I received the following email from an attendee of the “Security Patch Management Tools (Part 3) – SMS with the SUS Feature Pack” webcast. (Yes, I know the webcast description says my teammate Keith Combs is the presenter, but I took this one over for him at the last minute.)
“I watched your webcast (on demand), and you stated that if we had any questions not covered to drop you a note. We currently run SMS 2003 to push out all of our updates. We have approx. 2000 PCs, and out of those there are 200 or so that sit on a shelf or are not connected to the network consistently. Right now we have to go around and plug them in once a month when we send out our security patches. Is there any way, through GPO or through the advertisements, to enforce the policy: if you (the PC) do not have this patch, download it the minute you log on to the network, while not causing properly patched PCs to do an excessive amount of checking to see if they have the current patch version?”
Well, I have to confess that I’m not an SMS guru, but I forwarded the question to a coworker of mine who had an idea. He suggested that, in the case of the SMS 2003 Advanced Client, you rely on the “Persistent Notification” feature, which will quickly notify the user of this seldom-connected PC that there are updates available. Other, already-updated machines won’t be continually pestered.
Check out this document: Software Update Management Advanced Features, which includes the following text:
The persistent notification icon is a feature that allows a user on a computer that is running the SMS Advanced Client to receive notifications and schedule software update installations independent of the software update advertisement. This allows for better compliance by allowing users to install updates at their convenience, and it reduces system load because the advertisement does not have to be scheduled as often.
If this feature is enabled by the SMS administrator for a software updates program or package, an icon appears in the notification area (also called the “system tray”) whenever a user is logged on and there are pending, uninstalled software updates. When the computer is in compliance, the notification area icon does not appear.
I hope that answers your question.
If you have additional questions, or if you are someone who has a better answer, please give us some feedback.