Jeff's Connected Corner

Windows Server System news and real-world info

First Impressions: WSUS 3.0 Beta 2

Welcome to the first post in a series on WSUS 3.0 Beta 2.  You can link to the second part of this post here... or jump to a review of the RC1 build here.  Enjoy!

First Impressions:

Not counting installation, the first change you’ll notice in WSUS 3.0 is the shift from a web-based interface to one built on top of the Microsoft Management Console (MMC).  In addition to bringing the product in line with other Microsoft products, the MMC enables some rich functionality.  For instance, many objects in the MMC hierarchy have useful home pages with relevant status and reporting information.  Here’s a screen shot of the top-level WSUS home page showing the status of my lab server ‘WSUS3’.

Moreover, you can right-click almost anywhere in the UI and find all kinds of useful tools.  A perfect example is the ability to add/remove columns from the Updates list.  In WSUS 2.0 you were limited to a hard-coded set of columns (Title, Classification, Release Date, and Approval).  But what if you wanted to group items by MSRC Severity, or sort them by KB Article Number?  These scenarios and more are possible with WSUS 3.0.  Take a look at these customized Updates views and see for yourself.

Updates Sorted by MSRC Number

Updates Grouped by Classification

Hey, this ain’t your father’s WSUS.  And we’re not talking about superfluous changes just for the sake of ‘oohs and ahhs’ (sorry Vista team).  The new UI will improve your productivity right out of the gate.  Like Office 2007, it may take some getting used to – but in the end it’s a huge win for WSUS admins.  Bravo WSUS team!

‘Big Ticket’ Items:

Several other WSUS 3.0 features are worth mentioning in this initial post.  We’ll delve into some of them in more detail later this week.

  • ‘WSUS Reporters’ Delegated Administration: A frequent request from medium and large organizations is the ability to provide users with view-only access to WSUS reports.  This is often required for internal and external auditors.  However, up to this point WSUS reporting was an all or nothing proposition.  If you could run reports, you could just as easily approve updates or delete entire computer groups.  Not exactly an optimal solution.  WSUS 3.0 solves this problem with the addition of a ‘WSUS Reporters’ security group, which restricts group members to reporting functionality only.  While this is a step in the right direction, many of you have been asking for an even more robust delegated admin model.  Unfortunately delegated reporting is as far as the product team decided to go in v3.  But hey, its free… and there’s always room for improvement in v4.
  • Clients in Multiple Target Groups: WSUS 2.0 targeting was limited in the sense that a computer could only belong to one group.  Furthermore, there was no nesting hierarchy, which resulted in a long list of computer groups for some large WSUS deployments.  Both issues have been addressed in WSUS 3.0.  Computers can now belong to more than one group (e.g. Test PCs & Prod PCs) and admins can create a logical computer group hierarchy to match their testing and deployment needs.
  • Reporting Improvements: It’s almost not fair to call the reporting changes ‘improvements’.  We’re talking about a complete overhaul.  The WSUS product group decided to scrap the current reporting infrastructure and instead take advantage of the Visual Studio Report Viewer.  In addition to a much friendlier and customizable UI, the new report viewer offers something many WSUS administrators have long clamored for – the ability to export report data to either PDF or Excel formats.  That should make the CxO-types happy!
  • Simplified Configuration: All the new functionality in WSUS 3.0 is worthless if the out-of-the-box experience (OOBE) stinks.  Once again the team has done everything but reach through the computer and set it up for you.  And for once, the WSUS OOBE Wizard is one that I can actually live with (unlike many others that raise my blood pressure).  For instance, the WSUS OOBE ensures that you get the right update languages, the right products and update classifications, and even sets up an initial synchronization schedule.  Obviously you can go back and change these settings at any time – but having a fairly intelligent UI wrapper around the initial setup process should cut down on support calls and ensure a positive end-user experience.

Prerequisites:

Unlike its predecessor, WSUS 3.0 cannot be installed on Windows 2000 Server.  This doesn’t mean it won’t deliver updates to Windows 2000 machines – just that the WSUS server itself must run Windows Server 2003 SP1.  I’m guessing this prerequisite will upset a few of you, and I can understand your situation.  Not everyone has budget for software upgrades right now… but then again we aren’t looking at public availability until sometime next year anyway.  So now would be an excellent time to put in a few grand for a new server and a copy of Windows Server 2003.

