
WSUS: Better Name, Better Product

Readers report that Microsoft's Windows Server Update Services (WSUS) tool is a vast improvement over its predecessor SUS.

In its latest incarnation, Microsoft's free patch management and update tool is on its third acronym. It started out as SUS (Software Update Services). It then bore the unfortunate acronym WUS (Windows Update Services). The new version is called WSUS (Windows Server Update Services). More importantly, it also resolves many of the shortcomings of the earlier version.

WSUS officially debuted in June, but it has already been embraced by users of the final beta. "This latest version is as close to perfect as I've seen," says Jason Stanke, a senior consultant at MindGent LLC, an IT consultancy in Indianapolis, Ind. Stanke uses WSUS internally and to support several customer sites. "We haven't encountered one bug. The performance is a lot quicker. It doesn't break other things. It simply works, which makes my life easier."

A key WSUS improvement is the expanded menu of product updates. It now handles updates for Exchange Server, SQL Server and Office, as well as Windows. It also improves on the performance, testing and reporting capabilities of its predecessors.

The expanded application support is a definite plus. "The main reason I like it is because it supports more platforms, like Office and Exchange," says Clyde Graham, manager of information systems for the City of Ridgeland, Miss. "It's not as full-featured as SMS [Systems Management Server], but it bridges the gap a little better."

Windows Server Update Services (WSUS)

Free
Microsoft Corp.
800-426-9400
www.microsoft.com

Graham manages nearly 120 computers and 11 servers--all running different versions of Windows and various Microsoft applications--for the city's police department, fire department and city offices. He also appreciates the greater degree of control he gets with WSUS. "I can control what's going out instead of just doing automatic updates on each individual machine," he says. "And I can force updates down [to client computers] now. With SUS, I couldn't do that."

Reboot This
WSUS provides much more control over the patching process than its predecessors. You can schedule patch deployment and require users to reboot after patches are installed. You can even give them the option to reboot later, although there are concerns with this feature. "That's great if they're in the middle of something and they don't want to reboot right away," says Jim Burtoft, senior consultant at Blair Technology Group in Altoona, Pa. "But actually the prompting for restart is my biggest complaint right now."

If a user doesn't reboot right away, WSUS prompts them at approximately five-minute intervals, says Burtoft. "It's annoying. It would be nice if you could tell it to never prompt a user for a restart, but you can't. You can tell it to not restart automatically, you can tell it to only install the updates at certain times, and you can give it a delay between restarts, but there's no way you can tell it to not prompt the user for restarts."


For most, that's a small price to pay for greater patching control. "The constant restart thing can be a pain," says Jason Griffith, information systems specialist and assistant network administrator for the state of West Virginia's Department of Agriculture in Charleston, W.V. "But if you just set it to automatically reboot, you don't have to worry. It's not a real show-stopper."

Test Drive Those Patches
The biggest advantage that WSUS has over SUS is that you can now set up group policies and test patches before deploying them across the enterprise. "We liked SUS, but the disadvantage was the lack of testing," Burtoft says. "If you approved a patch with SUS, it went out to everybody. The nice thing with WSUS is that you can set up a test group and apply your patches [to that group] first. After they've been deployed and you haven't had any problems, then you can roll it out to everybody."

Burtoft says setting up Group Policies is fairly straightforward. "You can make your test group as big or as small as you like," he says. "We set up a series of test groups. First, we'll set up a basic alpha test group to make sure the patch doesn't blue screen anything or break anything obvious. Then if it works there, we'll roll it out to a more widespread test group of machines in different departments. If it works there, we'll roll it out companywide. It makes the whole process much easier to manage."

V8 Performance
Performance is also better with WSUS because it uses a new technology called Background Intelligent Transfer Service (BITS). BITS determines how much bandwidth is available on the local network before sending patches to target machines.

"SUS didn't use BITS, so if you pushed a big update, there'd be some lag time with the clients and people complained about that," explains MindGent's Stanke. "The problem was that it would hit the update server and if you had a lot of updates, it would suck them all down at once. If you were trying to do something else at the same time, there was a visible difference in performance. Now with WSUS, it's all done in the background and nobody even notices. There are no performance issues."

That's not always the case, though--especially when using it across a wide area network. "BITS is great, but we had trouble using it across the WAN," Burtoft says. "It listens on the network and gauges how much traffic there is so that it will use only a portion of the bandwidth. But the problem is that it can only look at the local network, which could be running at 10MB or 100MB. If you're downloading the patch over a 128K WAN link, it doesn't figure that out. It only sees the LAN side and says, 'Hey, I have a 100MB connection and I'm only using 1 percent, so I can download 1MB and nobody will even notice.' Well, if it uses 1MB over a 128K link, it's a problem."

5 Ways WSUS Is Better Than SUS

Besides bearing a less-unfortunate acronym (thankfully, it was never called Patch Update Services), WSUS packs several notable improvements over its earlier incarnations:

1. Reporting: You no longer need a separate reporting tool, and you can sort and sift through reports more easily and quickly than with SUS.

2. Testing: You can now test patches before deploying them across the enterprise, and set up a variety of test groups using Group Policies.

3. Application Support: While SUS just supported Windows patches, WSUS also handles Exchange Server, SQL Server and Office, plus more applications are promised down the road.

4. Performance: WSUS uses BITS technology to gauge available bandwidth and to ensure that patch downloads don't negatively affect network performance.

5. Control: Administrators can schedule patch deployment, and force patches down to client machines.

— J.C.

Burtoft searched the Internet for a fix and found that Microsoft offered a BITS template on its TechNet site that let him set the BITS parameters to accommodate the tighter WAN link. "You can limit it to 2K, which is the minimum, or 5K or 10K, whatever," he says. "Hopefully, they're adding that to the regular templates in the final version."
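The BITS limit Burtoft describes is delivered by Group Policy and ends up in the registry on each client. As an added example (not from the article or from Microsoft's template), this PowerShell check reads the BITS maximum-bandwidth policy values and reports whether the cap fits a slow WAN link; the function name and the 25 percent budget for patch traffic are assumptions.

```powershell
# Added example: audit the BITS bandwidth policy on a client behind a slow WAN link.
# Test-BitsWanCap is a hypothetical helper name; the 25% budget is an assumed value.
function Test-BitsWanCap {
    param(
        [int]$WanLinkKbps     = 128,   # sample value: the 128K link from the article
        [int]$MaxSharePercent = 25     # assumed share of the link patches may use
    )
    # Location of the "maximum network bandwidth for BITS" policy values.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'
    $budget = [math]::Floor($WanLinkKbps * $MaxSharePercent / 100)
    $p      = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # No policy means BITS throttles only on what it sees at the local NIC,
    # which is the failure mode described for WAN-connected clients.
    if (-not $p -or $p.EnableBITSMaxBandwidth -ne 1) {
        return [pscustomobject]@{
            Policy        = 'NotConfigured'
            BudgetKbps    = $budget
            OnScheduleOk  = $false
            OffScheduleOk = $false
        }
    }

    # Rates are in Kbps. Outside the scheduled window BITS either uses a second
    # cap or, when UseSystemMaximum is 1, all bandwidth it believes is unused.
    $on  = [int]$p.MaxTransferRateOnSchedule
    $off = if ($p.UseSystemMaximum -eq 1) { $null } else { [int]$p.MaxTransferRateOffSchedule }

    [pscustomobject]@{
        Policy          = 'Configured'
        WindowHours     = '{0}-{1}' -f $p.MaxBandwidthValidFrom, $p.MaxBandwidthValidTo
        OnScheduleKbps  = $on
        OffScheduleKbps = if ($null -eq $off) { 'unlimited' } else { $off }
        BudgetKbps      = $budget
        OnScheduleOk    = ($on -le $budget)
        OffScheduleOk   = ($null -ne $off -and $off -le $budget)
    }
}

# Run on a branch-office client; a $false in either *Ok column means patch
# downloads can still crowd out other traffic on the link at those hours.
Test-BitsWanCap -WanLinkKbps 128 -MaxSharePercent 25
```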

Real Reporting
Another big improvement in WSUS, according to early users, is reporting. In fact, West Virginia's Griffith says he had to use a third-party reporting tool for SUS. He sees no need for that with WSUS. "I think the reporting built into this is as good as my third-party tool, maybe even a little bit more in-depth," he says. "I'm basically looking to see who needs patches, who doesn't, and then the success rate of the patches and things like that. WSUS fulfills that need perfectly."

Other users agree the reporting has been vastly improved. "The reporting features are phenomenal," says Stanke. "I can tell it to give me a status report of all my computers and tell me what updates are needed across them, and I can find out what patches are still needed across my whole environment within 60 seconds. I can sort by failed installs, I can search by patches not needed and I can see which ones are already deployed. It's flexible and very fast."


WSUS also provides a greater level of detail than SUS. "If I click on a computer, it can tell me what OS and service pack it has, when it last talked to Active Directory, and what make of the hardware and processor it has," he explains. "We actually use that as a very basic inventory."

WSUS doesn't require much in terms of computer resources. The only platform caveat would be to avoid running WSUS on a server with other Internet applications. "We found that it doesn't play well with SharePoint Portal Services," Burtoft says. "Microsoft has a guide to show you how to get it to run with other Internet apps, but it's definitely a bad idea."

Waiting for Rollback
The only thing that's really missing from WSUS, users say, is an automated way to roll back or uninstall patches. This is especially important as the patching process becomes faster and more automated. "We've had situations where we had three or four machines where the patch just messed things up. It worked fine on about 90 percent of them, but there were a couple with problems," says Griffith. "If you could roll back per machine, that would be nice."

Rollback would have saved Stanke a lot of headaches when he rolled out a patch that locked up his entire development team's computers for a day. "Microsoft has some key software pieces that allow clients to use the Windows Update Services much more efficiently, and one of those updates was the Microsoft Windows Installer 3.1 beta," he says.

"If you're using the update service like we are here, Microsoft pushes that out to clients. I didn't approve that, but Microsoft did it by default."

Stanke's entire development staff had difficulties. "Their computers would go ahead and try and install it, but about halfway through it would freeze and lock up. So people would turn off the computer and reboot it, and it would lock up again."

After spending a day reading through newsgroups trying to figure it out, he found a workaround. "A lot of people had the exact same issue because Microsoft installed it by default," he says. "I ended up having to download the exact patch, put it on a USB drive, reboot all the development team's computers into Safe Mode, install it through Safe Mode, reboot, and then it worked."

The workaround did the trick, but at a cost. "The whole time, the development group is just sitting there," says Stanke, "and they're completely billable so we had a whole day of wasted money. In a case like that, a rollback feature would be really great."

A Serious Timesaver
Beyond the few glitches, the best part of WSUS is that it's free, although it still requires some time to get set up and working properly. Chris Munger, senior IT manager at the American Academy of Periodontology in Chicago, says he had to take time to sit down with the documentation to make sure he wasn't missing anything important.

"You also have to set up the server that will be doing the downloading of the updates and adjust your group policies so that you're rolling them out in the controlled way you want," he says. "It's an afternoon, and sometimes it's hard to find an afternoon when you're getting all your other calls from your end users."

It's well worth the time investment, he says. "If you're managing more than 20 machines, it will pay for itself in two or three months. You will more than earn back the time you invested in spades."
