Software Update Services Overview

Microsoft Corporation
Published: June 2002

Abstract

This white paper contains an overview of Software Update Services, a tool for management, and
distribution of critical Windows patches. These patches resolve known security vulnerabilities and
stability issues in Microsoft Windows® 2000, Windows XP, and Windows .NET Server operating
systems. Software Update Services leverages the successful public Microsoft Windows Update
service. Information technology professionals use Software Update Services to configure a virtual
Windows Update server in their own Windows-based intranets to service corporate servers and
clients.

This white paper is intended for information technology managers who want to understand how
Software Update Services works. This overview presents customer scenarios in which Software
Update Services provides solutions for information technology professionals, as well as an
overview of the client and server-side components. System administrators who want to configure
or deploy Software Update Services should read Software Update Services companion white
paper on deployment.
Microsoft® Windows® Server White Paper

The information contained in this document represents the current view of

Microsoft Corporation on the issues discussed as of the date of
publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of
Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
This document is for informational purposes only. MICROSOFT MAKES
NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE
INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document
may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the
express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights,
or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other
intellectual property.
The example companies, organizations, products, people and events
depicted herein are fictitious. No association with any real company,
organization, product, person or event is intended or should be inferred.
© 2002 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Media, and Active Directory are either
registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries/regions.

The names of actual companies and products mentioned herein may be

the trademarks of their respective owners.

This document is best viewed onscreen in Microsoft Word 2000 or

Microsoft Word XP in Print or Web Layout View.
 Microsoft® Windows® Server White Paper

Contents
Contents.......................................................................................................................................iii

Introduction...................................................................................................................................1

Software Update Services or Systems Management Server.......................................................2

Choosing a Solution.................................................................................................................2

The Software Update Services Solution.....................................................................................3

Client-side Features....................................................................................................................3

Server-side Features...................................................................................................................3

Customer Scenarios.....................................................................................................................5
Client-side Scenarios:..................................................................................................................5

Managed desktop ...................................................................................................................5

Managed server ......................................................................................................................5

Managed data center server ...................................................................................................5

Automatic Updates Client interaction ......................................................................................5

Non-admin user.......................................................................................................................6

Server-side Scenarios.................................................................................................................6

Review, test, and approve updates..........................................................................................6

Automatic synchronization.......................................................................................................6

Client-Side: Automatic Updates..................................................................................................7

Supported Platforms....................................................................................................................7

User Experience..........................................................................................................................7

Configuration options...............................................................................................................7

Download behavior..................................................................................................................8

Installation behavior.................................................................................................................9

Installation notification..............................................................................................................9

Scheduled installation............................................................................................................10

Administrator Control via Policies..............................................................................................11

Configuring Automatic Updates setting..................................................................................11

Configuring your server running Software Update Services..................................................12

Policy templates.....................................................................................................................13

Configuration options in a non-Active Directory environment....................................................14

 Microsoft® Windows® Server White Paper

System Events..........................................................................................................................14

Server-Side: Software Update Services....................................................................................16

Supported Platforms..................................................................................................................16

Installation and Configuration....................................................................................................16

Installation..............................................................................................................................16

Configuration.........................................................................................................................16

Administrative Experience.........................................................................................................16

Home page ...........................................................................................................................17

Synchronizing the server.......................................................................................................17

Synchronization options.........................................................................................................18
Synchronization process........................................................................................................19

Approving updates.................................................................................................................19

Package information..............................................................................................................20

Approval process...................................................................................................................21

Reviewing server history and activity.....................................................................................21

Synchronization log................................................................................................................21

Approval log...........................................................................................................................22

Server health.........................................................................................................................22

E-mail notification...................................................................................................................22

Related Links...............................................................................................................................23

Feedback...................................................................................................................................23
 Microsoft® Windows® Server White Paper

Introduction
Software Update Services, a component of the Strategic Technology Protection Program (STPP),
builds on the success of Windows Update to provide a solution for medium- sized enterprises to
manage and distribute critical Windows patches. These patches resolve known security vulnerabilities
and stability issues with Microsoft Windows operating systems. This solution updates Windows 2000
and higher Windows operating systems and is a particularly powerful update-management tool for
Microsoft Active Directory® service-based networks. Although Software Update Services is well suited
to an Active Directory environment, it is not a requirement.

Today corporations have to frequently check the Windows Update site or the Microsoft Security Web
site for patches. Then they have to manually download patches that have been made available since
they last visited the site, test the patches, and then distribute the patches manually or by using their
traditional software-distribution tools. Software Update Services solves these problems by providing
dynamic notification of critical updates to Windows computers as well as automatic distribution of those
updates to your corporate Windows desktops and servers. For Software Update Services to function,
only one corporate intranet computer requires access to the public Internet.