Make sure to peruse the WSUS 3.0 Readme for a full list of prerequisites and known issues.  And don’t forget this is still beta software.  Even though I’ve given the product mostly praise in this post, there are still a few loose ends that need to be ironed out before RTM.  I recommend limiting WSUS 3.0 deployments to the test lab, or possibly a limited pilot deployment within your IT department.  Please don’t unleash this on your end-user population quite yet ;)

What’s Next?

Stay tuned to WindowsConnected for more information on WSUS 3.0 Beta 2.  And if you’re one of those ‘picture is worth a thousand words’ people, don’t forget to visit the screen shot gallery.

Only published comments... Aug 14 2006, 11:35 PM by Jeff
Filed under: ,

Comments

 

Asela Pilapitiya said:

Agreed, the UI wrapper is well written to get you started off the bat. especially liked the idea of the option to select the data repositary, i.e. SQLServer location and credentials.
August 25, 2006 8:16 AM
 

Jules said:

Please! WSUS/Automatic Updates team!  Include the ability to enforce a "start time" as well as the deadline.    WSUS would be a great patching solution for servers, but unfortunately, most environments have very strict maintenance windows.  WSUS can schedule updates with a deadline, but there is no way to actually force patch installation in a certain window.   If this could be done with WSUS, then SMS (yuk) and other such products would be a thing of the past.

October 31, 2006 8:18 AM
 

checking out said:

What happened to the column where you could see the date the update was downloaded. Now you need to scroll down to see the date - very annoying. Also, with wsus 2 you could easily arrange the updates from newest to oldest - you cant do that with the new version. i have downloaded the newest update and i need to look for them or create a different view - this takes more time than before - extremelly annoying.

still the problem with sids -

November 29, 2006 3:58 PM
 

John Smith said:

- Please add an option where you can see the computer and the updates it needs and then click the update to do a forced installation of that update on the computer instead of having to wait for the update cycle to complete.

- Please add an option to locate the updates and then copy them to a computer so you can do a manual installation of specific updates

December 18, 2006 3:33 AM
 

Tony said:

Can I have WSUS 3 install on the same machine as SMS? or SMS v4 will have something similar as WSUS? It is easier to work with WSUS than the upgrade process in SMS

December 26, 2006 7:32 PM
 

Nathan said:

Anyone have any idea when the product will come out of Beta? Is it being set to align with Longhorn?

Cheers

Nathan

January 17, 2007 8:56 PM
 

Jeff said:

I see I missed responding to a few comments... sorry guys :(

Checking out -- these features are in the current release, and will also be in RC1.  Maybe you need to right-click and make sure 'Release Date' and/or 'Arrival Date' are selected.  Plus, if you click on the column it will sort like you'd expect.

John Smith -- nice ideas, but I wouldn't hold your breath.

Tony -- Yes, WSUS 3 is actually the patch management 'engine' for the next version of SMS (now SCCM 2007).  Many people feel the same way re: WSUS being easier to use than SMS 2003.  MS is listening on this one :)

Nathan -- Technically, the next stop is RC1.  Final version should be after that.  If I had to guess, I'd say sometime at the end of 1H07.

January 17, 2007 10:11 PM
 

Tom said:

It would be nice if you made it so that if the client clicks on the windows update site it would force them to get the updates from the WSUS server and not the internet. This would prevent end users from downloading non approved patches.

January 22, 2007 3:29 PM
 

Jeff said:

Tom -- This is actually possible today w/ WSUS 2.0... although it isn't as much a function of WSUS as it is the client-side Automatic Updates (AU) interface.  Here's the trick: Fire up 'gpedit.msc' and navigate to User Configuration --> Admin Templates --> Windows Components --> Windows Update.  In the right window you will see an option titled 'Remove access to use all Windows Update features'.  Set that to 'Enabled' and you're good to go.  This will prevent users from launching the WU/MU site... and it has the side benefit of treating local Admins as regular users (so they don't get the opportunity to prevent reboots, etc.).  Now, if you're trying to take this a step further and want to redirect their IE browser WU/MU experience to feed off an internal WSUS box... that isn't possible.  AU talks to WSUS... not the browser (browser can only talk to the online WU/MU).  Make sense?  Did I use enough acronyms for ya :P

Thanks for posting, and let me know if the above suggestion is helpful.

