November 12, 2002 12:00 AM

Software Update Services, Part 2

SUS testing, deployment, and monitoring
Windows IT Pro
InstantDoc ID #27069

Web Figure 1 (http://www.secadministrator.com, InstantDoc ID 27069) lists the initialization (&A=n), self-update (&A=s), and detection (&A=d) events that 10.0.0.41 reported to SUS server 10.0.0.68. The information in the wutrack.bin log is cryptic, but the deployment guide makes an effort to explain the log entries in Appendix C: "Client Status Logging." The log contains records other than wutrack.bin messages. Appendix C also shows how to configure IIS to log only wutrack.bin messages by turning off logging at the Web site level and enabling logging only on the wutrack.bin file.
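The following Python script is an added example, not code from the article or from Microsoft's deployment guide. It filters wutrack.bin requests out of an IIS log, summarizes the last initialization, self-update, and detection ping per client, and flags clients with no recent detection ping. It assumes the log is in W3C extended format with a #Fields header; the sample lines and the `placeholder` query parameter are constructed, and only the three activity codes named above are mapped.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Activity codes named in the article; any other value is reported as-is.
ACTIVITY = {"n": "initialization", "s": "self-update", "d": "detection"}

# Constructed sample in W3C extended log style (not real SUS server output).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-01 09:00:01 10.0.0.41 GET /wutrack.bin placeholder=1&A=n 200
2002-10-01 09:00:05 10.0.0.41 GET /wutrack.bin placeholder=1&A=s 200
2002-10-01 09:00:07 10.0.0.41 GET /iisstart.asp - 200
2002-10-01 09:00:09 10.0.0.41 GET /wutrack.bin placeholder=1&A=d 200
2002-10-01 09:05:00 10.0.0.42 GET /wutrack.bin placeholder=1&A=n 200
2002-10-02 09:00:09 10.0.0.41 GET /wutrack.bin placeholder=1&A=d 200
"""

def client_activity(log_text):
    """Return {client_ip: {activity: last 'date time' seen}} for wutrack.bin hits."""
    fields, seen = [], defaultdict(dict)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue                       # other directives, blanks, headerless rows
        row = dict(zip(fields, line.split()))
        if not row.get("cs-uri-stem", "").lower().endswith("/wutrack.bin"):
            continue                       # the log also holds unrelated requests
        code = parse_qs(row.get("cs-uri-query", "")).get("A", ["?"])[0]
        stamp = f"{row.get('date', '')} {row.get('time', '')}".strip()
        seen[row.get("c-ip", "unknown")][ACTIVITY.get(code, f"other ({code})")] = stamp
    return {ip: dict(acts) for ip, acts in seen.items()}

def stale_clients(activity, since):
    """Clients with no detection ping on or after `since` (YYYY-MM-DD)."""
    return sorted(ip for ip, acts in activity.items()
                  if acts.get("detection", "") < since)

if __name__ == "__main__":
    activity = client_activity(SAMPLE_LOG)
    for ip, acts in sorted(activity.items()):
        print(ip, acts)
    print("no detection since 2002-10-02:", stale_clients(activity, "2002-10-02"))
```
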

You can monitor update activity by using the %windir%\Windows Update.log file on each of your clients. This log file contains an easy-to-read record of update information. As Web Figure 2 (http://www.secadministrator.com, InstantDoc ID 27069) shows, the computer queried a Windows Update server for new updates, downloaded them, installed them, and rebooted. If the systems administrator configured the client to pull updates from an internal SUS server, that configuration would be reflected in the log.

Handling User Intervention
You probably want to prevent users from interfering with SUS updates and from downloading unapproved updates from a Windows Update server. You can use group policy settings to control these actions. Enable the "Remove access to use all Windows Update features" setting (under User Configuration, Administrative Templates, Windows Components, Windows Update) in a GPO, and any XP computers that apply the GPO will disable the AU folder on the Control Panel System applet. However, this setting doesn't affect users' ability to operate the XP "Keep your computer up-to-date with Windows Update" task on the Help and Support Center tool and has no effect on Win2K computers. To lock down these options, enable "Remove links and access to Windows Update" under User Configuration, Administrative Templates, Windows Components, Start Menu, Taskbar.

Receiving Email Notification
If you want to receive email notification whenever Microsoft issues a crucial update for your products, you can register at http://go.microsoft.com/fwlink/?linkid=6931. If you subscribe to this service, you won't have to log on to your SUS server every day to determine whether to approve new updates. The email service will prompt you for approval when necessary. The difference between this alert service and the security bulletin service is that the security bulletin service includes notification of all security concerns for all Microsoft products. The SUS email notification service covers only security concerns that affect SUS-supported products (XP, Win2K, and IE 5.0 and later) and problems for which Microsoft has issued a crucial update that you can install using SUS. The advantage to subscribing to both services is that you can track which updates SUS will handle and which ones you'll handle through other means.

SUS isn't a total solution for keeping systems up-to-date; it doesn't address other Microsoft Office or Microsoft BackOffice products. But the combination of SUS and group policy's Software Installation features lets you automatically keep the OS up-to-date with service packs and hotfixes and eliminates most of the work involved in patching your computers. Keep in mind that after you approve an update and SUS installs it, SUS doesn't include a way to uninstall the update. You must write a short startup script in group policy under Computer Configuration\Windows Settings\Scripts (Startup/Shutdown) that uninstalls the update and deploy the script to affected computers.

Comments
  • Carl Wheeler
    9 years ago
    Nov 17, 2003

    Real nice overview. I very much agree that the lack of reporting is a real downfall with SUS. SUS is a huge step in the fight to stay patched but it is an unclosed loop if you can't verify the results. Somebody creative needs to craft a script to parse the SUS events into meaningful output.

Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.