And I use the term "management" loosely. As I write this there are more than 40 updates that need to be applied to a new Dell computer running Windows XP. There were over 20 updates for Windows 2000 Service Pack 3 to apply to new systems before Microsoft released the fourth service pack in the summer of 2003. With this ever-growing hairball of security fixes, bug fixes, critical updates, and patches, might it be easier to disconnect all machines from the Internet and work with stone tablets than deploy new systems?

But that's not feasible, of course. As things stand now, there are a few ways to handle distributing and applying updates:

• the sneakernet way;
• using Microsoft-sanctioned mechanisms; or
• investing money in third-party patch distribution systems.

In this three-part feature article, I'll discuss Microsoft's Software Update Services (SUS) in depth, including installation, administration, and maintenance. I'll also look at freeware and commercial alternatives to patch management and why certain solutions might-or might not-be the best fit for your enterprise.

About Software Update Services

Using SUS involves having at least one server connected to the Internet running the actual server component of the application. This machine acts as a local version of the public Windows Update site, containing critical updates and service packs for all supported operating systems. This server synchronizes with the public Windows Update site on a schedule which you, as the administrator, select, and you then approve or reject the availability of certain updates on the SUS server.

The Automatic Updates feature-found on Windows 2000 Service Pack 3 and higher or Windows XP Professional at any revision level-is the client side portion of SUS. Directed by a registry change or by an applied group policy object, the client computers that are running this automatic updates feature are sent to the local network's SUS server on a set schedule to download updates appropriate to their machines. The SUS server will analyze the operating system, service pack level, and currently installed updates and only push those updates that are both needed AND approved by the administrator beforehand.

There are a few phases to the SUS installation, covered well in a document Microsoft prepared entitled "Software Update Services Deployment White Paper," found at http://www.microsoft.com/windowsserversystem/sus/susdeployment.mspx. Since the installation and initial configuration is fairly straightforward, I'll step through the guide, simplifying its language in places, and point out some issues and problems I've encountered.

Synchronizing and approving content

To synchronize content, surf to the SUS administration web site, and then:

1. In the left-hand navigation pane, click Synchronize server.
2. Click the Synchronize now button in the right pane to begin the transfer.

You can also opt to schedule your synchronizations automatically, so that you don't have to remember to re-synchronize every time a new update is released-which is all too often in most of our opinions. On the Synchronize server page, click Synchronization schedule, set your desired options for synchronization and then click OK. Be aware that if the SUS server can't connect to the appropriate upstream update source, it will repeat its attempts four times, spacing out each attempt by half an hour.

Now that you have an actual library of updates on or near your SUS host machine, you can approve the updates individually for distribution to client machines within your network. To begin the update approval process, in the navigation pane, click Approve updates, and then in the right-hand pane, select the updates that you would like to approve, and click Approve when you've finished your selection.

Pushing out the Automated Updates client

Since the client installation program is an MSI, you can easily push the client-side program to clients by using Group Policy. To create a new GPO, assign it to your computers, and then have it installed automatically. The application will be installed in the context of the local computer, so be sure that authenticated users have rights on the source folders. You can also deploy the client MSI through a logon script by calling MSIEXEC followed by the client software filename as an argument. The software will be installed as requescned.

Using Group Policy, there are four options to configure:

• Configure Automatic Updates: This option specifies whether this computer will receive security updates and critical bug fixes. The first option has the currently logged on user notified before downloading updates, and notified again before installing the downloaded updates. The second option has updates automatically downloaded, but not installed until a logged on user acknowledges their presence and authorizes the installation. The third option has updates automatically downloaded and installed on a schedule that you can set in the appropriate boxes on the sheet.

  NOTE: if you configure clients to download and install updates, it only schedules them to download at the time you specify. The updates don't actually get installed until the next day at the time when the workstation normally checks for new patches.

• Specify intranet Microsoft update service location: This option designates an SUS server from which to download updates. To use this setting, you must set two server name values (which can be the same): the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics.
• Reschedule Automatic Updates scheduled installations: This option specifies the amount of time to wait after boot before continuing with a scheduled installation that was missed previously. If the status is set to Enabled, a missed scheduled installation will occur the specified number of minutes after the computer is next started. If the status is set to Disabled or Not Configured, a missed scheduled installation will simply roll over to the next scheduled installation.
• No auto-restart for scheduled Automatic Updates installations: This option designates whether a client computer should automatically reboot or not when an update that is just installed requires a system restart. If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the computer, instead notifying the user to restart the computer to complete the installation. If the status is set to Disabled or Not Configured, Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the installation.

You need to be aware of a potential problem with GPO assignment: if you assign the SUS instructions as a GPO at the domain level, the time that you specify hosts to get their updates is identical for all of them. So you'd have 5,000 computers contacting your SUS server for updates, which could possibly slow the server down to a death crawl. Instead, consider adding the GPO at the OU level, which would simplify things by alternating the time at which systems contact the SUS server for updates.

To adjust some of these behavior settings through registry changes, use the following guide:

• To enable or disable Automatic Updates: create the value NoAutoUpdate in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value is a DWORD with possible values zero (enabled) or one (disabled).
• To configure the update download and notification behavior: create the value AUOptions in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value is a DWORD that includes integers 2 (notify of download and notify before installation), 3 (automatically download but notify before installation), and 4 (automatically download and schedule the installation).
• To schedule an automated installation: create the values ScheduledInstallDay and ScheduledInstallTime in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value for each is a DWORD. For ScheduledInstallDay, the range is from 0 to 7, with zero indicating every day and one through seven indicating the days of the week, Sunday through Saturday, respectively. For ScheduledInstallTime, the range is from 0-23, signifying the hour of the day in military time.
• To specify a particular SUS server to use with the Automatic Updates client: create the value UseWUServer in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value is a DWORD; set it to 1 to enable the custom SUS server name. Then, create the values WUServer and WUStatusServer in the same key, of types Reg_SZ, and specify the name (with the http://) as the value.
• To specify how long to wait before completing a missed installation: create the value RescheduleWaitTime in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value is a DWORD that ranges from 1 to 60, measured in minutes.
• To specify whether to restart a scheduled installation with a currently logged in non-administrative user: create the NoAutoRebootWithLoggedOnUsers value in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU key. The value is a DWORD that can be zero, which indicates that a reboot will indeed take place, or one, which indicates the reboot will be postponed while a user is logged on.

Consider using a Registry editor file such as the following to automate registry changes. Below is a sample file that you can modify according to the above guide:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://YOUR-SUS-SERVER"
"WUStatusServer"="http://YOUR-SUS-SERVER"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"RescheduleWaitTime"=dword:00000003
"NoAutoRebootWithLoggedOnUsers"=dword:00000000
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000006
"UseWUServer"=dword:00000001

You might even consider creating and using an MSI to distribute the SUS register settings to be very beneficial. You can deploy the changes via a .exe or .msi on a non-domain machine. Additionally, you can use the Add/Remove Applications applet in the Control Panel to remove settings. Finally, they're relatively easy to create, using the free copy of WinInstall LE that comes free on the Windows 2000 Server distribution CD. There are also third-party packaging tools available.

Coming up

• Native support for easy, useful log analysis
• Broader multiple platform coverage
• Patching for applications and server programs in addition to the operating system itself

There are ways around at least the first limitation, however, and in the upcoming second part of the article, I'll cover a couple of ways-and their associated tradeoffs-to use and glean information from log files. I'll also cover some common problems and their workarounds, and how to monitor the status of client downloads and installations.