by Ryan Smith
Microsoft recently introduced a new product named Software Update Services
or SUS. SUS is designed to bring the functionality of the popular Windows Update
site to the Corporate Network.
Ryan Smith takes a look at Microsoft’s new Software Update Services (SUS), a free software update system designed to bring the functionality of the popular Windows Update site to the Corporate Network.
The basic premise of SUS is very similar to Windows Update. SUS is composed
of two components, the client and the server. The SUS client is installed
on the client and configured to received Windows patches and updates from the
SUS server(s). The SUS server is installed on a Windows 2000 Server (or
Windows.NET when released) and is configured to retrieve Windows updates
directly from Microsoft and store the updates locally. This allows the
clients to connect to one local source to retrieve any Windows updates as
opposed to having all of the clients retrieve the update via the
Software Update Services offers more functionality than my basic overview
provides, though. The SUS Server Component runs on Windows 2000 or
Windows.NET server inside of your network firewall and connects to the Microsoft
Windows Update web site when critical updates for Windows 2000 or Windows XP are
available and downloads these updates. This process can either be scheduled or
can be manually run. After the updates are downloaded, the administrator
has to validate the updates that have been downloaded so that they are ready to
be distributed to the clients.
The SUS Server component has some stringent requirements though. The
recommended minimum configuration for the server is a Pentium III 700 MHz with
512 MB of RAM and 6 GB of storage for setup and security packages. The
benefit is that this configuration is capable of supporting up to 15,000 clients
with one SUS Server. The Windows 2000 server that SUS Server will be installed
on must be running IIS and also must NOT be an Active Directory Domain
Controller. In addition, Microsoft’s recommendation is to run SUS Server on a
dedicated server, although SUS will function if the server is performing other
roles as well.
Automatic Updates Client is the client component that gets installed on your
Windows 2000 servers as well as the Windows 2000 and Windows XP clients that you want
to have receive automatic updates via the Software Update Services Server (as opposed
to the Windows Update Web site). A nice feature with the client is that it
can be installed on Windows 2000 Servers, allowing you to use SUS not only with
end-user desktops but also with your servers as well. Configuration of the
client is either via Active Directory Group Policy or the registry. It’s
not the easiest solution if you’re not in an Active Directory environment, but
it works. Additionally, if you’re using a product like ScriptLogic, making mass
registry entry updates is very simple to do during the logon process.
In its first release, Software Update Services only supports Windows 2000 and XP
critical updates and security rollups. All of the content is digitally signed by
Microsoft to ensure the validity of the files. SUS will not accept any content that
has not been signed by Microsoft or is incorrect, so this should hopefully
ensure that the updates being distributed via SUS are accurate.
One of the best features of Software Update Services is the price. It’s
100% free from Microsoft.
With Microsoft’s release of Software Update Services, they have made a substantial
step forward in giving Corporate IT departments more granular control over the Windows
patches that are applied to client systems by allowing administrators to
validate the updates before they are distributed to clients.
For an IT department that is presently using a software update
application such as UpdateExpert, Software Update Services does not presently
offer more functionality and features than a product such as UpdateExpert. Furthermore, SUS
has several drawbacks that I see in its current iteration including:
- Requirement of a client side installation.
- Only capable of supporting Windows 2000 and Windows XP. Lack of support
for Windows 9x/Me isn’t surprising but not supporting Windows NT
Workstation/Server is. However, I understand Microsoft’s position on this.
They’re not releasing any additional patches or updates for Windows NT 4.0,
so why support the functionality in SUS.
- Present lack of notification of available updates on the SUS server that
needs validation (this is a planned feature that according to Microsoft will
be available in the next update for SUS).
- Poor reporting on client update status. While the client updates are
capable of writing system events and are also capable of updating a centralized
IIS log file, there is presently no simple cut and dry reporting on how the
latest Windows XP hotfix was deployed to 4,000 Windows XP Professional
clients without combing through each client’s system event log or parsing a
cryptic IIS log file.
However, for an IT
department that is not presently using any type of software update application,
Software Update Services is a step in the right direction. In its first
release, SUS is a solid application that integrates very well with the client
systems. Given the current state of system security at Microsoft, Software
Update Services is hardly going to be a single release product, so we can only hope and expect it to get better.