Windows Patch System Closing Gap

Microsoft's no-cost WSUS gains important features and a better interface.

Windows Server Update Services represents a gargantuan leap forward for Microsoft Corp.'s no-cost patching solution. WSUS' overall feature set falls short of many competing for-cost solutions from third-party patch management companies. However, its dramatically improved management interface, bandwidth controls and new reporting capabilities have narrowed the gap.

eWEEK Labs believes that WSUS will likely be the first choice for many organizations and will force competitors to continue to innovate to justify their place in enterprise networks.

We tested WSUS Release Candidate 1, which is downloadable at

WSUS leverages Microsoft's forthcoming Microsoft Update Web site to provide patches not only for the Windows 2000 (Service Pack 3 or later), Windows XP and Windows 2003 operating system versions but also for Microsoft applications including Office XP, Office 2003, SQL Server 2000, Exchange 2000 and Exchange 2003. However, many Microsoft applications are still unsupported, and patching support for third-party applications remains nonexistent.


Gold versions of WSUS and the Microsoft Update Web site are expected to be available early this summer.

SUS (Software Update Services) 1.1, Microsoft's previous no-cost entry, was not a patch management platform per se but, rather, little more than an internal patch repository. Administrators using SUS could not target patch installations at specific clients—once a patch was approved on an SUS server, all clients configured to check the server would download and install the patch.

SUS had no internal reporting capabilities to report clients missing patches or verify which clients successfully installed patches. Instead, administrators had to use a separate tool, such as MBSA (Microsoft Baseline Security Analyzer), to verify patch levels.

WSUS, in conjunction with the Microsoft Update site and the latest version of Microsoft's Automatic Updates client, addresses these shortcomings. The Automatic Updates agent scans the local host according to the policy defined on the WSUS server. The client then reports its findings to the server, where administrators can take action and monitor reports.

WSUS also offers new computer grouping capabilities. A default policy is applied to the All Computers group, but we could define different actions on a per-group basis. Groups can be defined manually in the WSUS console or automatically via a GPO (Group Policy Object) applied to the client. These per-group controls also let administrators apply separate policies to desktops and servers from the same WSUS server.
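As an added example (not part of the eWEEK article, and not Microsoft's own tooling), the PowerShell check below reads the client-side Windows Update policy values that a GPO writes and flags configurations a defender would want to catch before trusting the client's reports: a client not configured to use an intranet update server, a server URL other than the one actually deployed, a plain-HTTP server URL, or client-side targeting enabled with no group name. The registry locations and value names are assumed to be the standard Windows Update policy keys; the expected server URL is a placeholder to adjust for your environment.

```powershell
# Added example, not from the article: report how this client is pointed at WSUS
# and which target group it claims, then sanity-check the result.
# Assumption: policy values live under the standard Windows Update policy keys.
$ExpectedServer = 'https://wsus.example.internal:8531'   # placeholder, not from the article

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = "$policyKey\AU"

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: no policy set for this item
    }
}

$report = [pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    WUServer           = Get-RegValueOrNull $policyKey 'WUServer'        # intranet update server
    WUStatusServer     = Get-RegValueOrNull $policyKey 'WUStatusServer'  # where scan results are reported
    UseWUServer        = Get-RegValueOrNull $auKey     'UseWUServer'     # 1 = use the intranet server
    TargetGroupEnabled = Get-RegValueOrNull $policyKey 'TargetGroupEnabled'
    TargetGroup        = Get-RegValueOrNull $policyKey 'TargetGroup'     # client-side targeting group name
}

$report | Format-List

# Checks a defender would want before relying on this client's patch reports.
$issues = @()
if ($report.UseWUServer -ne 1) {
    $issues += 'Client is not configured to use an intranet update server (UseWUServer is not 1).'
}
if ($report.WUServer -ne $ExpectedServer) {
    $issues += "WUServer is '$($report.WUServer)', expected '$ExpectedServer'."
}
if ($report.WUServer -and $report.WUServer -notmatch '^https://') {
    $issues += 'WUServer is not HTTPS; update metadata is fetched over an unauthenticated channel.'
}
if ($report.TargetGroupEnabled -eq 1 -and [string]::IsNullOrWhiteSpace($report.TargetGroup)) {
    $issues += 'Client-side targeting is enabled but no TargetGroup is set; the client will not land in a named group.'
}

if ($issues.Count -eq 0) { 'OK: client update policy matches expectations.' } else { $issues }
```

Run it in an elevated session on a client; the policy keys are only present when a GPO (or an equivalent local policy) has been applied, so a null WUServer on a domain-joined machine is itself a finding worth chasing.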

The console dashboard shows high-level status findings for the server, and filterable reports are available per patch or per computer for more specific information. However, the reporting features don't match the wide variety of high-level and drill-down reports we've seen from competing products such as Shavlik Technologies LLC's HFNetChkPro 5 Plus.


WSUS also has several features to control bandwidth utilization to the Internet and within the corporate network. Where SUS necessitated a massive initial download at first synchronization, WSUS instead could be configured to download patches only after we approved them, and WSUS server replication capability allowed us to avoid duplicating downloads to multiple servers.

WSUS configures server replicas in a parent-child relationship. Patch metadata, patch files and group information are automatically synchronized among multiple servers to reduce administration across multiple locations.
