Page Two

By Andrew Garcia  |  Posted 2005-05-02

The Automatic Updates clients use BITS (Background Intelligent Transfer Service) 2.0 technology to download patch information. BITS lets an interrupted download resume from a checkpoint rather than restart, and it throttles its use of the client's bandwidth while the network connection is otherwise in use.

We installed WSUS RC1 on Windows Server 2003 and on Windows 2000 Server, and WSUS worked effectively in both cases. Both installations required us to install IIS (Internet Information Services), BITS 2.0 and .Net Framework 1.1 Service Pack 1 prior to WSUS installation. The Windows 2000-based installation also required that we obtain and install the MSDE (Microsoft SQL Server Desktop Engine) 2000 database separately, while the Windows 2003 installation included an integrated copy of WMSDE (Windows MSDE), which is similar to MSDE without the connection limitations.

Companies that wish to support more than 500 clients per server should instead install WSUS with a SQL Server 2000 database for greater scalability.

As with SUS, WSUS leverages Active Directory GPOs to control client-agent behavior. Windows XP Service Pack 2 includes the latest version of the Windows Update Group Policy administrative template, which adds several new settings that control the behavior of each client's Automatic Updates agent.

However, administrators of systems running older versions of Windows XP, Windows 2000 or Windows 2003 will need a patch to update the template to the newest version before they can administer the GPO.

Managing client behavior via GPOs has several disadvantages compared with managing third-party patching solutions' agents. Where many competing patching solutions can instantly push client configurations to their agents from the primary management console, managing a WSUS environment requires access to two management interfaces: the WSUS policy and patch approval Web interface and the Group Policy snap-in. Larger organizations may find that desktop administrators responsible for maintaining patch levels don't have access to configure GPOs and will require special permissions to edit the objects.

In addition, because the Windows Update template is a machine-based GPO, a reconfiguration takes effect on a client only after that machine reboots or after the policy refreshes automatically (every 90 minutes by default).

With these limitations, WSUS is not the best choice when patches need to be installed immediately. We found GPOs accommodated scheduled installs easily, but, according to Microsoft representatives, an immediate patch job requires fooling the Automatic Updates client into thinking it missed a scheduled install with the help of a Visual Basic script.
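Because the client's behavior is driven entirely by the machine GPO described above, the practical check on a client is to confirm which policy values it has actually received. The following PowerShell script is an added example, not code from the review or from Microsoft; it reads the Windows Update policy keys a GPO writes on the client, reports whether the policy has arrived yet (the 90-minute refresh), and flags a server address that does not match the one you expect. `$ExpectedServer` is a placeholder you must set for your environment.

```powershell
# Added example: audit the Windows Update policy a client received via GPO.
# Placeholder: replace with the WSUS server URL your GPO is supposed to deliver.
$ExpectedServer = 'https://wsus.example.internal:8531'

# Registry locations the Windows Update administrative template writes to.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value has not been delivered to this client yet.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Human-readable meaning of the AUOptions policy value.
$AuModes = @{
    2 = 'Notify before download'
    3 = 'Auto download, notify before install'
    4 = 'Auto download and schedule install'
    5 = 'Allow local admin to choose setting'
}

$findings     = @()
$wuServer     = Get-PolicyValue $PolicyKey 'WUServer'
$useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'
$auOptions    = Get-PolicyValue $AuKey 'AUOptions'
$installDay   = Get-PolicyValue $AuKey 'ScheduledInstallDay'
$installTime  = Get-PolicyValue $AuKey 'ScheduledInstallTime'

if ($null -eq $wuServer) {
    $findings += 'WUServer not present: the GPO has not refreshed on this client yet (default interval 90 minutes; gpupdate /target:computer forces it).'
} elseif ($wuServer -ne $ExpectedServer) {
    $findings += "WUServer is '$wuServer', expected '$ExpectedServer'."
}
if ($wuServer -and $wuServer -notmatch '^https://') {
    $findings += 'WUServer uses plain HTTP; update metadata is unauthenticated in transit. Publish WSUS over HTTPS.'
}
if ($useWuServer -ne 1) {
    $findings += 'UseWUServer is not 1: the client will still contact Microsoft Update, not the WSUS server.'
}
if ($auOptions -eq 4 -and ($null -eq $installDay -or $null -eq $installTime)) {
    $findings += 'AUOptions is 4 (scheduled install) but no ScheduledInstallDay/ScheduledInstallTime is set.'
}

"Automatic Updates mode: $auOptions ($($AuModes[[int]$auOptions]))"
if ($findings.Count -eq 0) { 'Client policy matches expectations.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it as an administrator on a client after the refresh interval has elapsed; an empty findings list confirms the GPO reached the machine and points it at the intended server.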

While WSUS has some shortcomings, it nonetheless warrants serious evaluation because it is a free add-on to Windows Server systems.

Third-party patch management vendors such as Citadel Security Software Inc., BigFix Inc. and PatchLink Corp. must continue to innovate to stay relevant. We've seen dramatic improvements in these systems' abilities to address non-patch-related vulnerabilities, integrate with third-party vulnerability scanners and deliver patches for non-Microsoft operating systems.

These companies also perform additional testing of patches before releasing them to clients, although this should never replace in-house testing on a company's own machines and applications.

In the future, we'd like to see development toward integrating patch management systems with wider desktop lifecycle management platforms and improved integration with the various automated network admission and quarantine protocols that are quickly gaining steam.


Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration, providing network, server and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK magazine and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at
