The new version of Windows Server Update Services (WSUS) is currently wrapping up its beta phase. The new version of this free product incorporates several improvements over previous iterations, including a new MMC interface, a new report engine, and improved group targeting.
The installation of this product presents you with one of the nicest configurations wizards Microsoft has used (Figure A). During the initial configuration of WSUS Version 3 you can select whether to synchronize with Microsoft Windows Update directly, or connect to another WSUS server for updates. This allows you to have multiple WSUS servers, which can be distributed geographically, but only need to maintain update approvals on one master server.
|WSUS Configuration Wizard|
You also choose which language updates you wish to download, what categories (critical, security, service pack, update, etc.) of updates you wish to download, set your synchronization schedule, and pick which products you wish to download updates for. WSUS v3 has the largest available list of products to download updates for. The updatable products now include Windows Vista, Microsoft System Center Data Protection Manager, and Forefront Client Security. (See Figure B)
WSUS in operation
The first thing you will notice after the installation is that the Web interface from previous versions of WSUS has been replaced by a new MMC console. The new console is a significant step up from the previous console. The home page of the console presents you with an automatically generated listing of current system and update status, along with any events that require attention. The console itself also feels much more responsive than the Web interface of previous versions, though at times there is still lag. This is due in large part to the fact that when a large number of items are synchronized on the server, data retrieval from your database server must access a large amount of data.
Your first visit will probably be to the options tab (Figure C). From here you configure nearly every aspect of your WSUS server. You can change any of the options you selected in the initial setup wizard. You can even entirely run through the initial configuration wizard if you need to. This is especially helpful, as you can add new products such as Vista to your synchronization schedule as you deploy them in your environment.
The Automatic Approval option allows you to specify criteria for updates that will then approve them for distribution to computers. The interface for this has undergone a dramatic facelift, and now closely resembles the dialog for adding rules to Microsoft Outlook. You will also need to configure your computer group assignment settings from the options tab.
New in Version 3 are several options. The first of these is a Server Cleanup Wizard (Figure D). This allows you to remove old updates, data files, and definitions from your server. Also an option for automatic E-Mail Notifications has been added. Lastly the Reporting Rollup option allows downstream server to upload their report data to their master servers.
|Server Cleanup Wizard|
The reporting interface for WSUS Version 3 has been totally redesigned. The new reporting has obviously borrowed heavily from SQL Server 2005 Reporting Services, and requires the freely available Visual Studio Report Viewer. If you are familiar with SQL Server 2005 Reporting Services interface, then this interface will feel very natural to you. Your reporting is now fully customizable, and each report generated can easily be exported to PDF for XLS, which makes them much easier to present to management.
Another improvement to the report structure of WSUS is the welcome addition of the WSUS Reporters group. This group allows you to create view only users of WSUS who only have access to reports. This is a marked improvement over previous versions of WSUS where you had to full access to WSUS to view reports, which, along with the inability to export reports, limited the amount of people who could benefit from the built-in reporting.
Under your Computers and Groups tab you will find the computers you have assigned to this update server. You can assign computers easily via GPO's in your Active Directory to computer groups. This new version gives you much more manageability as now you can nest groups. This allows you to create sub groups which you can then customize policies for, but still allows them to part of some larger groups (such as Critical Updates). This greatly extends the flexibility of WSUS, especially for large enterprises.
Under the updates tab you can see all updates that have been stored in WSUS system. The initial update page presents you with several charts that show you the status of the updates on your system. The update tab drops down, and gives you four update categories to view by default: All Updates, Critical Updates, Security Updates, and WSUS Updates. You can navigate to any of the sub tabs to see a default view of these categories. While in each of these tabs you can customize your view of these updates even further with the built in controls.
|WSUS Updates Tab|
Also, you can now add, remove, and rearrange columns, along with the ability to sort by any tab. This is present in nearly every part of the console, but in the update views is where this feature really makes its presence shown. While it may seem minor, this ability greatly enhances the usability of these features from previous versions of WSUS.
While the underlying subsystem of WSUS has not undergone many significant changes from the previous version, the new changes to the user interface have had a major impact upon the product. While previous versions of WSUS (and SUS) have been a great addition when budgetary concerns prevented the purchase of a third party upgrade platform, WSUS Version 3 puts this product into the contender category among any patch deployment software packages.
It is still partially hampered by its ability to only update Microsoft products, but Microsoft updates represent a very significant portion of most updates deployed. When it is released WSUS Version 3 will become a great patch deployment package if you don't have the budget for one, and will be worth considering even if you already do have one.