WSUS: Update Services for Decentralized Environments

WSUS provides the features that administrators need to manage and distribute updates through a Web-based tool that can be accessed from Internet Explorer on any Windows computer on a corporate network. While similar to SMS, WSUS has fewer features and doesn't support updates for all Windows applications. It is suited to managing certain types of updates, or segments of computers, where a simpler solution can work. This might include managing a sandbox network that for security reasons isn't connected to your main SMS instance and doesn't require the level of management that SMS provides. It could also include the management of a smaller remote site that isn't covered under your organization's SMS licensing. While WSUS doesn't support the software and hardware inventory features and is a much simpler tool, it can be useful in your environment if deployed correctly.

When it comes to SMS and WSUS, some organizations may be able to choose one or the other. While WSUS mirrors many of the capabilities in SMS, it is generally less functional and less flexible. See the following table for a comparison of features and capabilities.


| | Windows Server Update Services | SMS 2003 |
|---|---|---|
| Supported Software and Content | | |
| Supported software for content | Win2K, WS2003, WinXP Pro, Office 2003, Office XP, Exchange 2000, SQL Server 2000, MSDE | Same as WSUS and Win98 and can update any other Windows-based software |
| Supported content types for supported software | All software updates, critical driver updates, Service Packs, and Feature Packs | All updates, Service Packs, and Feature Packs, and supports update and app installs for any Windows-based |
| Update Management Capabilities | | |
| Targeting content to systems | | |
| Network bandwidth optimization | | |
| Patch distribution control | | |
| Patch installation and scheduling | | |
| Patch installation status reporting | | |
| Deployment planning | | |
| Inventory management | | |
| Compliance checking | | |

WSUS provides a central point of update for servers, clients, or other WSUS servers in your environment. The WSUS server that acts as an update source is called an upstream server. In a WSUS implementation, at least one WSUS server in the network must connect to Microsoft Update to get available update information. The administrator can determine, based on network security and configuration, how many other servers connect directly to Microsoft Update.

A client computer component for Automatic Updates is built into the Windows 2000 with SP3, Windows XP, and Windows Server 2003 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a server running WSUS.

WSUS is the successor to Software Update Services (SUS). It builds on the features that SUS provided and extends them with the following:

  • More extensive updates for Microsoft products

  • The ability to automatically download updates from Microsoft Update by product and type

  • Ability to target updates to specific computers and computer groups

  • Ability to verify that updates are suitable for each computer before installation

  • Reporting capabilities

  • Data migration and import/export capabilities

  • Extensibility through an API

  • Additional language support for international customers

  • Better bandwidth utilization through BITS
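
As an added example (not from the book), the PowerShell function below reads the standard Windows Update policy registry values to report whether the Automatic Updates client on a machine receives updates from Microsoft Update or from a WSUS server, and which computer group it reports for targeting. The approved server URL is a placeholder assumption; replace it with your own.

```powershell
# Added example: audit where this machine's Automatic Updates client gets updates.
# WUServer, WUStatusServer, TargetGroup(Enabled) and AU\UseWUServer are the
# standard Windows Update policy values; the approved URL below is hypothetical.
function Get-UpdateSourceReport {
    param(
        # Hypothetical value: the WSUS URL(s) approved for this site.
        [string[]]$ApprovedServers = @('http://wsus01.corp.example')
    )
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    # Missing keys or values come back as $null and become empty strings here.
    $server = "$($wu.WUServer)".TrimEnd('/')
    $status = "$($wu.WUStatusServer)".TrimEnd('/')
    $usesWsus = ($au.UseWUServer -eq 1) -and ($server -ne '')

    $findings = @()
    if (-not $usesWsus) {
        $findings += 'No WSUS policy in effect: client uses Microsoft Update directly.'
    } else {
        # The client only honours the policy when both URLs are set to the same value.
        if ($status -ne $server) {
            $findings += 'WUStatusServer differs from WUServer; both must match.'
        }
        $approved = $ApprovedServers | ForEach-Object { $_.TrimEnd('/') }
        if ($approved -notcontains $server) {
            $findings += "Update server '$server' is not on the approved list."
        }
    }

    # Client-side targeting: the computer group this machine asks to join.
    $group = $null
    if ($wu.TargetGroupEnabled -eq 1) { $group = $wu.TargetGroup }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        UsesWsus     = $usesWsus
        UpdateServer = $server
        TargetGroup  = $group
        Findings     = ($findings -join ' ')
    }
}

Get-UpdateSourceReport | Format-List
```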

WSUS is flexible enough to meet the update management needs of a wide range of organizations. Whether you're a small IT shop that relies on dial-up connectivity or a large business with thousands of users distributed across multiple sites, the solution can function in your environment. Depending on the size of the organization, its location, and its connectivity infrastructure, administrators can determine the most efficient way to scale out their WSUS servers to provide system update services. Let's look at some of the common scenarios for deploying WSUS components in small, medium, and more restricted networks.

In a single WSUS server scenario, administrators can set up a server running WSUS inside their corporate firewall, which synchronizes content directly with Microsoft Update, and distributes updates to client computers. In this case, a single WSUS server supporting many clients provides the interface to updates via Microsoft Update.

A number of configurations are possible for WSUS that incorporate many servers to help scale the solution in larger organizations or those with more sophisticated network environments. WSUS servers can be partitioned logically to support different groups of client computers and servers. In this case, each WSUS server communicates with Microsoft Update in support of its own group of clients. Each WSUS server operates independently and is aware of only its own clients. An example of this configuration is shown in Figure 2-9.

Figure 2-9

Administrators can deploy multiple servers running WSUS that synchronize all content within their organization's intranet. In this scenario, only one WSUS server is exposed to the Internet. This is the only server that downloads updates from Microsoft Update. This server is set up as the upstream server, and serves as the source to which the downstream server synchronizes. When applicable, servers can be located throughout a geographically dispersed network to provide the best connectivity to all client computers. Communications across the network are limited to the main upstream server and its downstream WSUS servers.

If corporate policy or other conditions limit computer access to the Internet, administrators can set up an internal server running WSUS. In this case, a server is created that is connected to the Internet but is isolated from the main corporate network. After downloading, testing, and approving the updates on this server, the WSUS administrator can then export the update metadata and content to a CD, and then import the update metadata and content to servers running WSUS within the intranet via that same CD.

As you can tell, WSUS provides an important set of features to enable you to update the software on your clients and servers in your IT environment. But more important than managing software updates and system patching is having a complete story for management, monitoring, and remediation of issues whether they exist on your clients or servers. That is where MOM, SMS, and WSUS working together deliver value to the IT administrator.

Professional MOM 2005, SMS 2003, and WSUS
ISBN: 0764589636
EAN: 2147483647
Year: 2006
Pages: 132