Windows Patch Management: Updating MS Office
Scanning for Microsoft Office updates is no longer limited to the computer on which the scan is launched. The Office Update Inventory Tool offers the capability to scan multiple computers to determine if upgrades are needed.
The previous article in this series discussed HFNetChk and Microsoft Baseline Security Analyzer (MBSA), two free solutions available from Microsoft that provide a comprehensive evaluation of security-related software patches and system configuration settings.
Although the most recent version of MBSA saw its management functionality extended and the inclusion of additional Microsoft products (such as Microsoft Content Management Server, Commerce Server, and Host Integration Server), the capability to scan remotely for updates to Microsoft's flagship product, Office, is still missing. Detecting Office-related patches (covering versions 2000, XP, and 2003) is limited strictly to the computer from which the scan is launched.
To remedy this situation, Microsoft released Office Update Inventory Tool (currently in version 2.0) as a stand-alone, free download (in addition to including it with the Office 2003 Resource Kit).
Office Update Inventory Tool provides the same functionality as the local Office patch update scan included with MBSA 1.2 (in fact, MBSA comes bundled with the Office Update Inventory Tool files stored in the OfficeUpd subfolder of the main installation directory). The main difference is the range of supported operating systems (Office Update Inventory Tool is superior in this regard because it is not subject to the compatibility limitations of other subcomponents of MBSA) and the way each tool is designed to operate.
While MBSA is used primarily to scan large groups of computers remotely (for all updates, with the exception of Office-related ones), Office Update Inventory Tool produces only listings that summarize the status of Office patches on the local machine. This means that, in a typical scenario, multiple instances of the tool would be running individually, one on each Windows computer. The instances then dump the results of their scans into a common network share to be analyzed in a comprehensive fashion.
Office Update Inventory Tool consists of two separate executables (and four supporting files). The first one (appropriately named INVENTORY.EXE) inventories the local system and generates a log file containing the results, while the second one (CONVERT.EXE) converts the resulting log file into a desired format. In addition to an XML file, you can generate a file in CSV (comma-separated value) format, which can then be displayed easily in Excel, or MOF (Management Object Format) output, which can then be used by Systems Management Server to update its inventory information. Both executables and accompanying files are available in two separate downloads (Invcm.exe and Invcif.exe), packaged in self-extracting format, and published on the Microsoft Office Online Web Site.
While Invcm.exe (containing INVENTORY.EXE; oudetect.dll, which contains supporting code libraries; and CONVERT.EXE) is fairly static, Invcif.exe (which contains three compressed files: patchdata.xml listing update files, cifs\Puids.cif storing detection data, and inventorycatalog.html describing mapping between updates and detection data) changes with every new Office patch. It should therefore be downloaded on a regular basis. Fortunately (as with MBSA), every time the Office Update Inventory Tool is launched, it checks for a newer version of its two executables, as well as update and detection data, and downloads them automatically.