SUS Without the Space

Control software updates, even for remote workers.

Software Update Services is starting to catch on in more companies. Many admins now have SUS download all of Microsoft's posted updates, and they then approve the updates that they want networked users to install on their computers. Users then download updates directly from the SUS server, conserving Internet bandwidth. I have one client, though, whose users are mostly remote. Those admins wanted the control SUS provides over what updates are applied to remote clients, but they didn't want clients having to come across the VPN into the corporate network to actually download the updates.

Don't Download Updates
Fortunately, SUS does exactly what they want. First, they installed a SUS server and used a Group Policy Object to configure all client computers to use it. The GPO also disabled clients' access to the Windows Update Web site, ensuring that the SUS server was the only possible source for updates. Then, they configured the SUS server options to store updates on the Windows Update Web site (as shown in the figure). Huh?

Software Update Services
Microsoft Software Update Services accessed from the Windows Update Web site. (Click image to view larger version.)

Here's how it works: SUS downloads the complete catalog of updates, and the company can approve the ones they want their clients to have. Their clients check in with the SUS server to see what updates are approved. Those updates are downloaded, however, from the Windows Update Web site, essentially by referral from the SUS server. So the company gets complete control over what updates are deployed, and the clients make a direct connection to the Windows Update Web site to physically obtain approved updates. It's a clever trick that makes SUS a lot more workable for remote clients.

If you have a mix of local and remote clients, you can still use this technique. Put up two SUS servers: One for local clients and one for remote clients. Separate the clients by organizational unit and apply a GPO that points them to the appropriate SUS server. The SUS server for local clients can download updates from Microsoft and make them available locally, conserving WAN bandwidth; the remote users' SUS server can store updates on the Windows Update Web site, allowing clients to download the updates themselves.

Micro Tip Sheet

Want a better remote server administration experience? Install Windows 2003's AdminPak.msi on your Windows XP machine and take advantage of the Remote Desktops console. You can maintain multiple remote desktop connections within a single window and can easily connect to the new remote console connection provided by Windows 2003. Remote Desktops console can connect to any RDP-compatible server, all the way back to Windows NT 4.0 Terminal Server Edition.

More Resources
Windows Update v5 and SUS 2.0 are coming soon and will be named WUS; read the overview: http://download.microsoft.com/download/7/b/5/7b5ab54c-9b9e-46a7-9cc4-427c90122503/sus_2.0_overview.doc

SUS forums: http://forums.susserver.com/

About the Author

Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.

Featured