One of the challenges most network
administrators face is the need to distribute software updates to
servers and workstations. In small environments, visiting each
computer to perform the installation of an update might take only a
few hours. However, in medium to large networks, administrators
need a secure, reliable, and efficient way of distributing updates
as they are released.
One of the options available for distributing
updates is Software Update Services (SUS). SUS consists of two
components: the server and the client. The server (which can be
running Windows 2000 or Windows Server 2003) downloads updates from
Microsoft and stores them locally. As soon as the updates are
posted to the Windows Update site, they are downloaded and the
network administrator is notified that they are available. The
clients can then download the updates from the server instead of
retrieving them from the Windows Update site. One of the benefits
of using SUS is that updates can be tested before being deployed.
This eliminates the possibility that clients will download updates
before they have been tested and approved by the network
administrator.
Configuring Software Update Services
Software Update Services (SUS) is installed on
a server to centralize the distribution of software updates. Before
you install SUS, make sure that the computer meets the hardware and
software requirements outlined in the following lists:
A computer running SUS with the minimum hardware
requirements listed here is capable of supporting up to 15,000
The software requirements to run SUS are as
Also keep in mind that SUS must be installed on
an NTFS partition. The system partition of the SUS host must also
be formatted with NTFS. If the computer does not meet the software
requirements just outlined, the SUS setup program will not permit
you to install the software.
Software Update Services
After you have determined that your computer
meets all the requirements, you are ready to begin the installation
of SUS. The software can be downloaded for free from Microsoft's
After SUS has been downloaded, you can run setup
using the following steps:
Double-click the executable called
. This launches the setup program for Software
Update Services with Service Pack 1. Click
Accept the licensing agreement and click
Select the type of installation. Performing a
SUS with the default settings. Click
The next window displays the URL that clients
will use to connect to the SUS server. Click Install.
Click Finish. The SUS administration website
opens, from which you can configure your SUS server.
Software Update Services
If you choose a typical installation, the SUS
server is automatically configured with specific default
The SUS server is configured to retrieve
software updates from the Microsoft Windows Update servers.
The proxy server configuration is set to
automatically detect settings.
Content that is downloaded is stored
All packages are available in all supported
Any approved packages that are later updated are
not automatically approved.
Clients locate the server using its NetBIOS
If the default settings are sufficient, you do
not need to reconfigure the SUS server. If you need to make
configuration changes, an SUS server can be configured using the
SUS web administration tools. You can access the administration
tools in two ways. You can access the administration site using the
. You can also access the
web page by clicking Start, Administrative Tools, and selecting
Microsoft Software Update Services (see Figure 4.7). To begin
configuring the SUS server, click the Set Options link.
Figure 4.7. Microsoft Software Update
Services Administration website
From the Set Options page shown in Figure 4.8,
you can configure three different options. Under Select a Proxy
Server Configuration, you can specify how the SUS server
Figure 4.8. The Set Options page
Choose one of the following options based on
your network configuration:
Do Not Use a Proxy Server to Access the Internet: Select this option if the SUS
server does not use a proxy server to connect to the Internet.
Use a Proxy Server to Access the Internet: Select this option if the SUS server
accesses the Internet through a proxy server.
Proxy Server Settings: Select this option if your network
supports automatic discovery of proxy server settings.
Use the Following Proxy Server to Access the Internet: Select this option if
the network does not support automatic configuration of proxy
settings. Specify the address or port number of the proxy server.
You can also specify the account and password that the SUS
server should use if credentials are required.
The next section enables you to specify the name
that clients will use to locate the SUS server. You can specify the
NetBIOS name of the SUS server, or, if clients on the network do
not support NetBIOS, you can specify the DNS name or the IP address.
The final section on the Set Options window
enables you to configure the location from which the SUS server
will get software updates. An SUS server can retrieve software
updates directly from Microsoft, or it can retrieve them from
another SUS server. To have the SUS server retrieve updates from
Microsoft, select Synchronize Directly from the Microsoft Windows
Update Servers. To have the SUS server retrieve updates from
another SUS server, select Synchronize from a Local Software Update
Services Server and specify the name of the server.
An administrator can also change how the SUS
server handles updated content. This enables you to specify what
the SUS server should do when software packages that were previously
approved are updated. You can select from two options:
If you want to test an update before it is
downloaded and installed by clients, you should select the second
option (Do Not Automatically Approve New Versions of Previously
Approved Updates. I Will Manually Approve These Later). This means
that any software packages that you previously approved but that
have been updated by Microsoft require approval again by the
administrator before clients can install them.
When an SUS server connects to the Microsoft
Windows Update site, it can download two types of content. First,
it downloads a file that describes the list of packages
(Aucatalog1.cab). Second, it downloads the actual software
As an administrator, you can choose whether the
SUS server should download the packages or just the catalog file.
If the SUS server downloads only the catalog file, any clients that
are configured for Automatic Updates first check the list of
approved packages from the local SUS server and then connect to the
Windows Update servers to download the approved packages. You can
also choose to download the packages and store them locally on the
SUS server. If the updates are stored locally on the SUS server,
any clients configured for Automatic Updates will download the
approved software packages directly from the local SUS server. On
this screen, you can also specify the locales that will be
downloaded by selecting each language that you need to support on
Configuring Automatic Client Update Settings
For SUS to work, clients need to install a
special version of Automatic Update software. When the updated
version of Automatic Update is installed, clients can download
updates from a server running SUS, and the updates can be installed
at a preconfigured interval. The updated version of Automatic
Update can run on Windows 2000 and later platforms.
Automatic Client Update
The Automatic Update client can be installed in
a number of ways. You can run the setup locally on each client
computer, or you can choose to perform a centralized deployment.
Installing the client locally is a very simple process. Simply
download the client from Microsoft's website and run the
file. To install the client automatically using
Active Directory, perform the following steps:
Click Start, point to Administrative Tools,
and click Active Directory Users and Computers.
Right-click the appropriate Organizational
Unit and click Properties.
From the Group Policy tab, click Edit to use
policy object, or click New to create a new
Under Computer Configuration, select Software
Right-click Software Installation, point to
New, and click Package.
file and click
The Deploy Software window appears. Click
Assigned and click OK.
Automatic Client Update Settings
After you've installed the Automatic Updates
software, you can configure the settings using the software
interface on the client or through a Group Policy Object.
A few steps must be completed before you can
configure Automatic Updates via a Group Policy Object. First, you
must load the Automatic Update policy settings template. To do so,
open the appropriate Group Policy Object. Under either Computer
Settings or User Settings, right-click Administrative Templates and
click Add. Type in the name for the Automatic Updates ADM file
) located in the
and click Open.
After you have completed these steps, you can
begin configuring the Automatic Updates Group Policy Object
settings for clients on the network. Table 4.1 summarizes the
settings that are available (see Figure 4.9).
Figure 4.9. Automatic Update group
Table 4.1. Automatic Update Settings
Group Policy Setting
Configure Automatic Updates
Three options are available:
Notify for Download and Notify for Install: An
administrative user (member of the Local Administrators group) is
notified before the download and installation of any updates. This
means that an administrator must approve any new updates before
they are downloaded and installed.
Auto Download and Notify for Install: Updates are
automatically downloaded, and an administrative user is notified
Auto Download and Schedule the Install: Updates
are automatically downloaded and scheduled for installation.
Specify Intranet Microsoft Update Service
With this option, administrators can define the
SUS server from which clients will retrieve updates. You can also
specify which server clients will send statistics to, such as the
successful installation of an update.
Reschedule Automatic Updates Scheduled
If automatic updates are configured to install
at a particular time and the scheduled time has passed, the
administrator can use this option to configure when the
installation will occur next.
No Autorestart for Scheduled Automatic Updates
This option can be used to prevent Automatic
Updates from restarting a computer when a user is logged on.
If an environment does not use Active
Directory, Automatic Update settings can be configured only by
instituting various Registry entries to make the needed
To define which SUS server clients should
use to retrieve updates and send status information to, add the
following entries under
This specifies the location of
the server from which updates will be downloaded. The SUS server is
identified by HTTP name, such as http://SUSserver.
This specifies the
location of the server to which the client will send status
information. Again, the server is identified by HTTP name.
To configure other settings, such as the day and
time that updates should occur, add the following entries under
This specifies that the
client must use an SUS server to obtain updates. Set the value to
for clients for Automatic Updates to use an SUS
Use this option to configure
whether the local administrator should be notified of downloads and
installations, as well as whether updates should be installed on a
defined schedule. The possible values are
download and installation),
(automatically download and
notify of installation), or
(automatic download and
This defines the
day that updates should be installed. The values range from
indicates every day and
specific days of the week (
= Sunday and
This defines the
time of day that updates should be installed. The value is
specified in 24-
This defines when
updates should occur when the predefined scheduled time has passed.
The value is specified in minutes (
defines whether Automatic Updates can reboot a computer when a user
is logged on. Set this value to
to enable the logged-on
user to choose whether to reboot the computer.
This enables or disables
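The registry-based client configuration described above can be audited offline. The following is an added example, not code from the original text: it parses a constructed .reg export and reports when a client is not pinned to the approved SUS server or has an out-of-range schedule. The key path and value names (WUServer, WUStatusServer, UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime) and their numeric ranges are assumptions taken from Microsoft's documented Automatic Updates policy values, not from the text above; http://SUSserver is the page's own example name.

```python
import re

# Constructed sample: a .reg export of the Automatic Updates policy key.
# Key path and value names are assumptions (Microsoft's documented policy names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://SUSserver"
"WUStatusServer"="http://SUSserver"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003
'''

# Matches "Name"="string" and "Name"=dword:XXXXXXXX value lines.
LINE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {value_name: int | str} for every value line in a .reg export."""
    values = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, dword, string = m.groups()
            values[name] = int(dword, 16) if dword is not None else string
    return values

def audit(values, approved_server):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    for name in ("WUServer", "WUStatusServer"):
        if str(values.get(name, "")).rstrip("/").lower() != approved_server.lower():
            findings.append(f"{name} is not the approved SUS server")
    if values.get("UseWUServer") != 1:
        findings.append("UseWUServer is not 1, so the SUS server setting is not used")
    opt = values.get("AUOptions")
    if opt not in (2, 3, 4):
        findings.append("AUOptions is not 2, 3 or 4")
    if opt == 4:  # scheduled install: day and hour must be present and in range
        if values.get("ScheduledInstallDay") not in range(0, 8):
            findings.append("ScheduledInstallDay is not 0-7")
        if values.get("ScheduledInstallTime") not in range(0, 24):
            findings.append("ScheduledInstallTime is not 0-23")
    return findings
```

Running audit(parse_reg(SAMPLE_REG), "http://SUSserver") on the sample returns an empty list; a client whose server value points elsewhere, or whose UseWUServer is 0, produces one finding per problem.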