I've been getting a lot of email about keeping client computers updated with the latest security patches and bug fixes, so I think it's time to discuss Microsoft Software Update Services. SUS is a server-side application that lets network administrators configure local Update Servers to be used in lieu of Microsoft's Automatic Updates service. The SUS software is easy to set up. In an Active Directory (AD) environment, you can use a Group Policy Object (GPO) to configure SUS for your client computers. In a non-AD domain or a workgroup environment, you'll need to make a client-side registry edit to configure SUS.

The SUS download is a little larger than 32MB and is available from Microsoft's Software Update Services Web site: http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp. SUS runs on Windows 2003 Server or Windows 2000. (I run SUS on a Windows 2003 server in my small office/home office--SOHO--network.) Running the executable download installs SUS and launches the Web configuration console.

If you're familiar with basic networking concepts and how Automatic Updates works, you can easily walk through SUS's configuration steps. You handle all configuration through a Web browser interface. You can configure SUS remotely, but the user who configures SUS must be a local administrator on the SUS server, even in a domain or AD environment.

The optimum SUS setup for most networks is configuring client computers to force updates on a regular schedule. With this configuration, all updates install automatically, and only users with local administrator rights on their client machines can stop an update from installing. Network administrators download updates from Microsoft Update servers to the local SUS server and approve the updates for distribution after making certain the update is safe to deploy. If you don't deem it necessary to test updates before releasing them to your clients, you can configure SUS to automatically make all new updates immediately available. You can configure your SUS server to automatically check for updates from Microsoft daily, on a schedule you specify, or only when you manually synchronize the SUS server with the Microsoft Update servers.

If you use Microsoft Systems Management Server (SMS), you need to use the SMS 2.0 Software Update Services Feature Pack. This version of SUS is specific to SMS 2.0 (SUS is integrated in the soon-to-be-released SMS 2003), but for all intents and purposes it uses the basic SUS technology to distribute software updates to client computers that have SMS agents installed.

The most troublesome aspect of SUS is the original setup. When you first configure SUS, you need to download all available updates to distribute from your SUS server. When I configured a new SUS server last week, I needed to download 164 packages that totaled almost a gigabyte of data. Although my Internet connection is capable of significant download speeds, I was able to maintain a transfer rate of only about 140Kbps when I pulled the updates from the heavily used Microsoft Update servers.

I don't think any real downside to using SUS exists, even in fairly small environments. SUS doesn't require AD or a domain, so even users in large workgroups can benefit from SUS's centralized updating capabilities.