SUS Without the Space

Control software updates, even for remote workers.

Software Update Services is starting to catch on in more companies. Many admins now have SUS download all of Microsoft's posted updates, and they then approve the updates that they want networked users to install on their computers. Users then download updates directly from the SUS server, conserving Internet bandwidth. I have one client, though, whose users are mostly remote. Those admins wanted the control SUS provides over what updates are applied to remote clients, but they didn't want clients having to come across the VPN into the corporate network to actually download the updates.

Don't Download Updates
Fortunately, SUS does exactly what they want. First, they installed a SUS server and used a Group Policy Object to configure all client computers to use it. The GPO also disabled clients' access to the Windows Update Web site, ensuring that the SUS server was the only possible source for updates. Then, they configured the SUS server options to store updates on the Windows Update Web site (as shown in the figure). Huh?

Software Update Services
Microsoft Software Update Services accessed from the Windows Update Web site. (Click image to view larger version.)

Here's how it works: SUS downloads the complete catalog of updates, and the company can approve the ones they want their clients to have. Their clients check in with the SUS server to see what updates are approved. Those updates are downloaded, however, from the Windows Update Web site, essentially by referral from the SUS server. So the company gets complete control over what updates are deployed, and the clients make a direct connection to the Windows Update Web site to physically obtain approved updates. It's a clever trick that makes SUS a lot more workable for remote clients.

If you have a mix of local and remote clients, you can still use this technique. Put up two SUS servers: One for local clients and one for remote clients. Separate the clients by organizational unit and apply a GPO that points them to the appropriate SUS server. The SUS server for local clients can download updates from Microsoft and make them available locally, conserving WAN bandwidth; the remote users' SUS server can store updates on the Windows Update Web site, allowing clients to download the updates themselves.

Micro Tip Sheet

Want a better remote server administration experience? Install Windows 2003's AdminPak.msi on your Windows XP machine and take advantage of the Remote Desktops console. You can maintain multiple remote desktop connections within a single window and can easily connect to the new remote console connection provided by Windows 2003. Remote Desktops console can connect to any RDP-compatible server, all the way back to Windows NT 4.0 Terminal Server Edition.

More Resources
Windows Update v5 and SUS 2.0 are coming soon and will be named WUS; read the overview: http://download.microsoft.com/download/7/b/5/7b5ab54c-9b9e-46a7-9cc4-427c90122503/sus_2.0_overview.doc

SUS forums: http://forums.susserver.com/

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.