Security updates not available

billybarty

Technical User
May 3, 2002
251
CA
I am trying to distribute security updates released on the 13th through SMS 2.0. I have done the sync with Microsoft a couple of times and the results show as successful. I then have scanned our clients using the expedited program that will update our server as soon as the scan is done. Everything appears to be working right, however when I go through the wizard and it scans our clients none of the new updates are available. I looked at the date on the mssecure.xml file and it is from the 13th so it should have the latest updates. Any idea what I am doing wrong?
 
This has always been an issue with me. First, open mssecure.xml in notepad and search for MS04-013. If you find it then your mssecure.xml is current. Second, new updates will only be available after machines report them as missing. I know, I know, if your mssecure is up to date why are they not showing up? I have no idea. Maybe someone else here can point you in the right direction.

To get around this problem, I download the patch myself, create a package for each patch, and push those packages. It's a little cumbersome, but it works just fine. I only have so many days to install critical patches on our machines, so I typically don't have time to wait for MS.
 
Oops, I just noticed you are using 2.0. I was referring to 2003. I don't know if the processes are different or not.
 
I've verified the updates are part of the mssecure.xml file and have scanned our clients again using the (expedited) program to update the server right away. Where can I see when the server was updated following the scan to see if it is completing properly?
 
The patches require a reboot, and if it didn't reboot it won't show up as installed.

 
Another thing I am wondering about is for when new systems come on the network and how patch management is handled by other people. We use about 4 different images for our desktops and laptops and don't want to update our images every time there is a new patch available. So what I have been doing with SMS is creating a collection for each patch and the criteria for that collection is based on a query that only contains systems where that specific patch is applicable and then leave the ad to never expire. This way, when a new system comes on it will get all the required patches. The problem is that a new system comes on and it might not be scanned and receive the patch for 7 days so the system is unprotected and the user is wondering why a week after he got his new system it is installing patches and rebooting. I'm looking for the ways that other SMS admins handle new systems patch management. Thanks for all your help.
 
After setting the system up with an image we run windowsupdate.
 
One other reason you could have problems is if you haven't updated to MBSA 1.2, which you'll need to update :)
 
I am sure the mssecure.xml file is current and the inventory scans have completed successfully. I would like to verify that the scan results are being kicked up to our server. Can anyone tell me if there is a file that is updated after the scan or a log file I can look at? I am looking in the securitypatch folder and the only file that has been modified lately is the mssecure file.
 
It's not the mssecure.xml file that wouldn't be new; it's the actual MBSA 1.2 upgrade that needs to be in place to read the new mssecure.xml file. MBSA 1.x won't see the new patches.

But to answer your question, check the securitypatch.log for install info.

The securitysyncxml.log and the patchdownloader.log will indicate if the patches were downloaded.
 
It's not the mssecure.xml file that wouldn't be new; it's the actual MBSA 1.2 upgrade that needs to be in place to read the new mssecure.xml file. MBSA 1.1 won't see the new patches.

But to answer your question, check the securitypatch.log for install info.

The securitysyncxml.log and the patchdownloader.log will indicate if the patches were downloaded.
 
I just updated my system to MBSA 1.2. Do I have to distribute this to all my clients?
I looked in the securitysync.xml file located on the server and this is what it contains:
Initialized log file - SyncXML started at 4/19/2004 12:18:05 PM
Command line specified package to update on DPs as RS100013
Command line specified folder to update as \\CRBS0007\C$\Program Files\SecurityPatch.
Command line specified site code: RS1.
Command line specified site server: CRBS0007.
Specified folder is local, changing it to: C:\PROGRAM FILES\SECURITYPATCH
Download completed - Download completed successfully.
Updating Distribution Points for Package: RS100013, Site: CRBS0007, SiteCode: RS1, Source dir: \\CRBS0007\C$\Program Files\SecurityPatch
Failed to update Distribution Points. Error code: 2147942405
I searched for the code on the Internet and it says it is access denied.
I looked in site settings>component configuration>software distribution and the NT account area is blank.
We have some SMS domain accounts but I'm not sure if one of them should be in this spot. There have been no known changes to our setup and the distribution worked well the last time patches were sent out. All this help is greatly appreciated.
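
How the decimal error code in the log above maps to "access denied", as an added example that is not part of the original thread: the number is a 32-bit HRESULT printed in decimal (2147942405 is 0x80070005), and its fields can be split out locally instead of searching for it. The function name is hypothetical, and the sample lines are copied from the log quoted in the post.

```powershell
# Constructed sample: three lines copied from the SyncXML log quoted in the post above.
$logLines = @(
    'Download completed - Download completed successfully.'
    'Updating Distribution Points for Package: RS100013, Site: CRBS0007, SiteCode: RS1, Source dir: \\CRBS0007\C$\Program Files\SecurityPatch'
    'Failed to update Distribution Points. Error code: 2147942405'
)

# Hypothetical helper (not an SMS cmdlet): split a logged error number into HRESULT fields.
function ConvertFrom-LoggedErrorCode {
    param([Parameter(Mandatory = $true)][long]$Value)

    # Logs may print the same 32-bit value signed or unsigned; normalise to unsigned.
    # The mask is written in decimal because PowerShell reads 0xFFFFFFFF as -1.
    $hr       = $Value -band 4294967295
    $failure  = (($hr -shr 31) -band 1) -eq 1     # top bit set means failure
    $facility = ($hr -shr 16) -band 0x1FFF        # which subsystem raised it
    $code     = $hr -band 0xFFFF                  # subsystem-specific error number

    # Facility 7 (FACILITY_WIN32) means the low 16 bits are an ordinary Win32
    # error number, which Windows can turn into its standard message text.
    $message = $null
    if ($facility -eq 7) {
        $message = (New-Object System.ComponentModel.Win32Exception ([int]$code)).Message
    }

    [pscustomobject]@{
        Logged   = $Value
        HResult  = '0x{0:X8}' -f $hr
        Failure  = $failure
        Facility = $facility
        Code     = $code
        Message  = $message
    }
}

# Pull every "Error code: N" out of the log and decode it.
foreach ($line in $logLines) {
    if ($line -match 'Error code:\s*(-?\d+)') {
        ConvertFrom-LoggedErrorCode -Value ([long]$Matches[1]) | Format-List
    }
}
```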
 
We ran a new SUSFP in November of last year. Is this the latest that you are referring to that uses the MBSA 1.2 or a way I can check my version we have on the server?
 
The latest one put out was March 2nd this year... don't know what changes might be in there :-|

SecurityPatch_ENU.EXE

PatchWiz_ENU.EXE

Sorry I can't be of more help on that
 