Patch management is a process that gives organizations control over the deployment and maintenance of interim software releases into their production environments. [1]
In the never-ending battle against the never-ending patch cycle, Microsoft has released Software Update Services, or SUS as it is commonly known. SUS is a way for an enterprise to distribute these patches on an approved basis. SUS is one of the tools MS recommends in a patch management solution; another primary tool is MBSA, and the flagship product is SMS.
The premise behind SUS is that one or more central servers check Windows Update and allow an administrator to approve which items may be distributed across the network. SUS will update Windows XP, Windows 2000, Windows 2003, Office, and some other products in the Windows Server System.
One bonus is that the system allows a bridgehead server to connect to Windows Update while other servers synchronize against this “master” server. In an enterprise spread across many locations, often connected by slower site links, this eases network traffic.
There are three steps for setting up SUS. The first and easiest is downloading and installing the latest version, 1.0.3 at the time of writing; check the Microsoft download site for the current one. SUS requires IIS (and at least Windows 2000 Server), and when one installs SUS, the IIS Lockdown tool is run against IIS. During installation one can choose which patches to install, or only a language-specific version of each patch.
A commonly asked question on the newsgroups is: “Why did it download all the versions of the .NET Framework when I only asked for the (insert language here) updates?” The official answer is that the .NET Framework can be installed in any language on any language version of the OS. For example, one could install the Japanese version of the .NET Framework on an English version of Windows XP Pro. While many feel this is a design flaw, MS has promised that the next version, Windows Update Services, will be more customizable and have a greater ability to select which patches and applications to check. (Another frequently asked question is: “Why did patches for SharePoint Services download?”, and the same answer applies.)
Back to the installation: the second step is to synchronize the server with Windows Update. Ever since Service Pack 2 for XP was released, the download time for all the patches has been huge. Remember this is the complete catalogue, so start the download and go home for the day; it will finish sometime during the night, depending on connection speed. While you are waiting, schedule the time and date of the downloads from Windows Update. (This is when you would like the SUS server to sync; plan for sometime during off-peak hours.)
Once the patches are downloaded, one must approve the updates. All of the work, including synchronizing and scheduling, is done through a web page, http://servername/SUSAdmin. Approving is as easy as clicking “Approve,” after, of course, you have tested the patch to see which applications it breaks.
Through the use of a Group Policy applied at the computer level, one can schedule when these approved updates will be delivered. A note on the policy: it cannot be applied at the user level, so make sure the computer group is set up correctly in Active Directory. Through the “new” Group Policy Management Console, which runs only on XP Pro and Windows Server 2003, one can apply the Software Update Policy. This policy has several settings to deal with. The first is “Configure Automatic Updates”, which lets one configure how often and when each computer checks the SUS server. Two other settings to configure in this policy are “No auto-restart for scheduled Automatic Updates” and “Specify intranet Microsoft update services location.”
A note on the auto-restart setting, once again another design flaw and frequently asked question on the newsgroups. There are three options: Disabled, Not Configured, or Enabled. Here again is something tricky, supposedly resolved in the next version when it comes out. With “Disabled” or “Not Configured”, the computer will automatically restart within 5 minutes whether or not the user wants it to. If this policy is “Enabled”, the user is prompted whether he or she wants to reboot. There is a five-minute timeout period.
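The three policy settings above end up as registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate on each client, which is where you verify that a machine really points at the SUS server and will not force a restart. The following is an added example, not code from the article or from Microsoft: it parses a constructed “reg export” of that key and reports settings that would let a client bypass the approval process or reboot on its own (the server name is a placeholder).

```python
import re
# Constructed sample: the shape of a "reg export" of the WindowsUpdate policy key on a client
# that has received the SUS Group Policy. The server name is a placeholder, not a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus-server.example.local"
"WUStatusServer"="http://sus-server.example.local"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"""

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: int or str}} (dword/string values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys

def check_sus_policy(keys, expected_server):
    """Return findings; an empty list means the client uses the SUS server and reboots as intended."""
    wu, au = keys.get(BASE, {}), keys.get(BASE + r"\AU", {})
    findings = []
    if au.get("UseWUServer") != 1:  # "Specify intranet ... location" not in effect
        findings.append("UseWUServer != 1: client goes straight to Windows Update, bypassing approvals")
    for name in ("WUServer", "WUStatusServer"):
        if wu.get(name) != expected_server:
            findings.append(f"{name} is {wu.get(name)!r}, expected {expected_server!r}")
    if au.get("NoAutoUpdate") == 1 or au.get("AUOptions") not in (2, 3, 4):  # "Configure Automatic Updates"
        findings.append("Automatic Updates is off or AUOptions is not 2, 3 or 4")
    if au.get("NoAutoRebootWithLoggedOnUsers") != 1:  # "No auto-restart" policy not Enabled
        findings.append("No auto-restart policy not Enabled: clients will restart within 5 minutes")
    return findings
```

Run it against a real export (reg export of that key on a client) and an empty findings list means the Group Policy took effect as described.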
Hopefully this allows one to set up and configure SUS to cover some part of patch management in a Windows/Microsoft environment. While it is not perfect, it is at least a step in the right direction. When I first looked at SUS, the service would not apply Office patches or service packs. Now it can, and the next version, whenever it comes out, will increase the ability to have a better patch management system. A big selling point is the cost: a free download from MS.
[1] Taken from “Patch Management Using Microsoft Software Update Services: Solution Accelerator”, a nice white paper that explains a lot about how to set up and deploy SUS.
Perhaps the greatest reference is the newsgroup, Microsoft.public.softwareupdatesvcs.