January 22, 2007 4:00 PM
 

Nick said:

It would be nice if there was an option to burn cds with selected update for high security networks, standalones, DMZ, .....

January 23, 2007 11:43 AM
 

Brian said:

Any chance you could let me know which connect program it is?

March 2, 2007 10:04 AM
 

Jeff said:

Interesting… the WSUS 3.0 program has disappeared from ‘Available Connections’ on Connect (although I still have access since I’m already in the program).  This is probably a temporary issue w/ Connect, but I’ll ping the Program Manager just in case.  Thanks for the heads-up.

March 3, 2007 7:41 AM
 

Sadiq said:

So I was looking for the WSUS 3.0 program and I couldn't find it.  Any idea on whne it will be back on the list?

March 5, 2007 10:18 AM
 

Jeff said:

Sadiq & Brian - I spoke w/ Microsoft and this should be fixed now.  If you still can't see the program, give it some time to propogate throughout Connect (couple hours maybe).  Otherwise, post back and I'll ping them again.  Thanks.

March 5, 2007 10:42 AM
 

John said:

What would be nice is... When you browsing your queue and it says a specific server needs 20 updates. that it actually tells you what updates it needs by KB number.  

March 19, 2007 12:01 PM
 

Jeff said:

John - You can already do this (sort of).  Go to the Updates:All Updates node on the left... make sure your status view is filtered to 'Failed or Needed' and right-click the column headers to add 'KB Articles'.  One of my favorite features is being able to tweak which columns are displayed.  You can also choose to make this your default view by selecting 'Apply to all views' using the same right-click trick.

Enjoy!

March 19, 2007 1:05 PM
 

Jeff said:

How about the Malicious Software Removal Tool sent through WSUS? Auditors don't like seeing that is not run every month.

March 30, 2007 12:00 PM
 

Al said:

My server is unable to connect to windows update since the upgrade to 3.0 any ideas the error is:

WebException: The request failed with HTTP status 404: Not Found.

at System. Web. Services. Protocols. SoapHttpClientProtocol . ReadResponse(SoapClientMessage, WebResponse response, Stream responseStream, Boolean asyncCall) at System. Web. Services. Protocols. SoapHttpClientProtocol . Invoke(String methodName, ObjectU parameters)

at Microsoft. UpdateServices . ServerSyncWebServices. ServerSync. ServerSyncProxy. GetAuthConfig

at Microsoft. UpdateServices . ServerSync. ServerSyricLib . InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicabonHelper webServiceHelper)

at Microsoft. UpdateServices . ServerSync. ServerSyncLib . Authenticate(AuthorizationManager authorizabonManager, Boolean checkExpirabon, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)

at Microsoft. UpdateServices . ServerSync. CatalogSyncAgentCore. SyncConfigUpdatesFromUSS

at Microsoft. UpdateServices . ServerSync. CatalogSyncAgentCore . ExecuteSyncProtocol(Boolean allowRedirect)

April 9, 2007 9:17 AM
 

Rechtsanwalt Strafrecht said:

Microsoft fixed it. I called a friend at Microsoft yesterday and he told me that they fixed it.

April 18, 2007 5:01 PM
 

Prese Arrampicata said:

Yes, Microsoft fixed it now in Italian also, but only ater i told them.

Prese Arrampicata

November 4, 2007 4:25 AM
 

parke said:

thank youu

September 1, 2008 8:47 AM

Leave a Comment

(required)  
(optional)
(required)  
Add

About Jeff

Jeff Centimano is a Windows Server MVP based in Fairway, KS (USA). In addition to blogging and freelance technical writing for Microsoft, Jeff leads the KC-MEC User Group (kcmec.org) and assists with various site duties here at WindowsConnected.com. Jeff has been in the IT industry since 1994 and is currently a Solutions Architect at EMC Global Services.
Windows is a registered trademark of Microsoft Corporation.
Powered by Community Server (Non-Commercial Edition), by Telligent Systems Themed By nb development