What is Software Update Services (SUS)?

Patch Management with Software Update Services - SUS

These days, patching the Windows operating system is vital to keep systems safe and protected from viruses and worms (remember the worst cases of Blaster or Sasser). We know to visit WindowsUpdate.com to check for and install the security patches, but wouldn't it be better to centralize this update process with less user intervention and, obviously, TESTING before installing, while also saving a lot of Internet bandwidth? To end your search, Microsoft's Software Update Services (SUS) provides an automated means to distribute and install critical operating system security patches. It's a free product from Microsoft, and it gives the best way to automate the process of installing critical security patches from Microsoft.

Common Scenarios:

Many organizations don't have a strict policy for patching Windows, and each has its own approach to distributing security patches. For example, some organizations don't patch until a new virus attacks, and only then update their systems. This might also be because of a lack of knowledge or infrastructure. In most cases, individual users browse windowsupdate.com and install the patches without any testing, and most of the time they are happy. Also, in the majority of cases, either the HELPDESK or the network admins install those patches by manually visiting all the users. These days there are many emerging technologies for patching Windows automatically.

Necessity for Automated Patch Management:

The first question would be: hey, why do we need an automated process for patching Windows operating systems? The answer is pretty simple, and you probably all know and realize the need for such automation. Let me go a little further. If we don't have a system for patching Windows, our systems are truly prone to risks, threats, viruses and worms. We have all witnessed the worst cases, Blaster and Sasser to quote a few. In the networking world, patching is certainly an essential duty for a network administrator, and any network admin will certainly want to automate this task instead of manually visiting each user. Just imagine a huge network with thousands of users; don't say you will not patch, or that you have a HELP DESK TEAM for such a task.

What is Software Update Services, SUS?

Now, let's discuss SUS in detail. For ease of understanding, I am dividing the subject into 10 easy chapters (concentrating more on newbies):

1. SUS basics
2. SUS Components
3. SUS Functionality
4. Software Installation Overview
5. Configuring Automatic Update Clients
6. Is your Automatic Updates working with SUS?
7. How Automatic Updates Behave with the logged in user?
8. Limitations
9. Resources
10. HOW TO?

SUS basics:

SUS is basically designed to automate the process of patching: it sets up a local Windows Update server which hosts a copy of the patches from the Windows Update server, which means you get your own local Windows Update server. Also, SUS is designed to update only anything above Windows 2000 SP2, Windows XP SP1 and Windows 2003. That said, SUS will not support WIN95, WIN98, WINME and WINNT4.0, and it will never download patches for these operating systems (I know that's very bad, but hey, who is using Win95 and other old operating systems, which are now at End of Life Cycle Support, in a corporate environment?).

So that means the Automatic Update Client applies only to the following operating systems:

I. Windows 2000 Professional with Service Pack (SP) 2 & above.

II. Windows 2000 Server with SP2 & above.

III. Windows 2000 Advanced Server with SP2 & above.

IV. Windows XP Professional without SP1 & above.

V. Windows XP Home Edition without SP1 & above.

SUS gives centralized administration: an administrator decides which updates are approved for distribution to the clients. The patches are downloaded in the background through the Background Intelligent Transfer Service, BITS (we will look at BITS in detail in a later part).

With SUS Service Pack 1, it gains the ability to auto-update Service Pack 4 for Windows 2000, Windows XP Service Pack 1 & 2, and Windows 2003...

It's important to note that SUS will never download driver updates; it only distributes critical security updates.

SUS is definitely the local Windows Update server, but it doesn't give the same interface as Windows Update; rather, the patches are downloaded via the Automatic Update Client (AU) using BITS.

SUS will never PUSH any patches; it only publishes those patches on the server as Approved Patches, and the AU client does the PULL part. It's basically PULL technology from the Automatic Update Client rather than PUSH. Most folks get confused here: it's always a PULL method.

SUS Components:

Apart from the SUS software package on the server, SUS on the clients mainly comprises the Automatic Update Client (AU) and the Background Intelligent Transfer Service (BITS).

a) Automatic Update Client:

What is Automatic Update Client?

The Automatic Update Client, AU, enables the download and installation of Windows updates. If this service is disabled, the computer will not be able to use the Automatic Updates feature. The AU client is installed by default along with the O/S on anything above Windows 2000 SP3, Windows XP SP1 and Windows 2003 (I have discussed this earlier).

The AU client talks to the local SUS server and checks for approved updates. If there are updates which are approved and needed by the client, then it installs those patches based on the AU OPTIONS (we will discuss AU OPTIONS in detail).

Normally, the AU client takes 17-22 hours to check for updates on the SUS SERVER. That said, this time is random and you can't really define it in this version, SUS SP1.

Also, AU stores patches in C:\WUTEMP or C:\Program Files\WindowsUpdate\wuaudnld.tmp while waiting to install the patches.

b) Background Intelligent Transfer Service:

What is Background Intelligent Transfer Service?

The Background Intelligent Transfer Service, BITS, transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail-safe mechanism to transfer files directly through IE in case BITS has been disabled.

If the AU client detects that patches are available to be downloaded, it calls on BITS to download those patches. The BITS service is set to manual startup and is started when required.

3. SUS Functionality:

As discussed, SUS consists of a server component and a client component. Let me explain how it works.

How SUS Server works?

The SUS server synchronizes with the Microsoft Windows Update server and downloads all the missing patches.

  1. Here, the administrator has the option to APPROVE the new patches, and can TEST them prior to approval. Once a patch is approved, the AU client will check in for any new updates.
  2. If the AU client finds any new updates, then based on the AU OPTIONS it downloads and installs those patches. Once the patches are installed, if a reboot is required, the logged-in user is given the option to reboot.

How are the clients configured?

Normally, Automatic Update clients are configured via Group Policy. Before we get into the client configuration, let's see the various options available for the clients.

Newbies very often wonder how the clients get the updates from the local SUS server. To understand this we have to know about AU OPTIONS, meaning the options available to configure the AU client. The setting specifies whether this computer will receive security updates through SUS, and lets you specify whether automatic updates are enabled on this computer. If the service is enabled, you must select one of the three options in the Group Policy setting.

Once the updates are approved, it's up to the AU client to download those approved patches based on the AU OPTIONS. Let's see what those AU OPTIONS are.

AU OPTIONS:

There are mainly 3 AU options available:

A) AU OPTION 2 = Notify before downloading any updates and notify again before installing them.

When Windows finds updates that apply to this computer, an icon (balloon) appears in the status area with a message that updates are ready to be downloaded. Clicking the icon or message provides the option to select the specific updates to download. Windows then downloads the selected updates in the background. When the download is complete, the icon appears in the status area again, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.

B) AU OPTION 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed.

Windows finds updates that apply to your computer and downloads these updates in the background (the user is not notified or interrupted during this process). When the download is complete, the icon appears in the status area, with notification that the updates are ready to be installed. Clicking the icon or message provides the option to select which updates to install.

C) AU OPTION 4 = Automatically download updates and install them on the schedule specified below.

Specify the schedule using the options in the Group Policy setting. If no schedule is specified, the default schedule for all installations will be every day at 3:00 AM. If any of the updates require a restart to complete the installation, Windows will restart the computer automatically. (If a user is logged on to the computer when Windows is ready to restart, the user will be notified to restart.)

To use this setting, click Enabled, and then select one of the options (2, 3, or 4). If you select 4, you can set a recurring schedule (if no schedule is specified, all installations will occur at the default scheduled time).

If the status is set to Enabled, the AU client recognizes when this computer is online and checks in with the local SUS server for all the updates to be applied to that computer.

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

4. Software Installation Overview:

Let's now see the installation of SUS in these steps.

Minimum O/S: at least Windows 2000 Server, or Windows 2003 Server.

  1. Prior to installing the SUS package, let's take care of some prerequisites.
  2. An NTFS partition with at least 4 GB, enough to store all those patches.
  3. Internet Information Services, IIS. It's a must to use ANONYMOUS ACCESS on the Default Web Site where SUS will be installed.
  4. Internet Explorer version.
  5. Installation is guided through a typical wizard and should be very simple. By default it stores the patches in c:\sus\content
  6. After the installation, browse to http://Your-SUS-Server-Name-or-IP/Susadmin. Click on SET OPTIONS:

    a) Configure the proxy options,
    b) Choose the language of the patches to download,
    c) Set the synchronization schedule, and connect the server to the Internet to synchronize and download all of the patches from Microsoft Windows Update using SUS's Web-based interface. This is where you administer SUS from: http://SUS-Server-Name-or-IP/Susadmin

Now, you have to approve the patches which you wish to be installed on the clients.

5. Configuring Automatic Update Clients:

Now, let's see how these AU OPTIONS are configured on the clients.

You can always configure AU client settings through Group Policy settings or manual regedits; for the moment I will highlight configuration through a GPO. If time permits, I will try to write more on manual regedits or configuring through Local Policy.

Configuring AU Client through Group Policy:

The simplest and best way of configuring the Automatic Update Client is by using Group Policy in an Active Directory environment. This method gives finer control over how the Automatic Updates Client behaves and makes it easy to apply changes to it. You will need to configure the AU client using a GPO if you want it to get updates from your local SUS server.

Before we proceed, download the WUAU.adm template from Microsoft Downloads. See the direct link in the RESOURCES section at the end.

You will need to identify the target clients which will use the SUS server for critical patches. Here are the steps:

1. Open Active Directory Users & Computers.

2. Open the GPO from the target OU.

3. Add a new policy & expand the Computer Configuration container.

4. Expand the Administrative Templates container.

5. Right-click Administrative Templates in the MMC and import the WUAU.adm template into the policy from the \windows\inf directory or the \winnt\inf directory, depending on your OS.

6. Expand the Windows Components container.

7. Click the Windows Update container.

8. In this container you will be able to configure:

a) Configure Automatic Updates

b) Intranet Microsoft Update Service Location

c) Reschedule Automatic Updates Scheduled installations

d) No auto-restart for scheduled Automatic Updates installations.

Use a Resultant Set of Policy (RSoP) tool, such as the Group Policy Management Console (GPMC) or GPRESULT, to investigate whether the policies are applied to the clients.

NOTE: Group Policy is not the only way to deploy the AU client settings; you can even do the regedits manually.

6. Is your Automatic Updates working with SUS?

Now SUS is installed and the AU clients are configured (happily, I assume). But hey, how will you check that everything is working? How will you TEST the functionality? Let's put this again in simple steps.

a) Test SUS: First, make sure it's synchronizing with the Microsoft Update server daily by looking at the Synchronization and Application event logs, and then do nothing. Yes, simply nothing; that's it. Isn't that simple?

b) Test Automatic Updates: This is more important, as SUS only approves updates and they have to be pulled by the AU client. First, you have to make sure AU gets the appropriate settings via GPO. But how? Very simple, just run a reg query from the command prompt:

reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /s

This is where normal troubleshooting starts, in my view. For any errors you can always have a look at the error codes listed in the SUS Deployment Guide.
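
An added example (not from the original article, and not Microsoft's code): a Python helper that parses saved output of the reg query command above and reports what is missing for a client to pull from the local SUS server under AU OPTIONS 2, 3 or 4. The value names it checks (WUServer, UseWUServer, NoAutoUpdate, AUOptions, ScheduledInstallTime) are the ones the Automatic Updates policy writes under this key and are not listed on this page; the server name sus01 and both sample outputs are constructed.

```python
import re

# AU OPTIONS values as described on this page.
AU_OPTIONS = {2: "notify before download and before install",
              3: "download automatically, notify before install",
              4: "download automatically, install on schedule"}
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` output into {key_path_lowercase: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, rtype, data = m.group(1), m.group(2), m.group(3).strip()
                # REG_DWORD data is printed in hex, e.g. 0x4
                current[name] = int(data, 16) if rtype == "REG_DWORD" else data
    return keys

def audit_au_policy(text):
    """Return a list of findings; an empty list means the client is set up for SUS."""
    keys = parse_reg_query(text)
    wu = next((v for k, v in keys.items() if k.endswith("\\windowsupdate")), None)
    au = next((v for k, v in keys.items() if k.endswith("\\windowsupdate\\au")), {})
    if wu is None:
        return ["no WindowsUpdate policy key: the GPO has not reached this client"]
    findings = []
    if not wu.get("WUServer"):
        findings.append("WUServer not set: no local SUS server configured")
    if au.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1: client ignores WUServer")
    if au.get("NoAutoUpdate") == 1:
        findings.append("NoAutoUpdate is 1: Automatic Updates is disabled")
    opt = au.get("AUOptions")
    if opt not in AU_OPTIONS:
        findings.append(f"AUOptions={opt!r} is not one of 2, 3, 4")
    elif opt == 4 and "ScheduledInstallTime" not in au:
        findings.append("AUOptions=4 without a schedule: default install time applies")
    return findings

# Constructed sample outputs; the server name sus01 is made up.
GOOD = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
    WUServer    REG_SZ    http://sus01
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    NoAutoUpdate    REG_DWORD    0x0
    AUOptions    REG_DWORD    0x4
    ScheduledInstallTime    REG_DWORD    0x3
    UseWUServer    REG_DWORD    0x1
"""
BAD = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    AUOptions    REG_DWORD    0x4
"""
print("GOOD:", audit_au_policy(GOOD) or "OK", "| BAD:", audit_au_policy(BAD))
```

Redirect the reg query output from each client to a file and pass the file's text to audit_au_policy to check many machines from one place.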

7. How Automatic Updates Behave with the logged in user?

It's important to understand how the Automatic Update Client behaves with the logged-in user, depending on whether that user is part of the LOCAL ADMINISTRATORS or not.

Users with Local Admin Privilege:

AU client activity is transparent to all users with local admin privilege.

They can see all those notification balloons.

They will be prompted for AU Option 2 & 3 and 4.

Most important, they can delay or postpone the reboot.

Normal Users or Users without Local Admin Privilege:

To normal users, AU client activity is hidden.

They can't see all those notification balloons.

They will not be prompted for any of the AU OPTIONS.

AU options 2 & 3 will not work for normal users.

They cannot postpone the reboot, as the NO option will be grayed out.

8. Limitations:

I don't want to list the limitations, but I have to be Optimistic. Yes, SUS has got some limitations:

  1. SUS only distributes critical patches and it will not download any driver updates.
  2. SUS only delivers patches for the Windows 2000, XP and 2003 operating systems. It will never download patches for Windows 9x and Windows NT.
  3. SUS will not deliver patches for Office, ISA, SQL, and Exchange.
  4. SUS will not deliver patches for non-Microsoft operating systems.
  5. With SUS you cannot roll back patches from the clients; you can only un-approve them, which will restrict future installations but will not uninstall them from the clients.
  6. SUS lacks reporting features; it's tough to know which patches are installed on the clients.
  7. With SUS you cannot target the clients; patches are automatically targeted to all computers configured with AU for the local SUS.
  8. Reboots could affect logged-in users; there is no way to say NO if a patch requires a reboot.
  9. The AU client checks in with the SUS server for approved patches at a random time, 17-22 hours, and it's not possible to increase or decrease this time.

9. Resources:

Software Update Services Interactive Simulation:
http://www.microsoft.com/windowsserver2003/evaluation/demos/sims/sus/viewer.htm

Download SUS software:
http://tinyurl.com/5ihu

Download Automatic Updates Client:
http://tinyurl.com/8nxy

Software Update Services 1.0 ADM File for Service Pack 1:
http://tinyurl.com/4zfgo

SUS Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/xpsp2sus.mspx

SUS White Paper:
http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx

Sign Up for the SUS Newsletter:
http://tinyurl.com/7xj3g

More Information:
http://www.microsoft.com/windowsserversystem/sus/default.mspx

If you have any questions, doubts or queries, feel free to post on:

Microsoft SUS Discussion Groups Home:
http://tinyurl.com/3rp5h

You can access the MS SUS News Group from Google:
http://tinyurl.com/6ut84

SUSSERVER.COM
http://forums.susserver.com

FAQSHOP.COM
http://www.faqshop.com/forums/viewforum.php?f=4

HOW TO?

HOW TO: Configure and Use Automatic Updates in Windows XP
http://support.microsoft.com/default.aspx?...kb;EN-US;306525

HOW TO: Schedule Automatic Updates in Windows XP and Windows 2000
http://support.microsoft.com/default.aspx?...kb;EN-US;327838

HOW TO: Configure Automatic Updates to Prompt You Before You Download Updates in Windows XP
http://support.microsoft.com/default.aspx?...b;en-us;Q283629

Disabling Auto Update Service in Control Panel Does Not Shut Down the Service
http://support.microsoft.com/default.aspx?...b;en-us;Q283151

Description of the Automatic Update Feature in Windows XP
http://support.microsoft.com/default.aspx?...b;en-us;Q294871

Automatic Updates 2.2 Client Does Not Detect Approved Updates from Software Update Services
http://support.microsoft.com/default.aspx?...b;en-us;Q323184

HOW TO: Force Automatic Updates 2.2 to Perform a Detection Cycle
http://support.microsoft.com/default.aspx?...b;en-us;Q326693

HOW TO: Configure Automatic Updates by Using Group Policy or Registry Settings
http://support.microsoft.com/default.aspx?...kb;EN-US;328010

HOW TO: Configure and use Automatic Updates in Windows 2000
http://support.microsoft.com/default.aspx?...kb;EN-US;327850

 

10. What Next?

WUS, yes, Windows Update Service, which is the next iteration of SUS and was formerly called SUS 2.0, is already in BETA.

Hope this gave you an insight into SUS.

Happy Reading,

"Save the Internet, Keep all Systems Patched"

Last Modified 12/16/05 12:23 PM
