT scanner is needed for your environment, the latest version is downloaded manually from the ESUIT download page. That's installed on your server, and the scanner runs just like the ITMU scanner.

On Wednesday, review the new updates that apply to your computers. They are shown in the Security Updates section of the SMS console. Sort by the bulletin number column to make it easy to find the latest updates. Then decide how to deploy them, weighing the risks the updates protect you from against the risks inherent in the updates themselves. You should always test all updates on a set of pilot test computers before the general deployment, to see if they conflict with any business-critical applications. Read my Patch Testing article for more details. You can also get valuable information from the Microsoft Security Response Center Blog and the Patch Management mailing list. Remember that reports there won't always mean problems in your network, but they will give you advance warning of possible issues. Some reports in that mailing list are over-reactions, just as some of your users will blame any problem on the patches.

Then you'll create one or more patch deployment packages using the Distribute Software Updates Wizard in the SMS console, and run them on test machines. I always included my own PC as one of the first test machines. If everything looks good, run them on all machines.
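The review and deployment steps above (sort by bulletin number, deploy to pilot machines first, hold anything with reported problems, then go general) can be written down as a small triage script. The following is an added example and not code from the original post or from the ITMU tool: the scan rows, machine names and bulletin IDs are constructed sample data, the "Needed"/"Installed" status field is an assumed simplification of what the scanner reports through hardware inventory, and the pilot set and reported-issue list are assumptions you would fill in from your own environment.

```python
import re
from collections import defaultdict

# Bulletin IDs follow the MSyy-nnn form (two-digit year, three-digit sequence).
BULLETIN_RE = re.compile(r"^MS(\d{2})-(\d{3})$")

# Constructed sample scan rows: (machine name, bulletin ID, scan status).
# "Needed"/"Installed" is an assumed simplification, not the real inventory schema,
# and the bulletin IDs are sample values, not references to specific bulletins.
SCAN_RESULTS = [
    ("PC-PILOT1", "MS07-040", "Needed"),
    ("PC-PILOT2", "MS07-040", "Needed"),
    ("PC-001", "MS07-040", "Needed"),
    ("PC-002", "MS07-040", "Needed"),
    ("PC-003", "MS07-040", "Needed"),
    ("PC-PILOT1", "MS07-039", "Installed"),
    ("PC-PILOT2", "MS07-039", "Installed"),
    ("PC-001", "MS07-039", "Needed"),
    ("PC-002", "MS07-039", "Needed"),
    ("PC-003", "MS07-035", "Needed"),
    ("PC-ADMIN", "MS07-036", "Installed"),
    ("PC-001", "MS07-036", "Needed"),
    ("PC-002", "MS07-036", "Needed"),
    ("PC-004", "MS07-036", "Needed"),
]

# Assumed pilot set: the administrator's own PC plus two test machines.
PILOT_MACHINES = {"PC-ADMIN", "PC-PILOT1", "PC-PILOT2"}


def bulletin_key(bulletin):
    """Numeric (year, sequence) sort key so MS07-100 sorts after MS07-099
    and MS99-xxx sorts before MS00-xxx, which a plain string sort gets wrong."""
    m = BULLETIN_RE.match(bulletin)
    if not m:
        raise ValueError("unexpected bulletin id: %r" % bulletin)
    yy, seq = int(m.group(1)), int(m.group(2))
    year = 1900 + yy if yy >= 90 else 2000 + yy
    return (year, seq)


def needed_counts(results):
    """How many machines still need each bulletin, newest bulletin first."""
    counts = defaultdict(int)
    for _machine, bulletin, status in results:
        if status == "Needed":
            counts[bulletin] += 1
    return sorted(counts.items(), key=lambda kv: bulletin_key(kv[0]), reverse=True)


def deployment_plan(results, pilot, reported_issues=()):
    """Per bulletin, return (action, reason) where action is 'pilot', 'general' or 'hold'.
    A bulletin goes general only when every affected pilot machine reports it
    installed and nobody has reported a problem with it."""
    by_bulletin = defaultdict(dict)  # bulletin -> {machine: status}
    for machine, bulletin, status in results:
        by_bulletin[bulletin][machine] = status

    plan = {}
    for bulletin, machines in by_bulletin.items():
        if bulletin in reported_issues:
            plan[bulletin] = ("hold", "problem reported; keep it on pilot machines only")
            continue
        pilot_status = {m: s for m, s in machines.items() if m in pilot}
        if not pilot_status:
            plan[bulletin] = ("hold", "no pilot machine is affected; add one before deploying")
        elif any(s == "Needed" for s in pilot_status.values()):
            plan[bulletin] = ("pilot", "deploy to pilot machines and wait for scan results")
        else:
            remaining = [m for m, s in machines.items() if m not in pilot and s == "Needed"]
            plan[bulletin] = ("general", "pilot clean; %d machine(s) still need it" % len(remaining))
    return plan


if __name__ == "__main__":
    for bulletin, n in needed_counts(SCAN_RESULTS):
        print("%s  needed on %d machine(s)" % (bulletin, n))
    plan = deployment_plan(SCAN_RESULTS, PILOT_MACHINES, reported_issues={"MS07-036"})
    for bulletin in sorted(plan, key=bulletin_key, reverse=True):
        action, why = plan[bulletin]
        print("%s  %-8s %s" % (bulletin, action, why))
```

The "hold" case for a bulletin that none of the pilot machines needs is the one most often skipped in practice: if nothing in the pilot set is affected, the update has not been tested at all, and the right fix is to add an affected machine to the pilot group rather than to deploy untested.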

The other articles in my blog explain concepts for setting up your deployment and testing strategy. They'll make the most sense to you after studying the updates from the last few months at Microsoft's web site, and working out how you'd deploy them through SMS.

Again, ask questions in the mssms mailing list when you need help. Patching is not simple, and it's an area where it's critical to be careful. Remember, when you are updating every computer in your company, there's no such thing as a small mistake. Any error can affect the security of your company or the degree of disruption you cause your users.

Published Friday, September 28, 2007 3:02 PM by spruitt

Comments

re: Patch Management Process Overview

Monday, October 15, 2007 11:10 AM by jdiaz

I have been looking everywhere for some basics on ITMU. Great post.
