Windows Patch Management, Software Update Services (Part 2)
The previous article in this series began our discussion of Software Update Services (SUS), a free patch deployment solution from Microsoft that also offers limited auditing and inventory capabilities. "Windows Patch Management, Software Update Services (Part 1)" covered the basic principles of SUS operation: installation, configuration, and basic administration procedures. Microsoft's SUS tool is designed to enable a highly customized deployment infrastructure by letting administrators select which patches are distributed. Part 2 completes our coverage of SUS with a look at client settings, more advanced configuration options, and Microsoft's plans for future versions of SUS.
Installation of SUS Client Software
SUS 1.0 SP1 clients must have the latest version of the Automatic Updates component (downloadable from http://www.microsoft.com/Windows2000/downloads/recommended/susclient/download.asp). This updated version is required only for systems running Windows 2000 with SP2 or Windows XP without SP1 (newer service packs and Windows 2003 Server systems have the newer version built in). Since the software is provided as a Windows Installer package (*.MSI file), it can be deployed using Group Policy.
Configuration of SUS client software
Remote configuration of SUS clients can be accomplished via Group Policy or, in a non-Active Directory environment, via direct registry changes. Note that since SUS clients employ the same mechanism as Windows Update (with a few additional configuration options), we covered the majority of the relevant settings in the second article of this series.
In short, the Group-Policy-based method involves modifying entries stored in the WUAU.ADM administrative template, the most recent version of which was released with SUS SP1 and is available for download from the Microsoft Web site at http://www.microsoft.com/downloads/details.aspx?FamilyId=D26A0AEA-D274-42E6-8025-8C667B4C94E9&displaylang=en. The template is intended for Windows 2000 SP2 and XP systems (it is already included with the administrative templates bundled with Windows 2003 Server). Add it via the Add/Remove Templates option in the Computer Configuration section of the Group Policy Editor MMC snap-in, for the Group Policy Objects linked to the relevant Active Directory container (the one containing the target clients that will receive patch updates from SUS servers). Once it is added, the Windows Update node appears in the Administrative Templates -> Windows Components subfolder.
Besides the generic Windows Update settings described in the previous article and mentioned above, there is a single entry labeled "Specify intranet Microsoft update service location" that plays an essential role in SUS client configuration. Here you specify the URL paths to your SUS server (from which clients download approved patches) and to the intranet statistics server (to which clients upload information describing their patch download and installation status). These names must match the ones specified on the SUS Admin Web page under the "Set options" entry.
If you cannot configure your clients via Group Policy (the limitation of a non-AD environment), you can accomplish the same goal through registry changes. The SUS-related settings reside in the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate registry key. The WUServer entry contains the URL path to an SUS server, and WUStatusServer points to an SUS statistics server (both entries are of the REG_SZ data type); they correspond to the two entries in the WUAU.ADM template referenced in the previous paragraph. The remaining settings reside in the AU subkey of the HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key and include the UseWUServer entry (REG_DWORD data type), which takes the value 0 (use Windows Update) or 1 (pull updates from the SUS server).
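The registry method above, written as a script that sets the three values and then audits them for the combinations that silently leave a client unpatched (an added example, not code from the article or from Microsoft). The server URLs are placeholders and must match what is entered under "Set options" on your SUS server; the script assumes a client with PowerShell 3.0 or later, so on Windows 2000/XP-era clients the same values would be set with reg.exe.

```powershell
# Added example, not from the article: set and then audit the SUS client policy
# values on a client that cannot receive them through Group Policy.
param(
    [string]$SusServer    = 'http://sus01.corp.example',   # placeholder for WUServer
    [string]$StatusServer = 'http://sus01.corp.example'    # placeholder for WUStatusServer
)
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

foreach ($key in $wuKey, $auKey) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
# REG_SZ entries named in the article
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $SusServer    -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $StatusServer -Type String
# REG_DWORD: 1 = pull approved updates from the SUS server, 0 = use Windows Update
Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -Type DWord

# Audit: read the values back and report anything that would make the client
# fall back to Windows Update or fail to reach the intranet server at all.
function Test-SusClientPolicy {
    $wu = Get-ItemProperty -Path $wuKey
    $au = Get-ItemProperty -Path $auKey
    $problems = @()
    if ($au.UseWUServer -ne 1) {
        $problems += 'UseWUServer is not 1; the client will ignore WUServer and use Windows Update'
    }
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $value = $wu.$name
        $uri = $null
        if (-not [System.Uri]::TryCreate($value, [System.UriKind]::Absolute, [ref]$uri) -or
            $uri.Scheme -notin 'http', 'https') {
            $problems += "$name ('$value') is not an absolute http(s) URL to an IIS server"
        }
    }
    return $problems
}

$issues = Test-SusClientPolicy
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    # Restart Automatic Updates so the service re-reads the policy values
    Restart-Service -Name wuauserv
    Write-Output 'SUS client policy applied and verified'
}
```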
Typically, an SUS server is used as the source of patches for other SUS servers, although this is by no means a requirement. Creating a non-SUS, manually configured distribution point can be useful when a remote site without direct Internet connectivity is separated from the main office by a slow WAN link. In that case, you can copy updates from the SUS server at the main office to removable media, ship them to the remote site, and restore them to a local distribution point there. To accomplish this, two servers are needed: the first has the SUS server software installed (functioning as the source of update files) and the second serves as the distribution point. Both must run Internet Information Server 5.0 (or later) listening on TCP port 80 (the default).
- On the distribution server, with the help of the Internet Information Services Manager console, create a folder called Content (its location is not important, although you should pick a fast, lightly used drive with ample free space), a subfolder called cabs, and a virtual directory called Content that points to the cabs subfolder (an SUS server creates this structure automatically during installation).
- Copy all files from the cabs folder on the SUS server to the cabs folder at the distribution point.
- Copy autocatalog1.cab, aurtf1.cab, and approveditems.txt from the root of the SUS Web site on the SUS server to the root of the Web site on the distribution point. (This step must be repeated each time a new update is approved for internal redistribution to client computers.)
- Finally, point the target SUS servers to the Web site on the distribution server as the source of patch updates (using the option available after selecting the "Set options" on the SUS main Web page).
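The copy steps above as one repeatable function, usable both for the SUS-server-to-media leg and for the media-to-distribution-point leg (an added example, not code from the article or from Microsoft). It assumes the same layout on both sides, with the three catalog files in the given root and the update packages in a cabs subfolder directly beneath it; on the distribution point, pass the Web site root as the destination and make sure the Content virtual directory maps to that cabs subfolder. All paths are placeholders.

```powershell
# Added example, not from the article: mirror SUS content to a manually
# maintained distribution point, or to removable media for a disconnected site.
# Assumed layout on both sides: <root>\autocatalog1.cab, aurtf1.cab,
# approveditems.txt and <root>\cabs\*.cab.
function Sync-SusContent {
    param(
        [Parameter(Mandatory)] [string]$Source,        # SUS Web root, or the media folder
        [Parameter(Mandatory)] [string]$Destination    # media folder, or distribution point Web root
    )
    $catalogFiles = 'autocatalog1.cab', 'aurtf1.cab', 'approveditems.txt'
    $srcCabs = Join-Path $Source 'cabs'
    $dstCabs = Join-Path $Destination 'cabs'
    if (-not (Test-Path $srcCabs)) { throw "No cabs folder under $Source" }
    if (-not (Test-Path $dstCabs)) { New-Item -ItemType Directory -Path $dstCabs -Force | Out-Null }

    # Packages first: skip files already present with the same size, so only
    # newly approved updates cross the slow link or the media.
    $copied = 0
    foreach ($file in Get-ChildItem -Path $srcCabs -File) {
        $target = Join-Path $dstCabs $file.Name
        if (-not (Test-Path $target) -or (Get-Item $target).Length -ne $file.Length) {
            Copy-Item -Path $file.FullName -Destination $target -Force
            $copied++
        }
    }

    # Catalog and approval files last: they change with every approval, and copying
    # them after the packages means clients never see a catalog entry whose cab is absent.
    foreach ($name in $catalogFiles) {
        $src = Join-Path $Source $name
        if (-not (Test-Path $src)) { throw "$name missing from $Source; the export is incomplete" }
        Copy-Item -Path $src -Destination (Join-Path $Destination $name) -Force
    }

    # Verify that every package on the source now exists at the destination
    $missing = Get-ChildItem -Path $srcCabs -File |
               Where-Object { -not (Test-Path (Join-Path $dstCabs $_.Name)) }
    if ($missing) {
        throw "Destination lacks $(@($missing).Count) package(s): $(@($missing).Name -join ', ')"
    }
    return $copied
}

# Leg 1, main office: SUS server Web root -> removable media (placeholder paths)
# Sync-SusContent -Source 'C:\SUS\website' -Destination 'E:\sus-export'
# Leg 2, remote site: removable media -> distribution point Web root
# Sync-SusContent -Source 'E:\sus-export' -Destination 'D:\SUSDist\website'
```

The function returns the number of packages copied, so a scheduled run that reports zero after an approval is a sign the export media was not refreshed.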