Software Update Services offers the following features:

• An administrator-controlled content synchronization service within the intranet. The
synchronization service is a server-side component that retrieves the latest critical updates from
Windows Update. As new updates are added to Windows Update, the server running Software
Update Services automatically downloads and stores them, based on an administrator-defined
schedule. If an administrator does not wish to set a schedule, they can manual synchronize their
server running Software Update Services with Windows Update.

• An intranet-hosted Windows Update server. This easy-to-use server acts as the virtual Windows
Update server for client computers. It contains the synchronization service and administrative tools
for managing updates. It services requests for approved updates by the client computers connected
to it using the HTTP protocol. This server can also host critical updates downloaded from the
synchronization service and refer client computers to those updates.

• Administrator control over updates. The administrator can test and approve updates from the
public Windows Update site before deployment on the corporate intranet. Deployment takes place
on a schedule created by the administrator. If multiple servers are running Software Update
Services, the administrator controls which computers access particular servers running Software
Update Services. Administrators enable this level of control with Group Policy in an Active Directory
environment, or through registry keys.

• Automatic Updates on computers (desktops or servers). Automatic Updates is a Windows

feature that can be setup to automatically check for updates published on Windows Update.
Software Update Services uses this Windows feature to publish administrator approved updates on
an intranet. You can configure Windows to install updates on a schedule.

Software Update Services Overview 1

 Microsoft® Windows® Server White Paper

Software Update Services or Systems Management Server

The Microsoft Software Update Service is focused on obtaining critical updates for Windows 2000 and
Windows XP inside your corporate firewall as quickly as possible. Many customers today are
successfully using enterprise software distribution solutions like Systems Management Server for
complete software management, including responding to security and virus issues. These customers
should continue using these solutions.

To improve the Systems Management Server experience, Microsoft will be adding security-patch
improvements to Systems Management Server in the third quarter of 2002. These improvements
enable you to determine which computers need system updates. For more information, see the white
paper, “Systems Management Server 2.0 for Getting and Staying Secure.”

Choosing a Solution
Here is the recommended process for evaluating your options:
• If you are currently using a solution that is successful in distributing patches, continue using that
solution. Microsoft’s primary goal is keep Windows secure.

• If you are currently an SMS customer, you should wait and use the SMS security patch extensions
that will also be released in the third quarter of 2002.

• If you are a medium-sized enterprise in need of a solution for managing your security updating
needs, you should evaluate and deploy Microsoft Software Update Services. Its functionality and
ease of usage will help solve your business needs by keeping Windows 2000 and Windows XP
platforms safe and secure.

• If you are a larger organization that needs a solution for managing your security updating needs,
you should evaluate and deploy Microsoft Systems Management Server 2.0 with the free SMS
Value Pack, available in the third quarter of 2002. Larger organizations need greater platform
support and greater control for their security updates, and SMS is best positioned to solve these
unique needs.

Software Update Services Overview 2

 Microsoft® Windows® Server White Paper

The Software Update Services Solution

The Software Update Services solution consists of both client-side and server-side components to
provide a basic solution to critical patch management.

The solution is supported only on Microsoft Windows 2000 Professional, Server, Advanced Server
(each with Service Pack 2), Microsoft Windows XP Professional, Home Edition, and the Microsoft
Windows .NET Server family (on release).

Client-side Features
The client is based on the Windows Automatic Updates technology that was significantly updated for
Windows XP. Automatic Updates is a proactive pull service that enables users with administrative
privileges to automatically download and install Windows updates such as critical operating-system
fixes and Windows security patches. The features include:
• Built-in security: Only users with local administrative privileges can interact with Automatic
Updates. This prevents unauthorized users from tampering with the installation of critical updates.
Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally
signed the files.

• Just-in-time validation: Automatic Updates uses the Windows Update service technologies to
scan the system and determine which updates are applicable to a particular computer.

• Background downloads: Automatic Updates uses the Background Intelligent Transfer Service
(BITS), an innovative bandwidth-throttling technology built into Windows XP and newer operating
systems, to download updates to the computer. This bandwidth-throttling technology uses only idle
bandwidth so that downloads do not interfere with or slow down other network activity, such as
Internet browsing.

• Chained installation: Automatic Updates uses the Windows Update technologies to install
downloaded updates. If multiple updates are being installed and one of them requires a restart,
Automatic Updates installs them all together and then requests a single restart.

