Systems Management Server Roadmap
Apr. 3, 2006
In an unusual step, Microsoft has released public betas of the next two releases of Systems Management Server (SMS) at the same time. ISVs and corporate IT departments wanting to allow their software to be patched using SMS should consider evaluating SMS 2003 Release 2 (R2), a minor release slated for mid-2006, that adds the ability to patch non-Microsoft software. However, the next release, code-named SMS v4 and slated for the first half of 2007, introduces many more new or improved capabilities. (For a timeline of upcoming SMS releases, see the illustration "SMS Roadmap Timeline".)
SMS 2003 is Microsoft's current product for inventorying Windows-based hardware and software assets, distributing software, applying patches, tracking licenses, and diagnosing and fixing problems on remote systems. Both beta releases follow closely on the heels of SMS 2003 SP2, which introduced several new features (see the sidebar "SMS 2003 SP2").
SMS 2003 Release 2
The unspecified SMS 2003 update announced at the Apr. 2005 Microsoft Management Summit is now officially SMS 2003 R2. This means that current SMS 2003 customers without Software Assurance (SA) will have to pay to get the upgrade, and they will need new SMS Client Access Licenses (CALs) as well. An open beta version of SMS 2003 R2 was released in Feb. 2006 and the product is slated for release before summer 2006.
Although Microsoft considers SMS R2 a full release, it is actually a feature pack for SMS 2003 SP2 systems; it does not contain the base SMS code and adds only two new capabilities: third-party patching and vulnerability assessment.
R2's Inventory Tool for Custom Updates (ITCU) feature can detect and install required patches for non-Microsoft products, including custom applications. Even though many non-Microsoft products, particularly antivirus and antispyware products, have their own self-updating capabilities, organizations could benefit from a single enterprise-wide product performing all their software updates. However, the new custom updates feature works differently from the SMS tools for patching Microsoft software.
SMS's existing Distribute Software Updates feature uses scheduled SMS jobs to periodically synchronize SMS's database with published catalogs of patch applicability information from the Microsoft Update, Windows Update, or Office Update Web sites. R2's ITCU, by contrast, gets catalog data for non-Microsoft software indirectly. It requires installation of the Custom Updates Publishing Tool (CUPT) included with R2 on a computer in the customer's environment. Using this tool, an administrator imports Windows Update-format catalog files from ISVs and publishes them to the SMS site server. The CUPT can also generate Windows Update-format catalog files for any in-house or third-party product that patches existing software with executable or Windows Installer (.msi) files.
Once the catalog files have been published to SMS, the Custom Updates job runs on all target computers and uses the catalog data together with the built-in Windows Update Agent to scan each computer. SMS's inventory feature returns the results back to the SMS server telling it which patches are needed. Administrators can then use SMS 2003's Distribute Software Updates Wizard to install the required patch files on computers where they are required.
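The detect-then-install logic that one custom update entry expresses, together with the silent Windows Installer packaging the article later asks ISVs to provide, reduced to a script. This is an added example and not the CUPT, the ITCU or the Windows Update catalog format: the $updates list is a constructed stand-in for a single catalog entry, and the product name, version and installer path in it are invented. The Authenticode check is the editor's addition, because whatever the catalog points at will execute with full privileges on every targeted computer.

```powershell
# Added example (not the CUPT, the ITCU or the Windows Update catalog format):
# the detect-then-install logic a custom update entry boils down to, plus the
# check an administrator should insist on before a vendor patch runs as SYSTEM.
# Product name, version and path below are constructed sample data.

$updates = @(
    @{
        Product      = "Contoso Viewer"                     # DisplayName under the Uninstall keys
        FixedVersion = [version]"3.2.1"                     # anything older needs the patch
        Installer    = "C:\Patches\ContosoViewer-3.2.1.msi"
        Arguments    = "/qn /norestart"                     # silent install, no forced reboot
    }
)

function Get-InstalledVersion([string]$DisplayName) {
    # Read the Add/Remove Programs entries that inventory tools also use,
    # in both the native and the 32-bit-on-64-bit (WOW6432Node) hives.
    $hives = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
             "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
    foreach ($hive in $hives) {
        $entry = Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
                 Get-ItemProperty |
                 Where-Object { $_.DisplayName -eq $DisplayName } |
                 Select-Object -First 1
        $parsed = $null
        if ($entry -and [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)) {
            return $parsed
        }
    }
    return $null    # product not installed (or its version string is not parseable)
}

function Test-UpdateApplicable($update) {
    $installed = Get-InstalledVersion $update.Product
    # Not installed, or already at or above the fixed version: not applicable.
    return ($null -ne $installed) -and ($installed -lt $update.FixedVersion)
}

function Install-Update($update) {
    # The patch runs with full privileges on every targeted machine, so treat it
    # as code: require a valid Authenticode signature before launching it.
    $sig = Get-AuthenticodeSignature -FilePath $update.Installer
    if ($sig.Status -ne "Valid") {
        throw "Refusing $($update.Installer): signature status $($sig.Status)"
    }
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
    $msiArgs = "/i `"$($update.Installer)`" $($update.Arguments)"
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    # Windows Installer exit codes: 0 = success, 3010 = success, reboot pending.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec exited with $($proc.ExitCode) for $($update.Product)"
    }
    return $proc.ExitCode
}

foreach ($u in $updates) {
    if (Test-UpdateApplicable $u) {
        $code = Install-Update $u
        "$($u.Product): patch installed (exit code $code)"
    } else {
        "$($u.Product): patch not applicable"
    }
}
```

Run it in an elevated session; the detection half works on any Windows machine, and the install half is only reached when the sample product is present at an older version. The point of the signature check is that a "silently installable" patch is exactly the kind of file an attacker would most like to substitute in a catalog or on a distribution point.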
The beta of SMS 2003 R2 lacks an automated import function for custom catalogs, however. This is a significant shortcoming: administrators must track when vendors publish new versions of their catalogs and import them by hand. The manual step does have one merit. A catalog tells every managed client which binaries to run with elevated privileges, so an administrator should treat a vendor catalog and the patches it references as code, and verify the vendor's signatures on both before publishing them to the site server.
(For more information on the CUPT, see the sidebar "Custom Update Publishing Tool".)
SMS 2003 R2 can run the Microsoft Baseline Security Analyzer (MBSA) 2.0—a free tool that scans computers for a wide range of security problems—on SMS-managed computers and consolidate the results in the SMS database. Administrators can then view MBSA compliance status across all target computers and drill down to view which deficiencies were found on specific computers.
Running MBSA from SMS 2003 R2 is a better approach to vulnerability assessment than using MBSA on its own. MBSA has long been able to scan multiple computers over the network in a single pass (using DCOM), but that mode has several limitations: it cannot store reports in a central database, the target PCs must be online when the scan runs, and the scan fails wherever a firewall blocks the RPC/DCOM ports and administrative shares it relies on. Because SMS 2003 R2 runs MBSA locally on each managed computer under the SMS client and returns the results through inventory, it overcomes all three limitations: results are consolidated in the SMS database, the scan runs whenever the client next processes it, and no inbound ports need to be open.
Deployment Tool Updated for Vista
In concert with the release of Windows Vista, Microsoft plans to ship a free update to the SMS 2003 OS Deployment (OSD) feature pack so that SMS 2003 or SMS 2003 R2 can be used to deploy Vista images.
In mid-2004, Microsoft rolled out the SMS 2003 OSD feature pack—an add-on for SMS 2003 that allows organizations to use SMS to deploy new system images out to workstations remotely, avoiding the need to send a technician to the computer. This feature pack uses Windows Imaging Format (WIM), a new technology for building and maintaining file-based OS images. However, Windows Vista (due for launch in late 2006) and the next version of Windows Server (code-named Longhorn and due in 2007) will use a later version of WIM. SMS's current OSD feature pack is incompatible with the newer Vista WIM files. Hence, a new version of the OSD feature pack is necessary.
WIM and the accompanying Windows Automated Installation Kit (WAIK) tools will eliminate the need for organizations to build individual images for each hardware configuration. In addition, system images will be modifiable, allowing systems administrators to make changes to images, such as installing a patch or a new driver, without having to create a new image. This new capability should dramatically reduce the time required by administrators to maintain the images used to create new server and workstation systems.
SMS Version 4
A major upgrade to SMS, code-named SMS Version 4 (v4), is due in the first half of 2007. Microsoft made its first public beta available in Feb. 2006, only a few days after posting the SMS 2003 R2 beta. However, unlike the SMS 2003 R2 beta, which was feature-complete and modest in scope, the first SMS v4 beta is far from feature-complete, and another beta will follow later in 2006.
While SMS v4's server components will run on Longhorn Server and exploit certain new features in Longhorn and Vista, such as the new system imaging technology and Network Access Protection, SMS v4 will also run on Windows Server 2003. However, SMS v4 will not include the SMS Legacy Client, which was needed to manage Windows NT 4.0 and Windows 98 systems.
What's in Beta 1
Of the features that made it into SMS v4 Beta 1, the following four will likely be of greatest interest:
Integration of feature packs. The mobile device management feature pack (for managing Windows Mobile devices) and the SMS 2003 OS Deployment (OSD) Feature Pack, which allows organizations to use SMS to deploy new system images out to workstations remotely, have been rolled into the base SMS product. SMS v4's OSD will be easier to use and have more capabilities than its predecessor. In the shipping version, the OSD feature will work with the updated Windows Imaging Format (WIM) in Vista and Longhorn, and it will integrate with the Windows Automated Installation Kit (WAIK) contained in Windows Vista and Longhorn.
Updated patch distribution. The technology and user interface for managing and distributing patches is being revamped in SMS v4, and it will unify management and distribution of Microsoft, third-party, and internally developed applications.
V4 also introduces the concept of selective download. SMS 2003 requires clients to download from an SMS server all the patches bundled in a patch package; only then can the client install the necessary patches on the system. In contrast, SMS v4 clients will be able to copy only the patches they need. This will require less disk space on the managed clients and reduce network traffic, which is especially important for remote clients that connect over slower networks.
Longhorn NAP integration. Longhorn Server will include a new Network Policy Service (NPS) that supports Microsoft's Network Access Protection (NAP), which restricts computers that do not meet the organization's security policy to a quarantine network. Working with NPS and NAP, SMS v4 will be able to bring a quarantined system into compliance with policy so that it can be granted full network access.
Branch office distribution points. With SMS 2003, organizations with many small branch offices must run certain server-based SMS components at each location in order to distribute software and collect inventory. These branch SMS servers reduce traffic on the network connecting the branch office back to the facility hosting the SMS central site server, but they sometimes force customers to install a server at a site that would not otherwise need one for purposes such as file and print services. In v4, a new SMS server role, the branch distribution point, will allow a small branch office to stage SMS software distribution packages on Windows XP or Vista workstations using Background Intelligent Transfer Service (BITS); workstations at that site will then get their software and updates over the local network. The trade-off is that an ordinary workstation then serves installable content to its neighbors, so its patch level and access controls deserve the same attention a server's would get.
Still to Come
Beta 2 of SMS v4, expected by the end of 2006, will be feature-complete and add support for the following three key features:
Desired configuration management. In late 2005, Microsoft published a little-known solution offering called Desired Configuration Monitoring (DCM). This solution goes well beyond Group Policy, allowing administrators to define desired configurations in XML manifests using a graphical authoring tool and then use SMS 2003 to proactively monitor configuration settings on target systems for compliance with the desired configuration. The DCM solution offering is aimed primarily at Exchange, but it can be used for any software that stores settings information in the Windows Registry, the file system, the IIS metabase, Active Directory, or Windows Management Instrumentation (WMI). DCM only monitors and reports compliance; it does not remediate configuration settings.
SMS v4 Beta 2 will take DCM much further by employing System Definition Model (SDM) documents—standardized XML documents that provide the information needed to deploy, configure, and manage various components of a system—which will accompany future hardware and software products as part of Microsoft's Dynamic Systems Initiative (DSI). SMS v4's DCM feature will make it possible to manage all of a computer's applications and OS components to match a desired installation and configuration state. This is an improvement over SMS today, in which each application and system component on a computer is managed independently from others.
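A minimal desired-configuration monitor that shows what DCM's approach amounts to in practice. This is an added example and not Microsoft's DCM solution or its manifest schema: the <DesiredConfiguration> format is a hypothetical stand-in for a DCM manifest, the registry values, file and service in it are sample settings chosen for illustration, and only three of the five setting stores the article lists (registry, file system, WMI) are covered. As with DCM, it reports drift and never changes a setting.

```powershell
# Added example (not Microsoft's DCM solution or its manifest schema): a small
# desired-configuration monitor. The manifest format is a hypothetical stand-in
# for a DCM XML manifest and covers three of the setting stores the article
# lists (registry, file system, WMI). Like DCM, it reports drift and never
# remediates. The settings below are sample values chosen for illustration.

[xml]$manifest = @"
<DesiredConfiguration name="Baseline-Workstation">
  <Registry path="HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
            name="NoAutoUpdate" expected="0" />
  <Registry path="HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
            name="LimitBlankPasswordUse" expected="1" />
  <File path="C:\Windows\System32\drivers\etc\hosts" mustExist="true" />
  <Wmi namespace="root\cimv2"
       query="SELECT State FROM Win32_Service WHERE Name='wuauserv'"
       property="State" expected="Running" />
</DesiredConfiguration>
"@

function New-CheckResult([string]$Kind, [string]$Target, [string]$Expected, [string]$Actual) {
    [pscustomobject]@{
        Kind      = $Kind
        Target    = $Target
        Expected  = $Expected
        Actual    = $Actual
        Compliant = ($Expected -eq $Actual)   # string compare; -eq is case-insensitive
    }
}

function Test-RegistryRule($rule) {
    $path = $rule.GetAttribute("path"); $name = $rule.GetAttribute("name")
    $expected = $rule.GetAttribute("expected")
    # Get-ItemProperty returns nothing (no terminating error) if key or value is absent.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    $actual = if ($null -eq $item) { "<missing>" } else { [string]$item.$name }
    New-CheckResult "Registry" "$path\$name" $expected $actual
}

function Test-FileRule($rule) {
    $path = $rule.GetAttribute("path"); $expected = $rule.GetAttribute("mustExist")
    $actual = ([string](Test-Path -LiteralPath $path -PathType Leaf)).ToLower()
    New-CheckResult "File" $path $expected $actual
}

function Test-WmiRule($rule) {
    $ns = $rule.GetAttribute("namespace"); $query = $rule.GetAttribute("query")
    $prop = $rule.GetAttribute("property"); $expected = $rule.GetAttribute("expected")
    $obj = Get-CimInstance -Namespace $ns -Query $query -ErrorAction SilentlyContinue
    $actual = if ($null -eq $obj) { "<no instance>" } else { [string]$obj.$prop }
    New-CheckResult "WMI" $query $expected $actual
}

function Test-DesiredConfiguration([xml]$Manifest) {
    # Dispatch each rule to the checker for its setting store; unknown rule
    # types are reported, not silently ignored.
    foreach ($rule in $Manifest.DesiredConfiguration.ChildNodes) {
        switch ($rule.LocalName) {
            "Registry" { Test-RegistryRule $rule }
            "File"     { Test-FileRule $rule }
            "Wmi"      { Test-WmiRule $rule }
            default    { Write-Warning "Unknown rule type '$($rule.LocalName)' skipped" }
        }
    }
}

$results = @(Test-DesiredConfiguration $manifest)
$results | Format-Table Kind, Target, Expected, Actual, Compliant -AutoSize
$drift = @($results | Where-Object { -not $_.Compliant })
$baseline = $manifest.DesiredConfiguration.GetAttribute("name")
"Baseline '{0}': {1} of {2} checks out of compliance (no changes made)" -f $baseline, $drift.Count, $results.Count
```

The output table is the per-computer drill-down the article describes; feeding one row per rule into an inventory class is what turns it into the site-wide compliance view. Keeping remediation out of the monitor is deliberate, as it is in DCM: a baseline that silently rewrites settings is itself a privileged change channel, and a wrong expected value would then propagate to every targeted machine.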
Management of Internet-connected PCs. Today, Internet-based users must first establish a virtual private network (VPN) connection before SMS can inventory or install software on their PCs. SMS v4 will provide the means to do this securely without requiring the VPN connection, making it easier for organizations to maintain the computers of mobile and home office users.
New administrative interface. Besides support for Monad (Microsoft's new scripting shell), the new interface will require far fewer steps for common tasks, such as deploying patches, and will be more heavily multithreaded, so that administrators can keep working while long-running tasks complete. Drag-and-drop and multiple-selection editing will finally be possible for some types of SMS objects.
Implications for Current SMS Customers
Customers currently on SMS 2003 have the rare opportunity to evaluate the next two releases of SMS at the same time. Furthermore, because it seems very likely that SMS v4 will ship within a year of SMS 2003 R2, many may want to skip SMS 2003 R2 and go directly to v4. This decision will depend heavily on whether the customer purchased SA on SMS servers and CALs (or has an Enterprise Agreement for Core CALs, which include SMS CALs).
Customers with upgrade rights. Because SMS 2003 R2 is essentially a feature pack, it is simple to install and will not disrupt existing SMS 2003 systems. Customers who bought SMS 2003 as soon as it shipped (late in 2003) and who purchased SA at the same time will have upgrade rights until the end of 2006. For these customers, installing the released version of SMS 2003 R2 is a no-brainer. Even if they have no immediate need for R2's Custom Update feature, the Vulnerability Assessment feature could prove useful.
However, customers who bought SMS with three years of SA prior to mid-2004 could find that their SA lapses before SMS v4 ships in mid-2007. These customers will have to decide whether to renew their SMS SA agreements for another three years (at 75% of the full license price over the three years) if they want to upgrade to SMS v4.
Customers without upgrade rights. SMS 2003 R2 does not contain enough new functionality to warrant its purchase by customers who don't have upgrade rights. These customers could easily skip R2 and wait for v4 to ship. However, because the price of R2 will probably be close to that of SMS 2003, these customers might want to consider purchasing R2 together with SA rights (which can only be acquired with new licenses) to hedge the risk of a price increase on SMS v4 (customers with SA would get the right to upgrade to v4 when it's released). The downside to this tactic is that the earlier customers purchase SA, the earlier their three-year SA term will expire, which could cause them to miss the next release of SMS to follow v4.
Other considerations. Customers who plan to maintain significant numbers of Windows NT 4.0 computers (or virtual machines running NT 4.0) will not be able to manage those machines with SMS v4.
Implications for Software Vendors
Market share numbers on SMS are hard to come by, but in Apr. 2005 Microsoft claimed that more than 20,000 unique enterprises run SMS, and Service Pack 1 had been downloaded 83,000 times. Many of these customers manage tens or even hundreds of thousands of systems with SMS 2003. Even though SMS is too complex for most small businesses, it's conceivable that SMS could garner a market share exceeding 50% of the Windows computers in medium and large organizations.
This growth could influence the strategy of other software vendors who target the Windows enterprise market, and particularly their decision to embrace SMS's custom updates functionality.
Even though these ISVs have (or should have) their own patch distribution mechanisms, many organizations using SMS would like to use a single tool to manage patching of all their software. When SMS 2003 R2 ships with the CUPT and a published schema for the catalog files, it will become relatively easy for ISVs to generate and publish SMS-compatible catalog files to the Web and keep them maintained. ISVs that publish these catalog files, sign them and their patches, and package the patches as Windows Installer files or other executables that can be installed silently without user interaction will make it vastly easier for organizations with SMS to keep the vendor's products up to date. Increasing the likelihood that patches get installed will, in turn, help increase customer satisfaction and avoid security problems.
ISVs that do not gear up to support SMS-based patching could find that organizations depending on SMS could shun their products in favor of competing products that do.
SMS 2003 SP2 and the two betas are available at www.microsoft.com/smserver.
MBSA 2.0 is described in "New Baseline Security Analyzer Uncovers Patch Problems" on page 7 of the Mar. 2004 Update.
The SMS 2003 OSD feature pack and the Business Desktop Deployment (BDD) Solution Accelerator that depends on it are described in "New Desktop Upgrade Push" on page 7 of the Dec. 2004 Update.
SMS 2003 was detailed in "Stronger Testing, Mobile Support Make Systems Management Server Worth a New Look" on page 9 of the Nov. 2003 Update.