Patch management is one of the hottest topics today. The outbreak of Nimda, which spread through operating system holes, showed that although Microsoft had provided patches half a year before the outbreak, a lot of machines were not updated. Other "worm" viruses soon followed.
Microsoft provided SUS v1, which was a sort of corporate Windows Update, configurable using Group Policy or the registry. The first release was a bit buggy and was soon updated. However, the tool is still rather limited: it does not update Microsoft applications, nor does it provide any means to actually track whether computers are being updated.
Microsoft also provides SMS 2003, a tool that can update Office applications and has reporting features, but it is difficult to configure and requires a lot of attention.
Microsoft is now on its way to releasing Windows Update Services (WUS), the successor to SUS, which provides the much-needed reporting features and can update Office XP, Office 2003, Exchange 2003 and SQL Server (and MSDE) 2000. Other applications will probably be added over time.
WUS naturally requires disk space, the amount varying with the updates you eventually download. It also requires some operating system updates. If you haven't updated your server, you might get the following error during installation:
The .Net framework update is available through Windows Update
Or download it through this link:
The BITS 2.0 update will not be available for Windows 2003 through the Windows Update site while WUS is still in beta.
However, you can get it here:
The next release should have these updates included with the installation package of WUS.
The beta version does not upgrade SUS. This will change in the release version of WUS.
Setup allows you to select where to store the updates.
MSDE 2000 can be installed to support WUS (currently only if you install it on Windows 2003), or you can use any Microsoft SQL Server.
WUS should not be installed on an existing web server, because clients look for the default web site when connecting. You can change the port of the WusAdmin website, though, if you like.
The WUS GUI is quite different from that of SUS. Navigation is done using the large icons at the top right-hand side of the screen. The "Home" page shows a summary of WUS activity. As you can see from the screenshot, WUS uses port 8530 by default.
The synchronization screen will be familiar to those using SUS, but it now also has "Update Classifications", which refer to the types of updates you require, and you can also select which products you want updated.
The classifications list shows Microsoft is serious about delivering almost everything, eventually, through WUS. For now, not all the classifications are delivered even when marked.
The Advanced Synchronization dialog box allows you to select languages and decide how updates are downloaded and stored. My selections save disk space, since I have to approve an update before it is downloaded, but I wanted full packages because fast installation is key for client computers that might need to upgrade a service pack, for example.
The "Updates" panes show which updates have already been downloaded or are scheduled for download. You can also search for a specific update. This is a very welcome feature, since as more applications and operating systems are added to WUS the list of patches can become very long, especially if your enterprise is international and needs to support a lot of languages.
If you don't have the staff to evaluate updates, really trust Microsoft, or think that the value of patches is greater than the damage they might do, you can approve updates automatically. Microsoft provides much-needed granularity, so that you can approve patches of specific classifications and distribute them to certain computer groups.
This is probably the least developed part of WUS. You can create computer groups and assign computers to them, or assign computers to groups using Group Policy.
Group Policy configuration remains pretty much the same as it was with SUS, as can be seen in the following screenshot. If you don't see the "Windows Update" settings, you can extract the wuau.adm file from the WUS directory and import it into the Administrative Templates.
Once you synchronize the update list, the updates begin to download in the background using BITS 2.0, which is quite different from SUS, which tried to download all the updates at once. This is much better for organizations where such synchronization might fail because of bandwidth problems.
The welcome screen shows all the relevant information regarding WUS. As you can see in the "Status" pane, some of the updates are "in need of files", which means that WUS is aware of their existence, and might even have approved them, but they are still being downloaded. Some updates can only be approved once they are downloaded, because you need to read their EULA (a kind of disclaimer/contract common in the software business) first.
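For clients that cannot be reached by Group Policy (a workgroup machine, or a test box before the GPO is in place), the same settings can be written to the registry directly. The batch script below is an added example, not from the article or from Microsoft's documentation: it points the Automatic Updates client at a WUS server on the default port 8530 and reads the values back. WUS-SERVER is a placeholder host name, and the value names are the standard Automatic Updates policy values that SUS-style clients read rather than anything shown on this page. Run it with local administrator rights, for example from a login script.

```batch
@echo off
rem Added example (not from the original article): point a client at the WUS
rem server with the registry values that the Windows Update Group Policy
rem settings write, then verify them.
rem WUS-SERVER is a placeholder host name; 8530 is the default WUS port.

set WUS_URL=http://WUS-SERVER:8530
set WU_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

rem Intranet update server and the server that receives client status reports
reg add "%WU_KEY%" /v WUServer /t REG_SZ /d %WUS_URL% /f
reg add "%WU_KEY%" /v WUStatusServer /t REG_SZ /d %WUS_URL% /f

rem Tell Automatic Updates to use the intranet server instead of Windows Update
reg add "%WU_KEY%\AU" /v UseWUServer /t REG_DWORD /d 1 /f

rem 4 = download automatically and install on the schedule
rem 3 = download automatically and notify before installing
reg add "%WU_KEY%\AU" /v AUOptions /t REG_DWORD /d 4 /f

rem Make sure Automatic Updates has not been disabled by an earlier policy
reg add "%WU_KEY%\AU" /v NoAutoUpdate /t REG_DWORD /d 0 /f

rem Read the values back so a failed write shows up in the login script output
reg query "%WU_KEY%" /v WUServer
reg query "%WU_KEY%" /v WUStatusServer
reg query "%WU_KEY%\AU" /v UseWUServer
```

These keys live under the Policies hive, so a domain GPO that configures Windows Update will overwrite them at the next policy refresh; that is the intended behaviour, and it is why the script is only a stop-gap for machines outside Group Policy.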
I was happy to discover that WUS, as advertised, downloaded Office patches and service packs, though for now no Hebrew service packs were downloaded even though we need them. I did not test this for more major languages, but I hope Microsoft will let WUS download Office patches for all languages by the time the final version of WUS is released.
Beta testing showed some clients do not update by themselves. To make sure clients are updated, make sure they have been updated with the Microsoft BITS 2.0 update package from Windows Update or a SUS installation. The client is also included in Windows XP SP2. By the time WUS is released all clients should be able to update themselves when contacting the server.
After updating the client, you should run the following command on the workstations:
If you're still getting errors, look for server errors in:
%ProgramFiles%\Microsoft Windows Update Services\LogFiles\SoftwareDistribution.log and Client errors in:
Note that Office updates do not install on client machines that do not have Windows Installer 3.0 installed.
You can get it here:
WUS shows great promise and provides much-needed features that should probably also find their way into SMS. Microsoft wants the update experience to be as painless as possible, but this requires some client-side updating which right now is not as streamlined as one would expect. I wish Microsoft would provide a regular MSI file with quiet installation that contains all the updates required to use WUS: BITS 2.0, Windows Installer 3.0, and the WUS client itself. Updating from the web is a nice idea, but I'd rather have a single file distributed through a login script or Group Policy than have to troubleshoot web downloads across the enterprise.
However, once the initial installation and update process is done, WUS will provide easy-to-use patch management covering most needs in terms of Microsoft software.
WUS will not at first have the ability to deliver custom patches, but this might be added in future versions.