• Multi-user awareness: Automatic Updates is multi-user aware, which means that it displays
different UI depending on which administrative user is logged on.

• Manageability: In an Active Directory environment, an administrator can configure the behavior of

Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure
Automatic Updates using registry keys through the use of a logon script or similar mechanism.

• Multi-language support: The client is supported on localized versions of Windows.

Server-side Features
Software Update Services is based on the same back-end technology used on the public Windows
Update site that has been servicing Windows customers since mid-1998. It runs on Windows 2000
Server with Service Pack 2 or later. Internet Information Services (IIS) must be enabled on the server.

Important: Make sure the server is already running the most up-to-date Windows security patches before
setting it up as the server running Software Update Services.

Software Update Services Overview 3

 Microsoft® Windows® Server White Paper

The server features include:

• Built-in security. The administrative pages are restricted to local administrators on the computer
that hosts the updates. The synchronization validates the digital certificates on any downloads to
the update server. If the certificates are not from Microsoft, the packages are deleted.

• Selective content approval. Updates synchronized to your server running Software Update
Services are not made automatically available to the computers that have been configured to get
updates from that server. The administrator approves the updates before they are made available
for download. This allows the administrator to test the packages being deploying them.

• Content synchronization. The server is synchronized with the public Windows Update service
either manually or automatically. The administrator can set a schedule or have the synchronization
component of the server do it automatically at preset times. Alternatively, the administrator can use
the Synchronize Now button to manually synchronize.

• Server-to-server synchronization. Because you may need multiple servers running Microsoft
SUS inside your corporation in order to bring the updates closer to your desktops and servers for
downloading, Microsoft SUS will allow you to point to another server running Microsoft SUS instead
of Windows Update, allowing these critical software updates to be distributed around your
enterprise.

• Update package hosting flexibility. Administrators have the flexibility of downloading the actual
updates to their intranet, or pointing computers to a worldwide network of download servers
maintained by Microsoft. Downloading updates might appeal to an administrator with a network
closed to the Internet. Large networks spread over geographically disparate sites might find it more
beneficial to use the Microsoft maintained download servers. These are the actual Windows Update
download servers. In a scenario like this, an administrator would download and test updates at a
central site, then point computers requiring updates to one of the Windows Update download
servers. Microsoft maintains a worldwide network of these type servers.

• Multi-language support. Although the Software Update Services administrative interface is

available only in English or Japanese, the server supports the publishing of updates to multiple
operating-system language versions. Administrators can configure the list of languages for which
they want updates downloaded.

• Remote administration via HTTP or HTTPS. The administrative interface is Web-based and
therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher.

• Update status logging. You can specify the address of a Web server where the Automatic
Updates client should send statistics about updates that have been downloaded, and whether the
updates have been installed. These statistics are sent using the HTTP protocol and appear in the
log file of the Web server.

Software Update Services Overview 4

 Microsoft® Windows® Server White Paper

Customer Scenarios
Client-side Scenarios:
An IT administrator can configure machines running Automatic Updates differently based upon the
machine’s role in the organization. This allows an IT administrator to update all desktops in an
organization as soon as possible yet still minimize the down time of data center servers. The first three
client-side scenarios describe three basic machine roles and how each might be best managed.

Managed desktop
The IT administrator has set the Automatic Updates policy so that Automatic Updates performs a
scheduled installation every day at 3 A.M. When an update has been successfully downloaded,
Automatic Updates logs an event that an update is ready to install at the next scheduled day and time.
Prior to installation, Automatic Updates displays a countdown dialog box to the first found local
administrator for a five-minute duration. If a local administrator is logged on to the system, the local
administrator can stop the installation, and Automatic Updates schedules the installation for the next
day at 3 A.M. Automatic Updates only displays this countdown to local administrators. If no local
administrator logs on, or if no local administrator stops the countdown, the installation proceeds.

Managed server
The IT administrator has set the Automatic Updates policy so that Automatic Updates performs a
scheduled installation every Saturday at 3 A.M. When an update has been successfully downloaded,
Automatic Updates logs an event that an update is ready to install at the next scheduled day and time.
Automatic Updates then adds an icon to the notification area and displays a balloon to the first found
local administrator explaining that there are updates ready to install. Since the IT administrator used the
policy to configure Automatic Updates, the local administrator cannot deselect any updates. The local
administrator chooses not to install at this time and closes the balloon. The Automatic Updates icon
remains in the notification area to allow the local administrator access to install the updates any time
prior to the scheduled installation time. Provided the installation has not occurred, on Saturday at 3 AM,
Automatic Updates displays the countdown dialog box to the first found local administrator. If no local
administrator logs on, or if no local administrator stops the countdown, the installation proceeds.

