Bryan's Blog

SQL Reporting Services is Coming to Configuration Manager

bryanke — Wed, 07 May 2008 21:30:00 GMT

In Configuration Manager 2007 R2, SQL Reporting Services is an available option for providing ConfigMgr administrators the management and inventory data they need to do their jobs and run their businesses. This offering is a 'side-by-side' offering along with what we will soon be calling legacy or classic reports. For some time, Systems Management Server (now Configuration Manager) has developed and maintained its own set of ASP reports and rendering capabilities. The time has now come to bow to the powerful and capable enterprise reporting platform that is SQL Reporting Services (part of the SQL BI line of products). This really makes sense for the Configuration Manager product to head in this direction. The integration of Reporting Services in R2 brings all of the great benefits of Reporting Services to the table for SCCM admins: Report rendering (in multiple formats), subscription-based delivery, snapshots, history, customizations and extensibility, scalable enterprise reporting, authoring, and more. Looking forward to getting this in the hands of customers soon. Look for R2 RC release later this summer and enroll for the open beta.

Configuration Manager 2007 SP1 and R2

bryanke — Wed, 07 May 2008 21:09:00 GMT

Well folks, it has been a long while since I contributed to my blog. This is what two kids will do to a young father. I wanted to take the time to promote the work that my team and I have been involved with for over a year now. Coming later this summer is the release of Configuration Manager 2007 R2. Built on Service Pack 1, it provides a number of new and exciting value-added features to the Configuration Manager product. Namely improvements to Software Distribution, Operating System Deployment, Reporting, Client Health, and more. My specific feature team has been responsible for integrating Microsoft Application Virtualization 4.5 (the next version of the product formerly known as SoftGrid) with Configuration Manager. In R2, customers will have complete management and inventory of virtual applications much the same way that physical applications can be deployed and managed in Configuration Manager today. This includes packaging, deployment, and inventory. Customers create SCCM packages and import the virtual application data into Configuration Manager. They can advertise/target those packages to collections of users or machines. Once deployed, end-users run the virtual applications on their desktops. Administrators can then inventory what applications are deployed in their environment and where. Overall, a powerful feature set that brings scalable and flexible deployment of virtualized applications to the enterprise. Configuration Manager and Application Virtualization are truly 'better together' in R2. As R2 gets closer to shipping (planned for Q3 of this year), I will provide articles that hopefully will give you information that you need to be successful with the technology and supplement the documentation and other information that will be available to you.

If you want to learn a little bit more about what is coming in R2, or SP1 for that matter, feel free to check out some of the demonstrations recently posted on TechNet Edge.

New SMS 'Patch Tuesday' PM has a Blog

bryanke — Tue, 12 Jun 2007 22:38:00 GMT

Dan Conley has been running Patch Tuesday operations here on the Systems Management Server team for some time now and has a blog started to inform the customers of happenings in SMS patch. Check out his blog here: http://blogs.technet.com/dconley/

A New Version of the Inventory Tool for Microsoft Updates is Coming

bryanke — Thu, 12 Oct 2006 16:26:00 GMT

As outlined in knowledge base article 926464, a new version of the Inventory Tool for Microsoft Updates (ITMU) is being released in the November timeframe. This release will focus on making the necessary changes to accomodate the new Windows Update catalog format. The changes being introduced are small and targeted at resolving the issue mentioned in the above KB article. Customers are encouraged to migrate as soon as possible once it is released. Greg Ramsey, an SMS MVP, has put together an excellent write-up which can be found here:

http://myitforum.com/cs2/blogs/gramsey/archive/2006/10/12/ITMU-Update-_2D00_-November-2006.aspx

SMS Inventory Tool for Microsoft Updates and McAfee: Setting the record straight

bryanke — Fri, 21 Jul 2006 21:31:00 GMT

More and more companies that use SMS 2003 for software update management are starting to roll out the latest software update tool available: the Inventory Tool for Microsoft Updates (ITMU). As this happens, I am seeing a lot of misinformation floating around and being spread on the incompatibilities between McAfee Antivirus and ITMU. I want to set the record straight with a few simple points on the known issues between the two pieces of software.

