Windows Patch System Closing Gap

By Andrew Garcia  |  Posted 2005-05-02


Windows Server Update Services represents a gargantuan leap forward for Microsoft Corp.'s no-cost patching solution. WSUS' overall feature set falls short of many competing for-cost solutions from third-party patch management companies. However, its dramatically improved management interface, bandwidth controls and new reporting capabilities have narrowed the gap.

eWEEK Labs believes that WSUS will likely be the first choice for many organizations and will force competitors to continue to innovate to justify their place in enterprise networks.

We tested WSUS Release Candidate 1, which is downloadable at

WSUS leverages Microsoft's forthcoming Microsoft Update Web site to provide patches not only for the Windows 2000 (Service Pack 3 or later), Windows XP and Windows 2003 operating system versions but also for Microsoft applications including Office XP, Office 2003, SQL Server 2000, Exchange 2000 and Exchange 2003. However, many Microsoft applications are still unsupported, and patching support for third-party applications remains nonexistent.


Gold versions of WSUS and the Microsoft Update Web site are expected to be available early this summer.

SUS (Software Update Services) 1.1, Microsoft's previous no-cost entry, was not a patch management platform per se but, rather, little more than an internal patch repository. Administrators using SUS could not target patch installations at specific clients—once a patch was approved on an SUS server, all clients configured to check the server would download and install the patch.

SUS had no internal reporting capabilities to report clients missing patches or verify which clients successfully installed patches. Instead, administrators had to use a separate tool, such as MBSA (Microsoft Baseline Security Analyzer), to verify patch levels.

WSUS, in conjunction with the Microsoft Update site and the latest version of Microsoft's Automatic Updates client, addresses these shortcomings. The Automatic Updates agent performs scans on the local host according to policy defined on the WSUS server. The client then reports findings to the server, where administrators can take action and monitor reports.

WSUS also offers new computer grouping capabilities. A default policy is applied to the All Computers group, but we could define different actions on a per-group basis. Groups can be defined manually in the WSUS console or automatically via a GPO (Group Policy Object) applied to the client. The differential policy controls also allow administrators to control separate policies for desktops and servers from the same WSUS server.

The console dashboard shows high-level status findings for the server, and filterable reports are available per patch or per computer for more specific information. However, the reporting features don't match the wide variety of high-level and drill-down reports we've seen from competing products such as Shavlik Technologies LLC's HFNetChkPro 5 Plus.


WSUS also has several features to control bandwidth utilization to the Internet and within the corporate network. Where SUS necessitated a massive initial download at first synchronization, WSUS instead could be configured to download patches only after we approved them, and WSUS server replication capability allowed us to avoid duplicating downloads to multiple servers.

WSUS configures server replicas in a parent-child relationship. Patch metadata, patch files and group information are automatically synchronized among multiple servers to lessen administration over multiple locations.


The Automatic Updates clients use BITS (Background Intelligent Transfer Service) 2.0 technology for downloading patch information, which allows checkpoint restarts in case of interruption and minimizes network impact on the client when the network is being used.

We installed WSUS RC1 on Windows Server 2003 and on Windows 2000 Server, and WSUS worked effectively in both cases. Both installations required us to install IIS (Internet Information Services), BITS 2.0 and .Net Framework 1.1 Service Pack 1 prior to WSUS installation. The Windows 2000-based installation also required that we obtain and install the MSDE (Microsoft SQL Server Desktop Engine) 2000 database separately, while the Windows 2003 installation included an integrated copy of WMSDE (Windows MSDE), which is similar to MSDE without the connection limitations.

Companies that wish to support more than 500 clients per server should instead install WSUS with a SQL Server 2000 database for greater scalability.

As with SUS, WSUS leverages Active Directory GPOs to control client-agent behavior. Windows XP Service Pack 2 includes the latest version of the Windows Update Group Policy administrative template, which includes several new functions that control the behavior of each client's Automatic Updates agent.

However, administrators of systems running older versions of Windows XP, Windows 2000 or Windows 2003 will need a patch to update the template to the newest version before they can administer the GPO.

Managing client behavior via GPOs has several disadvantages compared with managing third-party patching solutions' agents. Where many competing patching solutions can instantly push client configurations to their agents from the primary management console, managing a WSUS environment requires access to two management interfaces: the WSUS policy and patch approval Web interface and the Group Policy snap-in. Larger organizations may find that desktop administrators responsible for maintaining patch levels don't have access to configure GPOs and will require special permissions to edit the objects.

In addition, because the Windows Update template is a machine-based GPO, reconfigurations take effect only after each client machine is rebooted or after the policy refreshes automatically (which occurs every 90 minutes by default).
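As an added illustration, not code from the review or from Microsoft: a PowerShell check of the client-side values that the Windows Update administrative template writes (WSUS server, status server, target group for the client-side targeting described earlier, install mode and schedule), so an administrator can confirm what policy a client actually received without opening the Group Policy snap-in. It assumes the standard Windows Update policy registry path; the expected server name is a placeholder.

```powershell
# Added example: audit the WSUS policy a client has applied and flag gaps
# that would leave the machine unmanaged. Registry path and value names are
# the standard Windows Update policy keys; the server URL is a placeholder.
$PolicyKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey          = "$PolicyKey\AU"
$ExpectedServer = 'http://wsus.example.internal'   # placeholder, set per site

function Get-PolicyValue($Key, $Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$wu  = Get-PolicyValue $PolicyKey 'WUServer'            # update server
$st  = Get-PolicyValue $PolicyKey 'WUStatusServer'      # reporting server
$tge = Get-PolicyValue $PolicyKey 'TargetGroupEnabled'  # client-side targeting on?
$tg  = Get-PolicyValue $PolicyKey 'TargetGroup'         # group name
$use = Get-PolicyValue $AuKey 'UseWUServer'             # 1 = use intranet server
$opt = Get-PolicyValue $AuKey 'AUOptions'               # agent install mode
$day = Get-PolicyValue $AuKey 'ScheduledInstallDay'     # 0 = every day, 1-7 = Sun-Sat
$hr  = Get-PolicyValue $AuKey 'ScheduledInstallTime'    # hour, 0-23

# AUOptions meanings from the Windows Update administrative template
$Modes = @{ 2 = 'Notify before download'; 3 = 'Auto download, notify to install';
            4 = 'Auto download, scheduled install'; 5 = 'Local admin chooses' }
$Days  = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday')

$findings = @()
if ($use -ne 1 -or [string]::IsNullOrEmpty($wu)) {
    $findings += 'Client is not pointed at an intranet WSUS server'
} elseif ($wu -ne $ExpectedServer) {
    $findings += "WSUS server is $wu, expected $ExpectedServer"
}
if ($st -ne $wu) { $findings += 'Status server differs from update server; reports may land elsewhere' }
if ($tge -eq 1 -and [string]::IsNullOrEmpty($tg)) { $findings += 'Client-side targeting enabled but no TargetGroup set' }
if ($null -eq $opt) { $findings += 'AUOptions not set; agent behaviour left to local defaults' }

"WSUS server   : $wu"
"Status server : $st"
"Target group  : $(if ($tge -eq 1) { $tg } else { '(server-side targeting)' })"
"Install mode  : $(if ($Modes.ContainsKey([int]$opt)) { $Modes[[int]$opt] } else { 'unknown/not set' })"
if ($opt -eq 4) { "Schedule      : $($Days[[int]$day]) at $($hr):00" }
if ($findings.Count -eq 0) { 'No policy gaps found' } else { $findings | ForEach-Object { "GAP: $_" } }
```

Run it after a reboot or a policy refresh to confirm a GPO change has actually reached the client.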

With these limitations, WSUS is not the best choice when patches need to be installed immediately. We found GPOs accommodated scheduled installs easily, but, according to Microsoft representatives, an immediate patch job requires fooling the Automatic Updates client into thinking it missed a scheduled install with the help of a Visual Basic script.

While WSUS has some shortcomings, it nonetheless warrants serious evaluation because it is a free add-on to Windows Server systems.


Third-party patch management vendors such as Citadel Security Software Inc., BigFix Inc. and PatchLink Corp. must continue to innovate to stay relevant. We've seen dramatic improvements in these systems' abilities to address non-patch-related vulnerabilities, integrate with third-party vulnerability scanners and deliver patches for non-Microsoft operating systems.

These companies also perform additional testing of patches before releasing them to clients, although this should never replace in-house testing on a company's own machines and applications.

In the future, we'd like to see development toward integrating patch management systems with wider desktop lifecycle management platforms and improved integration with the various automated network admissions and quarantine protocols that are quickly gaining steam.
