Hello – I’m Joseph Dadzie, group program manager for Software Distribution technologies in the Windows Server team. My team is currently responsible for the infrastructure behind Windows Update and Microsoft Update, the Windows Server Update Services product, the Automatics feature in Windows, Group Policy and the Background Intelligent Transfer Service (BITS). I’m going to spend most of this blog talking about WSUS [YES!!! it is available today] and the cool things it does to help ease the patch management pain. But before that, a little background about myself.
I joined Microsoft almost 10 years ago to work on NT 4.0 after a stint as an intern in 1994 working on NT 3.51. During my first 5 years in the company, I focused on Windows OS deployment and OEM preinstall technologies. If you’ve ever installed NT 4 or Windows 2000 using the CD, unattended install or Sysprep, you’ve seen and used some of the technologies I was responsible for. For NT 3.51 veterans, do you remember CPS? Anyway, after Windows 2000 shipped I joined the Windows Update team to use Internet technologies to broadly distribute software and keep PCs always up to date.
Now to WSUS – How did the project start, why is it important, and other stuff?
In 2000, we had a Windows Update site but it was only focused on consumers. The primary corporate solution was SMS but it was targeted at larger enterprises, so small and medium size organizations didn’t really have a solution for managing patches. Some of my colleagues and I made a proposal to build a corporate version of Windows Update with the ultimate goal of making update and software distribution ubiquitous and easy to use, i.e., essentially expanding the Windows Update content and federating it into corporations. We called the concept “Industry Update.” The Code Red and Nimda viruses that came out in early 2001 made the need for this federated solution even more apparent. The patches for the vulnerabilities that got exploited had been out for a year but lots of customers hadn’t deployed it. A small team of the Windows Update team was put together to go build this solution in July 2001 – Software Update Services (SUS) 1.0 was born. At various stages, we called it Federated WU, Corporate WU, WU Corporate Edition, etc. The goal was to get Windows patching under control and then extend to all of Microsoft. The timelines were quite tight, but the customer value was great so the small team spent some good quality time in our offices, including long nights and weekends, working on SUS 1.0. We shipped the first beta in December 2001, second beta in February 2002 and released it live in May 2002. To date, we’ve had over 1.6 million downloads of SUS 1.0, with over 200,000 installations across a wide range of customers – small, medium, large and have built a great community of experts and enthusiasts out there. If you haven’t seen it, check it out. Pretty nice.
Right after that we kicked off the SUS 2.0 project with goals to address some of the shortcomings in SUS 1.0, like reporting and the inability to patch key applications like Office. This was a particularly challenging effort since it required re-design and re-writing of key components of the infrastructure while at the same time maintaining the simplicity and “it just works” model of SUS 1.0. Most SUS 1.0 customers tell us they spend less than 1hr a week managing their SUS server! We also had to align multiple internal product groups around the goals and coordinate timelines, schedules, etc. which increased the challenges but we were up to it. We were hoping to ship the product by early 2004. However some key events occured in 2003 that caused us to re-set those schedules – the Slammer virus in February and Blaster in August.
A patch management taskforce (that I got the luck to lead) was set up in February that year to look at how to address patch management from a holistic perspective. You can see the results here. One of the key recommendations was to unify the patch management toolset on a common infrastructure and have a range of solutions leveraging the infrastructure for all customer segments. WSUS addresses that key recommendation and is personally an exciting milestone for me and the other folks who have been working on this project in one form or the other since 2000.
WSUS provides both a solution and an infrastructure. It enables the Microsoft Update (MU) service to cover one stop patching for consumers. If you haven’t tried it yet, go here and set it up now. Do it for all your PCs at home, your relatives’ and neighbors’ PCs. It will save you “tech support” calls. WSUS enables corporations to have an easy to use patch management solution for Microsoft software. We don’t have all the Microsoft products yet but they will be coming soon. Office and Exchange patches are available now. SQL is also supported. It provides SMS and MBSA to have a consistent scan engine for patching – the days of one Microsoft tool telling you, “you need a patch” when the other says “you don’t” are gone. The MBSA and SMS releases will be out within the next month or so. This is just awesome!
WSUS is great for the following reasons:
- Ease of use – The UI is simple but yet functional and you can automate the tasks of getting patches and deploying them to PCs.
- Flexibility – You can group PCs into specific groups and target specific updates at those PCs. You can approve updates by group and if you just want to jam updates, set a deadline. You can run the server on port 80 or any other port you want in case some application doesn’t play well with other applications running on port 80.
- Extensibility – There are APIs on both the client and server side to extend the functionality. Say you want to patch a server but you need to orchestrate the install during a maintenance window – just write a little VB script that automates this. If you need to report patch status to executives but you don’t like our reports – use the server API (did I say it is .NET?) to export the reporting data to XML and create your own web reports. We have samples in our SDK that can help you get started.
- Secure – You can secure all communications using SSL. I highly recommend you do this even within the firewall.
There is so much more that I can talk about. However, the best way for you to experience it is to try it out yourself.
I’m at TechEd in Orlando right now and the buzz about the product is just cool – Steveb mentioned it in his keynote on Monday and the sessions are packed. We made 12,000 CDs to distribute and they are gone. Thousands of customers have already downloaded it and are using it. It was front cover of Windows IT Pro magazine and press reviews and comments have been positive. In fact, this morning Windows IT Pro Magazine hosted chat on WSUS with 127 guests.
If you have questions, don’t hesitate to comment or participate in any of our communities or use the WIKI.
Last, don’t forget to configure all your PCs to patch themselves using Automatic Updates and Microsoft Update.