TRANSCRIPT
ADM364
SMS Feature Packs – Today, Tomorrow, and Beyond!
Martin Dey, Senior Product Manager, Enterprise Management Division
Today you will learn about…
Feature Pack Strategy
Software Update Services
Overview of Feature Packs released for SMS 2.0
  SUS Feature Pack
  Results in action – real customer deployment
  Administrator Feature Pack
SMS 2003 Feature Pack overviews
  Device Management Feature Pack
  OS Image Deployment Feature Pack
Why Feature Packs?
A response to the need for additional functionality in:
  Improvements to Administrative tools
  Adjustments to features through add-on tools
  QFE support
  Common solutions to urgent problems
Support new technologies
  Software Update Services Feature Pack – security update management
  Administration Feature Pack – additional admin tools
Feature Packs are now in vogue!!
Software Update Services
Software Update Services (SUS)
Key Benefits
  Keeps environment up-to-date with security and critical patches
  Gives administrators control over patch application in the enterprise
  Patches can be tested before being approved for application
Corporate solution for Windows OS critical and security patch management
Only for critical and security (critical and medium) patches and security patch rollups
SUS server automatically downloads patches from Windows Update Service
Target computers can be centrally configured (via GP) to synchronize with either SUS server or WU Service
Various download and patch application configuration options
SUS Architecture (diagram): the Microsoft Windows Update Service on the Internet; a SUS server on the intranet of a geographically distributed enterprise syncs updates (security patches, security rollups) from Windows Update; administrators use SUS WebAdmin to manage updates; target computers with Automated Updates (AU) – corporate servers, workstations and laptops – receive central SUS client configuration and download and install approved updates.
SUS Server Details
Support for:
  Intranet hosted WU server to support AutoUpdate v2.2 and higher clients
  Administrator control over which patches get distributed within the corporation
  Support for only Windows critical updates and service packs hosted on Windows Update
  Client configuration using Group Policy or registry setting
Not Supported in V1:
  Non-Windows updates (e.g. SQL, Exchange, Office)
  3rd party update publishing
  Full app distribution
  Driver deployments
SUS Server Scale-out (diagram): Windows Update on the Internet; on the intranet a SUS / Distribution Server syncs content from Windows Update, and the SUS servers at Site in City A and Site in City B sync content plus the list of approved updates from it (content can be synchronized from Windows Update or a local server); AutoUpdate clients (Win2k & WinXP) at each site pull updates over HTTP through proxies and firewalls; clients can be directed to auto download and install updates, or directed to pull approved updates from Microsoft.com.
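The two slides above state that target computers are configured centrally, via Group Policy or a registry setting, to synchronize with either a SUS server or Windows Update, and that a client can be pointed at Microsoft.com instead of the local server. The script below is an added example, not code from the presentation or from Microsoft: it parses an exported Automatic Updates client policy in .reg format and flags settings that would leave clients unpatched or bypass the SUS approval list. The value names (WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate) are the standard Windows Update client policy values; the hostnames and the .reg text are constructed for the example.

```python
"""Sanity-check an exported Automatic Updates client policy for a SUS deployment.

Added example, not code from the presentation or from Microsoft. The value names
under HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate (and its AU
subkey) are the standard Windows Update client policy values; the .reg text and
the hostnames are constructed for this example.
"""
import re
from urllib.parse import urlparse

WU_KEY = r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate"
AU_KEY = WU_KEY + r"\au"

# A .reg export of a correctly configured client: sync with the intranet SUS
# server, report status to it, auto download and schedule the install (constructed).
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus01.corp.example"
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"NoAutoUpdate"=dword:00000000
"""

# The same export with the server name dropped and an out-of-range AUOptions (constructed).
BROKEN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUStatusServer"="http://sus01.corp.example"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000009
"""

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{1,8})|"(.*)")$')


def parse_reg(reg_text):
    """Parse .reg export text into {key_path_lower: {value_name_lower: value}}.

    Only REG_SZ and REG_DWORD values are handled; that is all the AU policy uses.
    """
    sections, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            sections[current][name.lower()] = int(dword, 16) if dword is not None else string
    return sections


def check_policy(reg_text):
    """Return (severity, message) findings; an empty list means the policy looks sound."""
    reg = parse_reg(reg_text)
    wu, au = reg.get(WU_KEY, {}), reg.get(AU_KEY, {})
    findings = []

    if au.get("noautoupdate", 0) == 1:
        findings.append(("error", "NoAutoUpdate=1 disables Automatic Updates; approved patches will never be applied"))

    server, status = wu.get("wuserver"), wu.get("wustatusserver")
    if au.get("usewuserver", 0) == 1:
        # Client is meant to sync with the intranet SUS server.
        if not server:
            findings.append(("error", "UseWUServer=1 but WUServer is missing: no intranet SUS server to sync from"))
        elif urlparse(server).scheme.lower() not in ("http", "https"):
            findings.append(("error", f"WUServer '{server}' is not an http(s) URL"))
        if not status:
            findings.append(("warning", "WUStatusServer missing: set it with WUServer so clients report status to SUS"))
    else:
        # Client goes straight to Microsoft.com; the SUS approval list does not apply.
        msg = "UseWUServer is not 1: clients pull updates directly from Microsoft.com"
        if server:
            msg += f" (WUServer={server} is ignored)"
        findings.append(("info", msg))

    opt = au.get("auoptions")
    if opt is None:
        findings.append(("warning", "AUOptions not set: end users decide when to download and install"))
    elif opt not in (2, 3, 4):
        findings.append(("error", f"AUOptions={opt} is invalid (2 notify, 3 auto download/notify install, 4 auto download/scheduled install)"))
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_REG), ("broken", BROKEN_REG)):
        print(label, check_policy(text) or "OK")
```

Run it against a `regedit /e` export of the policy key from a pilot workstation; an empty result for the intranet case means the client will sync from, and report to, the SUS server rather than Microsoft.com.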
SMS 2.0 SUS Feature Pack
Software Update Services Feature Pack
Purpose – ensure that large organizations have the ability to detect and remove vulnerabilities due to missing updates
Inventory details drive the initial planning (bootstrap)
Updates can be approved on a priority basis
Targeting is global (“All Systems”)
Service levels are described for reporting
Processes are scheduled and customisable
Tools used:
  Security Patch Bulletin Catalog
  Microsoft Baseline Security Analyzer (MBSA)
  Microsoft Office Update Tool
  Microsoft Office Update Database
  MSXML
Patch Scanning with SMS (diagram): the SMS 2.x site infrastructure regularly downloads the updated scan tool and patch DB from microsoft.com (updates to the patch catalogs: MSSecure.XML and the Office patch DB); the scan tool is deployed and run on the managed servers, workstations and laptops on the intranet; the patch scan results are stored in the SMS database as patch scan data and surfaced as web reports.
Patch deployment with SMS (diagram): the Patch Wizard, working from the patch scan data in the SMS database, downloads the required patches (patches, QFEs, SRPs etc.) from microsoft.com and produces the required deployment configuration; the SMS 2.x site infrastructure deploys the needed patches to the managed servers, workstations and laptops and collects the status of installs.
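Stripped of the infrastructure, the scan and deployment flow above is: a catalog of bulletins, an inventory of which hotfixes each machine reports, a comparison that honours supersedence and the approval list, and roll-up reports. The Python below is an added example, not the Feature Pack's code: CATALOG_XML is a constructed stand-in for the MSSecure.XML catalog (the real schema is not reproduced), the bulletin IDs, Q numbers and hostnames are made up, and the severity filter stands in for approving updates on a priority basis. It yields the two reports the case study later credits to the Feature Pack (which patches each workstation needs, how many workstations need each patch) plus the totals behind the statistics slide.

```python
"""Work out which approved patches each machine is missing and roll up reports.

Added example, not the Feature Pack's code. CATALOG_XML is a constructed stand-in
for the MSSecure.XML patch catalog (the real schema is not reproduced); bulletin
IDs, Q numbers and hostnames are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter
from dataclasses import dataclass
from typing import Optional

CATALOG_XML = """\
<Catalog>
  <Bulletin id="BUL-001" severity="Critical" product="Windows 2000" q="Q900001"/>
  <Bulletin id="BUL-002" severity="Critical" product="Windows 2000" q="Q900002"/>
  <Bulletin id="BUL-003" severity="Critical" product="Windows 2000" q="Q900003" supersedes="Q900002"/>
  <Bulletin id="BUL-002" severity="Critical" product="Windows XP" q="Q900002"/>
  <Bulletin id="BUL-003" severity="Critical" product="Windows XP" q="Q900003" supersedes="Q900002"/>
  <Bulletin id="BUL-004" severity="Moderate" product="Windows XP" q="Q900004"/>
  <Bulletin id="BUL-005" severity="Low" product="Windows 2000" q="Q900005"/>
</Catalog>
"""

# Inventory as the scan tool would collect it (constructed): OS product plus the
# set of hotfix Q numbers found installed on each machine.
INVENTORY = [
    {"name": "WS-A", "product": "Windows 2000", "installed": {"Q900001"}},
    {"name": "WS-B", "product": "Windows 2000", "installed": {"Q900001", "Q900003"}},
    {"name": "WS-C", "product": "Windows XP", "installed": {"Q900002"}},
    {"name": "WS-D", "product": "Windows XP", "installed": set()},
]

# Approval on a priority basis: only these severities are pushed out.
APPROVED_SEVERITIES = {"Critical", "Important", "Moderate"}


@dataclass(frozen=True)
class Bulletin:
    id: str
    severity: str
    product: str
    q: str
    supersedes: Optional[str]


def load_catalog(xml_text):
    root = ET.fromstring(xml_text)
    return [Bulletin(e.get("id"), e.get("severity"), e.get("product"), e.get("q"), e.get("supersedes"))
            for e in root.iter("Bulletin")]


def is_covered(q, product, installed, catalog):
    """True if hotfix q is installed, or a later hotfix for the same product that
    supersedes it (directly or through a chain) is installed."""
    seen, frontier = set(), {q}
    while frontier:
        cur = frontier.pop()
        if cur in installed:
            return True
        seen.add(cur)
        frontier.update(b.q for b in catalog
                        if b.product == product and b.supersedes == cur and b.q not in seen)
    return False


def missing_patches(catalog, host, approved):
    """Bulletin IDs the host still needs, limited to approved severities."""
    needed = {b.id for b in catalog
              if b.product == host["product"] and b.severity in approved
              and not is_covered(b.q, b.product, host["installed"], catalog)}
    return sorted(needed)


def report_by_workstation(catalog, inventory, approved):
    """Report 1: what patches each workstation needs."""
    return {h["name"]: missing_patches(catalog, h, approved) for h in inventory}


def report_by_patch(by_workstation):
    """Report 2: how many workstations need each patch."""
    counts = Counter()
    for needed in by_workstation.values():
        counts.update(needed)
    return dict(counts)


def summary(by_workstation):
    """Totals of the kind quoted in deployment statistics."""
    total = sum(len(v) for v in by_workstation.values())
    n = len(by_workstation)
    return {"workstations": n, "patches_needed": total,
            "average_per_workstation": total / n if n else 0.0}


if __name__ == "__main__":
    by_ws = report_by_workstation(load_catalog(CATALOG_XML), INVENTORY, APPROVED_SEVERITIES)
    for host, needed in by_ws.items():
        print(f"{host}: {', '.join(needed) or 'up to date'}")
    print(report_by_patch(by_ws))
    print(summary(by_ws))
```

The supersedence walk is what keeps the report honest: WS-B has only the newer hotfix installed and is correctly reported as up to date, while WS-D with nothing installed is reported as needing both the old and the new bulletin, which is the behaviour an administrator should expect before approving a rollout.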
SMS 2.0 SUS Feature Pack
demo
customer
Case Study: CNF
A new paradigm for patch management
Case Study: CNF
CNF is a global supply chain management company
  Air Freight, Customs, Ocean Forwarding
  Supply Chain Logistics
  Logistics Management
  Ground Transportation
WWW.CNF.COM
CNF’s Infrastructure
~3,000 workstations globally, most in the United States
Over 700 individual locations
  Some locations on a 32K circuit
  Some locations reside in a customer’s facility
  Some locations are on a B2B VPN
Windows 95 through Windows XP
Mixture of workstations and laptops
To patch or not to patch…
Life before the SUS FP… and Nimda
No manageable way to determine which workstation needed which patches
Systems patched “as touched”
Patches were applied to all new images and rebuilt workstations
Patching each workstation proactively was too costly in tech time and lost employee productivity
Manual end-user process achieved <10% success rate
And it’s a never ending cycle!!!!
What changed their minds?
Virus infections
  Nimda
  Code Red
  Melissa
  I Love You
Business Resumption/Protection
  Post 9/11
  Renewed emphasis on secure computing
SUSFP to the rescue
With MS Consulting services, SUSFP was installed and running on pilot workstations within 2 days
Dogfood! - IT Team are THE pilot group!
SUSFP impact on SMS servers was negligible
DB growth, but well within predicted size
Rolled SUSFP company wide within a week of the successful pilot
SUSFP to the rescue (cont)
Provided concise reports (out of the box):
  What patches each workstation needed
  Number of workstations that needed each patch
  When a patch was applied
SMS 2003 Patch Web Reports are even better!
SUS FP – Statistics
Weekly inventories
56 approved security bulletins across CNF’s workstations
1,133 eligible workstations
37,412 individual patches applied
Average of 33.5 patches per workstation
0 workstations broke due to SUS FP security patching!!!
SUSFP – Reality Check
Patching now routine
Our employees now trust SMS and SUSFP
Management expects workstations to stay current
Developers have a baseline to test their applications against
Management impressed by exposure and trouble-free solution
Hardware budget increased
WAN link speeds to remote sites being upgraded to ensure total patch coverage
SUSFP – Lessons Learned
Test, test, and retest all patches before deploying
DOGFOOD, pilot group of savvy users, then the “public”
Inconsistent QFix behavior
  Microsoft working to address this issue
Consider network bandwidth
Hardware testing
  VMware great, but hardware specific QFixes need to be tested on real hardware
To force a reboot or not…
Enabled Products / Components
Component / Product      Feature Pack   SUS / SUS SA
Windows 2000 / XP        Yes            Yes
IIS 5.0                  Yes            Yes
Internet Explorer        Yes            Yes
Windows Media Player     Yes            Yes
MS-XML                   Yes (1)        Yes
MDAC                     Yes (1)        Yes
Windows NT 4.0           Yes            No
IIS 4.0                  Yes            No
SQL Server               Yes            No
Exchange                 Yes            No
MS-Office                Yes            No
(1) Available using standard SMS software distribution
Enabled Categories
Category                          SUS Feature Pack 1.0   SUS - Software Assurance   SUS 1.0
Critical Security Updates (1)     Yes                    Yes                        Yes
Security Roll-ups                 Yes                    Yes                        Yes
Windows Critical Updates          Yes (2)                Yes                        Yes
Service Packs                     Yes (2)                Yes                        No
Recommended Updates               Yes (2)                Yes                        No
Advanced Security Updates         Yes (2)                Yes                        No
Application Compatibility Updates Yes (2)                Yes                        No
Driver Updates                    Yes (2)                No                         No
(1) Includes critical, important, moderate and low severity items
(2) Available using standard SMS software distribution
Patch Command Lines
Sustained Engineering Baseline (SEBase) initiative
  Filename standards
  Command line/behavior standards
Review of installer engines and examples
  Internet Explorer (IExpress)
  Windows (hotfix.exe/update.exe)
  MS-Office (ohotfix.exe/Windows Installer)
Recent Updates
MBSA v1.1 Integration
Provides additional detection
  Exchange (5.5 and 2000)
  SQL Server (7.0 and 2000)
  Windows Media Player (6.4 and above)
Available from PSS using KB 814906
Or download now from microsoft.com
SMS 2.0 Administration Feature Pack
Administration Feature Pack
Transfer site settings from one site to another
  Menu extension Wizard or command line
Manage Site Accounts
  One or more sites in a hierarchy
  Command-line tool used to manage SMS accounts
Elevated Rights Deployment Tool
  Install software using SMS that requires a reboot, then continued administrative rights
Web Reporting Tool
  Reports on software update status, EA true-up, QFE status
Administration Feature Pack
demo
SMS 2003 Feature Packs
Device Management Feature Pack
  Windows CE
  Windows XP Embedded
  Pocket PC/SmartPhone
OS Imaging Feature Pack
Device Space
Point of Sale (POS)
Single Purpose Commercial Device (SPD)
Windows Based Terminal (WBT)
Personal Digital Assistant (PDA)
Smart Phone
Device Management needs
Features Administrators need to manage devices
  Asset Mgmt: How many, where, what hardware/configuration?
  Security+Config: Enforce settings and patches
  App updates: Distribute packaged and LOB apps
  Backup+Recovery
  Remote Troubleshooting
Features Administrators requested included
  Single UI experience for desktops, POS, WBTs, PDAs etc
  Leverage a single management infrastructure
Manageability enabling deployment
  In many segments lack of management is a deployment blocker for corporate adoption or upgrade of existing simple devices
Management Strategy for devices
Windows XP Embedded
  Mainly ‘PC like’ devices with sufficient power, memory and CPU
  With SMS infrastructure use SMS 2003 Advanced Client Embedded Version
  Without SMS use XPe Device Update Agent – simple functionality
Windows CE/PocketPC
  Handhelds or small devices with limited memory
  With SMS infrastructure use SMS 2003 Device Management Client
Windows Smartphone
  Are currently managed via WAP protocols. Potential for SMS enterprise management in the future – under investigation
SMS XPe Advanced Client
Solution overview
Embedded version of the SMS 2003 Advanced Client
Plugs into XP Embedded target designer for building images
Will be available for download on XP embedded web site
Agent features identical to conventional SMS adv client with the exception of Remote Tools
CAL Licensing identical to conventional client
SMS 2003 Device Management Feature Pack
Add-on to SMS 2003 to manage Windows CE based devices
Target market
  PDA and Single Purpose handheld devices in the enterprise
Enterprises who want a single management SMS infrastructure for servers, desktops and devices
Enterprises who want a common administration experience with desktops
CE Device Management Feature Set
Feature set
Discovery/Identification
Hardware Inventory
Software Inventory and File Collection
Software Distribution
Script Execution
Network Architecture (diagram): Primary Site Server with the Site Database; SMS Admin UI on the Admin UI Framework; Management Point (MP components, ISAPI DLLs) serving Advanced Clients; Device Management Point (DMP components, ISAPI DLLs) serving the Device UI; Distribution Points with IIS enabled. Numbered flow:
1. Enter name of DMP – device registers with SMS
2. Device reports discovery + inventory data
3. Discovery + inventory data transferred to SMS DB
4. Retrieve SW adverts for client
5. Optional + mandatory SW adverts sent
6. Device requests content location (from DMP) and pulls from local Dist Point
7. Device reports status of SW installation request
SMS 2003 CE Device Mgmt Network Architecture (1)
Connection
  http(s) to Device Management Point (DMP)
  Optional https to server (needs cert provisioning)
  XML based protocol
  Identical docked (via http PC proxy) and network Wireless/Ethernet behavior for device
Polling
  Device polls MP on interval to report discovery data and pick up software advertisements
  SMS Programs can have bandwidth/connection criteria
  Fault tolerant for unreliable networks
SMS 2003 CE Device Mgmt Network Architecture (2)
Device MP dependent on standard MP
  Always resident on same machine
  Shares SQL connection account
Distribution Points
  DMP can refer clients to a DP with IIS installed (‘BITS enabled’)
Client ‘roaming’ supported within SMS hierarchy
  Client will be referred to local content servers (DPs). Supports local and regional roaming.
  Change of Device MP is a manual operation via client UI, but not normally necessary
Client Installation and Config
Options for installing mgmt client:
  A) Client built-in to OEM ROM
  B) CAB install via ActiveSync
  C) CAB install from device
  D) CAB install via SMS desktop distribution
Options for registering with Device Management Point:
  A) Type DMP name in Device Control Panel applet
  B) Run registry config file on the device
  C) Distribute config via SMS desktop distribution
(diagram: Client CAB → Install client → Register with DMP)
Image Deployment Feature Pack
Image Deployment Feature Pack
OS Deployment is an essential task in most large Enterprises.
OS Deployment can be achieved either via an upgrade in place or by deploying a new image
  Installing an OS + Apps on a new machine in a lab (which replaces an existing machine)
  Imaging a machine in production (re-imaged for help desk failure, deploy new OS + Apps)
Value in providing the SAME processes to do both including:
  state migration, deploy, app deploy, status, targeting
Core Scenarios
Machine re-provisioning
  Fully functioning computer
  SMS 2003 client installed
  User state must be migrated
Raw iron provisioning
  New computer without an OS
  User will insert bootable media
  User state doesn’t need to be migrated
Disaster recovery
  Computer unable to boot
  User will insert bootable media
  User state migrated if possible
Overview of ID with SMS 2003
Create a SWD Package from Image
Create an Advertisement
Execute the Package on the target SMS client computer
Monitor status from SMS client computer showing new OS + Apps
Creating an Image Package
Creating an Image Package is just like creating any other SMS package
  Use specific Package Definition Files (PDF)
  Use specific Image Deployment Files (IDF) to create packages with image specific deployment properties
Unique scheduling options
User State Migration integration
Security accounts
Deploying Images
Distributing an Image Package is just like distributing any other SMS package
All the benefits of SMS SWD
  Site-site distribution, delta rep to DP’s
BITS download to client
Deploy images + additional software all at once
Status to show complete lifecycle.
Image Package Execution
User notification and approval
Various steps:
Copying of the Image Package from DP.
Saving of user, machine and SMS Client state/data
Boot into WinPE, image laid out.
Boot into new Image, restoring of user, machine and SMS Client state/data.
Client with new Image and fully managed by SMS
Image Deployment
demo
Next Steps…
SMS team is committed to continue delivering value to our customers
Feature Packs give us the ability to do this in a supported way!
Now an adopted practice at MS – look for more FP’s to come!
Continue giving us your ideas for improvements at [email protected]
Community Resources
Community Resources
  http://www.microsoft.com/communities/default.mspx
Most Valuable Professional (MVP)
  http://www.mvp.support.microsoft.com/
Newsgroups
  Converse online with Microsoft Newsgroups, including Worldwide
  http://www.microsoft.com/communities/newsgroups/default.mspx
User Groups
  Meet and learn with your peers
  http://www.microsoft.com/communities/usergroups/default.mspx
Evaluations
© 2003 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.