What is Microsoft Software Update Services (SUS)?

by Daniel Petri - January 8, 2009

Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.

Today corporations have to frequently check the Windows Update site or the Microsoft Security Web site for patches. Then they have to manually download patches that have been made available since they last visited the site, test the patches, and then distribute the patches manually or by using their traditional software-distribution tools.

Instead of each workstation connecting to the Internet to update Windows, each workstation connects to the Microsoft SUS Server and updates from there. Only the Microsoft SUS Server itself needs access to the public Internet, because it is the one machine that connects to Windows Update.

Software Update Services solves these problems by providing dynamic notification of critical updates to Windows computers as well as automatic distribution of those updates to your corporate Windows desktops and servers. For Software Update Services to function, only one corporate intranet computer requires access to the public Internet.

By connecting to Windows Update, Microsoft SUS Server provides notification of critical updates as well as performing automatic distribution of those updates to your workstations and servers. Microsoft SUS server gives the administrator control over updates: The administrator can test and approve updates from the public Windows Update site before deployment on the corporate intranet. Deployment takes place on a schedule created by the administrator.

Software Update Services leverages the successful Windows Automatic Updates service first available in Windows XP, and allows information technology professionals to configure a server that contains content from the live Windows Update site in their own Windows-based intranets to service corporate servers and clients.

Software Update Services

The server features include:

  • Built-in security. The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization process validates the digital certificates on everything it downloads to the update server; packages whose certificates are not from Microsoft are deleted.
  • Selective content approval. Updates synchronized to your server running Software Update Services are not made automatically available to the computers that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages before deploying them.
  • Content synchronization. The server is synchronized with the public Windows Update service either manually or automatically. The administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize.
  • Server-to-server synchronization. Because you may need multiple servers running Microsoft SUS inside your corporation in order to bring the updates closer to the desktops and servers that download them, Microsoft SUS allows you to point one SUS server at another SUS server instead of at Windows Update, so that critical software updates can be distributed around your enterprise.
  • Update package hosting flexibility. Administrators have the flexibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft-maintained download servers, which are the actual Windows Update download servers. In a scenario like this, an administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers. Microsoft maintains a worldwide network of these servers.
  • Multi-language support. Although the Software Update Services administrative interface is available only in English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want updates downloaded.
  • Remote administration via HTTP or HTTPS. The administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher.
  • Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server.
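The status-logging item above says only that the client reports to a Web server over HTTP and that the statistics land in that server's log file. As an added example, not code from the article or from Microsoft, the Python below parses an IIS W3C extended log and tallies which clients installed which updates and which failed with what error code, which is the check an administrator wants before trusting that an approved update actually went out. The report path /wutrack.bin and the query fields A (activity), I (item), S (status) and E (error code) are this example's assumptions about the client's reporting format; verify them against the SUS deployment white paper for your client version. The log lines are constructed.

```python
"""Summarise Automatic Updates status reports from an IIS W3C extended log.
Added example for this article; not Microsoft's or the author's code.
The report path and the single-letter query fields (A=activity, I=item,
S=status, E=error code) are this example's assumptions about the SUS client's
reporting format. The log lines below are constructed."""

from collections import defaultdict
from typing import Dict, Iterable, List
from urllib.parse import parse_qs

STATUS_PATH = "/wutrack.bin"   # assumed status-report URL on the WUStatusServer

# Constructed IIS 5.0 log excerpt: two clients, one successful detect/install,
# one failed install (E=80070005, an access-denied style code) and a later success.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-01-08 03:05:12 10.0.0.21 GET /wutrack.bin U=a1b2&A=d&I=Q810833&S=s&E=0 200
2009-01-08 03:06:40 10.0.0.21 GET /wutrack.bin U=a1b2&A=i&I=Q810833&S=s&E=0 200
2009-01-08 03:07:02 10.0.0.22 GET /wutrack.bin U=c3d4&A=i&I=Q810833&S=f&E=80070005 200
2009-01-08 03:07:30 10.0.0.23 GET /default.htm - 200
2009-01-08 03:09:15 10.0.0.22 GET /wutrack.bin U=c3d4&A=i&I=Q811630&S=s&E=0 200
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the names in #Fields."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#"):
            continue                       # other directives (#Software, #Version, #Date)
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed row: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def summarise_status(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Collect per-item install successes (as sets of client IPs) and failures."""
    installed: Dict[str, set] = defaultdict(set)
    failed = []
    for row in rows:
        if row.get("cs-uri-stem", "").lower() != STATUS_PATH:
            continue                       # ordinary Web traffic, not a status report
        query = {k: v[0] for k, v in parse_qs(row.get("cs-uri-query", "")).items()}
        if query.get("A") != "i":          # only the install activity proves deployment
            continue
        item, client = query.get("I", "?"), row["c-ip"]
        if query.get("S") == "s":
            installed[item].add(client)
        else:
            failed.append((client, item, query.get("E", "")))
    return {"installed": installed, "failed": failed}


def report(log_text: str) -> Dict[str, object]:
    """Parse a whole log and return sorted, JSON-friendly results."""
    summary = summarise_status(parse_w3c(log_text.splitlines()))
    return {
        "installed": {item: sorted(clients) for item, clients in summary["installed"].items()},
        "failed": summary["failed"],
    }


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for item, clients in result["installed"].items():
        print(f"{item}: installed on {', '.join(clients)}")
    for client, item, error in result["failed"]:
        print(f"FAILED {item} on {client} (error {error})")
```

Run it against the real log directory of the WUStatusServer (one file per day by default) and the failure list becomes the work queue; a client that appears in detect (A=d) records but never in install records is the other case worth chasing, because it means the update was offered but never applied.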

Download Software Update Services Server 1.0 with Service Pack 1 HERE (33 MB)

Microsoft SUS Server limitations

Though very good at what it does, Microsoft's patch management tool does have a few limitations:

  • It does not push out service packs; you need a separate solution for that.
  • It only handles patches at the operating-system level (including Internet Explorer and IIS), not application patches for products such as Microsoft Office, Microsoft Exchange Server or Microsoft SQL Server.
  • It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems.
  • It cannot deploy custom patches for third party software.
  • It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.

This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool.

Read more on how to overcome SUS's limitations by using a 3rd party tool called GFI LANguard Network Security Scanner.

Windows Automatic Update Client

To use SUS on your network you will need to use the Windows Automatic Update Client.

The client is based on the Windows Automatic Updates technology that was significantly updated for Windows XP. Automatic Updates is a proactive pull service that enables users with administrative privileges to automatically download and install Windows updates such as critical operating-system fixes and Windows security patches. The features include:

  • Built-in security: Only users with local administrative privileges can interact with Automatic Updates. This prevents unauthorized users from tampering with the installation of critical updates. Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally signed the files.
  • Just-in-time validation: Automatic Updates uses the Windows Update service technologies to scan the system and determine which updates are applicable to a particular computer.
  • Background downloads: Automatic Updates uses the Background Intelligent Transfer Service (BITS), an innovative bandwidth-throttling technology built into Windows XP and newer operating systems, to download updates to the computer. This bandwidth-throttling technology uses only idle bandwidth so that downloads do not interfere with or slow down other network activity, such as Internet browsing.
  • Chained installation: Automatic Updates uses the Windows Update technologies to install downloaded updates. If multiple updates are being installed and one of them requires a restart, Automatic Updates installs them all together and then requests a single restart.
  • Multi-user awareness: Automatic Updates is multi-user aware, which means that it displays different UI depending on which administrative user is logged on.
  • Manageability: In an Active Directory environment, an administrator can configure the behavior of Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.
  • Multi-language support: The client is supported on localized versions of Windows.

This update applies to the following operating systems:

  • Windows 2000 Professional with Service Pack 2
  • Windows 2000 Server with Service Pack 2
  • Windows 2000 Advanced Server with Service Pack 2
  • Windows XP Professional
  • Windows XP Home Edition

Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the Automatic Updates component, eliminating the need to download the client component separately.

Download Windows automatic updating (SUS Client) HERE (1 MB)

Administrator Control via Policies

The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active Directory environment.

Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates.

The Software Update Services installation package includes a policy template file, WUAU.ADM, which contains the Group Policy settings that control Automatic Updates, including the location of the intranet update server. These settings can be loaded into the Group Policy Editor for deployment. The same policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family and in Windows XP Service Pack 1.
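The article names the registry route for computers outside Active Directory but not the values involved. The Python below, added here and not part of the article or of Microsoft's tooling, builds the WindowsUpdate policy values that the WUAU.ADM template exposes (WUServer, WUStatusServer, UseWUServer, AUOptions, NoAutoUpdate, ScheduledInstallDay, ScheduledInstallTime), checks them for the mistakes that silently leave a client pointed at public Windows Update or never installing anything, and renders them as a .reg file that a logon script can import. The server names are constructed.

```python
"""Build, sanity-check and serialise the Automatic Updates policy values that
point a client at an internal SUS server. Added example for this article, not
code from Microsoft or the article's author. The key path and value names are
those written by the WUAU.ADM template; the host names used are constructed."""

from typing import Dict, List

POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = POLICY_KEY + r"\AU"

# AUOptions values offered by the "Configure Automatic Updates" policy.
AU_NOTIFY_DOWNLOAD = 2        # notify before download and before install
AU_AUTO_DOWNLOAD_NOTIFY = 3   # download automatically, notify before install
AU_AUTO_SCHEDULED = 4         # download automatically and install on the schedule

Policy = Dict[str, Dict[str, object]]


def build_sus_policy(sus_server: str, status_server: str,
                     au_option: int = AU_AUTO_SCHEDULED,
                     install_day: int = 0, install_hour: int = 3) -> Policy:
    """Return the values a client needs, grouped by the registry key they live under."""
    return {
        POLICY_KEY: {
            "WUServer": sus_server,              # where the client fetches approved updates
            "WUStatusServer": status_server,     # where it reports download/install status
        },
        AU_KEY: {
            "NoAutoUpdate": 0,                   # 0 = Automatic Updates enabled
            "AUOptions": au_option,
            "ScheduledInstallDay": install_day,  # 0 = every day, 1..7 = Sunday..Saturday
            "ScheduledInstallTime": install_hour,  # 0..23, local time
            "UseWUServer": 1,                    # 1 = honour WUServer instead of Windows Update
        },
    }


def check_policy(policy: Policy) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent."""
    problems: List[str] = []
    wu = policy.get(POLICY_KEY, {})
    au = policy.get(AU_KEY, {})
    server = str(wu.get("WUServer", ""))
    if not server.lower().startswith(("http://", "https://")):
        problems.append("WUServer must be an http(s) URL")
    if server and au.get("UseWUServer") != 1:
        problems.append("UseWUServer is not 1: the client will still use public Windows Update")
    if au.get("NoAutoUpdate") == 1:
        problems.append("NoAutoUpdate=1 disables Automatic Updates entirely")
    if au.get("AUOptions") not in (AU_NOTIFY_DOWNLOAD, AU_AUTO_DOWNLOAD_NOTIFY, AU_AUTO_SCHEDULED):
        problems.append("AUOptions must be 2, 3 or 4")
    if not 0 <= int(au.get("ScheduledInstallDay", 0)) <= 7:
        problems.append("ScheduledInstallDay must be 0 (every day) or 1..7")
    if not 0 <= int(au.get("ScheduledInstallTime", 0)) <= 23:
        problems.append("ScheduledInstallTime must be an hour 0..23")
    if not wu.get("WUStatusServer"):
        problems.append("WUStatusServer is empty: clients will not report status anywhere")
    return problems


def to_reg_file(policy: Policy) -> str:
    """Serialise the policy in .reg syntax (DWORDs as 8 hex digits, strings quoted)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, values in policy.items():
        lines.append(f"[{key}]")
        for name, value in values.items():
            if isinstance(value, int):
                lines.append(f'"{name}"=dword:{value:08x}')
            else:
                escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
                lines.append(f'"{name}"="{escaped}"')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    policy = build_sus_policy("http://sus01.corp.example", "http://sus01.corp.example")
    for problem in check_policy(policy):
        print("WARNING:", problem)
    print(to_reg_file(policy))
```

Run check_policy before distributing the file: the two silent failures it catches, UseWUServer left at 0 and an empty WUStatusServer, both leave Automatic Updates running happily while the SUS administrator sees no clients at all.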

Download Software Update Services 1.0 ADM File for Service Pack 1 HERE (25 KB)

Loading of the WUAU.ADM template in GPO

Image of the WUAU.ADM template in place

Images of the GPO setting options for Windows Automatic Updates.

After you have configured the Microsoft SUS client, patches are deployed automatically. The user is notified through a message in the task bar (see image).

System Requirements and supported clients

System Requirements:

  • Supported Operating Systems: Windows 2000, Windows Server 2003

SUS Server 1.0 with SP1 has the following minimum hardware requirements:

  • Pentium III 700 MHz or higher processor
  • 512 megabytes (MB) of RAM
  • 6 gigabytes (GB) of available hard disk space

Your client computers must be running Windows 2000 Professional with Service Pack 2 (SP2) or later, Windows XP Professional, or Windows 2000 Server with SP2 or later in order to run Automatic Updates. Note: Windows NT 4.0 is not supported.

SUS supports updates for Windows 2000 Professional with Service Pack 2, Windows 2000 Server, and Windows XP Professional. It does not include provisions for updates to any other Microsoft products such as Microsoft Office, SQL Server, or Exchange Server.

SUS with SP1 can now also be used to deploy service packs: Windows XP SP1 and Windows 2000 SP4.

SUS Server 1.0 with SP1 automatically installs under the Web site that is currently running. It will not interfere with this or any other Web sites. If no other Web site is currently running, SUS Server 1.0 with SP1 will create a new Web site.

Read more about SUS management on the GFI LANguard Network Security Scanner page.

Here are a few screenshots of SUS and its main screens:

SUS Welcome screen

SUS Synchronize Now and Schedule buttons

The Synchronization settings window

The Synchronization process and detail window

The Synchronization Log

Microsoft Software Update Services (SUS)


Software Update Services Deployment White Paper (Word document, 2.51 MB)
