Windows Patch Management, Software Update Services (Part 1)

Written By
Marcin Policht
Jul 20, 2010



Thus far, our Windows Patch Management series has focused on a number of free solutions from Microsoft that offer patch deployment and inventory capabilities. This installment and the next will round out the picture with coverage of Software Update Services (SUS), another patch deployment mechanism from Microsoft.

Unlike the free patch deployment tools previously covered in this series, Microsoft’s Software Update Services tool is designed to enable a highly customized deployment infrastructure by facilitating patch selectivity. We discuss SUS’ features and benefits, as well as how to install, configure, and administer it.

SUS was first released in June 2002 and is currently at version 1.0, Service Pack 1. Unlike the tools in the same category that we previously described (such as Critical Update Notification and Windows Update), which are intended primarily for non-managed environments and are limited in their ability to be centrally managed, SUS was designed to enable a higher level of customization for deployment infrastructure and patch selectivity.

In traditional Windows Update scenarios, client computers running the Automatic Update service pull a list of applicable updates directly from Microsoft servers. SUS also relies on the Automatic Update service running on client computers (which limits its scope to Windows 2000 and later operating systems), but it adds a layer of processing. This layer consists of at least one computer internal to a company’s network running Windows 2000 SP2, or later, or Windows 2003 Server on which SUS software has been installed.

Windows update files are first downloaded to one or more of these servers from Internet-based Microsoft servers. This layer can have sublayers of additional SUS servers that simplify the coordination of patch deployment in larger environments: SUS servers are configured to synchronize content with other SUS servers (not Microsoft Update Internet servers) residing higher in this hierarchy. Appropriately configured client computers then obtain the updates from the SUS servers, using the Automatic Update mechanism. The system administrator designates which updates are approved for distribution throughout the enterprise.

This approach provides several benefits:

  • Control over which updates will be applied to computers
  • Lowered bandwidth for the Internet connection
  • The ability to manage the flow of patch downloads (this might be important in a multi-site environment separated by slow WAN links)
  • The ability to deploy patches to computers without direct Internet access
  • A solution for environments where proxy servers require authentication for secure access to the Internet (this causes problems with Automatic Update clients)

Service Pack 1 extends the basic feature set found in SUS 1.0. From an SMB point of view, one of the most important changes is the ability to install SUS software on domain controllers. The lack of this functionality in the previous edition prevented SUS from being implemented in environments using Windows 2000 and 2003 Small Business Server editions, as they operate as domain controllers. The current incarnation of SUS also supports the deployment of Windows service packs (starting with Windows 2000 SP4 and Windows XP SP1), in addition to security patches. However, it does not allow updates to any other Microsoft products, such as Office, Exchange 2000, or SQL 2000 Servers.

SUS clients can be set to send information about patch operations to an SUS statistics server. This must be a Windows server running Internet Information Server, and it can be the same server that runs the SUS component. If a different server is to be used, copy the WUtrack.bin file from the SUS Web site root folder to the statistics server's Web site root folder. Patch download and installation statistics sent by clients are recorded in the IIS logs.

More information about log content analysis is found in Appendix C of the “SUS SP1 Deployment Guide,” downloadable from http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx.
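As an added example (not from the original article or from Microsoft's guide), the following Python sketch reads IIS W3C extended logs from the statistics server, counts the requests each client made for WUtrack.bin, and lists expected clients that never reported. The log lines, IP addresses and query strings are constructed placeholders, and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample of an IIS W3C extended log; the query strings are
# placeholders (their real layout is described in Appendix C of the guide).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Date: 2003-10-01 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-01 08:00:12 10.0.0.21 GET /WUtrack.bin placeholder=1 200
2003-10-01 08:03:40 10.0.0.22 GET /iisstart.asp - 200
2003-10-01 09:15:02 10.0.0.21 GET /wutrack.bin placeholder=2 200
#Date: 2003-10-02 00:00:00
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
07:59:58 10.0.0.23 GET /WUtrack.bin placeholder=3 200
"""

def parse_w3c(lines):
    """Yield one dict per request, honouring #Fields and #Date directives."""
    fields, log_date = [], None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#Date:"):
            log_date = line.split()[1]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) != len(fields):
                continue  # truncated or malformed entry
            rec = dict(zip(fields, values))
            rec.setdefault("date", log_date)  # logs without a date field
            yield rec

def statistics_reports(lines, tracker="/wutrack.bin"):
    """Map client IP -> report count and time of the latest report."""
    seen = {}
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower() != tracker:
            continue
        if not rec.get("date") or "time" not in rec:
            continue  # cannot timestamp this entry
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        entry = seen.setdefault(rec["c-ip"], {"count": 0, "last": when})
        entry["count"] += 1
        entry["last"] = max(entry["last"], when)
    return seen

def silent_clients(expected, reports):
    """Expected clients that never contacted the statistics server."""
    return sorted(set(expected) - set(reports))
```

A client that appears in the inventory but not in the report map is worth checking first: it may not be configured to use the SUS infrastructure at all.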

Alternatively, you can employ Microsoft Baseline Security Analyzer (by launching it from the command line using the syntax MBSACLI /hf /sus "http://SUSServer") to execute a security scan against the list of locally approved updates rather than against the full list of updates contained in the mssecure.xml file on the Microsoft Internet Update servers.

Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has since been working in the Information Technology field, handling a variety of responsibilities, but focusing primarily on the areas of identity and access management, virtualization, system management, and, more recently, private, hybrid, and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.