Users turn to Microsoft's SMS for patch management

Patch management wasn't a burning concern for many users of Microsoft Corp.'s Systems Management Server when they purchased earlier editions of the software. But that mind-set is changing.

A set of tools for automating the patching process is the No. 1 product feature that customers have been buzzing about since the long-awaited release of SMS 2003 in November, according to David Hamilton, director of Microsoft's enterprise management division. Hamilton said he bases that assessment on interviews with customers and on the numerous message boards and community groups he monitors.

"The viruses weren't very smart, so patch management wasn't a huge issue two years ago," said Roger Wilding, a Portland, Ore.-based senior technical engineer who's responsible for 5,000 desktop PCs at CNF Inc., a shipping and supply chain services company in Palo Alto, Calif.

Wilding said automated patch management was too cumbersome and expensive to consider in the past, when viruses were typically confined to individual PCs. But last year, after some nasty viruses hit Windows-based systems on a widespread basis, Wilding turned to Microsoft's Software Update Services Feature Pack for SMS 2.0, before it became available with SMS 2003.

As part of Microsoft's early-adopter program, CNF in August upgraded to an SMS 2003 beta-test release that included the SUS Feature Pack, and it has since moved to the production version of the change and configuration management software.

Wilding said the new tools make patches so much easier to deploy that he has more time to test them to make sure they won't cause any problems on CNF's systems.

SMS 2.0 helped IT managers get Windows patches and roll them out to PCs. But users had to take the initiative to identify which machines needed individual patches and then turn the patches into SMS packages for distribution, said Hamilton.

With SMS 2003, users no longer have to download and configure the SUS Feature Pack, and they can work from the same management interface they use for SMS itself. In addition, they get a new Advanced Client, which uses a Windows technology called Background Intelligent Transfer Service (BITS) to provide connectivity for conducting management operations over low-bandwidth or poor-quality network links.

Michael Niehaus, an IT consultant at Marathon Oil Corp. in Houston, said his company has begun using SMS 2003 to scan workstations and servers for security patch needs and to push patches to the servers. Marathon Oil already had a homegrown process in place for patching its PCs, but Niehaus said he expects to swap that approach for SMS 2003 this year to get BITS and the "network-friendly" Advanced Client technology.

Not for Everyone

But for some users, SMS may not be enough for patch management. Bill Egan, a systems administrator at LendingTree Inc. in Charlotte, N.C., said the company's IT staffers had a steep learning curve with Microsoft's software and found the SUS Feature Pack to be "unwieldy" with SMS 2.0.

LendingTree also uses St. Bernard Software Inc.'s UpdateExpert to push out patches and Shavlik Technologies LLC's HFNetChk to get a more granular view of the patch status of systems. "We found that no one tool was perfect, so we use them to complement each other," Egan said.

There also are still plenty of Microsoft customers who don't use SMS at all. Werner Co., a ladder maker in Greenville, Pa., plans to test SMS 2003, but CIO Robert Rosati said his workers found the previous version "too clunky" for patch management. Instead, Werner built manual packages and deployed them through a custom application.