Managed data center server

The IT administrator has set Automatic Updates to notify when updates are ready to install. When an
update has been successfully downloaded, Automatic Updates logs an event that an update is ready to
install. The event also indicates that the local administrator must manually install the update. An IT
administrator remotely checks the system events on the data center server and sees an event stating
that an update is ready to install. The IT administrator determines the next available planned system
maintenance window and then executes their change notification plan. On the day and time of the
scheduled maintenance, the local administrator logs on to the server and manually installs the critical
update using Automatic Updates.

Automatic Updates Client interaction

The customer has set Automatic Updates to perform scheduled installations every Saturday at 3 A.M.
On Thursday at 1 P.M., a critical update is ready to install. Automatic Updates then adds an icon to the
notification area and displays a balloon explaining that updates are ready to install. The customer clicks

Software Update Services Overview 5

 Microsoft® Windows® Server White Paper

the balloon to see the available updates. The customer reviews the updates and sees the ability to
immediately perform the installation. Because a scheduled day and time is set, the Remind me later
button is unavailable so that the reminder time is not confused with the scheduled time. The customer
decides to install the updates by clicking the Install button. Automatic Updates immediately installs the
updates.

Non-admin user
The IT administrator has set Automatic Updates to perform a scheduled installation every day at 3 A.M.
An update completed its download and is ready to install during the day. The non-admin local user does
not get an Automatic Updates icon in the notification area stating that the installation is ready. The user
then turns the computer off for the night. In the morning, Automatic Updates detects that the scheduled
installation time has passed and reschedules the installation for the next day at 3 A.M. This time, the
computer is still on at 3 A.M and a local user is using the computer. Because this user is not a member
of the local administrators group, there is no notification to the user that the installation is about to
occur. If the update requires the system to be restarted the non-administrative user will be notified and
allowed five minutes to save their work and log off before the automated computer restart.

Server-side Scenarios

Review, test, and approve updates

An IT administrator wants to test all critical updates published on Windows Update before deploying
any updates to client computers on the network. In this scenario, the IT administrator has two servers
running Software Update Services. The IT administrator sets an Automatic Updates policy so that a
small number of computers designated to test updates point to the test server running Software Update
Services. Another Automatic Update policy has the rest of the computers on the network pointed to the
production server running Software Update Services. The IT administrator uses the synchronization
feature of Software Update Services to download updates from Windows Update. The IT administrator
uses the test server to approve a number of updates for testing. When testing of the updates has
successfully completed, the administrator approves the updates on the production server

Automatic synchronization
An IT administrator who always wants all users to be up-to-date with the fixes from Microsoft as soon
as they are available can set up a synchronization schedule to check the Windows Update server for
new updates every day at, for example, 5 PM. Before going home at 6 PM, the IT administrator tests
and approves newly downloaded updates on the servers. The next time the client computers connect to
the server, they are able to download the latest updates.

Software Update Services Overview 6

 Microsoft® Windows® Server White Paper

Client-Side: Automatic Updates

Supported Platforms
Client computers using Windows 2000 Professional, Windows 2000 Server, or Windows 2000
Advanced Server (each with Service Pack 2), or Windows XP Professional or Windows XP Home
Edition must update their operating system to use Automatic Updates with Software Update Services.
The update for these platforms comes with the Software Update Services installation program. For
installation instructions, see the white paper, “Software Update Services Deployment Guide” available
at: http://go.microsoft.com/fwlink/?LinkId=6928.

Note: Microsoft includes the update required for the operating systems listed above in Windows 2000
Service Pack 3 and Windows XP Service Pack 1.

User Experience

Configuration options
A local administrator can configure Automatic Updates using a wizard that is displayed 24 hours after
connectivity to the update service is established on a computer, or by using the Automatic Updates
configuration page in Control Panel (in Windows XP, go to System Properties; in Windows 2000, go to
Automatic Updates Properties). The local System Properties configuration options are shown in
Figure 1. Alternatively an IT administrator can configure Automatic Updates using Group Policy in an
Active Directory environment or by configuring registry entries.

Software Update Services Overview 7

 Microsoft® Windows® Server White Paper

Figure 1. Automatic Updates control panel with options

These options give the local administrator control over how they want updates downloaded and
installed on their computer. They can select:
• To be notified before downloading updates, and notified again before installing the downloaded
updates.

