Keeping client systems updated with all the current Microsoft system and security patches is turning into a full-time job for systems administrators. Even if you let your client systems use the Windows Update Web site, which downloads an ActiveX control that evaluates what patches the client system needs and offers you the option to download and install the patches, you still don't really know the configuration of every system on your network at any given moment.
In the past, I've written about the Windows Update Corporate Site, which lets a systems administrator download the updates for any supported Microsoft applications and OSs and keep the update packages handy on the local network. This method lets systems administrators know which patches have been applied to all of the supported computers, but administrators still don't have a way to keep track of the state of each computer.
By now, Windows XP users and supporters are familiar with the automated delivery mechanism for system updates that this latest OS supports. Automated delivery gives the user quite a bit of control over how the updates are installed and alerts clients when new updates are available. But even automated updates don't let you decide which updates are made available to each client, so you still don't know what's happening on the individual clients.
Almost since the original announcement of automated updates in the Windows 9x days, Microsoft has promised corporate control over the process and a mechanism to let clients be pointed at an internal corporate update server that the local IT staff runs. Our long wait for Microsoft to act on this promise is almost over. Microsoft announced that the Microsoft Software Update Service (SUS) will be available in the second half of 2002. The beta program is well underway.
After you install SUS on a server on your corporate LAN, it will automatically synchronize with the Microsoft Update sites. You'll then be able to test and evaluate new patches and updates and decide which ones you want to deploy in your enterprise. SUS servers will also be able to synchronize with other SUS servers, so you'll be able to build a distribution network within your enterprise and still allow only one contact with the Microsoft Update sites, regardless of the size of your enterprise.
SUS will also include an automated update client for Windows 2000, which means that XP and Win2K clients will have the same update mechanism. A soon-to-be-released update to the automated update piece of XP, which will also apply to the automated update client in SUS, will let you use Group Policy to control the automated update client, giving you detailed control over what updates are installed on the client systems. Between the updated client and SUS, you'll finally get a real tool directly from Microsoft that will help you maintain client OSs and that won't require installing a global software management system such as Microsoft Systems Management Server (SMS).
I really have only one thing to say about the entire concept of SUS: It's about time. You can find complete details on all the announced update changes at the Microsoft Windows 2000 server site.