Keeping up with the patching process has become one of administrators' biggest headaches, rivaled solely by the dangers of not keeping system patches up-to-date. Microsoft's first serious attempt to tackle the problem of patch deployment by providing centralized control and management of software updates was Microsoft Software Update Services (SUS). Although SUS was a big step in the right direction, it didn't address some difficulties of the patch deployment process, such as managing application updates as well as OS patches. Microsoft soon followed up the SUS release with Windows Server Update Services (WSUS—formerly called Windows Update Services—WUS). WSUS is essentially SUS 2.0 and, like SUS, will likely be a free download. As I write this, WSUS is in beta and is available for download from the Microsoft Web site at

10. Client integration with Windows Update—Like SUS, WSUS provides seamless integration for client systems via Windows Update. For updates that don't require a system reboot, networked clients can silently install patches without notifying end users.

9. Scalable infrastructure—WSUS supports a scalable architecture, enabling enterprises to install multiple WSUS servers. Remote WSUS servers can synchronize their patches with the central WSUS server and provide better performance and bandwidth utilization for remote updates.

8. Time-controlled patch installations—WSUS can force the installation of deployed updates at a time that you specify. This useful feature lets you ensure that crucial updates are applied throughout the organization in a timely manner.

7. Web management interface—WSUS management uses a zero-footprint Web interface. You connect to the interface through the URL http://server/WusAdmin, where server is the name of your WSUS server system. The Web management interface lets you view patches and approve updates as well as classify systems into groups for ease of management and to simplify patch deployments, as I explain later.

6. Built-in status reports—WSUS's built-in reports are another handy feature. WSUS uses a Microsoft SQL Server back end that's hosted either on an existing SQL Server system or on Microsoft SQL Server Desktop Engine (MSDE). WSUS uses this database for reporting such information as where patches have been deployed and the success or failure of the deployments.

5. The ability to uninstall patches—In a nice improvement over SUS, WSUS has the ability to uninstall patches. Although not all patches can be uninstalled, most can, and WSUS's uninstall capability lets you automatically remove any patches that cause a problem after deployment. When a patch can be uninstalled, the Web management interface displays a Remove option next to the patch.

4. Advanced network optimization—Using Microsoft's Background Intelligent Transfer Service (BITS) technology, WSUS can regulate the bandwidth consumption of downloaded patches. BITS also enables WSUS to automatically handle network interrupts of downloads and restart a failed download from the point at which it was interrupted.

3. Flexible patch storage—WSUS lets you choose where to store patches to be deployed. If you choose to store them on your local WSUS server, Microsoft recommends reserving 8GB of disk space. Alternatively, you can have your clients access patches that are stored on Microsoft's site. This option is a boon for small businesses that are short of disk space.

2. Classification groups—WSUS can take advantage of Active Directory (AD) organizational units (OUs) to target the deployment of patches. This approach lets you easily deploy updates to a test environment as well as target specific groups of systems for early patch deployment.

1. Expanded server patching—Without a doubt, the most significant new feature in WSUS is the ability to deliver application patches. In addition to deploying patches for the Windows OS, WSUS can deploy patches to Microsoft Exchange Server, Office, and SQL Server.