• To have updates automatically downloaded, and notify an administrative user before installing
updates.

• To have updates automatically downloaded and installed based upon a specified schedule.

Notification is through a notification-area icon and balloon. Figure 2 depicts an installation notification
icon and balloon. The download notification is similar to the installation notification. All notification
events are logged in the system event log.

Download behavior
Automatic Updates downloads updates based on the configuration options that the local administrator
selected. It uses the Background Intelligent Transfer Service (BITS) in Windows to perform the
download by using idle network bandwidth. If Automatic Updates is configured to notify when updates
that are ready to download, Automatic Updates sends the notification to a logged-on local administrator.

Software Update Services Overview 8

 Microsoft® Windows® Server White Paper

If no local administrator is logged on, Automatic Updates waits for local administrator to log on before
offering the notification that updates are ready to be downloaded.

Note BITS is included in Windows XP. To provide the same functionality on Windows 2000, the Automatic
Update installer provides BITS for Windows 2000 SP2 machines.

Installation behavior
Automatic Updates installs updates based on the configuration options that the local administrator
selected.

Installation notification
If Automatic Updates is configured to notify when updates are ready to install, the notification is sent to
the system event log and to the notification area as shown in Figure 2.

Figure 2. Notification area display

When a local administrator clicks the balloon or notification area icon, Automatic Updates displays the
available updates to install as shown in Figure 3. The local administrator must then click the Install
button to allow the installation to proceed. If the update requires a restart of the computer to complete
the installation, a message is displayed stating that a restart is required. Until the system is restarted,
Automatic Updates cannot detect any additional updates that might be applicable to the computer.

Software Update Services Overview 9

 Microsoft® Windows® Server White Paper

Figure 3. Automatic Updates Ready to Install dialog box

The Remind Me Later button provides a way for the installation to be deferred. The options are: 30
minutes, 1 hour, 2 hours, 4 hours, tomorrow, and 3 days.

Scheduled installation
If Automatic Updates is configured to install on a set schedule, updates are automatically downloaded
and marked as ready to install. If a local administrator is logged on, Automatic Updates notification is
sent to the system event log and to the notification area as shown in Figure 2.. If the icon or balloon is
clicked, the local administrator sees a dialog box similar to Figure 3 but with the Remind Me Later
button disabled. Installation can be done at any time prior to the scheduled install time by clicking the
Install button.

At the scheduled day and time, Automatic Updates installs any updates marked as ready to install and
restarts the computer (if necessary), even if there is no local administrator logged on. If a local
administrator is logged on, Automatic Updates displays a warning that an installation is about to begin,
as shown in Figure 4.

Software Update Services Overview 10

 Microsoft® Windows® Server White Paper

Figure 4. Automatic Updates pre-install countdown dialog

If a restart is required and a user is logged on, a similar countdown dialog box is displayed, warning the
user about the impending restart.

Administrator Control via Policies

The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active
Directory environment. Administrator-defined configuration options driven by Group Policy always take
precedence over user-defined options. In addition, Automatic Updates Control Panel options are
disabled on the target computer when administrative policies have been set.

Configuring Automatic Updates setting

This Group Policy setting (located in Computer Configuration\Administrative Templates\Windows
Components\Windows Update) specifies whether this computer receives security updates and other
important downloads through Automatic Updates. When enabled, it also specifies the download and
installation behavior, just like the user options in Control Panel. See Figure 5.
Figure 5. Group Policy setting to configure Automatic Updates service

If the Automatic Updates service is enabled via this Group Policy setting, one of the following three
options must be set (in the drop-down menu below Configure automatic updating):

Software Update Services Overview 11

 Microsoft® Windows® Server White Paper

• Notify for download and notify for install, This option notifies a logged-on administrative user
prior to the download and prior to the installation of the updates.

• Auto download and notify for install. This option automatically begins downloading updates and
then notifies a logged-on administrative user prior to installing the updates.

• Auto download and schedule the install. Typically, if Automatic Updates is configured to perform
a scheduled installation, the recurring scheduled installation day and time is also set.

Possible options for scheduled installation days and times are:

• Day: “Every day”, and “Every Sunday” to “Every Saturday”

• Time: 12 A.M. to 11 P.M. in 24-hour format (00:00 to 23:00)

Note: Setting the policy to perform scheduled installations disables the Remind Me Later button in the
Ready to Install Update dialog box.

If this policy is disabled, Automatic Updates does not perform any system updating, and any available
updates must be downloaded and installed manually by going to the Windows Update site at
http://windowsupdate.microsoft.com.

