Microsoft Software Update Services (SUS) is like a copy of Microsoft Windows Update inside your corporate firewall for critical updates and security updates for Microsoft Windows 2000 Server, Windows 2000 Professional, Windows XP, and Windows Server™ 2003. SUS connects through your firewall to the Windows Update site and allows IT administrators to import critical updates, security updates, and service packs. Unlike the Windows Update site, however, administrators maintain control over which items will be published internally to corporate servers and desktops.

Administrators can receive e-mail notification when updates are added to their SUS pipeline. This allows administrators to prioritize installation of the most critical updates quickly and easily.

SUS consists of both client-side and server-side components to provide a basic solution to critical update management. The client-side components are included as part of the operating system in Windows 2000 SP3 and later, Windows XP SP1 and later, and Windows Server 2003.

Client-side Features

The client is based on the Windows Automatic Updates technology for Windows XP but with significant enhancements for improved manageability. Automatic Updates is a proactive “pull” service that allows for automatic detection, download, and installation of required Windows updates such as critical operating system fixes and Windows security patches. Client-side features include:

Guaranteed installation of approved updates.

IT administrators can configure Automatic Updates to automatically download updates and schedule their installation for a specified time. If the computer is turned off at that time, the updates can be installed as soon as the computer is turned on.

Scheduled installation options.

Local administrators can be allowed to download and install updates manually. Non-local administrators are prevented from downloading or installing updates. This prevents unauthorized users from tampering with the installation of updates.

Built-in security.

Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally signed the files.

Accurate detection of necessary updates.

Automatic Updates uses the same proven technologies as the Windows Update site to scan a particular system and determine which updates are applicable.

Background downloads.

Automatic Updates uses the Background Intelligent Transfer Service (BITS), an innovative bandwidth-throttling technology, to download updates. Because this bandwidth-throttling technology uses only idle bandwidth, downloads do not interfere with or slow other network activity, such as Internet browsing.

Chained installation.

Automatic Updates uses Windows Update technologies to install downloaded updates. If multiple updates are being installed and one or more of them requires a restart, Automatic Updates installs them all together and then requests a single restart.

Manageability.

In an Active Directory® directory service environment, an administrator can configure the behavior of Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism.

Multi-language support.

The client is supported on localized versions of Windows.

Server-side Features

Software Update Services is based on the same back-end technology used on the public Windows Update site that has been servicing Windows customers since mid-1998. It runs on Windows 2000 Server with Service Pack 2 or later. Internet Information Services (IIS) must be enabled on the server. Server-side features include:

Windows critical updates, security updates, and service packs.

SUS will include Windows critical updates, security updates, and service packs for Windows 2000, Windows XP, and Windows Server 2003.

Built-in security.

The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from Microsoft, the packages are deleted.

Selective content approval.

Updates synchronized to the server running Software Update Services are not made automatically available to the computers that have been configured to receive updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages before deploying them.

Content synchronization.

The server can be automatically or manually synchronized with the public Windows Update service. The administrator can set a schedule or set the synchronization component of the server to do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize.

Server-to-server synchronization.

Because administrators may need to run Microsoft SUS on multiple servers inside an organization—in order to bring the updates closer to desktops and servers for downloading, Microsoft SUS allows you to point to another server running Microsoft SUS instead of Windows Update. This allows for a single point of entry for updates into the network, without requiring that each SUS server download updates from the external Microsoft source. In this way, updates can be more easily distributed across the enterprise.

Update package hosting flexibility.

Administrators have the flexibility of downloading the actual updates to their intranet site or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates directly might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft-maintained download servers–in other words, the actual Microsoft Windows Update download servers. In this scenario, an administrator would download and test updates at a central site, then point computers requiring updates to one of the Windows Update download servers—all the while maintaining control over which updates are installed.

Multi-language support.

Although the Software Update Services administrative interface is available in only English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want to download updates.

Remote administration via HTTP or HTTPS.

The SUS administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or later.

Update status logging.

Administrators can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the IIS log file of the Web server.