With regards to McAfee and ITMU, there are potentially two issues you can run into:

Wsusscan.cab archive file scanning – the wsusscan.cab is an archived archive file. The middle archive file has about 20,000 small data definition XML files that define over 6000 Microsoft updates. McAfee does a very thorough job of unpacking and scanning every file whenever the wsusscan.cab file is copied to or around on a client machine. This can cause considerable processing and disruption to the ITMU scan process as the cab is first copied from the distribution point, then to the VPCache folder and ultimately to the Windows Update Agent (WUA) cache for unpackaging and scanning by WUA. We have consulted with antivirus experts around the world who have advised two safe and secure methods of avoiding the processing. Option 1 is to exclude the wsusscan.cab file itself from scanning. I’m not sure if McAfee offers this as an option, but remember you would have to wildcard exclude it because it is copied to non-predictable directory paths in temp locations and VPCache directories. So just excluding a single full file path will not solve the issue. Remember that excluding wsusscan.cab from scanning is not a potential security risk, as the only process that would attempt to extract it is WUA, which will always check for the MS digital cert prior to processing and fail otherwise. Option 2 is to exclude scanning all archives. Contrary to urban legend, this does not pose a security risk and most A/V software has a configuration item for this. Having a virus or malware packaged in a cab is not an issue until someone or something attempts to unpack and then execute it. This action would always be caught by real time scanning, so the risk is very low of excluding archived files from A/V scans. You can read more about that here: http://support.microsoft.com/default.aspx?kbid=900638
The second issue is that McAfee puts a file lock on the WUA client cache edb in the %Windir%\SoftwareDistribution folder on clients. This prevents WUA from accessing it and prevents scanning from happening. You can read more about that here: http://support.microsoft.com/?kbid=922358

As I mentioned earlier, there is a lot of misinformation floating around the various newsgroups and discussion aliases with regards to McAfee and ITMU compatibility. Please know that there are viable and secure workarounds available to get everything in working order when using these two products side-by-side. If you have any questions or concerns, please work with your MS or McAfee contacts to learn more.

Thanks,

Bryan

SMS 2003 R2 Brings Custom Application Updating to Systems Management Server

bryanke — Thu, 13 Jul 2006 00:06:00 GMT

I am very pleased to announce the release of Systems Management Server 2003 R2. It has been a real thrill to work on a new set of features for the SMS 2003 product. In my opinion, R2 includes one of the most exiting new innovations in systems management, namely, custom update management. Custom update management refers to the ability for any commercial software vendor to develop software update catalogs for the applications they produce. These catalogs are then made available to customers for downloading in their environment. In addition, organizational teams who manage updating in-house line of business applications can create software update catalogs to enable patch management, not just for commercially available software applications, but any software application where updates apply. This new and exciting technology has made it possible for Microsoft partners like Adobe, Citrix, and 1E to develop and release software update catalogs for the applications that they produce. Technology adoption partners and other customers have been able to develop catalogs for servicing in-house applications as well. This ultimately enables customers to detect and deploy security updates and critical hotfixes to non-Microsoft applications, keeping their environments more secure than ever. I am very pleased to have such strong partners building catalogs so early in the emergence of this new software update functionality.

One of the most compelling aspects of the custom updating technology is the schema that is used to define the updates. This schema, known as corporate publishing XML, is rich with metadata that can be used to define almost any software update. Schema elements include title, description, and other properties. Applicability and installed rules include File, Registry, MSI, and WMI checks in any combination. Installation properties are defined by filename, download URL, command-line parameters and more. This schema is not just envisioned to support custom update management in R2, but many new management products at Microsoft, including Systems Center Configuration Manager 2007 when it releases.

Tools that ship with R2 make it easy to discover, download, and create custom update catalogs that synchronize directly with the SMS 2003 software update management infrastructure.

