I'm a hard-core believer in keeping all computers in my environment updated with the latest patches, bug fixes, and security modifications. Every time Microsoft releases another service pack, a major patch, or a security or bug-fix rollup, you'll find me installing it on the systems under my direct control and writing about what the release will do to improve the security, performance, and reliability of your Windows computers.

I've been somewhat puritanical in my approach to all this patching. Systems administrators who won't keep the computers under their control updated with the most recent fixes seem foolhardy to me. I've never gone so far as to suggest that you should immediately update every system—I still believe in the necessity of testing computer changes before rolling them out to your enterprise—but I haven't been able to imagine why every IT administrator doesn't share my zeal for keeping computers healthy and current.

The Problem with Automatic Software Updates
But one day, I heard a comment from a senior IT manager that put the situation into perspective: "Every time Microsoft releases a new required software update, it costs me $20,000." That remark stopped me in my tracks; obviously, even this manager's large company can't afford to implement every patch that comes out. But many patches exist that he can't afford not to apply—one rogue virus attack that brings down his network for a day will cost far more than $20,000. When I asked this manager—and a few other IT managers—about this dilemma, the common response was that they trust their antivirus software and good firewall management to keep viruses out of their networks. They emphasized that they don't neglect to apply the patches Microsoft releases; they simply try to apply patches no more than once per quarter (or as long as they can stretch the interval between patches). The situation is an ugly catch-22: Everyone wants to be able to spend the money to keep every system updated, but no one wants to actually spend the money.

My conversations with these IT managers led to discussions about antivirus software and keeping it updated. Because of all the attention that automated updating technology such as that available in Windows XP is receiving, I asked specifically about the automatic update services that antivirus software vendors provide. Everyone I talked with in large enterprises reported that they experienced problems with running unattended automatic software updates. IT folks in smaller environments (i.e., fewer than 100 users) seem to have fewer problems. In the larger environments, the problems were enough to cause IT managers to stop using external automation services.

After hearing too many horror stories about client machines that stopped working after what appeared to be a simple antivirus software update, I became convinced that these IT managers were correct to be concerned. A rash of reader email messages about this subject provided me with additional verification of the problem. Although automatic update services produce savings by reducing direct IT staff intervention in software updates, they incur greater cost when they cause problems that require a hands-on fix. The IT managers in large environments that I talked with almost universally prefer having on their network a local server that provides antivirus updates to local users.

Introducing SUS
These IT administrators' solution fits well with Microsoft's automated deployment product, Microsoft Software Update Services (SUS), which the company released in June. SUS brings XP's automated update technology to Windows 2000 under the network administrator's local control. As I write this column, the SUS technology is just making its way into general availability. The IT managers I've talked with are enthusiastic about SUS. Granted, these managers' shops exclusively run Win2K Server and XP or Win2K on the desktop (the target audience for SUS) and so represent a limited subset of all corporate computer users, but they're excited about the cost savings they believe SUS will bring about.

SUS isn't intended as a complete automation solution. The IT managers I've talked with plan to set up a single SUS server that will pull down updates to their test networks. They plan to install the SUS client on a couple of test servers and client computers, then configure the systems to pull updates from the local SUS server. At this stage in SUS's development, these managers are concerned that the SUS client software might cause problems on the machines on which it's loaded, and they want to make sure that the downloaded updates are safe to distribute further. Once the managers are satisfied that the SUS client is safe, they plan to bring SUS into general distribution, at least for client computers. Feelings are mixed about whether automatically updating servers is safe.

After deploying the SUS software to all client computers, the next step is to download updates to test servers, deploy the updates to test clients, and if it's safe to continue, make the updates available on SUS servers that are accessible to the general client base. SUS servers can handle manual and automated updates; the public server updates only on command and pulls its updates from the server in the test environment.

Even in environments with large numbers of clients, the updating process should be fairly unobtrusive; you can schedule updates to run on clients during times when the computers aren't in use. If your computers aren't left running 24 x 7, updating can take place during work hours, with or without user interaction. You don't need to worry about update traffic saturating the network: the local automated update uses the Background Intelligent Transfer Service (BITS) technology that XP uses, which transfers files in the background using idle bandwidth; the SUS client adds this functionality to Win2K.
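The client side of the staged arrangement described above (test SUS server first, production server once the updates are approved), as an added example that is not from the column or from Microsoft: a PowerShell script that points an Automatic Updates client at one of two SUS servers and schedules installs for an off-hours slot. The registry values are the Automatic Updates client's policy settings; both server hostnames and the install hour are placeholders you would replace. PowerShell postdates the column, so on a 2002-era machine the same values would be set with a .reg file or a Group Policy template.

```powershell
# Added example: configure an XP/Win2K Automatic Updates client to pull from
# a local SUS server and install on a schedule. Run as a local administrator.
param(
    [ValidateSet('Test', 'Production')]
    [string]$Stage = 'Test'
)

# Placeholder hostnames for the two SUS servers in the staged rollout.
$susServers = @{
    Test       = 'http://sus-test.example.local'
    Production = 'http://sus.example.local'
}
$susServer = $susServers[$Stage]

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

New-Item -Path $wuKey -Force | Out-Null
New-Item -Path $auKey -Force | Out-Null

# Where the client downloads updates and where it reports status.
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $susServer -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $susServer -Type String

# UseWUServer = 1: use the WUServer above instead of the public Windows Update site.
Set-ItemProperty -Path $auKey -Name UseWUServer  -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name NoAutoUpdate -Value 0 -Type DWord

# AUOptions = 4: download automatically and install on the schedule below
# (2 = notify before download, 3 = download then notify before install).
Set-ItemProperty -Path $auKey -Name AUOptions -Value 4 -Type DWord

# ScheduledInstallDay: 0 = every day, 1-7 = Sunday-Saturday.
# ScheduledInstallTime: hour of day, 0-23, local time (placeholder: 3 a.m.).
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime -Value 3 -Type DWord

# Restart the Automatic Updates service so it picks up the new policy.
Restart-Service -Name wuauserv -ErrorAction SilentlyContinue

# Show the resulting settings so the change can be verified on the machine.
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer
Get-ItemProperty -Path $auKey |
    Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
```

Run it with `-Stage Test` on the pilot machines and `-Stage Production` once the updates on the test server have been approved; keeping the two servers distinct in the client policy is what lets you widen the rollout without changing anything but the target URL.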

Check Out SUS
Microsoft doesn't recommend that Systems Management Server (SMS) customers use SUS at this time. (The company plans to release a security patch-deployment mechanism for SMS sometime in third quarter 2002.) Neither does Microsoft recommend that you replace an existing deployment mechanism that you're happy with. But beyond these recommendations, SUS is available as a free download and can get you started with a deployment mechanism that simplifies the task of delivering frequent patches to all your client systems and helps you keep all your XP and Win2K computers at an identical patch level—of prime importance when you need to troubleshoot. To learn more about SUS, go to http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp.