How to use the Extended Security Update Inventory Tool
To use the Extended Security Update Inventory Tool for detection, install the tool or upgrade the tool if it is already installed.
After the distribution points are updated, make sure that the Extended Security Update Inventory Tool advertisement ran successfully for the
All Systems collection or for the collection that is designated by local policy.
How to determine whether the MS06-017 security update is required
To quickly determine whether computers in your environment require the MS06-017 security update, use one of the following methods:
- Open the Distribute Software Updates Wizard. Then, verify that 911831 is listed as "Applicable" in the QNumber field on the Add/Remove Updates page.
- Run the Compliance by Bulletin-ID and Qnumber report in SMS, and then verify that 911831 is listed as "Applicable."
If
911831 is listed as "Applicable," computers in your environment require the MS06-017 security update. You can use the following query to create a dynamic collection that will contain all the computers that list
911831 as �Applicable�:
select SMS_R_System.ResourceID,SMS_R_System.ResourceType,SMS_R_System.Name,SMS_R_System.SMSUniqueIdentifier,SMS_R_System.ResourceDomainORWorkgroup,SMS_R_System.Client from SMS_R_System inner join SMS_G_System_PATCHSTATE on SMS_G_System_PATCHSTATE.ResourceID = SMS_R_System.ResourceId where SMS_G_System_PATCHSTATE.QNumbers = "911831" and SMS_G_System_PATCHSTATE.Status = "Applicable"
How to deploy the MS06-017 security update
To deploy the MS06-017 security update, follow these steps:
- Manually download the update from the link that is provided in the security bulletin.
- Create a standard SMS software distribution package.
- Create an advertisement that uses the dynamic collection that you created by using the query.
When you create the software program that is advertised to run the tool, you must click to select the
Allow users to interact with program check box on the
Environment tab.
We recommended that you schedule this advertisement to run periodically to make sure that all the vulnerable computers are updated.
As soon as the advertisement runs successfully, you can verify the update status of the targeted computers by using the collection that you created. After all the affected computers are updated, the number of computers in the collection should be zero.
Alternatively, you can verify the update status of the targeted computers by running the
Compliance by Bulletin-ID and Qnumber report in SMS.
For more information about how to use standard SMS software distribution steps, see the "Systems Management Server 2003 Operations Guide." To find this guide, visit the following Microsoft Web site:
Important You might use the SMS Distribute Software Updates Wizard to deploy and to authorize other security updates that use the Extended Security Update Inventory Tool scan type. In this case, you should not include the MS06-17 security update in your deployment package. The update will not be installed correctly.