The SMS 2003 R2 evaluation copy can be obtained here. R2 is available to active Software Assurance (SA) customers at no charge and will be part of the August volume licensing kit. Non-SA customers can purchase R2 licenses.

Please take the opportunity to send me comments/feedback on your experiences with SMS 2003 R2. I am more than happy to post articles on advanced custom update authoring topics, as well as provide samples through this blog.

Thanks,
Bryan

WSUSScan.cab and MSSecure.cab Delayed for Patch Tuesday

bryanke — Wed, 12 Jul 2006 00:16:00 GMT

There is currently an issue with the release process for the metadata catalogs for MSRC Patch Tuesday. Resolving the issue is a top priority and we do not anticipate it taking much longer. I will update this posting as I am able to share further information.

Thank you for your patience.

UPDATE (7/11/2006 2:44:18 PM): MSSecure.cab has been released. Wsusscan.cab is still pending.

UPDATE (7/11/2006 5:47:32 PM): Wsusscan.cab is released.

Issue for SMS customers deploying MS06-007 who have AU and ITMU running

bryanke — Wed, 15 Feb 2006 20:49:00 GMT

After the release of MS06-007 on Tuesday 14 February 2006, Microsoft became aware of an issue affecting the installation of MS06-007.

Microsoft quickly investigated the issue and determined that customers who attempted to install the MS06-007 security updates through Automatic Updates, Windows Update, Windows Server Update Services and Systems Management Server 2003 when using the Inventory Tool for Microsoft Updates (ITMU) were affected. The issue did not affect customers who installed the updates through Software Update Services or through Systems Management Server when not using ITMU, or manually installed the Security Update from the Microsoft Download Center

Our investigation has concluded that issue was an installation issue where MS06-007 was not successfully installing when users attempted to install it through affected distribution channels. The issue does not affect the security update MS06-007 itself. When successfully installed, MS06-007 fully protects against the Internet Group Management Protocol (IGMP) vulnerability. Also, the installation issue only affects MS06-007; no other security updates were affected by this issue.

Microsoft has updated these distribution channels to correct these issues. Customers who encountered this issue should take the following actions:

Automatic Updates (AU) - AU customers need take no action: the new updates will automatically download.
Windows Server Update Services (WSUS) - WSUS Administrators who had synchronized their WSUS Server to obtain the updates released on Tuesday 14 February, before 8:30PM PST that evening should manually synchronize their WSUS Servers and approve the new updates.
Systems Management Server 2003 with the Inventory Tool for Microsoft Updates (ITMU) - SMS Administrators should who had synchronized their servers to obtain the updates released on Tuesday 14 February, before 8:30PM PST that evening should re-synchronize their servers for the latest updates.
Microsoft Update (MU) and Windows Update - Customers who visited MU and WU before 8:30 PM on Tuesday February 14th, should revisit MU or WU and accept the downloads being offered to them.

Our investigation has determined there was an issue in the distribution infrastructure in handling this particular update which has been identified and resolved. Microsoft is taking steps to prevent similar issues from occurring in the future.

From an SMS ITMU perspective, this only affects customers who run both SMS ITMU and AU in their environment, becaues this issue only affected the binary delta version of the update and not the full file version (the one that ITMU always uses by default). If AU downloads the binaries before ITMU does, when ITMU tries to copy the files, it will recognize that the WUA cache already contains the updates and attempt to execute the installer package, which due to the above issue, will fail. If an SMS customer is in this situation, they simply need to just let their advertisements for ITMU re-run. When AU runs again it will detect that the binary delta update has been removed, and clear it from the cache. Then SMS ITMU will download and successfully install the update.

