Patch management is an eternal pain in the neck for Windows administrators, but many have come to rely on the freebie...
tool Windows Server Update Services (WSUS) to get the job done. Bridget Botelho, senior news writer at SearchEnterpriseDesktop.com, recently spoke with Ward Ralston, senior product manager of Microsoft's Windows Server division, and Josue Fontanez, Microsoft's core infrastructure marketing manager, about some of the latest capabilities and what IT pros can do to get more out of WSUS.
WSUS Service Pack 2 (SP2) became available last year to support Windows 7 and Windows Server 2008 R2. What are some of the new capabilities from that release?
Ward Ralston: One of the most interesting features in the [WSUS] 3.0 SP2 release is the ability to use BranchCache for delivering remote updates. With BranchCache, updates don't have to be done across the WAN; they get pushed through from a company's headquarters using Windows Server 2008 R2. This is big if you imagine not having it and pushing a 200 MB service pack over a WAN.
There was a private beta for a hosted management platform that lets IT pros manage desktops from a Web-based console, which was referred to as "WSUS from the cloud." This was the beta for "Windows Intune," which was introduced at MMS 2010, correct?
Ralston: Yes. It is aimed at a much different audience than WSUS, though. WSUS is the way to go to manage and update patches, but it is a bit over the top for a small shop. That's where Intune fits in.
Now that there is a cloud version of WSUS, will Microsoft extend WSUS to support other platforms, such as Azure?
Ralston: It's too early to say where our roadmap is headed because we just released a version in August which is still very new.
What about virtual desktops? Are people using WSUS to manage VDI [virtual desktop infrastructure], and how does it handle that type of environment?
Ralston: To a WSUS infrastructure, it doesn't matter if a desktop is physical or virtual, so it's a perfectly suitable tool for virtual desktops.
More on WSUS:
There is a WSUS forum where admins post their wish lists for future versions. Microsoft refers a number of those "wishes" to third-party partner EminentWare to fill, such as the ability to run commands before a scheduled update, or after a scheduled update if the patch requires the machine to reboot. Problem is, even the small-business version [for up to 250 devices] of EminentWare's WSUS extension pack costs $3,000; the enterprise edition costs $5,000 [for up to 500 devices] -- plus annual maintenance fees. This is too expensive for a lot of WSUS users.
Will Microsoft continue to rely on third-party vendors, which your customers have to pay for, or will you eventually fill some of those gaps?
Ralston: Here is how we look at it: We consider our free tools the Toyota Corolla of our product line, and as you look for more functionality, you can invest in upgrades through third parties. Or if you want the Cadillac, you can get Systems Center. But for free, we are just delivering the core fundamentals for patch management and updates.
Josue Fontanez: Let me add to that. Typically, customers get to a point -- either through maturity or size -- where WSUS doesn't cut it anymore. If they do get Systems Center and Configuration Manager, they don't have to throw WSUS away; it integrates for some patching and infrastructure. So with Systems Center, they get richer features, and with WSUS, they can do things like remote patch management.
At what point does WSUS no longer cut it?
Fontanez: There really is no hard and fast rule on when it is better to upgrade to Systems Center or stay on the free version. If you have 300 desktops and a mature IT organization that does deployments quickly, and you want a full suite of management technologies, then Configuration Manager and Systems Center may be better for you.
I know you aren't allowed to tell me anything about what is coming in future versions WSUS. Is there anything you can tell Windows admins about what to expect, so they can plan ahead?
Ralston: (Laughs) It's too early to say, because we don't have any betas that are mature enough to discuss. But I will suggest users take advantage of the WSUS forum, because the WSUS team actively listens to that feedback and takes action based on comments posted there. We'll continue building on WSUS based on those user requests.