April 2004 Addendum

Important addition to April security newsletter relating to the UCL campus SUS server

1.2 SUS server for UCL campus

Microsoft Windows Update can be used for keeping Windows systems up to date. To prevent multiple computers on the UCL network having to connect to the Microsoft Windows Update site to download identical updates, a SUS Server has been set up within the UCL campus to hold local copies of these. The server allows access from any UCL computer.

A SUS server allows the distribution of Security Fixes and Critical Updates released by Microsoft to machines running the following operating systems: Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows XP Professional, Windows XP Home Edition, and the Windows Server 2003 family. The client software is included in Windows 2000 starting from Service Pack 3 and Windows XP starting from Service Pack 1. Be aware that other Windows versions (Windows 98, ME, NT) cannot use a SUS server.

UCL's SUS server is synchronised with Microsoft each day. At the moment only updates for the English locale are available; however, additional locales could be made available if required.

Configuration of the client software can be done by group policy (e.g. for systems in a Windows 2000 domain), or via registry settings (e.g. for systems in an NT domain).

The following example describes how to manually configure a single system.

Two registry keys have to be edited as administrator to enable UCL's SUS server as the default Automatic Updates source:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://ms-sus.ucl.ac.uk"
"WUStatusServer"="http://ms-sus.ucl.ac.uk"

The following registry keys also have to be edited:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001
"NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"NoAutoUpdate"=dword:00000000
"ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003

The following (within ---) was missing in the earlier mailing:

---
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000004

which initialises the automatic download of updates and the automatic installation at the scheduled day and time.
---

These settings represent an example where the machine automatically downloads and installs all required updates. An installation will take place every day at 3 am, as long as an update has been downloaded before. The exact time downloads take place is usually variable (but see http://www.susserver.com/FAQs/FAQ-ForcingUpdateDetection.asp on how to force an update detection). Be aware that delays of up to 24 hours between downloading and installing updates are possible. In case the update installation requires a reboot, normal users logged in when the installation time passes will be presented with a request to reboot the system.

Other settings are possible depending on the way a particular machine is used. Refer to the deployment white paper for more details.

Once registry changes have been made, the "Windows Updates" service needs to be restarted.

To find out if the client is connecting to the SUS server, check the system event log on the client, where downloads and installations should be logged. Also check the file "Windows update.log" in %WINDIR%, which should contain entries indicating that the client connects to ms-sus.ucl.ac.uk.
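A check for the omission this addendum corrects, as an added example that is not part of the original newsletter: it parses registry text in the format shown above and compares it with the values listed on this page. The function names (parse_reg, audit) and the sample input are assumptions made for the illustration.

```python
import re

WU = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = WU + r"\AU"
URL = "http://ms-sus.ucl.ac.uk"
EXPECTED = {  # values copied from the settings listed on this page
    WU: {"WUServer": URL, "WUStatusServer": URL},
    AU: {"UseWUServer": 1, "NoAutoRebootWithLoggedOnUsers": 1,
         "RescheduleWaitTime": 1, "NoAutoUpdate": 0, "ScheduledInstallDay": 0,
         "ScheduledInstallTime": 3, "AUOptions": 4},
}
VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"([^"]*)")')

def parse_reg(text):
    """Parse .reg-style text into {(KEY, value_name): int or str}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()  # registry key names are case-insensitive
        elif key:
            # findall also copes with several values run together on one line
            for name, dword, string in VALUE_RE.findall(line):
                values[(key, name.lower())] = int(dword, 16) if dword else string
    return values

def audit(text):
    """Return findings in EXPECTED order; an empty list means all values match."""
    actual, findings = parse_reg(text), []
    for key, names in EXPECTED.items():
        for name, want in names.items():
            got = actual.get((key.upper(), name.lower()))
            if got is None:
                findings.append(f"missing: {name}")
            elif got != want:
                findings.append(f"mismatch: {name} is {got!r}, expected {want!r}")
    return findings

# Constructed sample: the settings as sent in the earlier mailing, without AUOptions.
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://ms-sus.ucl.ac.uk"
"WUStatusServer"="http://ms-sus.ucl.ac.uk"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000001 "NoAutoRebootWithLoggedOnUsers"=dword:00000001
"RescheduleWaitTime"=dword:00000001
"NoAutoUpdate"=dword:00000000 "ScheduledInstallDay"=dword:00000000
"ScheduledInstallTime"=dword:00000003'''

print(audit(SAMPLE))  # ['missing: AUOptions']
```

A file exported by regedit is normally UTF-16, so decode it before passing the text to audit().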

For more details and additional examples see Microsoft's "SUS Deployment White Paper" at http://go.microsoft.com/fwlink/?linkid=6928.

The current IS policy is to approve all updates made available from Microsoft immediately, without further testing, as it is impossible to test and foresee all possible interactions with the variety of client setups at UCL.