Microsoft's WUS delivers on patch promises

We tested the first public beta of Windows Update Services and found that it's a definite improvement over Software Update Services, the product it replaces. And it presents a credible alternative to existing patch management products such as BigFix and PatchLink for cost-conscious, Windows-only shops.

The software, slated to ship in the first half of this year, includes a brand-new reporting module. It lets administrators configure patch profiles based on groups of computers. It also lets administrators patch additional Microsoft programs, such as Office, Exchange, SQL Server and Microsoft Data Engine, running on Windows machines.

The agent software required for WUS to function properly is included in Windows 2000 (starting in SP3), XP and 2003. This relieves the administrator from having to deploy and manage a separate agent.

However, Microsoft needs to push patch support for third-party products - with Adobe Acrobat and RealPlayer being prime examples - and custom patch deployments into WUS to compete even more directly with other patching products on the market.

One of the most common complaints about SUS was that it didn't include any reporting capabilities. WUS's reporting module offers basic functionality, such as the ability to view and print reports on update status, synchronization results and configuration settings. Update status reports list information by patch and can be generated based on the approved action for a patch (install, detect, remove) and by computer group.

We tested how well WUS could report on the status of installed updates in our Infrastructure Server group (see "How we did it"), but found it difficult to quickly identify which patches were deployed to each computer. We would like to see the reporting module expanded with additional options, such as the ability to generate reports by computer, by updates that have been installed/removed in a selected time period and by updates that have been installed/removed for each product group.

WUS also adds grouping functionality. Computers now can be assigned to groups, providing the ability to define different patch baseline and deployment policies for different sets of computers. For example, you now can have different policies for your servers and your end-user workstations all administered from one WUS server. In the past, you needed two separate SUS servers.

Computers easily can be assigned to groups manually through the WUS Administration interface or automatically using the "enable client-side targeting" group policy setting. We used the automatic assignment functionality in our testing and didn't encounter any issues. We simply assigned computers to a group defined in Active Directory, and they automatically registered with the corresponding group in WUS. But computers only can be assigned to one group, and we would like to have the ability to assign computers to multiple groups.

	Microsoft Windows Update Services (public beta) Company: Microsoft Cost: Free Pros: Agent support built-in to current Windows operating systems; Can’t beat the cost. Cons: Limited reporting functionality; no support for third-party products.

Click to see:

WUS also includes a number of smaller feature improvements. Patches now can be rolled back, or uninstalled, in the event a deployment causes problems and needs to be taken out of production. Microsoft has made a lot of minor changes in how patch information is displayed for the better.