Update Distribution Flowchart

Distributing software updates through Systems Management Server (SMS) is a three-part process. (Although this example shows how security patches are managed, Office patches follow nearly the same process.)

Part 1: Discover which patches are needed. SMS causes a special version of the Microsoft Baseline Security Analyzer (MBSA) to run on each managed computer on a scheduled basis (typically daily). MBSA compares the installed patches against the MSSecure.XML security catalog file and writes the results to the WMI data store. Meanwhile, a designated computer periodically checks if a new version of the security catalog file exists and, if so, downloads it and any tool updates to the SMS server. After the security scan runs, SMS collects the list of installed and applicable patches and aggregates them in the SMS database, which provides the data for Web reports listing the patch status of all managed computers.

Part 2: Build package containing needed patches. An SMS administrator routinely runs SMS’s Distribute Software Updates Wizard (DSUW; for an illustration, see “The Distribute Software Updates Wizard“) and checks for any new required patches. The administrator approves any desired patches and DSUW downloads them. The administrator enters the silent install switches for each patch (which depend on the type of installer used by the patch) and enters additional package information (such as whether it should cause servers to reboot). DSUW builds a patch package (or updates an existing one) that contains the patches and creates an XML file listing the patches in the package. The package and accompanying file list are bundled with PATCHINSTALL.EXE, a tool that looks at Windows Management Instrumentation (WMI) information, calls only the applicable patches to install, and chains them together such that only one reboot (if any) is needed. The DSUW replicates the patch package to all selected SMS distribution point servers.