Important: If the “Remove access to use all Windows Update features” Group Policy setting (located in
User Configuration\Administrative Templates\Windows Components\Windows Update) is enabled,
Automatic Updates is disabled for that logged-on user. Because this is a user-based value, it makes a local
administrator appear as a non-administrator so that user will not be able to install updates. With this policy
enabled, Automatic Updates still runs and, if configured as such, a scheduled installation can still occur.

Configuring your server running Software Update Services

Administrators can use Group Policy in an Active Directory environment or can configure registry keys
to specify a server running Software Update Services. Computers running Automatic Updates then use
this specified server to get updates. Administrators can also use a Web server to log statistical
information from Automatic Updates about updates that have been downloaded and their installation
status. These statistics are sent using the HTTP protocol, so the Web server can collect this information
in its logs. The statistics server must be a computer running IIS 5.0 or greater with logging enabled.

Software Update Services Overview 12

 Microsoft® Windows® Server White Paper

Figure 6. Group Policy setting to specify your server running Software Update Services

If you specify a server running Software Updates Services, computers running Automatic Updates use
that server for updates. If you do not specify a server running Software Update Services, Automatic
Updates gets updates from the public Windows Update service.

If you specify a server running Software Update Services and specify a Web server for collecting
statistics, computers running Automatic Updates send success or failure information about the
download and installation status to the log files of the Web server.

Note: Both the server running Software Update Services and the statistics server can be the same
computer.

Policy templates
The Software Update Services installation package includes a policy template file, Wuau.adm, which
contains the Group Policy settings described earlier in this paper. These settings can be loaded into
Group Policy Editor for deployment. These policies are also included in the System.adm file in
Windows 2000 Service Pack 3, and will be included in the Windows .NET Server family, and
Windows XP Service Pack 1 when they are made available.

Software Update Services Overview 13

 Microsoft® Windows® Server White Paper

Configuration options in a non-Active Directory environment

In a non–Active Directory environment, an administrator can set registry settings to configure Automatic
Updates. The following settings are added to the registry of each Windows client at this location:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU
• NoAutoUpdate

Range = 0|1. 0 = Automatic Updates is enabled (default), 1 = Automatic Updates is disabled.

• AUOptions

Range = 2|3|4. 2 = notify of download and installation, 3 = auto download and notify of installation,
and 4 = auto download and scheduled installation. All options notify the local administrator.

• ScheduledInstallDay

Range = 0|1|2|3|4|5|6|7. 0 = Every day; 1 through 7 = the days of the week from Sunday (1) to
Saturday (7).
• ScheduledInstallTime

Range = n; where n = the time of day in 24-hour format (0-23).

• UseWUServer

Set this to 1 to enable Automatic Updates to use the Software Update Services server as specified
in the WUServer value.

To determine which server running Software Update Services your clients and servers go to for their
updates, place the following two settings in the registry at this location:
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
• WUServer
Sets the Windows Update intranet server by HTTP name (for example, http://intranetSUS).

• WUStatusServer
Sets the Windows Update intranet statistics server by HTTP name (for example, http://intranetSUS).

System Events
Automatic Updates writes events to the system event log to notify users of operations being performed.
These events can be collected and analyzed by other event-log monitoring tools. The events cover the
following scenarios:
• Unable to connect. Automatic Updates is unable to connect to the update service (Windows
Update or the server running Software Update Services) and therefore cannot download and install
updates according to the set schedule. Windows will continue to try to establish a connection.

• Install ready – no recurring schedule. Downloaded updates that are ready to install are listed in
the event. To install the updates, an administrator needs to log on to the computer, where they see
the notification area icon and install the updates.

• Install ready – recurring schedule. Downloaded updates that are ready to install are listed in the
event. Additionally, the date and time for the scheduled installation of those updates is listed.

Software Update Services Overview 14

 Microsoft® Windows® Server White Paper

• Install Success. Successfully installed updates are listed.

• Install Failure. Updates that failed to install are listed.

• Restart required – no recurring schedule. To complete the installation of the listed updates, the
computer must be restarted. Until the computer has been restarted, Windows cannot search for or
download new updates.

• Restart required –recurring schedule. To complete the installation of the listed updates, the
computer will be restarted within five minutes. Until the computer has been restarted, Windows
cannot search for or download new updates.

Software Update Services Overview 15

 Microsoft® Windows® Server White Paper

Server-Side: Software Update Services

Software Update Services is an intranet-hosted version of the Windows Update service specifically
designed to service computers running the Automatic Updates client within an intranet. It does this by
downloading updates from the public Windows Update service and making them available under
administrator control.

