Microsoft Software Update Services

by ServerWatch Staff

Ryan Smith takes a look at Microsoft's new Software Update Services (SUS), a free software update system designed to bring the functionality of the popular Windows Update site to the Corporate Network.

by Ryan Smith

Microsoft recently introduced a new product named Software Update Services or SUS. SUS is designed to bring the functionality of the popular Windows Update site to the Corporate Network.

The basic premise of SUS is very similar to Windows Update. SUS is composed of two components, the client and the server.  The SUS client is installed on the client and configured to received Windows patches and updates from the SUS server(s).  The SUS server is installed on a Windows 2000 Server (or Windows.NET when released) and is configured to retrieve Windows updates directly from Microsoft and store the updates locally.  This allows the clients to connect to one local source to retrieve any Windows updates as opposed to having all of the clients retrieve the update via the Internet.

Software Update Services offers more functionality than my basic overview provides, though.  The SUS Server Component runs on Windows 2000 or Windows.NET server inside of your network firewall and connects to the Microsoft Windows Update web site when critical updates for Windows 2000 or Windows XP are available and downloads these updates. This process can either be scheduled or can be manually run.  After the updates are downloaded, the administrator has to validate the updates that have been downloaded so that they are ready to be distributed to the clients.

The SUS Server component has some stringent requirements though. The recommended minimum configuration for the server is a Pentium III 700 MHz with 512 MB of RAM and 6 GB of storage for setup and security packages.  The benefit is that this configuration is capable of supporting up to 15,000 clients with one SUS Server. The Windows 2000 server that SUS Server will be installed on must be running IIS and also must NOT be an Active Directory Domain Controller. In addition, Microsoft's recommendation is to run SUS Server on a dedicated server, although SUS will function if the server is performing other roles as well.

Automatic Updates Client is the client component that gets installed on your Windows 2000 servers as well as the Windows 2000 and Windows XP clients that you want to have receive automatic updates via the Software Update Services Server (as opposed to the Windows Update Web site).  A nice feature with the client is that it can be installed on Windows 2000 Servers, allowing you to use SUS not only with end-user desktops but also with your servers as well.  Configuration of the client is either via Active Directory Group Policy or the registry. It's not the easiest solution if you're not in an Active Directory environment, but it works. Additionally, if you're using a product like ScriptLogic, making mass registry entry updates is very simple to do during the logon process.

In its first release, Software Update Services only supports Windows 2000 and XP critical updates and security rollups. All of the content is digitally signed by Microsoft to ensure the validity of the files. SUS will not accept any content that has not been signed by Microsoft or is incorrect, so this should hopefully ensure that the updates being distributed via SUS are accurate.

One of the best features of Software Update Services is the price. It's 100% free from Microsoft.


With Microsoft's release of Software Update Services, they have made a substantial step forward in giving Corporate IT departments more granular control over the Windows patches that are applied to client systems by allowing administrators to validate the updates before they are distributed to clients.

For an IT department that is presently using a software update application such as UpdateExpert, Software Update Services does not presently offer more functionality and features than a product such as UpdateExpert. Furthermore, SUS has several drawbacks that I see in its current iteration including:

  • Requirement of a client side installation.

  • Only capable of supporting Windows 2000 and Windows XP. Lack of support for Windows 9x/Me isn't surprising but not supporting Windows NT Workstation/Server is. However, I understand Microsoft's position on this. They're not releasing any additional patches or updates for Windows NT 4.0, so why support the functionality in SUS. 

  • Present lack of notification of available updates on the SUS server that needs validation (this is a planned feature that according to Microsoft will be available in the next update for SUS).

  • Poor reporting on client update status. While the client updates are capable of writing system events and are also capable of updating a centralized IIS log file, there is presently no simple cut and dry reporting on how the latest Windows XP hotfix was deployed to 4,000 Windows XP Professional clients without combing through each client's system event log or parsing a cryptic IIS log file.

However, for an IT department that is not presently using any type of software update application, Software Update Services is a step in the right direction.  In its first release, SUS is a solid application that integrates very well with the client systems. Given the current state of system security at Microsoft, Software Update Services is hardly going to be a single release product, so we can only hope and expect it to get better.

Ryan Smith
This article was originally published on Wednesday Jul 31st 2002
Mobile Site | Full Site