
Admins: MS should be more flexible with patch management apps

Microsoft's patch management application may be free, but admins say they're paying with less flexibility.

Windows administrators like Microsoft's SUS for patch management on the desktop, but when it comes to servers, some customers wish the freebie application would be just a tad more flexible in terms of how it schedules updates.

Software Update Services (SUS) is a patch management application that is bundled with Windows. SUS targets customers who have relatively simple environments and need to install the latest fixes on desktops and servers, according to Microsoft. The technology is not intended to be an all-encompassing patch management tool for every customer, said Bill Anderson, who is SMS lead product manager at Microsoft.

SUS works by first notifying an administrator when a patch becomes available. The patch isn't actually downloaded unless an administrator accepts the patch from an administrative console. Once that happens, all machines pointed at the SUS server will download the patch. The system must then be restarted for the patch to be fully applied.

Anderson said SUS works best in a small company where the IT director may also be a dentist, for example. It is also useful in a medium-sized enterprise, but one where there are few applications, and certainly no complex ones.

Anderson advises large enterprise customers to use a full-featured software distribution system for patches, like System Management Server (SMS). Large companies usually have a more rigid schedule in terms of when systems can or can't be shut down, and they also have more custom applications, he said.

But experts said that since patch management is crucial to securing Windows, customers should not need to buy a full-blown Windows management platform to get their patches installed.

"SUS is a great tool in that it does exactly what it says it will do," said Bill Boswell, a principal at the Windows Consulting Group, Glendale, Ariz. Boswell said that customers don't want to pull patches and have them install automatically by restarting all the servers at a pre-scheduled time, which is the way SUS works on servers today. They want to be able to push a patch to a server, and install that patch on their own schedule, he said.

"Why not give us a push-based patch management tool?" Boswell said. "When you install Windows Server 2003, secure out of the box, you should get pull and push patch management to make sure everyone stays up to date with security."

Boswell argued that small companies don't need to use SUS to approve their updates; they can simply go to Windows Update. And mid-sized companies might still find using SUS inconvenient when updating servers.

"[The customer] might have to have a separate SUS server," he said. "He can't push the changes out to his servers. He has to log off of the console, approve changes, watch them apply and restart the machine. If he's going to do that, he may as well go to Microsoft's update site."

One customer who recently checked out SUS for the first time said that he likes SUS for desktop patch management, though he prefers to manage his servers himself.

"I wouldn't want the servers to update automatically," said Cory Hopple, network administrator at Abbott Labs, Chicago. "I don't want them all rebooting at the same time."

It's hard to calculate how many companies use SUS, but by Microsoft's estimates there have been tens of thousands of downloads. SUS 2.0, which will be released later this year, will also issue updates for Office and will support some as-yet-undetermined applications -- possibly SQL Server or Exchange, Anderson said.

In addition, SUS will include improved reporting features so IT managers can get more feedback as to the status of a newly installed patch. But SUS will not offer more in the way of scheduling patch installation. Anderson said that's just not something mid-market customers are asking for yet, though he did say that Microsoft will continue looking for ways to bring more features to customers, particularly those in medium-sized businesses.

"If we keep talking to medium-sized business customers, and they need more functions, we will keep identifying ways to help," he said.

As Microsoft moves toward its next-generation management architecture, many products in the portfolio will be changing. The company's long-term goal for patch management is to make it as transparent as possible, Anderson said.

"Customers shouldn't have to think as much about a security patch," he said.

