Windows Patch System Closing Gap

By Andrew Garcia  |  Posted 2005-05-02

Microsoft's no-cost WSUS gains important features and a better interface.

Windows Server Update Services represents a gargantuan leap forward for Microsoft Corp.'s no-cost patching solution. WSUS' overall feature set falls short of many competing for-cost solutions from third-party patch management companies. However, its dramatically improved management interface, bandwidth controls and new reporting capabilities have narrowed the gap.

eWEEK Labs believes that WSUS will likely be the first choice for many organizations and will force competitors to continue to innovate to justify their place in enterprise networks.

We tested WSUS Release Candidate 1, which is downloadable at

WSUS leverages Microsoft's forthcoming Microsoft Update Web site to provide patches not only for the Windows 2000 (Service Pack 3 or later), Windows XP and Windows 2003 operating system versions but also for Microsoft applications including Office XP, Office 2003, SQL Server 2000, Exchange 2000 and Exchange 2003. However, many Microsoft applications are still unsupported, and patching support for third-party applications remains nonexistent.

Gold versions of WSUS and the Microsoft Update Web site are expected to be available early this summer.

SUS (Software Update Services) 1.1, Microsoft's previous no-cost entry, was not a patch management platform per se but, rather, little more than an internal patch repository. Administrators using SUS could not target patch installations at specific clients—once a patch was approved on an SUS server, all clients configured to check the server would download and install the patch.

SUS had no internal reporting capabilities to report clients missing patches or verify which clients successfully installed patches. Instead, administrators had to use a separate tool, such as MBSA (Microsoft Baseline Security Analyzer), to verify patch levels.

WSUS, in conjunction with the Microsoft Update site and the latest version of Microsoft's Automatic Updates clients, addresses these shortcomings. The Automatic Updates agent performs scans on the local host according to policy defined on the WSUS server. The client then reports findings to the server, where administrators can take action and monitor reports.

WSUS also offers new computer grouping capabilities. A default policy is applied to the All Computers group, but we could define different actions on a per-group basis. Groups can be defined manually in the WSUS console or automatically via a GPO (Group Policy Object) applied to the client. The differential policy controls also allow administrators to control separate policies for desktops and servers from the same WSUS server.

The console dashboard shows high-level-status findings for the server, and filterable reports are available per patch or per computer for more specific information. However, the reporting features don't match the wide variety of high-level and drill-down reports we've seen from competing products such as Shavlik Technologies LLC's HFNetChkPro 5 Plus.

WSUS also has several features to control bandwidth utilization to the Internet and within the corporate network. Where SUS necessitated a massive initial download at first synchronization, WSUS instead could be configured to download patches only after we approved them, and WSUS server replication capability allowed us to avoid duplicating downloads to multiple servers.

WSUS configures server replicas in a parent-child relationship. Patch metadata, patch files and group information are automatically synchronized among multiple servers to lessen administration over multiple locations.

Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
