There are few things I love more than getting something for "free" and having it turn out to be valuable. That's certainly true with Microsoft's latest attempt at easing patch management pain, WSUS (Windows Server Update Services).

WSUS is a marked improvement over the earlier Software Update Services. Instead of just providing so-called "critical and security" patches for Internet Explorer, Outlook Express, and Windows, WSUS allows support teams to maintain an internal host that provides the same content available through Microsoft's Office Update and Windows Update support sites. WSUS even goes one better by including patches and updates for server applications such as Exchange 2000/2003 and SQL Server 2000.

WSUS also contains notable improvements in its management and reporting capabilities. WSUS admins can now group WSUS clients -- which can be desktops, laptops, or servers -- as desired and apply patches to each group on a priority basis, or merely flag the device as requiring a patch without installing it. Installation deadlines can now be set. New reports give line support staff and managers a client-based or patch-based view of devices needing attention, while the WSUS server's management page presents a top-down look at server activity and, more importantly, which clients need attention.

These enhancements would constitute a major overhaul by themselves, but there's more. WSUS adds support for SSL-based communications between clients and the WSUS server, although this requires rolling out PKI across the entire client population. WSUS also can manage the removal of patches -- at least when the patch itself supports removal.

Whether WSUS is truly free is debatable. After all, there's still the cost of hardware and a CAL (client access licence) for a Windows server OS, from either the 2000 or 2003 vintages. With Microsoft having matured Windows 2000 support, one might ask what the point was in supporting the obsolescent OS.

Hardware requirements and setup
The hardware requirements for WSUS aren't terribly stringent: A server with a 1GHz CPU and 1GB of RAM can comfortably support more than 500 clients; dual 3GHz processors are recommended when supporting more than 10,000 clients. Nevertheless, I'd recommend throwing the best machine one can afford at the job because a minimal server is slow to respond during management operations. Because WSUS servers can be clustered and tiered, WSUS scales across even the largest enterprise.

Setting up WSUS isn't terribly difficult. I started with a machine running Windows Server 2003 and made sure it had the IIS Web Server package installed. The WSUS installer includes a run-time version of MSDE 2000 (Microsoft SQL Server 2000 Desktop Engine) for Windows Server 2003 as a repository manager; one can also configure WSUS to store its data on another machine running SQL Server 2000.

If one has -- as I did -- a current SUS installation, the new WSUS server can import content from the SUS box to save time and speed up the installation. Because WSUS can support a wider array of applications, however, there will still be data to download from Microsoft, especially if the full list of patches, driver updates, and service packs is selected for distribution.

After the WSUS server is up, running, and downloading its content, the WSUS admin chooses whether to classify WSUS clients through Group Policy -- which requires access to an Active Directory domain -- or manually through the WSUS console.
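As an added example (not from the article), the following PowerShell check, run on a client, reports whether the client is pointed at the internal WSUS server over HTTPS (the SSL support mentioned above) and which target group, if any, its policy assigns; the expected server URL is a placeholder assumption, while the registry value names are the documented Windows Update policy settings.

```powershell
# Added example (not from the original article): audit a client's WSUS
# policy settings. Registry value names are the documented Windows Update
# policy values; the expected server URL is a placeholder assumption.
param(
    [string]$ExpectedServer = 'https://wsus.example.internal:8531'  # placeholder
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value or key absent: that policy is not applied
}

$findings = @()

# Is the client pointed at an internal WSUS server at all?
$useWu = Get-PolicyValue $auPolicy 'UseWUServer'
if ($useWu -ne 1) { $findings += 'UseWUServer is not 1: client will use Microsoft Update directly' }

# Server URLs: both should be set, match, and use HTTPS when SSL is enabled on the server
$server = Get-PolicyValue $wuPolicy 'WUServer'
$status = Get-PolicyValue $wuPolicy 'WUStatusServer'
if (-not $server) { $findings += 'WUServer is not set' }
elseif ($server -notmatch '^https://') { $findings += "WUServer uses plain HTTP: $server" }
if ($server -and $status -and ($server -ne $status)) {
    $findings += "WUServer ($server) and WUStatusServer ($status) differ"
}
if ($server -and ($server -ne $ExpectedServer)) { $findings += "WUServer points at unexpected host: $server" }

# Client-side targeting (group assigned by policy) is only in effect when TargetGroupEnabled is 1;
# otherwise the group is whatever the admin assigned in the WSUS console.
$tgEnabled = Get-PolicyValue $wuPolicy 'TargetGroupEnabled'
$tgName    = Get-PolicyValue $wuPolicy 'TargetGroup'
if ($tgEnabled -eq 1 -and -not $tgName) { $findings += 'TargetGroupEnabled is 1 but TargetGroup is empty' }

[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    UseWUServer    = $useWu
    WUServer       = $server
    WUStatusServer = $status
    TargetGroup    = if ($tgEnabled -eq 1) { $tgName } else { '(server-side targeting)' }
    Findings       = if ($findings) { $findings -join '; ' } else { 'OK' }
}
```

Run it across a group of clients (for example via Invoke-Command) to spot machines whose policy never applied or that still talk to the server over plain HTTP.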

Although WSUS is not a comprehensive solution to patch management, it will prove a significant help for companies that stick to Microsoft products and mainstream desktop hardware. Even shops large enough to justify using Microsoft Systems Management Server and similar products may find that WSUS is a good solution in cases where remote sites are simply too difficult to manage using the heavyweight tools.


Microsoft's quasi-free patch management software expands its coverage to include "the rest of Windows," the Office family, and a limited number of server software packages. Reporting is decidedly improved over the original incarnation, and clients are easily grouped for greater manageability. WSUS can even be used to roll back patches -- if the patch supports removal.