Supported Platforms
Software Update Services runs on Windows 2000 Server with Service Pack 2 or later, and on the
Windows .NET Server family.

Software Update Services is only available in English and Japanese language versions. The English
version runs on other localized Windows 2000 Server releases.

Installation and Configuration

This paper presents an overview of the server-side components Software Update Services. System
administrators who want detailed information on how to configure or deploy Software Update Services
should read Software Update Services companion white paper, “Software Update Services Deployment
guide” available at: http://go.microsoft.com/fwlink/?LinkId=6928.

Installation
The installation process for the Software Update Services is through a Windows Installer package that
installs the necessary server files and configures Internet Information Services.

The recommended minimum hardware to run Software Update Services is a Pentium III 733 MHz
computer with 512 MB of RAM. This hardware configuration can support 15,000 client machines.

Configuration
Configuration options include the following:
• Choice of whether the update files are hosted on the Internet Windows Update service or locally on
your server running Software Update Services.

• Proxy-server information for the server to access the Internet.

• Options for handling previously approved content. This is important if previously approved content
gets changed on the Windows Update service.

• The list of client languages you would like to support.

Administrative Experience
The four main administrative tasks for Software Update Services are:
• Server configuration after initial installation.

• Synchronization (manual and automatic) of content between the public Windows Update service
and the server running Software Update Services.

• Selection and approval of synchronized content to be published to computers running the

Automatic Updates client.

Software Update Services Overview 16

 Microsoft® Windows® Server White Paper

• Monitoring of server status and logs.

These administrative tasks are performed via a series of Web pages hosted on the server running
Software Update Services itself that can be accessed over a corporate intranet using a version of
Internet Explorer 5.5 or newer. See Figure 7. For this version of Software Update Services, there is no
UI for managing multiple servers as a set.

Figure 7. Software Update Services server administration

Home page
The home page for the administrative tools displays dynamically generated information deemed
interesting to Software Update Services server administrators. Some of the information presented
includes:
• Bulletins about new or updated security updates

• Information on released service packs

• Information about updates available for the Software Update Services

Synchronizing the server

There are two types of content that can be synchronized from the Windows Update server. These are:
• Update meta-data

• Update files

Software Update Services Overview 17

 Microsoft® Windows® Server White Paper

The update metadata contains the descriptions of available updates and the applicability rules that are
used to apply them to a target computer. This metadata is always downloaded during a synchronization
process.

The update files contain the files that are installed when an update is approved. They are referenced in
the update metadata, and an administrator can choose to have these files hosted on the server running
Software Update Services or on the public Windows Update servers.

Figure 8. Synchronization page

Synchronization options
There are two main options:

Synchronize Now (manual synchronization)

Synchronization schedule

The manual synchronization option allows administrators to synchronize immediately at any time,
whereas the scheduled option allows administrators to preset a day and time for synchronizing the
server with the Windows Update service on the Internet. The two options are intended to give
administrators flexibility in how their servers access the Internet. See Figure 8.

If the server configuration specifies that the update files be hosted on the intranet, those files are
synchronized together with the update metadata during synchronization.

Software Update Services Overview 18

 Microsoft® Windows® Server White Paper

Synchronization process
During synchronization, your server running Software Update Services does the following:

Connects over the Internet to the public Microsoft Windows Update service and downloads the latest
content-update metadata as a compressed package.

Validates downloaded package contains a Microsoft digital certificate. If the validation succeeds, the
package is opened. If the validation fails, the package is deleted.

Compares the new meta-data with the local copy, and notes the new and updated files.

If a previously available update has been removed from the public Windows Update service, the
synchronization process revokes that update from the server running Software Update Services. When
Windows Update revokes an update, client machines connecting to that server are no longer offered a
previously approved update.

If a previously available update has had its files updated, the synchronization process automatically
updates it on the server. If it has already been approved, it may be auto-approved or unapproved
depending on the server configuration settings that the administrator pre-set.

If the server configuration includes the synchronization of update files, new files are downloaded to the
pre-specified location on the server.

If a previously downloaded file is missing from the intranet location, a new copy is downloaded.

If a file specified by the meta-data cannot be downloaded, the associated meta-data is removed from
the list of updates that can be approved.

If a manual synchronization fails, it is logged to the synchronization log. If a scheduled synchronization

fails, it will attempt to re-synchronize 30 minutes later. By default it will retry 3 times. The administrator
can configure the number of re-tries.

A synchronization log is always updated during synchronization. This log records all of the events listed
here and is accessible in the administrative interface.

