One of your duties as IT manager is to monitor numerous sources for updates to your operating systems and software. Once an update is released, it has to be tested and then deployed to all or selected systems on the network. Often, the deployment process is manual, requiring you to touch every system you have to patch. Fortunately, there is an easier way—Software Update Services (SUS) from Microsoft.

SUS can be used to deploy critical updates to Windows 2000, XP, and .NET systems. Essentially, it’s a form of the Windows Update Service that has been configured for deployment in private networks. The server component of SUS creates a virtual Windows Update Service server on a private network, and the client component allows the SUS server to push updates to the client.

SUS functions as follows:

  • The SUS server component regularly polls the Windows Update Service site and downloads all new updates.
  • SUS notifies the administrator of the new updates.
  • The administrator tests the new updates and, once approved, adds them to the distribution set.
  • The SUS clients are configured to poll the SUS server for new updates. If an update is available, the SUS clients download it, and the Windows Update icon appears in the notification area.
  • If a user is present, he or she can open the Windows Update notification dialog box and initiate the installation.
  • If no user is present or the user fails to manually initiate the installation at the defined installation time, the system will display a five-minute warning. At the end of the five-minute countdown, the update is installed and the system is rebooted.

SUS is free of charge for licensed users of Windows 2000, XP, and .NET. SUS is best suited for small to medium-size networks, where it can greatly reduce administrative overhead by eliminating the need to manually install updates on every system. It’s easy to install and configure and lets you update clients without granting the entire network Internet access.

Some drawbacks…
SUS is not for everyone. It can be used to distribute updates only to the latest three Windows operating systems—Windows 2000 (SP2+) Professional and Server, XP (Pro and Home), and the .NET family of servers. SUS is also restricted to distributing three types of updates: critical updates, critical security updates, and security roll-ups. It can’t be used to distribute service packs and is limited to updating the core OS and native software components (i.e., part of the OS right off of the installation CD). Also, it can’t be used to distribute updates for other Microsoft products, such as Office, Exchange, or SQL Server.

A single SUS server can support up to 15,000 clients. However, Microsoft’s guided tool, used to select a security update management solution, recommends deploying SUS in environments with 500 or fewer clients. In larger environments, Microsoft recommends using the Systems Management Server 2.0 with the free SMS Value Pack (available in late 2002).

Finally, SUS must be installed on a server that is not a domain controller. However, it does rely heavily on Active Directory to perform its activities. If you’re using a non-Active-Directory network, SUS can be reconfigured to deploy updates without AD, but doing so requires extensive registry editing on each client.

…but how serious are they?
Clearly, SUS has its limitations, but they aren’t fatal. Updating the core OS is, after all, the most critical aspect of maintaining security, and SUS will perform this operation for you free of charge. In addition, it’s a simple and direct method to implement administrative oversight into the Windows Update system. By configuring clients to access your controlled internal update server, you control which updates are installed and onto which systems.
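The workflow above depends on every client being pointed at the internal SUS server rather than the public Windows Update site. The following PowerShell script is an added example, not code from the article or from Microsoft, that audits a client’s Automatic Updates policy settings: the registry key and value names are the standard Automatic Updates policy entries, and the server URL is a placeholder you would replace with your own SUS server.

```powershell
# Added example: audit a client's Automatic Updates policy to confirm it uses the
# internal SUS server. Key/value names are the standard Automatic Updates policy
# entries; the server URL is a placeholder for your own SUS server.
param(
    [string]$ExpectedServer = 'http://sus-server.example.internal'   # placeholder
)

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = Join-Path $policy 'AU'
$host_  = $env:COMPUTERNAME

function Get-PolicyValue($Path, $Name) {
    # Returns the value or $null if the key or value is absent (unconfigured client)
    if (Test-Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { return $item.$Name }
    }
    return $null
}

$wuServer     = Get-PolicyValue $policy 'WUServer'        # where updates are fetched
$statusServer = Get-PolicyValue $policy 'WUStatusServer'  # where status is reported
$useWUServer  = Get-PolicyValue $au 'UseWUServer'         # 1 = use WUServer, not public site
$auOptions    = Get-PolicyValue $au 'AUOptions'           # 2/3 = notify user, 4 = scheduled install
$installDay   = Get-PolicyValue $au 'ScheduledInstallDay' # 0 = every day, 1-7 = Sun-Sat
$installHour  = Get-PolicyValue $au 'ScheduledInstallTime'# 0-23

$findings = @()
if ($useWUServer -ne 1) {
    $findings += 'UseWUServer is not 1: client will contact public Windows Update, not SUS.'
}
if ($wuServer -ne $ExpectedServer) {
    $findings += "WUServer is '$wuServer', expected '$ExpectedServer'."
}
if ($statusServer -ne $ExpectedServer) {
    $findings += "WUStatusServer is '$statusServer'; status reports will not reach SUS."
}
if ($auOptions -notin 2,3,4) {
    $findings += "AUOptions is '$auOptions'; Automatic Updates is disabled or unconfigured."
}
if ($auOptions -eq 4 -and ($null -eq $installDay -or $null -eq $installHour)) {
    $findings += 'Scheduled install selected but ScheduledInstallDay/Time are not set.'
}

if ($findings.Count -eq 0) {
    "OK: $host_ uses SUS server $wuServer (AUOptions=$auOptions)"
} else {
    "Issues on ${host_}:"
    $findings | ForEach-Object { "  - $_" }
}
```

Run it under an account that can read HKLM on each client, or push it through a GPO startup script and collect the output centrally, to catch machines that silently fell back to the public Windows Update site.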

As for SUS’s operating system limitations, any secure network will have Windows 2000 and newer systems anyway, so the lack of support for Windows 98/SE/Me is moot. Likewise, service pack distribution can be tricky, and you’d be well advised to think hard before trusting the deployment of SPs to an automated system. Having to manually install SPs or use a script-based installation method initiated by the GPO is not a bad alternative.

Finally, there are few updates that fall outside the core OS and its native components (IE, Windows Media Player, etc.), so having to install them manually or through a GPO script distribution method is not a huge problem. Any IT manager worth the salary is using scripts to simplify life anyway.

Other available products
SUS is not the only update distribution product available. There are a handful of alternatives; however, you’ll have to buy them, and they’re not cheap. Microsoft’s Systems Management Server 2.0 with the free SMS Value Pack (available in late 2002) offers the same functionality as SUS plus the installation of service packs, includes support for all Microsoft product updates (Office, Exchange, SQL Server, etc.), and supports much larger networks. SMS 2.0 requires both server licenses and client access licenses.

Sunbelt Software’s UpdateEXPERT supports the same clients as SUS (plus Microsoft Exchange and SQL Server), but it also supports the distribution of service packs. Sunbelt charges $780 for the first 1-50 machines, with pricing scaling up from there. If you can afford them, these two products offer a wider range of capabilities, so either of them may be a worthwhile investment.

But if you can’t spend the money on these alternatives, SUS is a worthwhile choice despite its limitations. When properly deployed and maintained, Software Update Services will give you greater control over your network. By removing the burden of installing patches from end users and reassigning it to an automated process, you’ll reduce help desk calls and system failures as well.

For more information on Microsoft Software Update Services, to download the client and server components, and to access installation and configuration documentation, visit the SUS Web page.