The software update management feature in SMS provides an end-to-end solution for centralized software update management. Assessing and maintaining the integrity of system software in a networked environment through a well-defined software update management program is critical for successful information security, regardless of existing controls over physical access to a system.
The software update management feature also gives the IT administrator full control over the software update distribution process, allowing you to complete administrative tasks such as:
Deploying mandatory software updates without a user interface
Defining multiple scopes for the same package, where the same package is distributed with different runtime parameters to multiple collections
Applying updates within specified beginning and end times on the advanced client
Using software update templates that are imported from reference computers to expedite the deployment of critical software updates
The predefined software update reports provide you with an easy way to access the status of software update deployment throughout your enterprise. You can use these reports to view the global compliance level for each authorized patch and reported potential security problem. This is particularly useful in tracking the status of critical software updates, such as those protecting against the actions of a harmful virus. These reports also make it possible for you to create collections of computers to which specific software updates should be applied or to delete collections for which software updates are no longer necessary. By using the dashboard feature in SMS 2003, you can build dashboards that provide a complete view of software update compliance throughout the organization. An example of these dashboard and reporting capabilities is shown in Figure 12-3.
The predefined collections, packages, and advertisements that are created by software update inventory tools are designed to simplify the workflow for your software update deployment. This provides you with an easy way to distribute the software updates to a test collection before deploying them in a production environment.
By carefully planning your software update strategy, you can create and maintain software update packages and distribute them based on any criterion. For example, you can create a package with stringent enforcement rules that contains only critical updates, another that contains recommended updates and has moderate enforcement rules, and a third with lenient enforcement rules that contains optional updates. You can also create packages that contain only updates for specific operating systems or versions, such as Windows NT 4.0 and Windows 2000, to simplify migration scenarios.
In addition, you can use the software update inventory data to perform specific queries, such as querying for clients that have properties that meet criteria in the vulnerability matrix for a given software update. This data can be useful in determining whether the patch should be deployed and who might be affected; for example, how many computers are running Internet Information Services (IIS) but are not actually hosting line-of-business web sites.