Article Describing Windows Update Content Release

bryanke — Wed, 09 Nov 2005 21:30:00 GMT

This is a good, running KB article for discovering changes in Windows Update content and what might currently be included in the WSUSScan.cab used by SMS Inventory Tool for Microsoft Updates. It is also a good resource for discovering why a new CAB might have been released and what new content is available:

http://support.microsoft.com/default.aspx?scid=kb;en-us;894199

WSUSScan.cab Release Info - Nov. 11, 2005

bryanke — Tue, 08 Nov 2005 18:42:00 GMT

This is a general release information article relating to the availability of the WSUSScan.cab file, a subset of the Windows Update and Microsoft Update patch data that includes information about security updates, update rollups and service packs for Microsoft products. The WSUSScan.cab and its uses are described here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wua_sdk/wua/using_wua_to_scan_for_updates_offline.asp

From a Systems Management Server, the data contained within the WSUSScan.cab is used by the SMS Inventory Tool for Microsoft Updates in order to provide scanning and deployment information for the Software Update Management feature of SMS 2003 SP1. Typically patch data for Microsoft products is released the second Tuesday of the month at 10am. Once this content goes live, the WSUSScan.cab is generated. There is typically a delay in the delivery of this file due to the fact that it must be processed from live data and go through several steps before it can be posted to the Web. Typically these steps are:

CAB creation from live WU/MU content
General processing and evaluation of integrity of the file
Authenticode or Digital signing by a Microsoft certificate prior to public release

The above processes can take anywhere from 30-90 minutes.

For Tuesday, November 8, 2005, I will do my best to provide status on the CAB generation and availability for customers so that they can know when it is appropriate to synchronize or download the CAB for use in SMS. Please see below for latest status:

Pending release of live Microsoft Update content (scheduled for 10am)...
(10:00 AM PST) MU/WU content is live...WSUSScan.cab release is pending
(11:18 AM PST) WSUSScan.cab is still pending release, please stand by...
(11:29 AM PST) Catalog has made it through internal processes and should be released live shortly...
(12:18 PM PST) No word yet on the CAB although it has passed all internal reviews and should be posted any minute now...
(1:08 PM PST) Catalog release is live! CAB file digital signature time is November 08, 2005 10:31:03 AM...

SMS ITMU Deployment of MS05-048 (KB 907245)

bryanke — Mon, 17 Oct 2005 21:27:00 GMT

Some folks have asked me why they are not able to find KB 907245 in the Distribute Software Updates Wizard when approving the October security bulletins from Microsoft. This one is a bit tricky, because the master KB number for MS05-048 is 907045. However, the vulnerability actually affects two distinct Microsoft products: Windows and Exchange. The fix for each is listed under separate KB numbers. So if you are looking to approve and deploy the fix for Windows, search under KB 901017. If you are looking to approve and deploy the fix for Exchange 2000, search under 906780.

SMS ITMU Deployment Guidance for October Security Releases

bryanke — Tue, 11 Oct 2005 18:33:00 GMT

This is just a quick article to let you know that all Microsoft security updates released for the month of October are detected and deployable using the new SMS Inventory Tool for Microsoft Updates (ITMU) available for download at http://www.microsoft.com/smserver/downloads/2003/tools/msupdates.mspx.

There is one interesting deployment scenario that I want to make SMS administrators aware of this month.

One update, Security Update for Windows XP (KB902400), is broken into to two distinctly deployable entities in the SMS Administrator Console. One of the updates targets XP SP1 with a severity rating of Critical. The other update targets XP SP2 with a severity rating of Moderate. When you select either one of these updates for approval, you will receive a message in the admin console that both of these uniquely deployable updates are intended to be deployed as a bundle. If you do not have one or the other service pack in your environment or just want to identify which is which, the following information should help you out:

Security Update for Windows XP (KB902400)

Unique Update ID: 8eed21a4-d10b-458d-b51a-1c2aab4ef14a
Deployable to Windows XP SP2 only

Unique Update ID: 1ede20f3-9cb8-4e3a-a93a-2d22bc76df59
Deployable to Windows XP SP1 only

ITMU introduces the concept of bundles. The DSUW or Administrator Console can provide you information about updates that are intended to be deployed together and what their individual unique update ID's are. You can find this information in the Software Updates node of the main console tree. In the DSUW's Add and Remove Updates screen, you can use the Information button for any bundled update to get extended property information (like the above unique update ID's).

