Tips and Tricks

4-1-1 on SUS

All you wanted to know about Microsoft's update service.

The Windows side of the IT industry has certainly seen its share of viral outbreaks in recent years. Attacks from SoBig and Blaster, to name just a couple, have caused plenty of downtime, cost plenty of dollars and earned plenty of airtime on the local news. Hundreds of other less-spotlighted viruses affect businesses every day. Unfortunately, most of it is preventable, and the old maxim, "An ounce of prevention is worth a pound of cure," is true in our industry. Blaster, for example, exploited a vulnerability that had been patched over a month prior. The problem was that nobody bothered to deploy the patch. Patch management in the Microsoft world hasn't always been easy, but Microsoft keeps trying, and there is an easier way available these days: SUS, Software Update Services.

SUS is basically your own in-house version of Windows Update. Sure, you could use Automatic Updates and let your servers download patches willy-nilly from Microsoft, but that doesn’t exactly place you in a position of control, not to mention the WAN bandwidth that a hundred servers will use when a new patch comes out. SUS is more efficient and more controllable, and it’s incredibly easy to deploy.

You can install SUS on any Windows 2000 or Windows 2003 server computer, including (as of SP1) domain controllers and Small Business Server installations. You’ll configure SUS to download updates for all available operating systems, Internet Explorer and other packages, directly from Windows Update. SUS caches the updates locally, so they’re more readily available to clients and other server computers across your WAN. And, contrary to common belief, SUS downloads most types of updates offered on Windows Update, not just “critical” updates. The catch: SUS won’t retrieve or deploy service packs for you. You’re still on your own with those. And some products (such as Office and SQL Server) do not yet make their updates available via SUS.

Once SUS downloads an update, it sits on it. Clients (and other server computers count as “clients” in this discussion) can’t download updates until you specifically approve them in SUS’ administrative interface. That way, you’ve got plenty of time to test patches in your environment before they go out to your client computers.

Speaking of your clients, they’ll need to run the SUS Client software, also called “Automatic Updates.” It’s included in Windows 2000 SP3, Windows XP SP1 and Windows Server 2003. You can also download it from

Now, by default, Automatic Updates wants to deal only with the Windows Update Web site, but you can change all that. SUS SP1 includes an updated ADM file (wuau.adm) that you can load into Group Policy to force clients' Automatic Updates software to retrieve updates on a schedule you designate and to use only your SUS server (or servers). In fact, you can outright disable access to Windows Update, ensuring that you have complete control over the flow of patches into your network. The ADM file even allows you to suppress automatic restarts, so that server computers don't reboot themselves after installing patches that require a restart while someone is logged on; an unattended server will still restart, so schedule installs for a maintenance window. By the way, the updated policy file is already bundled with Windows 2003.
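The policies described above are just registry values under the Policies hive, which is what makes them easy to verify on a client. The following script is an added example, not code from the article or from Microsoft: it writes the same values the wuau.adm settings write, so you can see exactly what each policy does and read the result back. The server name http://sus01 is a hypothetical placeholder; in production you would set these through a GPO rather than script them per machine, and the script must run with administrative rights.

```powershell
# Added example: configure Automatic Updates to use an intranet SUS server.
# These are the registry values behind the wuau.adm Group Policy settings;
# a GPO is the right way to deploy them, this script only shows the effect.
# Assumption: the SUS server is http://sus01 (hypothetical name). SUS 1.0
# clients talk plain HTTP, so the name must resolve to the right box.

$susUrl = 'http://sus01'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
New-Item -Path $auKey -Force | Out-Null

# "Specify intranet Microsoft update service location": update content and
# status reports both go to the SUS server, never to windowsupdate.com.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $susUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $susUrl -Type String
Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1       -Type DWord

# "Configure Automatic Updates": AUOptions 4 = auto download and schedule
# the install (2 = notify before download, 3 = auto download, notify install).
Set-ItemProperty -Path $auKey -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord  # 0 = every day, 1-7 = Sun-Sat
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord  # 03:00 local time

# "No auto-restart for scheduled Automatic Updates installations": as the
# value name says, the reboot is only deferred while a user is logged on.
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# "Remove access to use all Windows Update features" is a per-user policy,
# so it lives under HKCU (applies to the user running this script only).
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
New-Item -Path $userKey -Force | Out-Null
Set-ItemProperty -Path $userKey -Name DisableWindowsUpdateAccess -Value 1 -Type DWord

# Read back what the Automatic Updates client will actually use.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay,
                  ScheduledInstallTime, NoAutoRebootWithLoggedOnUsers
```

Two things worth checking once the policy is in place. First, the WUServer value is a trust decision: whoever answers for that name decides which approved updates a client ever sees (the client still verifies Microsoft's signature on each package, so a rogue server can withhold patches but not forge them), so keep name resolution and the SUS server itself as tightly controlled as a domain controller. Second, the read-back at the end is the quick way to confirm a machine is really pointed at SUS rather than Windows Update when a client stops reporting.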

If you have a large, distributed network, SUS can accommodate you. SUS servers can be configured to download approved updates from other SUS servers, allowing you to deploy a hierarchy of servers that best meets your needs for deploying patches, centralizing control and conserving WAN bandwidth. Installing SUS takes about 10 minutes; configuring it perhaps another 10. With patch control and deployment this easy, there’s no reason not to nip the next Blaster in the bud while still maintaining complete control over your server and client computers. Even if you’re working in a small shop, you can easily add SUS to an existing file server or domain controller and take advantage of enterprise-class patch deployment.

About the Author

With more than fifteen years of IT experience, Don Jones is one of the world’s leading experts on the Microsoft business technology platform. He’s the author of more than 35 books, including Windows PowerShell: TFM, Windows Administrator’s Scripting Toolkit, VBScript WMI and ADSI Unleashed, PHP-Nuke Garage, Special Edition Using Commerce Server 2002, Definitive Guide to SQL Server Performance Optimization, and many more. Don is a top-rated and in-demand speaker and serves on the advisory board for TechMentor. He is an accomplished IT journalist with features and monthly columns in Microsoft TechNet Magazine, Redmond Magazine, and on Web sites such as TechTarget and Don is also a multiple-year recipient of Microsoft’s prestigious Most Valuable Professional (MVP) Award, and is the Editor-in-Chief for Realtime Publishers.


Reader Comments:

Tue, Nov 25, 2003 Lupe Washington

You do not need Active Directory to use SUS. My server works fine and perfectly.

Wed, Oct 1, 2003 Raeford South Africa

Latest version downloads SPs as well. Very useful in our patching against Blaster.

Wed, Oct 1, 2003 Anonymous Anonymous

SUS can help. Mention should have been made of MBSA which can be run in cmd line hfnetchk mode against the SUS server approved list instead of Windows Update. is a great resource.

Tue, Sep 30, 2003 John Kentucky

Too bad this requires Active Directory and HFNetChkPro, which is a very good, slick product that has greatly simplified my life. I would recommend it to all.

Tue, Sep 30, 2003 Prasanth A


Mon, Sep 29, 2003 Gustav Bulgaria

SUS is perfect solution for my company (100+ clients) , but where is "Tips & tricks" in this article, this is from SUS white paper .....

Mon, Sep 29, 2003 Shawn California

After working with this in the lab for about a month I found that the distribution of patches is inconsistent and the admin interface is limited. I also would like to hear about the bugs and special tweaks required to make this work consistently.

Mon, Sep 29, 2003 Anonymous Anonymous

I heard that SUS doesn't work consistently. This article would be better if it included bugs in SUS.

Mon, Sep 29, 2003 Peter Texas

The only issue I have with this column is the statement, "The catch: SUS won't retrieve or deploy service packs for you. You're still on your own with those." The latest update of SUS does indeed retrieve and push out SPs. It can be used to push Win2k clients up to SP4 and XP clients up to SP1.

Mon, Sep 29, 2003 Anonymous Anonymous

Good entry-level intro
