ADM364

SMS Feature Packs –Today, Tomorrow, and Beyond!

Martin DeySenior Product ManagerEnterprise Management Division

Today you will learn about…

Feature Pack Strategy

Software Update Services

Overview of Feature Packs released for SMS 2.0SUS Feature Pack

Results in action – Real Customer Deployment in action

Administrator Feature Pack

SMS 2003 Feature Pack overviewsDevice Management Feature Pack

OS Image Deployment Feature Pack

Why Feature Packs?

A response to the need for additional functionality in:Improvements to Administrative tools

Adjustments to features through add-on tools

QFE support

Common solutions to urgent problems

Support new technologiesSoftware Update Services Feature Pack – security update management

Administration Feature Pack – additional admin tools

Feature Packs are now vogue!!

Software UpdateServices

Software Update Services (SUS)

Key BenefitsKey Benefits Keeps environment up-to-date with security Keeps environment up-to-date with security

and critical patchesand critical patches Gives administrators control over patch Gives administrators control over patch

application in the enterpriseapplication in the enterprise Patches can be tested before being Patches can be tested before being

approved for applicationapproved for application

Corporate solution for Windows OS critical Corporate solution for Windows OS critical and security patch managementand security patch management

Only for critical and security (critical and Only for critical and security (critical and medium) patches and security patch rollupsmedium) patches and security patch rollups

SUS server automatically downloads SUS server automatically downloads patches from Windows Update Servicepatches from Windows Update Service

Target computers can be centrally Target computers can be centrally configured (via GP) to synchronize with configured (via GP) to synchronize with either SUS server or WU Serviceeither SUS server or WU Service

Various download and patch application Various download and patch application configuration optionsconfiguration options

Microsoft Windows Update ServiceMicrosoft Windows Update Service

Geographically Distributed EnterpriseGeographically Distributed Enterprise

IntranetIntranet

SUS ServerSUS Server

Target computers withTarget computers withAutomated Updates (AU)Automated Updates (AU)

SUS Architecture:

WindowsUpdateWindowsUpdate

InternetInternet

IntranetIntranet

SUSSUS

Security Patches, Security RollupsSecurity Patches, Security Rollups

SUS WebAdmin to SUS WebAdmin to manage updatesmanage updates

Sync UpdatesSync Updates

Download and Download and install Approved install Approved UpdatesUpdates

Corporate Servers, Corporate Servers, Workstations and LaptopsWorkstations and Laptops

Central Central SUS SUS Client Client ConfigConfig

SUS Server DetailsSupport for:

Intranet hosted WU server to support AutoUpdate v2.2 and higher clients

Administrator control over which patches get distributed within the corporation

Support for only Windows critical updates and service packs hosted on Windows Update

Client configuration using Group Policy or registry setting

Not Supported in V1:Non-Windows updates (e.g. SQL, Exchange, Office)

3rd party update publishing

Full app distribution

Driver deployments

SUS Server Scale-out

Windows UpdateWindows Update

InternetInternet IntranetIntranet

Content can be Content can be synchronized synchronized

from Windowsfrom Windows Update or a Update or a local serverlocal server

SUS / Distribution SUS / Distribution ServerServer

SUSSUS

Sync Sync

ContentContent & & List of List of Approved Approved UpdatesUpdates

SUSSUS

SyncSync

ContentContent

AutoUpdate clientsAutoUpdate clients

Win2k & WinXPWin2k & WinXP

Site in City BSite in City B

HTTPHTTP

AutoUpdate clientsAutoUpdate clients

Win2k & WinXPWin2k & WinXP

Site in City ASite in City A

Client can be directed Client can be directed to auto download and to auto download and install updatesinstall updates

ProxyProxy

ProxyProxy

Client can be directed to Client can be directed to pull approved updates pull approved updates from Microsoft.comfrom Microsoft.com

Firewal

l

Firewal

l

SMS 2.0 SUS Feature Pack

Software Update Services Feature Pack

Purpose – ensure that large organizations have ability to detect and remove vulnerabilities due to missing updatesInventory details drive the initial planning (bootstrap)Updates can be approved on a priority basisTargeting is global (“All Systems”)Service levels are described for reportingProcesses are scheduled and customisableTools used:

