Microsoft readies pitch on patches

News
Mar 15, 2004 | 7 mins
Microsoft, Networking, Vulnerabilities

Microsoft customers this week are hoping to finally evaluate the company’s new patch management tools and hear more about the wide-ranging systems management platform in which those tools will be a key component.

At the company’s annual Management Summit, Microsoft is expected to unveil the first beta of Software Update Services (SUS) 2.0, a free Windows server add-on that runs behind a firewall and automates the acquisition and deployment of patches. SUS 2.0, which eventually will be built into Windows, is just one of the new tools Microsoft is developing for its much maligned patch infrastructure.


Tester’s Challenge

Rodney Thayer challenges Microsoft and other vendors to develop a uniform way for users to quickly find and apply patches.


Over the past few years, an onslaught of worms and viruses has shown that Microsoft’s patching tools are not up to snuff.

The next generation of tools is just a small portion of Microsoft’s Dynamic Systems Initiative (DSI), which is focused on creating a self-managing environment built around applications that can communicate their management needs to the network. DSI was announced at last year’s conference in response to similar utility computing plans from HP, IBM and Sun. While DSI is still in the conceptual stage, Microsoft can wait no longer to improve the patch tools that are part of the plan.

“I am keeping my fingers crossed that they put out better tools for free that help me manage the patching of their products, including Office,” says Dave Neige, LAN administrator for Dots Fashions, a chain of clothing stores based in Solon, Ohio. Neige runs SUS 1.0, a tool he says lacks intelligence because of a shortage of management controls.

“SUS provides no history and no auditing. If I had to pay for it I wouldn’t like it,” says Neige, who adds that budget constraints prevent him from deploying a patch management platform from another vendor such as BigFix, ConfigureSoft or Shavlik Technologies.

SUS 2.0 is designed to correct some of the flaws Neige points out. It also is the first of a handful of patch tools Microsoft has promised, including Microsoft Installer (MSI) 3.0, patch installer technology; a one-stop Web site that would offer all Microsoft patches; a common assessment and reporting engine to verify whether patches are needed and installed correctly; and a reduction in patch size to conserve bandwidth during deployment.

Last year, Microsoft’s chief security strategist Scott Charney created a 30-member internal task force to identify those needs and consolidate them into a standardized architecture to stretch across all Microsoft products. Today, the company has a hodgepodge of patch tools that individual product groups developed.

Microsoft CEO Steve Ballmer said last October that the fruits of Charney’s effort would be seen in May 2004 “with one patching experience . . . that works across Windows and all of the application products.”

So far, little has been made available. The beta for SUS 2.0 has been delayed twice. The second beta of MSI 3.0 was released in January, and the final version is expected to ship with Windows XP Service Pack 2 later this year.

Microsoft consolidated its patch releases onto a monthly schedule and upgraded certain tools, such as the Microsoft Baseline Security Analyzer (MBSA), a scanning engine that shipped in January.

Users say they hope to see a new road map this week, but some are forging ahead without Microsoft.

“We don’t use SUS because we developed our own tools that basically allow us to patch machines on boot up,” says Wally Beck, security manager for desktop and servers at Gainesville University in Georgia. “Microsoft is making progress but they need to have some auditing features to make sure things are installed correctly.”

Microsoft says the software is expected to add support for Office, SQL Server and Exchange patches, as well as simple reporting capabilities, support for the uninstall feature contained in some patches and additional administrative controls.

“We are unsure just how good 2.0 may be,” says Mark Shavlik, president of Shavlik, which licenses patch technology to Microsoft for use in HFNetChk and MBSA. “Testers who saw early [SUS] code late last year said it wasn’t ready. The feedback was it was too manual.”

Another question is the overlap with System Management Server (SMS) 2003, released just two months ago, which also has patching capabilities (see our review of SMS 2003).

“I don’t understand the purpose in creating new technology to do a task that is addressed by SMS,” says Peter Pawlak, an analyst with Directions on Microsoft, an independent research firm. “They should make two versions [of SMS], one a basic version.”

SMS and SUS differ in many ways, with SMS capable of deploying software other than patches and working in a distributed fashion. SUS is free; SMS is licensed.

Microsoft has promised it will use this week’s show to explain how the two technologies, which are built on different architectures, complement one another.

Along with that explanation, Microsoft also is scheduled to give previews of MSI 3.0. The installer technology for server and other applications dictates the way patches install and report problems. Operating system patches are installed using a technology called Update.exe. While MSI 3.0 will help solve the tangle of eight installer technologies Microsoft has today, the key will be adding support in existing products.

“I hope to hear that the installer technology will give me more control [over installing/verifying patches],” says Brad Carpenter, senior systems analyst with Lane County in Eugene, Ore. Carpenter has shunned Microsoft’s tools, relying instead on LANDesk’s Management Suite 8 patch management tools because they provide a more holistic approach to patching.

In addition, users say they hope to hear when Microsoft will fulfill its promise to deliver one Web site where they can download any Microsoft patch for any product. The company has been adding Exchange and SQL Server patches to the existing Windows Update site, which previously had been only for Windows patches.

Despite all the promised technology gains, end users and experts say a key factor in the success of improved patching is the consistency of the data that the new technologies provide. Users have complained for years that results returned by different Microsoft tools don’t always match, leaving users uncertain whether patches are correctly installed or installed at all.

Call the manager

At its Management Summit this week, Microsoft hopes to detail products within its Dynamic Systems Initiative, a plan to create a comprehensive management platform that includes a number of forthcoming improvements to the company’s patch management tools.

| Product | Description | Availability |
| --- | --- | --- |
| Software Update Services 2.0 | Free software that downloads and deploys patches for Windows and other server applications. | Microsoft expected to preview beta at this week’s Management Summit. |
| Microsoft Installer (MSI) 3.0 | One of two installers that will replace the eight Microsoft now has for installing patches. | MSI 3.0 is expected to ship with Windows XP Service Pack 2. |
| Microsoft Operations Manager (MOM) 2004 | Event and performance-monitoring tool. | Expected to ship the first half of 2004. |
| System Management Server (SMS) 2003 | Software management and distribution tool. | Shipped Jan. 20; garnering positive reviews. |
| System Center | Combination of MOM and SMS for managing desktops, laptops, PDAs, applications and servers. | Expected to ship in the second half of 2004. |