Patch Management Tool: Goodbye SUS, Hello WSUS

by Joe Lee
 

We have used Microsoft's Software Update Services (SUS) for desktop patch management since 2003. According to statistics, the number of desktop computers with missing patches has been under control, making our campus network more secure. However, SUS mainly supports Microsoft's operating systems while other popular Microsoft software products are not covered. (See Network Computing, Issue 45 - September 2005 for details.)

Windows Server Update Services (WSUS) is Microsoft's new tool for patch management, replacing the existing SUS. The patch management process of WSUS differs little from that of SUS. WSUS enables the management of individual PCs as well as groups of PCs, allows patches to be tested before approval, and controls when a patch is applied to the PCs.

With extended capabilities, WSUS can now automatically deliver security patches/updates for SQL Server, Office, Visio, Project and the like to the clients. In addition, it has some favourable features that facilitate administrative productivity and efficiency, including advanced network optimization using Background Intelligent Transfer Service (BITS), flexible update management, and comprehensive status reports. The new "detect only" feature of WSUS also enables us to better plan the software update deployments.

After WSUS had been tested in selected departments for some time, it was formally deployed for the whole campus on 22 March. The deployment was successful and smooth. WSUS now manages more than 3,500 domain PCs and has become an important part of the security management process at the University. As the Internet is turbulent today and users may face zero-day attacks, WSUS can surely help us protect our Windows-based machines which have joined the CITYUMD domain.