What is Microsoft Software Update Services (SUS)?
Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.
Today corporations have to frequently check the Windows Update site or the Microsoft Security Web site for patches. Then they have to manually download patches that have been made available since they last visited the site, test the patches, and then distribute the patches manually or by using their traditional software-distribution tools.
Instead of each workstation connecting to the Internet to update Windows, each workstation connects to the Microsoft SUS Server and updates from there. Only the Microsoft SUS Server requires access to the public Internet, because it is the machine that connects to Windows Update.
Software Update Services solves these problems by providing dynamic notification of critical updates to Windows computers as well as automatic distribution of those updates to your corporate Windows desktops and servers. For Software Update Services to function, only one corporate intranet computer requires access to the public Internet.
By connecting to Windows Update, Microsoft SUS Server provides notification of critical updates as well as performing automatic distribution of those updates to your workstations and servers. Microsoft SUS server gives the administrator control over updates: The administrator can test and approve updates from the public Windows Update site before deployment on the corporate intranet. Deployment takes place on a schedule created by the administrator.
Software Update Services leverages the successful Windows Automatic Updates service first available in Windows XP, and allows information technology professionals to configure a server that contains content from the live Windows Update site in their own Windows-based intranets to service corporate servers and clients.
The server features include:
Download Software Update Services Server 1.0 with Service Pack 1 HERE (33mb)
Though very good at what it does, Microsoft’s patch management tool does have a few limitations:
This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.
Read more on how to overcome SUS’s limitations by using a 3rd party tool called GFI LANguard Network Security Scanner.
To use SUS on your network you will need to use the Windows Automatic Update Client.
The client is based on the Windows Automatic Updates technology that was significantly updated for Windows XP. Automatic Updates is a proactive pull service that enables users with administrative privileges to automatically download and install Windows updates such as critical operating-system fixes and Windows security patches. The features include:
This update applies to the following operating systems:
Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the Automatic Updates component, eliminating the need to download the client component separately.
Download Windows automatic updating (SUS Client) HERE (1mb)
The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active Directory environment.
Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates.
The Software Update Services installation package includes a policy template file, WUAU.ADM, which contains the Group Policy settings described earlier in this paper. These settings can be loaded into Group Policy Editor for deployment. These policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family, and in Windows XP Service Pack 1.
Download Software Update Services 1.0 ADM File for Service Pack 1 HERE (25kb)
Loading of the WUAU.ADM template in GPO
Image of the WUAU.ADM template in place
Images of the GPO setting options for Windows Automatic Updates.
After you have configured the Microsoft SUS client, patches are deployed automatically. The user is notified through a message in the task bar (see image).
System Requirements:
SUS Server 1.0 with SP1 has the following minimum hardware requirements:
Your client computers must be running Windows 2000 Professional with Service Pack 2 (SP2) or later, Windows XP Professional, or Windows 2000 Server with SP2 or later in order to run Automatic Updates. Note: Windows NT 4.0 is not supported.
SUS supports updates for Windows 2000 Professional with Service Pack 2, Windows 2000 Server, and Windows XP Professional. It does not include provisions for updates to any other Microsoft products such as Microsoft Office, SQL Server, or Exchange Server.
SUS with SP1 can now be used to deploy Service Packs – SP1 for XP and SP4 for W2K.
SUS Server 1.0 with SP1 automatically installs under the Web site that is currently running. It will not interfere with this or any other Web sites. If no other Web site is currently running, SUS Server 1.0 with SP1 will create a new Web site.
Read more about SUS management on the GFI LANguard Network Security Scanner page.
Here are a few screenshots of SUS and its main screens:
SUS Welcome screen
SUS Synchronize Now and Schedule buttons
The Synchronization settings window
The Synchronization process and detail window
The Synchronization Log
Microsoft Software Update Services (SUS)
Software Update Services Deployment White Paper (Doc, 2.51mb)