Security Patch Bulletin Catalog Microsoft Baseline Security Analyzer (MBSA)Microsoft Office Update ToolMicrosoft Office Update Database MSXML

Patch Scanning with SMS

InternetInternet

IntranetIntranet

Regular Regular Download of Download of

updated Scan updated Scan Tool and Tool and Patch DBPatch DB

Deploy & run scan tool

Patch scan results

Web Reports

Managed Managed Servers, Servers,

Workstations and Workstations and LaptopsLaptops

SMS 2.x Site Infra-

structure

Updates to patch Updates to patch catalogs: catalogs: MSSecure.XML and MSSecure.XML and Office patch DBOffice patch DB

microsoft.com

SMSDatabase

PatchPatchScanScanDataData

Patch deployment with SMS

InternetInternet

IntranetIntranet

Wizard Wizard downloads downloads required required patchespatches

Deploy needed patches

Status of installsManaged Managed Servers, Servers,

Workstations Workstations and Laptopsand Laptops

SMS 2.x Site Infra-structure

Patches, QFEs, Patches, QFEs, SRPs etc.SRPs etc.

microsoft.com

SMSDatabase

Patch WizardPatchPatchScanScanDataData

Required deployment Required deployment configuration configuration

SMS 2.0 SUS Feature Pack

demodemo

customercustomer

Case Study: CNFA new paradigm for patch management

Case Study: CNF

CNF is a global supply chain management company

Air Freight, Customs, Ocean Forwarding

Supply Chain Logistics

Logistics Management

Ground TransportationWWW.CNF.COM

CNF’s Infrastructure

~3,000 workstations globallymost in the United States

Over 700 individual locationsSome locations on a 32K circuit

Some locations reside in a customers facility

Some locations are on a B2B VPN

Windows 95 through WindowsXP

Mixture of workstations and laptops

To patch or not to patch…Life before the SUS FP… and Nimda

No manageable way to determine which workstation needed which patchesSystems patched “as touched”

Patches were applied to all new images and rebuilt workstations

Patching each workstation proactively was too costly in tech time and lost employee productivityManual end-user process achieved <10% success rateAnd it’s a never ending cycle!!!!

What changed their minds?

Virus infectionsNimda

Code Red

Melissa

I love you

Business Resumption/ProtectionPost 9/11

Renewed emphasis on secure computing

SUSFP to the rescue

With MS Consulting services, SUSFP was installed and running on pilot workstations within 2 days

Dogfood! - IT Team are THE pilot group!

SUSFP impact on SMS servers was negligible

DB growth, but well within predicted size

Rolled SUSFP company wide within a week of the successful pilot

SUSFP to the rescue (cont)

Provided concise reports (out of the box):What patches each workstation needed

Number of workstations that needed each patch

When a patch was applied

SMS 2003 Patch Web Reports areeven better!

SUS FP – Statistics

Weekly inventories

56 approved security bulletins across CNF’s workstations

1,133 eligible workstations

37,412 individual patches appliedAverage of 33.5 patches per workstation

0 workstations broke due toSUS FP security patching!!!

SUSFP – Reality Check

Patching now routineOur employees now trust SMS and SUSFP

Management expects workstations to stay current

Developers have a baseline to test their applications against

Management impressed by exposure and trouble-free solution

Hardware budget increased

WAN link speeds to remote sites being upgraded to ensure total patch coverage

SUSFP – Lessons LearnedTest, test, and retest all patches before deployingDOGFOOD, pilot group of savvy users, then the “public”Inconsistent QFix behavior

Microsoft working to address this issue

Consider network bandwidthHardware testing

VMware great, but hardware specific QFixes need to be tested on real hardware

To force a reboot or not…..

Enabled Products / Components

Component / Product Feature Pack SUS / SUS SA

Windows 2000 / XP Yes Yes

IIS 5.0 Yes Yes

Internet Explorer Yes Yes

Windows Media Player Yes Yes

MS-XML Yes (1) Yes

MDAC Yes (1) Yes

Windows NT 4.0 Yes No

IIS 4.0 Yes No

SQL Server Yes No

Exchange Yes No

MS-Office Yes No

(1) Available using standard SMS software distribution(1) Available using standard SMS software distribution

