
List:       ntbugtraq
Subject:    Re: SMS SUS and Update Rollup 1 for XP (826939)
From:       "Threlkeld, Richard" <richardt () QUALCOMM ! COM>
Date:       2003-10-31 5:36:21

Can't make any comments on the 3rd party tools; however, in regards to
the SMS SUSFP:

An SRP like this is handled outside of the SMS SUSFP.  This is handled
in the same way that service packs are distributed with SMS, through
normal packaging and SMS Software Distribution methods and not with the
SUSFP by using the DSUW (Distribute Software Updates Wizard).  This has
been communicated by Microsoft since the SMS SUSFP was first released.
SMS Administrators using the SUSFP don't need to push out this SRP since
the DSUW does this in a more robust method by being able to include all
the updates in this SRP and more into one update package.

The Update Rollup (826939) is not in MSSECURE.XML because of the above
philosophy:
http://www.microsoft.com/technet/security/search/mssecure.xml

Because of this, the data source that the MBSA (via the SUSFP Scan Tool)
uses to scan the system doesn't look for the SRP so it cannot enter it
into WMI.  An SRP is a collection of updates so the MBSA cannot scan to
make sure that the registry and all the individual files that it *might*
have updated are updated.  However it can scan individually to make sure
that the updates included in the SRP
(http://support.microsoft.com/?kbid=826939) have been applied and these
should be reported correctly through the SUSFP even after installing the
SRP.

I believe the philosophy is also why Windows Update does not install it
when you scan for updates.  It installs the updates individually, kind
of like a much larger 'web based' SRP of sorts.

This rollup should query HKLM\Software\Microsoft\Updates\WindowsXP for
any missing updates and only apply those that are missing.  On all the
testing I've done and seen I haven't seen it remove any of the registry
entries underneath the ..\Updates\WindowsXP key, is this what you are
saying is happening?  It's actually the MBSA command line interface that
the SUSFP uses to scan the system for Installed and Applicable updates
which looks not only in the registry but also at file version checksums.
However once again the SRP shouldn't remove these entries and if this is
happening then another call to PSS may be warranted because this should
not be.  Maybe it is from ARP that you are seeing updates removed from
after installing 826939 and not the ..\Updates\WindowsXP hive?

Also, Add/Remove programs is not the best place to look for Hotfixes
since they do not always register depending on what command line
switches were specified by the Administrator to allow uninstall.  This
is why the SMS SUSFP enumerates if a patch is Installed or Applicable
and places this into WMI so that it can roll up into the SMS Database
because ARP isn't a good source of information.

So to summarize, you won't be able to report if the rollup package is
installed with the SUSFP however you still should be able to see if the
updates that the rollup applied have been installed.  If you are using
SMS and are still interested in seeing which systems have installed the
SRP you can easily make an SMS_DEF.MOF modification and use a registry
provider to pull the key information for ..\Updates\WindowsXP and use
that class for reporting instead of the SMS SUSFP.



Best,

Richard Threlkeld 
Microsoft MVP - SMS
richardt@qualcomm.com 
 

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ@listserv.ntbugtraq.com] On Behalf Of Brian Mays
Sent: Thursday, October 30, 2003 7:56 AM
To: NTBUGTRAQ@listserv.ntbugtraq.com
Subject: SMS SUS and Update Rollup 1 for XP (826939)

Russ,

I have an update from Microsoft regarding this issue.

Earlier, I sent in an email to the list trying to determine if there was
something that I could do to fix the problem with the rollup not showing
up in the SMS SUS reports as installed.  I called Microsoft Professional
Support Services and they told me that this was an issue that would be
looked into and that a work around would be to distribute the individual
security updates included in the rollup package as a "group" via the
"Distribute Software Updates" wizard in SMS.  This way each individual
update is listed in the registry and in the Add/Remove Programs window.

Basically, it looks like "rollup" packages will pose a problem for
anyone who is using SMS SUS or other third-party tools to deploy and
"report" on critical updates.  The rollup packages remove registry
entries for updates, which are included in the rollup, that were applied
previously.  This procedure makes some scanning tools register the
previous updates as "Not Installed".

Brian Mays
Manager of Network Systems
Stein Mart, Inc.
Jacksonville, FL

-----
Marcus Ranum's new book "The Myth of Homeland Security" is now out and
is available from http://www.amazon.com/ranum In this hard-hitting
review of the homeland security business, Ranum shows us how the problem
is vastly harder than it's being made to sound, and how special
interests, butt covering, and bureaucracy are threatening to derail any
chance of making progress.
-----
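
Added example, not part of the original thread: one way to settle on a test machine whether installing the rollup removes entries under the ..\Updates\WindowsXP key is to snapshot its subkeys before and after the install and diff the two lists. The root path is taken as written in the post; the function names are hypothetical and the sample key names at the end are constructed placeholders.

```powershell
# Root key exactly as written in the post; pass -Root if your systems differ.
function Get-UpdateKeySnapshot {
    param([string]$Root = 'HKLM:\Software\Microsoft\Updates\WindowsXP')

    if (-not (Test-Path -Path $Root)) { return @() }
    $rootName = (Get-Item -Path $Root).Name
    # Every subkey at any depth, reduced to its path relative to the root.
    Get-ChildItem -Path $Root -Recurse |
        ForEach-Object { $_.Name.Substring($rootName.Length).TrimStart('\') } |
        Sort-Object
}

function Compare-UpdateKeySnapshot {
    param([string[]]$Before, [string[]]$After)

    # Drop null/empty items so an empty snapshot file compares cleanly.
    $Before = @($Before | Where-Object { $_ })
    $After  = @($After  | Where-Object { $_ })

    # -notcontains is case-insensitive, which matches registry key naming.
    $removed = @($Before | Where-Object { $After  -notcontains $_ })
    $added   = @($After  | Where-Object { $Before -notcontains $_ })

    New-Object PSObject -Property @{ Removed = $removed; Added = $added }
}

# On a real system:
#   Get-UpdateKeySnapshot | Set-Content before.txt      # before the rollup
#   Compare-UpdateKeySnapshot -Before (Get-Content before.txt) `
#                             -After  (Get-UpdateKeySnapshot)

# Offline demonstration with constructed placeholder key names:
$before = 'SP2\Q000001', 'SP2\Q000002', 'SP2\Q000003'
$after  = 'SP2\Q000001', 'SP2\Q000003', 'SP2\KB000004'
$diff   = Compare-UpdateKeySnapshot -Before $before -After $after
"Removed: $($diff.Removed -join ', ')"
"Added:   $($diff.Added -join ', ')"
```

A non-empty Removed list after the install is the behaviour Brian describes; an empty one matches what Richard reports from his testing.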
