Hack 89 Software Update Services FAQ

figs/beginner.gif figs/hack89.gif

Rod Trent of myITforum.com shares his answers to some frequently asked questions regarding Software Update Services (SUS).

Software Update Services (SUS) is a free patch-management product you can download from Microsoft's web site (http://www.microsoft.com/windowsserversystem/sus/). SUS is an excellent solution for keeping small and mid-sized corporate networks up-to-date with patches released by Microsoft. For large enterprise networks, I recommend using Systems Management Server (SMS) as a complete solution.

Here are some common SUS questions and my answers. For more entries from the Software Update Services FAQ, search for "Software Update Services" at myITforum.com (http://www.myitforum.com).

Operating System Support

Which operating systems are supported under SUS?

SUS is supported on the following Microsoft Windows platforms:

Microsoft Windows 2000 Professional (with SP2 or later)
Microsoft Windows 2000 Server (with SP2 or later)
Microsoft Windows 2000 Advanced Server (with SP2 or later)
Microsoft Windows XP Professional
Microsoft Windows XP Home Edition
Microsoft Windows Server 2003
Older versions of Microsoft Windows, including 95, 98, NT, and ME, are not supported by SUS.

Active Directory Support

Q: Is Active Directory required for SUS to work?

A: No, it's not required. However, SUS works well with Active Directory.

Separating Workstations and Servers

Q: How can you approve different update lists for workstations and servers?

A: If you need different approved lists for workstations and servers, install two different SUS servers in your environment: one specifically for workstations and one just for servers.

Control Panel Icon

Q: My Automatic Updates service is running in Services. But in Control Panel, there is no Automatic Updates icon. I am running Windows XP SP1.

A:Windows XP Automatic Updates is not available in the Control Panel. Instead, it has its own tab in My Computer Properties.

Approving Updates After First Synchronization

Q: I just installed SUS and downloaded the horde of old updates. How do I handle these? Is there some way to remove them? Or do I need to approve them all?

A: Go ahead and approve all updates. If the computers already have the specific updates installed, they will ignore them. This allows you to put all old updates into the list of already approved updates so that you can filter them out.

Downloading and Testing Updates

Q: I see the downloaded updates in the SUS\Content\Cabs directory, but how can I install a specific update for testing without knowing the Q-number associated with a bulletin?

A: Instead of spending a lot of time trying to associate a Q-number with the downloaded filename, use SUSAdmin to download the specific update you want. Simply open SUSAdmin by using the URL http://SUSServerName/SUSAdmin and click the Approve Updates link. Locate the update you want to test and click the Details link. When the Details windows displays, click on the filename link. This downloads the update executable to your computer, where you can test the installation.

Order of Updates

Q: Do I need to worry about patching out of order through SUS?

A: The installation is done on the client side (Automatic Updates) and there is no particular order enforced, but it should work correctly in whatever order the installs are done. The functionality of the old qchain.exe is built into the current update.exe that is used to install patches, and it is supposed to be smart enough to not overwrite newer binaries with older ones.

Detecting Connection

Q: How can I tell if my system is connecting to the SUS server?

A: Check the SUS log file on your system, at %systemroot%\Windows Update.log.

Knowing When the Server Is Synching

Q: How do I know if my SUS server is synching?

A: Open Task Manager and switch to the Processes tab. Locate a process called WUSyncSvc.exe. If your SUS server is currently synching updates, this process will be loaded and active. Also, the Software Update Services Synchronization Service will be started and running in the list of computer services.

Cleaning the Updates Directory

Q: I have uninstalled SUS due to a full hard drive, but the drive remains full. Is there something else I need to delete?

A: SUS does not remove the synchronized updates during the uninstall. You'll need to remove the files located in the SUS\Content\Cabs directory manually.

Modifying SUS IIS Rights

Q: I modified the rights for the SUS and SUS\Content\Cabs folders and now clients cannot download updates. What should these rights be set to?

A: Set anonymous access on the IIS root of the SUS server and give access to the Everyone group.

Analyzing the SUS Log Files

Q: Is there a tool/utility that can parse the SUS IIS log file and create any sort of readable report?

A: There is a standalone SUS Reporting Utility tool you can use. An online version is located at http://www.susserver.com/Software/SUSreporting/.


Q: Have you seen the following line in the patchinstall.log file when you send multiple security patches in the same package?

TimeExpire: Sending Command1 message, CurrentTime = (14900746),

StartTime = (14879725)

A: This is not an error. It means that the countdown timer expired without the user selecting any option and the system is now taking the default action (reboot, install, or postpone). Entries before or after this line should shed more light as to what was done.

SUS and Name-Resolution Issues

The clients connect OK, and they receive notification that updates are ready to download. I then click the icon to receive a list of updates that are needed. When I click the "Start Download" button, the window disappears and nothing happens. Any ideas?

This particular issue is because a result of a name-resolution problem. Create an LMHOST file entry pointing to the SUS server. Then, the downloads and installations should proceed as expected.

SUS Feedback

Q: Is there an email alias for submitting comments, suggestions, and requests for SUS directly to Microsoft?

A: Yes. You can email cwufdbk@microsoft.com. You might not receive a direct response, but Microsoft does monitor this mailbox.

?Rod Trent