SUS How-To Guides

HOW TO: Configure and Use Automatic Updates in Windows XP
http://support.microsoft.com/default.aspx?…kb;EN-US;306525

HOW TO: Schedule Automatic Updates in Windows XP and Windows 2000
http://support.microsoft.com/default.aspx?…kb;EN-US;327838

HOW TO: Configure Automatic Updates to Prompt You Before You Download Updates in Windows XP
http://support.microsoft.com/default.aspx?…b;en-us;Q283629

HOW TO: Force Automatic Updates 2.2 to Perform a Detection Cycle
http://support.microsoft.com/default.aspx?…b;en-us;Q326693

HOW TO: Configure Automatic Updates by Using Group Policy or Registry Settings
http://support.microsoft.com/default.aspx?…kb;EN-US;328010

HOW TO: Configure and use Automatic Updates in Windows 2000
http://support.microsoft.com/default.aspx?…kb;EN-US;327850

Disabling Auto Update Service in Control Panel Does Not Shut Down the Service
http://support.microsoft.com/default.aspx?…b;en-us;Q283151

Description of the Automatic Update Feature in Windows XP
http://support.microsoft.com/default.aspx?…b;en-us;Q294871

Automatic Updates 2.2 Client Does Not Detect Approved Updates from Software Update Services
http://support.microsoft.com/default.aspx?…b;en-us;Q323184

Software Update Services Resources

Software Update Services Interactive Simulation:
http://www.microsoft.com/windowsserver2003/evaluation/demos/sims/sus/viewer.htm

Download SUS software:
http://www.microsoft.com/downloads/details.aspx?FamilyId=A7AA96E4-6E41-4F54-972C-AE66A4E4BF6C&displaylang=en

Download Automatic Updates Client:
http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp

Software Update Services 1.0 ADM File for Service Pack 1:
http://www.microsoft.com/downloads/details.aspx?familyid=d26a0aea-d274-42e6-8025-8c667b4c94e9&displaylang=en

SUS Deployment Guide:
http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/xpsp2sus.mspx

SUS white Paper:
http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx

Sign Up for the SUS Newsletter:
https://register.microsoft.com/regsys/ValueProp.asp?FU=https%3A%2F%2Fregister%2Emicrosoft%2Ecom%2Fregsys%2Fregsys%2Easp%3Fsl%253D10%2526wizid%253D4897%2526lcid%253D1033&LCID=1033&WizID=4897&sl=10

More Information:
http://www.microsoft.com/windowsserversystem/sus/default.mspx

If you have any questions/ doubts/ queries, feel free to post on

Microsoft SUS Discussion Groups Home:
http://www.microsoft.com/windowsserver2003/community/newsgroups/dgbrowser/en-us/default.mspx?dg=microsoft.public.softwareupdatesvcs

You can access MS SUS News Group from Google;
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&group=microsoft.public.softwareupdatesvcs

SUSSERVER.COM
http://forums.susserver.com

FAQSHOP.COM
http://www.faqshop.com/forums/viewforum.php?f=4

Software Update Services (SUS) Limitations

Like any piece of software, SUS Server does have some limitations that you should be aware of:

SUS only distributes critical patches – it will not download any driver updates.

SUS only delivers patches for the Windows 2000, XP and 2003 operating systems. It will never download patches for Windows 9x and Windows NT 4

SUS will not deliver patches for Office, ISA, SQL, and Exchange.

SUS will not deliver patches for Non-Microsoft operating systems.

With SUS you cannot roll out patches from the clients, you can only Un-approve, which will restrict future installations, but it will not un-install those from the clients.

SUS lacks reporting features, its tough to know the patches installed at the clients.

With SUS you cannot target the clients; it’s automatically targeted to all those computers configured with AU for local SUS.

Reboots can affect logged in users, there is no way to say NO if a patch requires a reboot.

AU Client will check in SUS Server for Approved patches at a random time, 17-22 hours and it’s not possible to increase/decrease this time.

How Updates Deployed Via SUS Behave for Users

It’s also important to understand how the Automatic Updates client behaves for the logged in user when SUS is used to deploy updates.

Users with Local Admin Privileges:

  • AU client activity is transparent to all those users with local admin privilege.
  • They will see notification balloons.
  • They will be prompted according the configured AU option, if applicable
  • Most importantly, they can delay or postpone the reboot.

Normal Users or Users without Local Admin Privileges:

  • For normal users, all AU Client activity is hidden.
  • They won’t see notification balloons.
  • They will not be prompted of any of the AU OPTIONS, so options 2 & 3 as noted in the previous article will not.
  • They cannot postpone any required reboots, as the NO options will be grayed out.

Configuring Software Update Services (SUS) Client Settings

You can always configure AU Client settings thru Group Policy Settings, or manually via the Registry Editor; for the purpose of this illustration, we’ll focus on the configuration of update settings via a GPO.

Configuring AU Client settings via Group Policy

The simplest (and arguably the best) way of configuring Automatic Update Client settings is by use of Group Policy objects in Active Directory Environments. This method allows greater granularity and control over how the Automatic Updates Client behaves, and to apply any changes to it. You will need to configure the AU client using a GPO if you want to get updates from your Local SUS server.

At this point, you’ll want to download the WUAU.adm Template from the Microsoft web site. See the direct link in RESOURCES Section at the end of this article.

Next, you will need to identify the target clients that will use your SUS Server to obtain critical patches. Here are the steps:

1. Open Active Directory Users & Computers.

2. Open the GPO from the target OU.

3. Add a new policy & expand the Computer Configuration container.

4. Expand the Administrative Templates container

5. Right click Administrative Templates in the MMC and import the WUADM template in to the Policy from \windows\inf directory or the \winnt\inf directory, depending on your OS.

Snapshot of Add/Remove WUAU.adm Template.

6. Expand the Windows Components container

7. Click the windows updates container

8. In this container you will be able to configure

  • Configure Automatic Updates
  • Intranet Microsoft Update Service Location
  • Reschedule Automatic Updates Scheduled installations
  • No auto-restart for scheduled Automatic Updates installations.

Use the Resultant Set of Policies (RSOP), like Group Policy Management Console, GPMC, or GPRESULT.EXE to investigate if the policies are being correct applied to your client systems.

NOTE: Group policy is not the only way to deploy the AU Client Settings; you can edit the Registry manually to configure these settings on individual systems. For more information on the necessary Registry configuration changes, see Mohammed AthifKhaleel’s article Manipulating SUS Settings through the Registry.

Are your Automatic Updates working with SUS?

Once SUS is installed and AU clients are configured, you’ll want to ensure that everything is working correct. To test, follow these simple steps:

TEST SUS: First, make sure it’s synchronizing with Microsoft Update Server daily, looking at its Synchronization and Application Event logs. Isn’t that simple?

Test Automatic Updates: This is more important for Automatic Updates, as SUS will only approve updates, which then have to be “pulled” from the server by the AU client. First, you have got to make sure AU gets appropriate settings via the GPO used to deploy them. To test this, just do a simple reg query from command prompt using the Reg query “HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate” /s command, as shown below:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
WUServer REG_SZ http://Your-SUS-Server-IP/Hostname
WUStatusServer REG_SZ http://Your-SUS-Server-IP/Hostname

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
NoAutoUpdate REG_DWORD 0x0
AUOptions REG_DWORD 0x3
ScheduledInstallDay REG_DWORD 0x0
ScheduledInstallTime REG_DWORD 0x3
UseWUServer REG_DWORD 0x1
RescheduleWaitTime REG_DWORD 0x1e

This is where normal troubleshooting should always start. If you happen to find any errors, reference the E