Enabled Categories

Category SUS Feature Pack 1.0

SUS -Software Assurance

SUS 1.0

Critical Security Updates (1) Yes Yes Yes

Security Roll-ups Yes Yes Yes

Windows Critical Updates Yes (2) Yes Yes

Service Packs Yes (2) Yes No

Recommended Updates Yes (2) Yes No

Advanced Security Updates Yes (2) Yes No

Application Compatibility Updates

Yes (2) Yes No

Driver Updates Yes (2) No No

(1) Includes critical, important, moderate and low severity items(1) Includes critical, important, moderate and low severity items(2) Available using standard SMS software distribution(2) Available using standard SMS software distribution

Patch Command Lines

Sustained Engineering Baseline (SEBase) initiative

Filename standards

Command line/behavior standards

Review of installer engines and examplesInternet Explorer (IExpress)

Windows (hotfix.exe/update.exe)

MS-Office (ohotfix.exe/Windows Installer)

Recent Updates

MBSA v1.1 Integration

Provides additional detectionExchange (5.5 and 2000)

SQL Server (7.0 and 2000)

Windows Media Player (6.4 and above)

Available from PSS using KB 814906

Or download now from microsoft.com

SMS 2.0 Administration Feature Pack

Administration Feature Pack

Transfer site settings from one site to another

Menu extension Wizard or command line

Manage Site Accounts One or more sites in a hierarchyCommand-line tool used to manage SMS accounts

Elevated Rights Deployment ToolInstall software using SMS that requires a reboot, then continued administrative rights

Web Reporting ToolReports on

Software update statusEA true-upQFE status

Administration Feature Pack

demodemo

SMS 2003 Feature Packs

SMS 2003 Feature Packs

Device Management Feature Pack

OS Imaging Feature Pack

Windows CEWindows XP Embedded

Pocket PC/SmartPhone

Device Space

Point of Sale (POS)

Single Purpose Commercial Device (SPD)

Windows Based Terminal (WBT)

Personal Digital Assistance (PDA)

Smart Phone

Device Management needs

Features Administrators need to manage devicesAsset Mgmt: How many, where, what hardware/configuration?

Security+Config: Enforce settings and patches

App updates: Distribute packaged and LOB apps

Backup+Recovery

Remote Troubleshooting

Features Administrators requested includedSingle UI experience for desktops, POS, WBTs, PDAs etc

Leverage a single management infrastructure

Manageability enabling deploymentIn many segments lack of management is a deployment blocker for corporate adoption or upgrade of existing simple devices

Management Strategy for devicesWindows XP Embedded

Mainly ‘PC like’ devices with sufficient power, memory and CPUWith SMS infrastructure use SMS 2003 Advanced Client Embedded VersionWithout SMS use XPe Device Update Agent – simple functionality

Windows CE/PocketPCHandhelds or small devices with limited memoryWith SMS infrastructure use SMS 2003 Device Management Client

Windows SmartphoneAre currently managed via WAP protocols. Potential for SMS enterprise management in the future – under investigation

SMS XPe Advanced ClientSolution overview

Embedded version of the SMS 2003 Advanced Client

Plugs into XP Embedded target designer for building images

Will be available for download on XP embedded web site

Agent features identical to conventional SMS adv client with the exception of Remote Tools

CAL Licensing identical to conventional client

SMS 2003 Device Management Feature Pack

Add-on to SMS 2003 to manage Windows CE based devices

Target marketPDA and Single Purpose handheld devices in the enterprise

Enterprises who want a single management SMS infrastructure for servers, desktops and devices

Enterprises who want a common administration experience with desktops

CE Device ManagementFeature Set

Feature setDiscovery/Identification

Hardware Inventory

Software Inventory and File Collection

Software Distribution

Script Execution

Network Architecture

MP ComponentsMP Components

ISAPIISAPIDLLsDLLs

Admin UIAdmin UIFrameworkFramework

Distribution Distribution Points/IIS Points/IIS EnabledEnabled

Primary Site Primary Site ServerServer

Site DatabaseSite Database

Management Management PointPoint

Advanced Advanced ClientsClients

SMS Admin UISMS Admin UI

ISAPIISAPIDLLsDLLsDevice Management Device Management

Point (DMP)Point (DMP)

DMP DMP ComponentsComponents

Device UIDevice UI

1: Enter Name of DMP – device registers with SMS1: Enter Name of DMP – device registers with SMS

2. Device reports discovery + inventory data2. Device reports discovery + inventory data

3 Discovery+Inv data transferred to SMS db3 Discovery+Inv data transferred to SMS db

4 Retrieve SW adverts for client4 Retrieve SW adverts for client

5 Optional + Mandatory SW Adverts sent5 Optional + Mandatory SW Adverts sent

6. Device requests 6. Device requests contentcontent

location (from DMP) location (from DMP) and pulls and pulls

from local Dist Pointfrom local Dist Point

7. Device reports status 7. Device reports status of SW installation requestof SW installation request

SMS 2003 CE Device Mgmt Network Architecture (1)

Connectionhttp(s) to Device Management Point (DMP)

Optional https to server (needs cert provisioning)

XML based protocol

Identical docked (via http PC proxy) and network Wireless/Ethernet behavior for device

PollingDevice polls MP on interval to report discovery data and pick up software advertisements

SMS Programs can have bandwidth/connection criteria

Fault tolerant for unreliable networks

SMS 2003 CE Device Mgmt Network Architecture (2)

Device MP dependent on standard MPAlways resident on same machine

Shares SQL connection account

Distribution PointsDMP can refer clients to a DP with IIS installed (‘BITS enabled’)

Client ‘roaming’ supported within SMS hierarchyClient will be referred to local content servers (DPs). Supports local and regional roaming.

Change of Device MP is a manual operation via client UI, but not normally necessary

Client Installation and Config

Options for installing mgmt client :

A) Client built-in to OEM ROM

B) CAB install via Active Sync

Client CAB

Options for registering with Device Management Point

A) Type DMP name in Device Control Panel applet

B) Run registry config file on the device

C) Distribute config via SMS desktop distribution

C) CAB install from device

D) CAB install via SMS desktopdistribution

Install client Register with DMP

Image Deployment Feature Pack

Image Deployment Feature Pack

OS Deployment is an essential task in most large Enterprises.

OS Deployment can be achieved either via an upgrade in place or by deploying a new image

Installing a OS + Apps on a new machine in a lab (which replaces an existing machine)

Imaging a machine in production (re-imaged for help desk failure, deploy new OS + Apps)

Value in providing the SAME processes to do both including:

state migration, deploy, app deploy, status, targeting

Core ScenariosMachine re-provisioning

Fully functioning computerSMS 2003 client installedUser state must be migrated

Raw iron provisioningNew computer without an OSUser will insert bootable mediaUser state doesn’t need to be migrated

Disaster recoveryComputer unable to bootUser will insert bootable mediaUser state migrated if possible

Overview of ID with SMS 2003

Create a SWD Package from Image

Create an Advertisement

Execute the Package on the target SMS client computer

Monitor status from SMS client computer showing new OS + Apps

Creating an Image Package

Creating an Image Package is just like creating any other SMS packageUse specific Package Definition Files (PDF)Use specific Image Deployment Files (IDF) to create packages with image specific deployment properties

Unique scheduling optionsUser State Migration integrationSecurity accounts

Deploying Images

Distributing an Image Package is just like distributing any other SMS package

All the benefits of SMS SWDSite-site distribution, delta rep to DP’s

BITS download to client

Deploy images + additional software all at once

Status to show complete lifecycle.

Image Package Execution

User notification and approval

Various steps:Copying of the Image Package from DP.

Saving of user, machine and SMS Client state/data

Boot into WinPE, image laid out.

Boot into new Image, restoring of user, machine and SMS Client state/data.

Client with new Image and fully managed by SMS

Image Deployment

demodemo

Next Steps…

SMS team is committed to continue delivering value to our customers

Feature Packs give us the ability to do this in a supported way!

Now an adopted practice at MS – look for more FP’s to come!

Continue giving us your ideas for improvements at smswish@microsoft.com

Community Resources

Community Resourceshttp://www.microsoft.com/communities/default.mspx

Most Valuable Professional (MVP)http://www.mvp.support.microsoft.com/

NewsgroupsConverse online with Microsoft Newsgroups, including Worldwidehttp://www.microsoft.com/communities/newsgroups/default.mspx

User GroupsMeet and learn with your peershttp://www.microsoft.com/communities/usergroups/default.mspx

evaluationsevaluations

© 2003 Microsoft Corporation. All rights reserved.© 2003 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.