madmatt

For anyone familar with the latest version of SUS ("WSUS") from Microsoft what is your take on "Detect Only". How are you approving updates?

Are you approving the update if computers in your organization have it. Or are you only approving an update if a computer needs the update?

I've read different opinions and want more feedback.

---

Electronic Punk

Hoping to get my boss to agree that we need this at work, we are currently using SUS which won't be getting any more updates, but my boss wants to try and deploy updates using SMS (is that possible?)

How easy is it to upgrade SUS to WSUS?

---

madmatt

SMS is the big brother of WSUS. SMS can do a lot more than WSUS including software packages, cataloging software/hardware configurations, etc. But WSUS is better priced (free).

However, WSUS is a big improvement over SUS 1.0. The migration process from SUS to WSUS looks simple. I didn't do a migration, I set WSUS up on a new server.

But, as I've said a few times, finding good information is difficult on these newer products. The Internet is filled with junk and bogus information.

---

Electronic Punk

Ah ok, we are rolling out SMS, what I was worried about was each Windows update would need to be packaged, but if it can push everything out that would be great.

---

madmatt

SMS can handle any thing that can be rolled up into a MSI or MSP (as far as I know).

Even though I would love to put in an SMS server it's just not practical yet.

---

kcnychief

You are correct on the MSI and MSP. It also allows for easier hardware-level profiling for ensuring that PC's are in the proper OU

madmatt

Back to WSUS

I approved all updates that are either already installed or need to be installed. However, for some reason I doubt my own thought process.

1.) Should I approve only updates that are "needed" at the present time. Once all "needed" updates have been approved and installed should I change the approval back to "detect only".

2.) Or should I approve all updates for all products we have in our environment even if it is not needed. (i.e. not approving a security update for DirectX 7.0 because all computers have 9.0 installed or approving a cumulative update for Internet Explorer even though it is not needed).

---

Electronic Punk

Sorry to keep butting in but we are going to go with SMS as there is a comparison table here:
http://www.microsoft.com/windowsserv...n/compare.mspx
Seems to indicate that anything WUS can do do SMS can do better

Your questions do seem to be answerable tho, even tho I have never used WSUS (although now have all it's redudant files and docs here)

1.) No need to change them back to detect only, if you rebuild a machine or add a new machine to the network you don't want to keep changing all settings, it also means if this patch is incremented or updated in someway you will automatically approve the updated update, the spyware checker tool is a good example of this.

2) Can it really hurt? I guess you are keeping local copies of whatever you download from Microsoft Update, the updates won't be installed and you never know when someone might bring in a pc from home that could get a bit of updating -- strictly against our policy but to each his own.

---

madmatt

EP, of course SMS is better. I wish I could put a SMS server in, but it's not an option right now. But, WSUS is a huge improvement over SUS (the original).

1.) That's what I said (to myself).
2.) That is correct. I am keeping local copies of all patches I selected to install. However, we are on a DOMAIN so anyone who brings in a local PC would not get updated since we are using GP. I would also know if someone hooked into my network.

---

Electronic Punk

2) I don't think it will affect you either way, unless disk space is an issue which is rarely is on such a scale with servers. We are the same with our machines, ocassionally I plug my laptop in first thing monday, with the wrong hard drive, but that is pretty much exclusively wireless, so I have the copper nic disabled...

I don't really care about desktops picking up updates, that can happen whenever and these days just bug the user that a reboot is required, until the user gets so fed up that they decide to reboot.

Our servers have to stay up during the week which means the only time we can performance maintainance is weekends and they do not pick up automatic updates from sus (in a ou that doesn't allow it), with sus to pick up these updates we would have to move it into the generic computers ou and hope that the updates would come down.

With SMS and WSUS looks like you can force this with a commandline, that in itself it worth the update.

---

madmatt

With WSUS and SMS you can select a deadline for the updates to install which overrides your GP setting. Which is really nice. The new Windows Update admin template also has new configurable settings. You can install updates that don't force a reboot as soon as they are downloaded. Gotta love GP. I'll have to post some screenshots of WSUS in action. It's really nice and it's going to make my life easier.

I installed WSUS on a secondary DC and I have about 130GB of free space. Should be plenty of room.

---

Electronic Punk

Got both SUS and WSUS installed on our last grey machine on the network
Only using SUS for updates at the moment as DOBUS, the UK military version of how we get our updates isn't quite migrated to WSUS yet as alot of their people still use SUS... It is sat there discovering tho and we still have 12 months to play with SUS, before we get SMS2003SP1 working or migrate to WSUS.

---

madmatt

EP

I was under the impression that MS was discontinuing SUS support as of the end of the month. Forcing all users to migrate to WSUS.

And by discontinuing support I mean they aren't going to send the update list out to SUS when requested. If that makes sense.

---

Electronic Punk

Thats what I thought so was eager to migrate (or infact start from scratch with WSUS) but there was no support (for us) with WSUS.

It seems that while SUS is no longer available for download, it will still continue to recieve updates until July 2006, the fact is though that if you can... you should move to WSUS.

---

madmatt

That makes sense. I did read that SUS was pulled from the downloads section.

---

funky dredd

If the settings are made to "detect only", won't that be more work later? We are pretty small so we don't use detect only. Have you had a look at http://www.wsus.info/forums/
great resource!

---

Electronic Punk

Detect only is good for us at the moment, will be nice to have a good record of our machines on the network (hundreds ) before WSUS even starts to receive updates.

---

funky dredd

So I see. We have about 300 workstations, but they are all on SUS. I just built the WSUS (live) and next week i'm going to do the migration. Should be a piece of cake!

---

madmatt

Detect Only is great. In return it tells you if the update is actually needed my any workstation or server. Therefore if it is not needed then you don't need to approve it.

I left all updates as "Detect Only" (except for the ones I declined) and I only approve it for groups that need the updates (leaving All Computers as Detect Only).

See my screenshots.

---

funky dredd

How we plan on doing ours is to migrate all of our Win 2000 machines to the new WSUS, then tear the SUS down and rebuild with a WSUS and any new XP machine will be setup to use the new one. That way, the tech guys have a list of machines to upgrade to XP from the other WSUS and the others will be fresh with the new WSUS. Make sense? Unfortunately I didn't have any input on the project, otherwise it would be done differently. Our wonderfull security officer has some great scheme...pffft (i'm not bitter or anything)
I'll take some screenshots of mine tomorrow and put it up here as well...

---