In-Depth
WSUS: Better Name, Better Product
Readers report that Microsoft's Windows Server Update Services (WSUS) tool is a vast improvement over its predecessor SUS.
In its latest incarnation, Microsoft's free patch management and update tool
is on its third acronym. It started out as SUS (Software Update Services). It
then bore the unfortunate acronym WUS (Windows Update Services). The new version
is called WSUS (Windows Software Update Services). More importantly, it also
resolves many of the shortcomings of the earlier version.
WSUS officially debuted in June, but has been embraced by final beta users.
"This latest version is as close to perfect as I've seen," says Jason Stanke,
a senior consultant at MindGent LLC, an IT consultancy in Indianapolis, Ind.
Stanke uses WSUS internally and to support several customer sites. "We haven't
encountered one bug. The performance is a lot quicker. It doesn't break other
things. It simply works, which makes my life easier."
A key WSUS improvement is the expanded menu of product updates. It now handles
updates for Exchange Server, SQL Server and Office, as well as Windows. It also
improves on the performance, testing and reporting capabilities of its predecessors.
The expanded application support is a definite plus. "The main reason I like
it is because it supports more platforms, like Office and Exchange," says Clyde
Graham, manager of information systems for the City of Ridgeland, Miss. "It's
not as full-featured as SMS [Systems Management Server], but it bridges the
gap a little better."
Windows
Server Update Services (WSUS) |
|
Graham manages nearly 120 computers and 11 servers--all running different versions
of Windows and various Microsoft applications--for the city's police department,
fire department and city offices. He also appreciates the greater degree of
control he gets with WSUS. "I can control what's going out instead of just doing
automatic updates on each individual machine," he says. "And I can force updates
down [to client computers] now. With SUS, I couldn't do that."
Reboot This
WSUS provides much more control over the patching process than its predecessors.
You can schedule patch deployment and require users to reboot after patches
are installed. You can even give them the option to reboot later, although there
are concerns with this feature. "That's great if they're in the middle of something
and they don't want to reboot right away," says Jim Burtoft, senior consultant
at Blair Technology Group in Altoona, Pa. "But actually the prompting for restart
is my biggest complaint right now."
If a user doesn't reboot right away, WSUS prompts them at approximately five-minute
intervals, says Burtoft. "It's annoying. It would be nice if you could tell
it to never prompt a user for a restart, but you can't. You can tell it to not
restart automatically, you can tell it to only install the updates at certain
times, and you can give it a delay between restarts, but there's no way you
can tell it to not prompt the user for restarts."
 |
"This latest version
is as close to perfect
as I've seen."
Jason Stanke,
Senior Consultant, MindGent LLC
|
For most, that's a small price to pay for greater patching control. "The constant
restart thing can be a pain," says Jason Griffith, information systems specialist
and assistant network administrator for the state of West Virginia's Department
of Agriculture in Charleston, W.V. "But if you just set it to automatically
reboot, you don't have to worry. It's not a real show-stopper."
Test Drive Those Patches
The biggest advantage that WSUS has over SUS is that you can now set up group
policies and test patches before deploying them across the enterprise. "We liked
SUS, but the disadvantage was the lack of testing," Burtoft says. "If you approved
a patch with SUS, it went out to everybody. The nice thing with WSUS is that
you can set up a test group and apply your patches [to that group] first. After
they've been deployed and you haven't had any problems, then you can roll it
out to everybody."
Burtoft says setting up Group Policies is fairly straightforward. "You can
make your test group as big or as small as you like," he says. "We set up a
series of test groups. First, we'll set up a basic alpha test group to make
sure the patch doesn't blue screen anything or break anything obvious. Then
if it works there, we'll roll it out to a more widespread test group of machines
in different departments. If it works there, we'll roll it out companywide.
It makes the whole process much easier to manage."
V8 Performance
Performance is also better with WSUS because it uses a new technology called
Background Intelligent Transfer Service (BITS). It determines how much bandwidth
is available on the local network before sending patches to target machines.
"SUS didn't use BITS, so if you pushed a big update, there'd be some lag time
with the clients and people complained about that," explains MindGent's Stanke.
"The problem was that it would hit the update server and if you had a lot of
updates, it would suck them all down at once. If you were trying to do something
else at the same time, there was a visible difference in performance. Now with
WSUS, it's all done in the background and nobody even notices. There are no
performance issues."
That's not always the case, though--especially when using it across a wide area
network. "BITS is great, but we had trouble using it across the WAN," Burtoft
says. "It listens on the network and gauges how much traffic there is so that
it will use only a portion of the bandwidth. But the problem is that it can
only look at the local network, which could be running at 10MB or 100MB. If
you're downloading the patch over a 128K WAN link, it doesn't figure that out.