Approving updates
All updates downloaded to your server running Software Update Services need to be approved by a
server administrator before the server makes them available to computers running the Automatic
Updates client that are connected to that server.
The approval process is done through the Approve Updates page. See Figure 9.

Software Update Services Overview 19

 Microsoft® Windows® Server White Paper

Figure 9. Approving updates

Package information
The Approve Updates page list all the updates available on the server and includes the following
details: name, date the update was released, size, status of each package (Currently Approved, Not
Approved, Updated, New), brief description, a link to get more details, a note if the package requires
the computer to restart after installation, a note if the package is dependent on any other packages, and
a list of Windows platforms to which the package applies.

This list can be sorted by Date, Status (New, Approved, Not Approved, Updated, etc.), the Windows
platform it applies to, and the title of the update.

The Details link provides additional information such as:

• Name and path to the actual package (.cab/.exe) with the installation bits for the update.

• Installation parameters to pass at the command line when installing the package. Using these
parameters, administrators can manually install the package independent of Automatic Updates if
they want.

• Languages that the package supports.

• A link to a local copy of the Read This First page that exists on your server running Software
Update Services to read more information about the update. Already-approved updates have the
check boxes next to them already selected.

Software Update Services Overview 20

 Microsoft® Windows® Server White Paper

Approval process
To approve a package or packages, the administrator must:
1. Select the checkbox beside the package(s) to be approved.

2. Click the Approve button at the bottom of the page.

This two-step process makes the update(s) available to any computers running the Automatic Updates
client that are connected to that server for updates. The new list of approved updates replaces any
previous ones. Update files currently being downloaded are not impacted by this change.

In order not to approve updates, the administrator must:

1. Clear the checkbox beside the package(s) they do not want to approve.

2. Click the Approve button at the bottom of the page.

Sometimes, one or more updates are dependent upon other updates; for example, an update to
Windows Media™ Player depends on an Internet Explorer update. In those scenarios, the dependent
updates must be approved together. These dependencies are displayed in the UI.

If an update that has a dependency is approved or disapproved, the approval process displays a
warning message to the administrator to that effect. The warning message includes the names of the
dependent updates. If the administrator chooses to continue with the approval or disapproval of the
updates, the dependents are approved or disapproved respectively.

Approved updates are made available to client computers immediately, even though these computers
might not pick them up until their next server polling cycle.

Disapproved updates are not made available to computers that connect to the server after the
disapproval process. There is, however, no uninstall feature to remove updates from computers that
have already downloaded the removed updates, or which are in the process of downloading those
updates.

All approval and disapproval tasks are logged to an approval log that is accessible from the left pane in
the administrator's Software Update Services UI.

Reviewing server history and activity

Because most Software Update Services tasks involve the synchronization and approval of updates,
two logs (synchronization and approval) are provided to the administrator. These logs are stored in
XML files in an administrator-accessible folder on the server. New information is always appended to
these files. The administrator can use the administrative interface to clear these files when they become
too large.

Synchronization log
This log contains the following synchronization information:
• Time that the last synchronization was performed.

• Time of the next sync if scheduled synchronization is enabled.

• The update packages that have been downloaded and/or updated since the last synchronization.

• The update packages that failed synchronization and an associated error message to detail why the
update failed to download.

Software Update Services Overview 21

 Microsoft® Windows® Server White Paper

The log can be accessed from the left navigation pane of the administrator's Software Update Services
UI.

Approval log
This log contains the following information:
• A record of each time the list of approved packages was changed.

• The list of items that changed.

• The new list of approved items.

• A record of who made this change; that is, the name of the administrator or the synchronization
service.

The log can be accessed from the left navigation pane in the administrative UI.

Server health
The health of the server running Software Update Services, with respect to providing updates to client
computers, can be reviewed through the Monitor Server page accessible via the left navigation pane in
the administrative UI.

E-mail notification
An e-mail notification service is provided to notify Software Update Services server administrators of
new updates, revised previous updates, and so on.

Software Update Services Overview 22

 Microsoft® Windows® Server White Paper

Related Links
For more information, see the following resources:
• Software Update Services website at http://go.microsoft.com/fwlink/?LinkId=6930.

• Microsoft Security at http://www.microsoft.com/security/.

• Microsoft Windows Update at http://www.windowsupdate.microsoft.com.

• Understanding Group Policy white paper:

http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp.

Feedback
To provide feedback about Microsoft Software Update Services or this white paper, write to Software
Update Services Feedback at: [email protected].

Software Update Services Overview 23