
WSUS Serves the Enterprise

Get your updates here!

Keeping your systems up-to-date just got easier. Windows Server Update Services (WSUS), the long-awaited successor to Microsoft Software Update Services (SUS), has finally arrived. WSUS takes SUS's basic update-distribution functionality and enhances it in several important ways. The most significant is scope: WSUS distributes updates for products other than the Windows OS, namely Microsoft Exchange Server, SQL Server, and Office, with support for more products coming in the future. WSUS also provides more reporting and management functionality and supports targeted approval of updates for computer groups you define. Let's look at WSUS in its most basic implementation, and then at the factors that will drive how you implement it.

The simplest WSUS implementation is a single WSUS server installed on a Windows Server 2003 or Windows 2000 Server machine. WSUS creates a SQL Server database to store information about available updates and regularly synchronizes the database with Microsoft servers. (Note that you don't need to purchase SQL Server; WSUS can use Microsoft SQL Server Desktop Engine—MSDE). WSUS downloads the actual updates from Microsoft and stores them on the local server, as Figure 1 shows.

On the client side, you must configure each machine to obtain its updates from WSUS instead of downloading them directly from Microsoft's servers over the Internet. You can use Group Policy to automate and centrally manage this client configuration. Each client requires the WSUS-compatible version of Automatic Updates and a current Windows Installer. The Automatic Updates client upgrades itself from the WSUS server's self-update virtual directory, which must remain reachable over plain HTTP on port 80 even if you later move the rest of WSUS to another port or to SSL.

After you configure the WSUS server and clients, you can begin approving updates. To do so, use a browser to access the WSUS administration Web pages. When you approve an update, clients download and apply it as they check in with WSUS. Clients check in on the Automatic Updates detection schedule (by default every 22 hours, minus a random offset so that they don't all contact the server at once), so an update should be fully deployed to clients connected to the LAN within about 24 hours of approval. A client that is switched off or disconnected picks the update up at its next check-in.

That's an overview of a simple WSUS implementation. Now let's look at some more advanced WSUS functionality, which you might require depending on the topology of your network, number of computers, variety of systems, and other factors.

To minimize instability risks and system restarts, you might prefer to install only the updates you judge to be necessary for a given system. Or you might want to initially roll out updates to a set of test computers before extending the rollout to your production environment. With SUS you had to create a separate SUS server for each group of computers that you wanted to handle differently. WSUS lets you create computer groups, then assign updates appropriate for each group. WSUS computer groups are specific to WSUS and have nothing to do with domain or local Windows groups.

Implementing WSUS computer groups is simple. You first create the group in the WSUS administrative console, then assign the appropriate computers to the group. WSUS includes two predefined groups: All Computers and Unassigned Computers. All computers that you've configured to use this WSUS server are members of the All Computers group, and you can't remove computers from All Computers. Initially, each of these computers is also a member of Unassigned Computers, but as soon as you assign a computer to some other group, it's removed from Unassigned Computers. A computer can be a member of only one WSUS group other than All Computers, so if you subsequently assign a computer in Group A to Group B, it will no longer be in Group A.
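The following script is an added example, not code from the article or from Microsoft: it creates the computer groups described above and then approves a single update for a Pilot group only, so that production groups don't receive it until you extend the approval. It uses the WSUS administration API (the Microsoft.UpdateServices.Administration assembly installed with WSUS) and assumes you run it on the WSUS server with an account in the WSUS Administrators group; the group names and the title fragment used to find the update are placeholders.

```powershell
# Added example: create WSUS computer groups and approve one update for the
# Pilot group only, via the WSUS administration API. Not from the article.
# Assumes: run on the WSUS server; API assembly present; names are placeholders.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Create the groups if they do not already exist. All Computers and
# Unassigned Computers are built in and cannot be created or deleted.
foreach ($name in 'Pilot', 'Servers', 'Workstations') {
    $existing = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $name }
    if (-not $existing) {
        [void]$wsus.CreateComputerTargetGroup($name)
        "Created group $name"
    }
}

# Locate the update to approve by a substring of its title.
$titleFilter = 'Security Update for Windows Server 2003'   # hypothetical; substitute your own
$update = $wsus.GetUpdates() |
    Where-Object { $_.Title -like "*$titleFilter*" } |
    Select-Object -First 1
if (-not $update) { throw "No synchronized update matches '$titleFilter'." }

# Some updates carry a EULA that must be accepted before approval succeeds.
if ($update.RequiresLicenseAgreementAcceptance) { $update.AcceptLicenseAgreement() }

# Approve for install on Pilot only. Members of Servers and Workstations will
# not be offered the update until you approve it for those groups as well.
$pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Pilot' }
[void]$update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $pilot)

# Verify: list the approval state of this update per group.
"Approvals for: $($update.Title)"
$update.GetUpdateApprovals() | ForEach-Object {
    $group = $wsus.GetComputerTargetGroup($_.ComputerTargetGroupId)
    '{0,-20} {1}' -f $group.Name, $_.Action
}
```

Run the verification block again after you extend the approval to Servers or Workstations; an approval on All Computers is inherited by every group, so approve at that level only when you intend a site-wide rollout.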

You have two options for assigning computers to groups. If you have a small number of computers, you can assign them to groups manually via the WSUS console (server-side targeting). If you have many computers, or if you want membership to follow policy rules so that new computers are automatically added to the appropriate group, you can use Group Policy (client-side targeting). WSUS provides an administrative template (wuau.adm) that includes an Enable client-side targeting setting in which you name the WSUS computer group; you can load the template into any Group Policy Object (GPO). Two details matter here: the group must already exist on the WSUS server, because the client reports only a name, and the server's Options must be set to determine membership from Group Policy or registry settings rather than from the console, because the two modes are mutually exclusive for a given server. Group Policy lets you assign WSUS computer group membership based on organizational unit (OU) or any other criteria with which you can scope Group Policy application. When you deploy a new computer, it is assigned to the appropriate group according to the Group Policy it receives.
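The client configuration described in the two preceding passages (pointing Automatic Updates at WSUS, and client-side targeting) is stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate; the Group Policy template simply writes these values. The script below is an added example, not from the article, that writes the same values directly, which is useful for a workgroup machine or a lab box that receives no GPO, and then verifies them and forces a detection cycle. The server URL and group name are placeholders; on a domain-joined machine a WSUS GPO will overwrite whatever you set here at the next policy refresh.

```powershell
# Added example: the registry values behind the WSUS Group Policy settings,
# applied directly to one machine. Not from the article; names are placeholders.
$wsusUrl = 'http://wsus01.example.internal:80'   # hypothetical WSUS server
$group   = 'Pilot'                               # must already exist on the server
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

New-Item -Path $base       -Force | Out-Null
New-Item -Path "$base\AU"  -Force | Out-Null

# Use WSUS for both update detection and status reporting (equivalent to the
# "Specify intranet Microsoft update service location" policy).
Set-ItemProperty -Path $base      -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $base      -Name WUStatusServer -Value $wsusUrl -Type String
Set-ItemProperty -Path "$base\AU" -Name UseWUServer    -Value 1        -Type DWord

# Client-side targeting (equivalent to "Enable client-side targeting").
# The WSUS server must be configured to take group membership from the client.
Set-ItemProperty -Path $base -Name TargetGroupEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $base -Name TargetGroup        -Value $group -Type String

# Auto-download and schedule the install (AUOptions 4), every day at 03:00.
Set-ItemProperty -Path "$base\AU" -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path "$base\AU" -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path "$base\AU" -Name ScheduledInstallDay  -Value 0 -Type DWord   # 0 = every day
Set-ItemProperty -Path "$base\AU" -Name ScheduledInstallTime -Value 3 -Type DWord   # hour, 0-23

# Verify what Automatic Updates will read, then restart it and force detection.
Get-ItemProperty -Path $base      | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path "$base\AU" | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Restart-Service -Name wuauserv
wuauclt.exe /resetauthorization /detectnow
```

The /resetauthorization switch clears the client's cached authorization cookie, which is what makes a changed TargetGroup take effect immediately instead of at the next scheduled detection. Expect the machine to show up in the console, under the group you named, some minutes after detection completes; if it lands in Unassigned Computers instead, the server is still in console (server-side) targeting mode or the group name doesn't match.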

Do you have multiple locations connected by a VPN or WAN or computers that connect only occasionally through a remote access VPN? If so, you might not want to push updates (which can be quite large) over such connections to branch offices and remote users. WSUS provides functionality to handle such situations. The service lets you set up a hierarchy of WSUS servers that passes updates and approvals from upstream servers to downstream servers at another site. Then the downstream servers distribute the updates to local clients over the LAN at the local site, as the New York and Dallas sites in Figure 2 show. Thus, if your organization has 30 servers or workstations at a site, a given update traverses the WAN once instead of 30 times.

If you don't have enough clients at a site to warrant setting up a downstream WSUS server but you still need to conserve WAN bandwidth, you can have the site's clients use a WSUS server to determine which updates to apply but download the update files themselves from Microsoft's servers via their local Internet connection, as the Podunk site in Figure 2 illustrates. Note that the option that enables this (Do not store updates locally, in the server's synchronization options) is a server-wide setting, not a per-client one: every client of that server will fetch its files from Microsoft. So either accept that for all of the main server's clients or point the remote clients at a WSUS server that carries metadata only. This scenario also works well for mobile users whose connection to the network is limited to remote access VPN connections.
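To make the two site designs concrete, here is an added example (not from the article or from Microsoft) that configures a WSUS server for either role through the WSUS administration API: as a Dallas-style downstream server that synchronizes from the root server over the WAN and inherits its approvals, or as a Podunk-style server that carries only update metadata so that its clients fetch the files from Microsoft. It assumes the API version installed exposes the configuration properties used here, that you run it on the server being configured, and that the upstream server name is a placeholder.

```powershell
# Added example: configure this WSUS server as a downstream replica of a root
# server, or as a metadata-only server whose clients download from Microsoft.
# Not from the article. Assumes the WSUS API exposes these properties;
# server names are placeholders.
param(
    [ValidateSet('Downstream', 'MetadataOnly')]
    [string]$Mode = 'Downstream'
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus   = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
$config = $wsus.GetConfiguration()

switch ($Mode) {
    'Downstream' {
        # Dallas: pull metadata and files from the root server once, then serve
        # the local LAN. Replica mode inherits approvals and group names.
        $config.SyncFromMicrosoftUpdate       = $false
        $config.UpstreamWsusServerName        = 'wsus-ny.example.internal'   # hypothetical root server
        $config.UpstreamWsusServerPortNumber  = 80
        $config.UpstreamWsusServerUseSsl      = $false
        $config.IsReplicaServer               = $true
        $config.HostBinariesOnMicrosoftUpdate = $false   # store files locally
    }
    'MetadataOnly' {
        # Podunk: keep approvals centralized, but do not stage update files on
        # this server; every client of this server downloads them from Microsoft.
        $config.HostBinariesOnMicrosoftUpdate = $true
    }
}
$config.Save()

# Show the resulting configuration and kick off a synchronization.
$wsus.GetConfiguration() | Select-Object SyncFromMicrosoftUpdate,
    UpstreamWsusServerName, UpstreamWsusServerPortNumber,
    IsReplicaServer, HostBinariesOnMicrosoftUpdate
$wsus.GetSubscription().StartSynchronization()
```

Run it with -Mode Downstream on the branch server and -Mode MetadataOnly on the server that serves bandwidth-starved or VPN-only clients. Because HostBinariesOnMicrosoftUpdate applies to the whole server, don't set it on the server that also serves a LAN full of clients unless you intend all of them to download from the Internet.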

When you combine WSUS server hierarchies and computer groups, an interesting thing happens. Downstream WSUS servers inherit the groups created on the upstream server but not the membership. So if you create a Servers group and a Workstations group on the root WSUS server, downstream servers will inherit the two group names but will maintain their own membership lists. You can then use Group Policy or manual methods to assign computers at a given site to the appropriate group on the site's local WSUS server. Then when you approve an update for the Servers group, all servers will receive the update no matter where they reside.

Do you already have SUS implemented on your network, and you don't want to start over with WSUS? Good news: WSUS supports migrating your approvals and updates from SUS to WSUS and lets you consolidate multiple SUS servers. To migrate, simply install WSUS (either on the same computer as the SUS implementation or on a different one), then use Wsusutil to migrate the approvals and updates from SUS to WSUS. (You'll find Wsusutil under Program Files, Update Services, Tools.) If you're consolidating multiple SUS servers into one WSUS server, you can specify a different computer group on the WSUS server to receive the approvals of each SUS server you migrate.

When you perform same-server or remote-server migrations, you need to take some specific steps to enable WSUS to access the information in SUS and to prevent SUS and WSUS from colliding. Refer to the migration scenario that fits your needs in the "Deploying Windows Server Update Services" operations guide at

The Automatic Updates client on each computer verifies the digital signature of each update before applying it, so you're protected from a malicious or corrupted update payload being introduced by an attacker who compromises a WSUS server or modifies the update as it travels over the network. Keep in mind what that check covers: the update file itself, not the approval metadata that tells the client which updates it should install and when. An attacker who controls a WSUS server or the unencrypted HTTP session between a client and that server can therefore still withhold, delay, or reorder updates, which is why the practical risk is best described as interruption or manipulation of the update process rather than installation of arbitrary code. That risk is still worth closing: you can implement authentication between WSUS servers and use Secure Sockets Layer (SSL) between WSUS servers and between WSUS servers and clients, and you should restrict membership of the WSUS Administrators group on the server, since anyone in it can approve any update for any group. The operations guide outlines these and other methods to secure WSUS servers from network-based attacks.

WSUS is a more mature version of SUS that will help you keep your systems up-to-date and hardened against the latest threats. I encourage you to download WSUS today and begin testing it. You can install WSUS alongside SUS without affecting your current update process. The sooner you get WSUS going the sooner you can rest assured that your systems are current, not only with core Windows updates but with Office, SQL Server (including MSDE versions), and Exchange Server updates, as well, with more supported products to come.

TAGS: Security