It only sees the LAN side and says, 'Hey, I have a 100MB connection and I'm
only using 1 percent, so I can download 1MB and nobody will even notice.' Well,
if it uses 1MB over a 128K link, it's a problem."
| 5
Ways WSUS Is Better Than SUS |
| Besides bearing a less-unfortunate
acronym (thankfully, it was never called Patch Update Services),
WSUS packs several notable improvements over its earlier incarnations:
1. Reporting: You no longer need a separate reporting
tool, and can sort and sift through reports easier and quicker
than with SUS.
2. Testing: You can now test patches before deploying
them across the enterprise, and set a variety of test groups
using Group Policies.
3. Application Support: While SUS just supported
Windows patches, WSUS also handles Exchange Server, SQL
Server and Office, plus more applications are promised down
the road.
4. Performance: WSUS uses BITS technology to gauge
available bandwidth and to ensure that patch downloads don't
negatively affect network performance.
5. Control: Administrators can schedule patch deployment,
and force patches down to client machines.
— J.C. |
|
|
Burtoft searched the Internet for a fix and found that Microsoft offered a
BITS template on its TechNet site that let him set the BITS parameters to accommodate
the tighter WAN link. "You can limit it to 2K, which is the minimum, or 5K or
10K, whatever," he says. "Hopefully, they're adding that to the regular templates
in the final version."
Real Reporting
Another big improvement in WSUS, according to early users, is reporting. In
fact, West Virginia's Griffith says he had to use a third-party reporting tool
for SUS. He sees no need for that with WSUS. "I think the reporting built into
this is as good as my third-party tool, maybe even a little bit more in-depth,"
he says. "I'm basically looking to see who needs patches, who doesn't, and then
the success rate of the patches and things like that. WSUS fulfills that need
perfectly."
Other users agree the reporting has been vastly improved. "The reporting features
are phenomenal," says Stanke. "I can tell it to give me a status report of all
my computers and tell me what updates are needed across them, and I can find
out what patches are still needed across my whole environment within 60 seconds.
I can sort by failed installs, I can search by patches not needed and I can
see which ones are already deployed. It's flexible and very fast."
 |
"If you're managing
more than 20 machines, [WSUS] will pay for itself in two or three months.
You will more than earn back the time you invested in spades."
Chris Munger,
Senior IT Manager,
American Academy
of Periodontology |
WSUS also provides a greater level of detail than SUS. "If I click on a computer,
it can tell me what OS and service pack it has, when it last talked to Active
Directory, and what make of the hardware and processor it has," he explains. "We
actually use that as a very basic inventory."
WSUS doesn't require much in terms of computer resources. The only platform
caveat would be to avoid running WSUS on a server with other Internet applications.
"We found that it doesn't play well with SharePoint Portal Services," Burtoft
says. "Microsoft has a guide to show you how to get it to run with other Internet
apps, but it's definitely a bad idea."
Waiting for Rollback
The only thing that's really missing from WSUS, users say, is an automated way
to roll back or uninstall patches. This is especially important as the patching
process becomes faster and more automated. "We've had situations where we had
three or four machines where the patch just messed things up. It worked fine
on about 90 percent of them, but there were a couple with problems," says Griffith.
"If you could roll back per machine, that would be nice."
Rollback would have saved Stanke a lot of headaches when he rolled out a patch
that locked up his entire development team's computers for a day. "Microsoft
has some key software pieces that allow clients to use the Windows Update Services
much more efficiently, and one of those updates was the Microsoft Windows Installer
3.1 beta," he says.
"If you're using the update service like we are here, Microsoft pushes that
out to clients. I didn't approve that, but Microsoft did it by default."
Stanke's entire development staff had difficulties. "Their computers would
go ahead and try and install it, but about halfway through it would freeze and
lock up. So people would turn off the computer and reboot it, and it would lock
up again."
After spending a day reading through newsgroups trying to figure it out, he
found a workaround. "A lot of people had the exact same issue because Microsoft
installed it by default," he says. "I ended up having to download the exact
patch, put it on a USB drive, reboot all the development team's computers into
Safe Mode, install it through Safe Mode, reboot, and then it worked."
The workaround did the trick, but at a cost. "The whole time, the development
group is just sitting there," says Stanke, "and they're completely billable
so we had a whole day of wasted money. In a case like that, a rollback feature
would be really great."
A Serious Timesaver
Beyond the few glitches, the best part of WSUS is that it's free, although it
still requires some time to get set up and working properly. Chris Munger, senior
IT manager at the American Academy of Periodontology in Chicago, says he had
to take time to sit down with the documentation to make sure he wasn't missing
anything important.
"You also have to set up the server that will be doing the downloading of the
updates and adjust your group policies so that you're rolling them out in the
controlled way you want," he says. "It's an afternoon, and sometimes it's hard
to find an afternoon when you're getting all your other calls from your end
users."
It's well worth the time investment, he says. "If you're managing more than
20 machines, it will pay for itself in two or three months. You will more than
earn back the time you invested in spades."