If you ask around which patch management software to use for Windows endpoints the first answer usually is: The Windows Server Update Services or short WSUS. WSUS has been around for more than a decade and is made by Microsoft, so it seems an obvious choice. But WSUS is not for everybody. Let’s have a look for which situations Microsoft’s traditional patch management solution is the right tool, where it falls short and what alternatives to WSUS exist.
What is WSUS?
WSUS was released in 2005 by Microsoft to give system administrators a way to centrally manage updates to Windows clients and servers. To set up WSUS in your environment, you need to create a dedicated WSUS server by installing Microsoft Windows Server and then adding the WSUS Server role. You can have one or multiple WSUS servers in your organization, depending on how many endpoints you need to manage and whether you want to distribute the load of downloading patches.
After setting up the server you configure your endpoints to use the WSUS server as the source for updates instead of going to Microsoft’s update servers directly. And that’s it – at least on a very high level. There are several additional steps required to get a stable and well-configured WSUS setup. For a detailed configuration guide see the Microsoft Docs page on WSUS.
What WSUS does well
After you have set up WSUS successfully you can use it to apply updates to your endpoints, either to individual systems or to groups. You can also choose to only apply specific updates, configure automatic patching and many more options. These are the things that WSUS does well:
- Fine-grained control over which patches get applied to which systems
- Good integration into other parts of a Windows-based architecture like Group Policies, Active Directory, etc.
- WSUS now also supports several PowerShell cmdlets which make automation of update tasks easier
In addition to these points there is another advantage of WSUS that makes it an attractive choice for many businesses: it is included in your normal Windows Server licensing fee and does not cost anything extra beyond that. However, although WSUS does not incur additional fees many system administrators have made the experience that it requires a lot of work to maintain. Just search for WSUS questions on Stack Overflow or Reddit to read some of the issues people have experienced. The maintenance effort of WSUS needs to be factored into the total cost of ownership. This leads us to the next section.
What WSUS does not do well
WSUS is more than 15 years old. And although Microsoft is still officially supporting it the core structure of the product has certainly not aged well. This leads to multiple problems, among them:
- It needs a lot of maintenance: WSUS contains many moving parts and after some time problems do pop up in nearly every WSUS setup – often accompanied by hard to decipher error messages. As a consequence, more and more endpoints will miss patches. If this happens to your setup it is time for the infamous WSUS clean-up. Many system administrators use custom-built scripts for these clean-up tasks and the time to write and maintain these scripts need to be factored in when assessing the costs of using WSUS.
- WSUS is Windows-only: Microsoft did build WSUS with a clear focus on pure Windows environments but this is not how many modern environments look like. Nowadays most businesses use a combination of Windows, Linux and Mac systems but everything that is not Windows is left out when it comes to patching through WSUS. If you are looking for patch management software for Linux or Mac WSUS will not help you.
- Not on the network? Not gonna be patched. The WSUS server lives on your internal network so only endpoints that are on-premise or connected via VPN can reach it. This is a challenge for companies that make extensive use of remote work and it can mean remote endpoints miss important patches.
Who should use WSUS and who shouldn’t?
Now that we have looked at the things that WSUS does well and where it falls short we can answer the question: For which type of IT environment is WSUS the right choice?
If you are a pure Windows shop where all of your devices are on the same network all the time and you have the IT resources to maintain and care for the WSUS server, then Microsoft’s solution to patch management is a good fit.
But what if you have a diverse IT environment with some endpoints running Windows, others Linux and even have some Macs around? What if your employees do not always work from the office but are sometimes traveling or working remotely? And what if your system administrators are already busy enough and don’t have the time to maintain yet another picky server? In this case you should be looking for WSUS alternatives.
What are good WSUS alternatives?
If WSUS does not meet your requirements there are several good alternatives around. Microsoft itself seems to be moving away from WSUS and towards their new service Azure Update Management. It supports patching of Windows and Linux endpoints and different forms of automation. This service is completely based in Microsoft Azure so it makes the most sense for organizations that already have a large Azure footprint. It can be used to manage patching for virtual machines inside Azure as well as on-premise systems. In the latter case, you will need to set up the Log Analytics service for these endpoints. Detailed explanations and documentation can be found on the Microsoft Docs page on Update Management.
For organizations that need advanced features and cross-platform support, the best WSUS alternative is to use a dedicated patch management solution. Most modern patch management software does support patching Windows, Linux and Mac endpoints from a single dashboard and therefore makes it easy to bring heterogeneous IT environments up-to-date quickly. These solutions often come with advanced options to configure patch policies and generate reports so you can always see the current patch status of your environment. Plus, solutions that are cloud-based let you patch every endpoint no matter if it is on-premise or moving around.
Since you are on our blog we of course recommend Patchdeck 😉 But there are many good solutions around.
Can you combine WSUS and patch management solutions?
If your organization already has a working WSUS setup but you are looking for features that WSUS cannot provide on its own, there is no need to completely burn down what is already working. WSUS can work well together with other patch management solutions. For example, you can use your WSUS server simply as a central repository for Windows patches while the process of patching, automating and reporting is offloaded to a dedicated patch management solution. This has the advantage of saving bandwidth as the Windows updates are only downloaded once to your WSUS server and from there distributed to all Windows endpoints. At the same time, you can use your dedicated patch management solution to get an overview of the patching status of your endpoints and have full control over how you organize groups and automations. You can read in our docs how Patchdeck integrates with WSUS.
WSUS has been the natural choice for Window patch management for over a decade but its age is definitely showing. It remains a good tool for organizations that are Windows-only and have all endpoints on-premise all the time. But if you don’t fall into this category Microsoft’s new cloud offering or a dedicated patch management solution are better choices. And even if you already have a WSUS setup working you can combine it with a patch management solution to get the best of both worlds.