For more information about bundle handling in ITMU, check out this great video tutorial: http://support.microsoft.com/servicedesks/showmehow/082305.asx

SMS Security Scan Tools Supported Products

bryanke — Fri, 07 Oct 2005 04:02:00 GMT

The following article does a nice job of explaining when to use certain SMS security scan tools and what the supported product story is for each.

http://myitforum.techtarget.com/blog/osug/archive/2005/08/10/12562.aspx

Windows Installer Requirement and the SMS 2003 Inventory Tool for Microsoft Updates

bryanke — Thu, 11 Aug 2005 20:14:00 GMT

I want to provide some clarification regarding the Windows Installer 3.1 requirement for the newly released SMS 2003 Inventory Tool for Microsoft Updates. This tool provides integration with the Windows Update Agent and the catalog of updates available on Windows Update and Microsoft Update to enterprise customers.

You may notice that the tool has a requirement on MSI 3.1. This is due to the fact that MSI 3.1 is considered a mandatory update in the Windows Update world. A mandatory update is basically a required update to get the full functionality for detecting and deploying MSP-based updates through the Windows Update Agent. Windows Server Update Services (WSUS) has a hard requirement on MSI 3.1. This means that no clients will be offered any updates until MSI 3.1 is installed on the client computer for WSUS clients and home computers using Automatic Updates. On my home machine, I delayed installing MSI 3.1 just out of pure laziness for several months. When I finally did, there were over a dozen updates applicable on my machine that I had not been aware of because the mandatory MSI 3.1 update had not been installed. WSUS clients will automatically get MSI 3.1 before any patches are applied. Home users are advised to install MSI 3.1 as part of the automatic updates process.

In the enterprise, with SMS and the new inventory tool, the story is slightly different. SMS does not force an update or upgrade to MSI 3.1. In fact, you will still be able to scan machines *successfully* even with MSI 2.0 on the managed client. I have to clarify what successfully means. This means that the scan will not fail. However, you will not receive update detection and deployment information for any MSI-based updates. This includes the CAB's MSP files that Microsoft Office uses to deploy updates to Office XP and Office 2003. You will get no errors, no warnings, no nothing. Updates will simply not be shown as applicable, because the MSI API's that the Windows Update Agent relies on simply are not there in older versions. It bears mentioning that in the future, many more products at Microsoft will be jumping on the Microsoft Update, affectionately known as MU, bandwagon. If these product teams use an MSI-based servicing model, you will also not receive an accurate applicability status for those updates. Bottom line: You might not know what you are missing in the future.

So let's talk MSI 3.0 vs. 3.1. If your clients are running MSI 3.0, you will actually see successful scan results for all clients. However, I strongly encourage you to upgrade to MSI 3.1. Several critical fixes were made that make this a valuable update and one that is well worth deploying.

One other thing to point out. The Windows Installer 3.1 download center page documents the latest version as 3.1.4000.2435. However, if you run msiexec from the command line, the listed version is 3.01.4000.1823. This is perfectly fine and the correct version you should be seeing. The msi.dll version is the actual version that is reflected on the download center page.

So, with my official Microsoft hat on, I say update to the required, mandatory, important and highly useful MSI 3.1. If you call product support and request assistance with MSI 2.0 or 3.0 or otherwise need a hotfix, you will be asked to first update to MSI 3.1. So that is the official support for MSI. But go ahead, read between the lines, and make your own informed decision that is right for you regarding the upgrade to MSI 3.1.

Feel free to send comments or e-mail me.

SMS Inventory Tool for Microsoft Updates Pre-Installation Guide Available

bryanke — Sat, 06 Aug 2005 18:58:00 GMT

In anticipation of the upcoming release of the Systems Management Server 2003 Inventory Tool for Microsoft Updates, Microsoft has released a Pre-Installation guide that can help customers prepare their SMS environments for the new tool. As an add on to SMS 2003 SP1, several enhancements were made to the product to support the new tool. Unfortunately that means several updates and prerequisites must be deployed prior to installing the new tool. This guide should give customers all the info they need to begin to prepare their environment. Click here to download the guide.