Patches with SMS 2.0 or 2003 for servers during user-defined maintenance slots

Abstract


The project allows a machine-specific maintenance slot to be defined in which patches and other software are installed. This slot lies within an administrator-set time frame in which a given patch or software installation has to take place. Inside this time frame, the server's owner (the person who is the main user of the machine) is free to select a suitable slot in which the operations are performed. This allows a flexible and user-friendly integration of administrator-driven installations. The project is based on Microsoft Systems Management Server.


Motivation

Distribution of patches is critical to system stability and security. For administrators of a substantial number of servers, an automatic and convenient way to do so is required. Another requirement in the environment I was working in was that a role called "Server Owner" be defined. All servers would be set up and maintained by the central IT organisation, but the users of those machines (DBAs, WebAdmins, LOBAdmins, etc.) were to be given a say as to when their servers would be taken down for maintenance. The central organisation defined SLAs regarding patching (a patch had to be installed within two weeks of its release), and Server Owners were free to choose any point within this time frame to conduct maintenance.

Components

  • Microsoft SMS
  • Software Update Services Feature Pack (if using SMS 2.0)

Prerequisites

  • Extend sms_def.mof with a Maintenance Slot class using the Registry provider, so that the maintenance slot stored in the registry is read during SMS hardware inventory
  • Create 22 collections whose membership rules are based on the Maintenance Slot number

Process overview

MBSA files sync

Synchronization of the MBSA source files (containing all available patches for all supported platforms and applications) is done via an advertisement running against the SMS central site server itself. In order to be able to download these files, a logged-on user (on the console!) is necessary, because "Internet Options" are queried for proxy settings and the like.

MBSA scan on all clients

A recurring advertisement runs on all Windows SMS clients to store the MBSA scan results in the local WMI repository. These values are brought into the SMS database via hardware inventory.

Downloading patches

Download patches into an existing package to maintain the structure. If there is no package for a given language / product, create a new one where the others are located and observe the naming convention. To be able to transfer only those patches to child sites which are really needed there, we split packages by platform / product and by language, for example "W2k3 Patches English".

Advertising patches via script

There is a script attached (createADV.txt) which can be used to create a new set of advertisements targeting the 22 maintenance slot collections.

Monitoring success

Web Reporting, Admin Console, etc

How to use the script

Run the script with cscript and pass the date of a future Tuesday. This day will be "day 0" of the next round of patches. The script creates advertisements for each package and program specified in the script, targeting all the Maintenance Slot collections. You can download the script after login.

  • Create a new program for each patch package, choose a name that includes the starting week ("Patches as of week 20").
  • Modify the script to include the new program name.
  • Start the script with a correct set of parameters (the date must be a Tuesday, and it should be one in the future: all mandatory advertisements whose time lies in the past will be executed immediately). The script deletes the advertisements created in previous runs before creating the new ones.
  • Every advertisement deleted / created will be logged on the console.

What does a Server Owner have to do?

The first thing to do is to select a server boot slot. If new patches are applicable to his system, the server will automatically install them and reboot itself (if necessary) at that time. The process may be started earlier if convenient. Aside from that: Nothing!

Figure: ServerBootSlots (the slot table; only visible after login).

There are 14 days and 22 possible time slots to select from. If you want a server to be patched and rebooted on the morning of the second Monday, you select slot number "20". To make the actual change, set your server's registry value at:

HKEY_LOCAL_MACHINE\SOFTWARE\Micronas\SysSup\MaintenanceSlot

How does the patch process work?

The patch process follows a two-week rhythm. Microsoft releases new patches on a Tuesday, so this process begins on a Tuesday, too. Within 14 days all servers are patched. In case of an emergency this time limit needs to be shortened.

Modifications to the system

You can also use the script to distribute programs other than security patches without deleting the current patch advertisements. To do so, change the comment inserted in each advertisement, which is what the script uses to identify the advertisements it created. If you plan to include a program that should run alongside a new round of patches, be aware that the patch program reboots the machine after a countdown of 5 minutes. If your program has not finished within that time, your advertisement will fail. In such a case it might be better to use the "run another program first" property of the patch program.
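The rules the script has to enforce, both for a regular patch round ("How to use the script") and for the comment-based re-use described above, are sketched in the following Python. It is an added, constructed illustration: it is not the attached createADV.txt, it does not talk to the SMS WMI provider but to an in-memory stand-in, and collection IDs, package IDs, times of day and every slot offset except slot 20 (the morning of the second Monday, as stated on this page) are assumed placeholders. What it shows is the day-0 validation (a Tuesday in the future, otherwise all mandatory advertisements already in the past fire at once), the check that every slot falls inside the 14-day window, and the deletion of only those advertisements that carry the same comment before one advertisement per program per slot collection is created.

```python
"""Dry-run planner for one round of per-slot advertisements (constructed illustration)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta

SLOT_COUNT = 22          # from the page: 22 maintenance slot collections
WINDOW_DAYS = 14         # from the page: every server is patched within 14 days
TUESDAY = 1              # datetime.weekday(): Monday is 0
MORNING = time(6, 0)     # assumed times of day
EVENING = time(20, 0)


@dataclass
class Advertisement:
    """Subset of the advertisement fields the script has to fill in."""
    name: str
    collection_id: str
    package_id: str
    program_name: str
    comment: str          # marker identifying which run created the advertisement
    mandatory_at: datetime


@dataclass
class FakeAdvertisementStore:
    """In-memory stand-in for the site's advertisement list (constructed, not SMS)."""
    adverts: list[Advertisement] = field(default_factory=list)
    log: list[str] = field(default_factory=list)


def validate_day0(day0: date, today: date) -> None:
    """Day 0 must be a Tuesday (Microsoft's release day) and lie in the future;
    a past day 0 would make every mandatory advertisement run immediately."""
    if day0.weekday() != TUESDAY:
        raise ValueError(f"{day0} is not a Tuesday")
    if day0 <= today:
        raise ValueError(f"{day0} is not in the future")


def placeholder_slot_table(day0: date) -> dict[int, datetime]:
    """Constructed stand-in for the ServerBootSlots table.

    Only slot 20 comes from the page (morning of the second Monday, which is
    day 13 when day 0 is a Tuesday). The other entries are a synthetic fill,
    two per day, purely so that the planner has 22 slots to work with.
    """
    table: dict[int, datetime] = {}
    for slot in range(1, SLOT_COUNT + 1):
        at = MORNING if slot % 2 else EVENING
        table[slot] = datetime.combine(day0 + timedelta(days=(slot - 1) // 2), at)
    table[20] = datetime.combine(day0 + timedelta(days=13), MORNING)
    return table


def validate_slot_table(day0: date, slot_times: dict[int, datetime]) -> None:
    """All 22 slots must be defined and fall inside the 14-day window (the SLA)."""
    if set(slot_times) != set(range(1, SLOT_COUNT + 1)):
        raise ValueError("slot table must define exactly slots 1..22")
    start = datetime.combine(day0, time.min)
    end = start + timedelta(days=WINDOW_DAYS)
    for slot, when in slot_times.items():
        if not start <= when < end:
            raise ValueError(f"slot {slot} at {when} lies outside the 14-day window")


def plan_round(store: FakeAdvertisementStore, day0: date, today: date,
               programs: list[tuple[str, str]], comment: str,
               slot_times: dict[int, datetime] | None = None,
               collection_prefix: str = "SLOT") -> tuple[int, int]:
    """Delete the advertisements of the previous run (same comment), then create
    one advertisement per program per slot collection. Returns (deleted, created)."""
    validate_day0(day0, today)
    slot_times = slot_times or placeholder_slot_table(day0)
    validate_slot_table(day0, slot_times)

    # Only advertisements carrying this run's comment are touched; a different
    # comment leaves the current patch advertisements alone.
    previous = [a for a in store.adverts if a.comment == comment]
    for adv in previous:
        store.adverts.remove(adv)
        store.log.append(f"deleted {adv.name} -> {adv.collection_id}")

    created = 0
    for package_id, program_name in programs:
        for slot in range(1, SLOT_COUNT + 1):
            adv = Advertisement(
                name=f"{program_name} - slot {slot:02d}",
                collection_id=f"{collection_prefix}{slot:02d}",   # placeholder collection IDs
                package_id=package_id,
                program_name=program_name,
                comment=comment,
                mandatory_at=slot_times[slot],
            )
            store.adverts.append(adv)
            store.log.append(f"created {adv.name} -> {adv.collection_id} "
                             f"at {adv.mandatory_at:%Y-%m-%d %H:%M}")
            created += 1
    return len(previous), created


if __name__ == "__main__":
    # Constructed dates: 2024-05-01 is a Wednesday, 2024-05-07 the following Tuesday.
    store = FakeAdvertisementStore()
    print(plan_round(store, date(2024, 5, 7), date(2024, 5, 1),
                     [("XXX00001", "Patches as of week 19")], comment="createADV patches"))
    print("\n".join(store.log[:3]))
```

Running the planner twice with the same comment replaces the previous round (22 deleted, 22 created per program); running it with a different comment adds a second, independent set and leaves the patch advertisements untouched, which is the behaviour the modification note above relies on.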

Attachment            Size
createADV.txt         6.43 KB
ServerBootSlots.gif   20.15 KB