What is WSUS?

WSUS – Windows Server Update Service – is a software tool provided by Microsoft that allows administrators to manage the distribution of updates and patches for Microsoft software products to computers on their network. WSUS analyzes the current system and identifies the required updates and helps users manage downloads in an enterprise environment.

Windows Server Update Service (WSUS) is fully supported by a wide range of Microsoft products and is integrated into the operating system as a server role in:

  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

WSUS is especially useful for small and medium-sized businesses (SMBs) because it is an intermediate step between the more straightforward Windows Update for individual PCs and the more robust Systems Management Server for larger enterprises.

Among other features, WSUS provides the following:

  • Bandwidth management and network resource optimization
  • Automatic download of Windows updates and category-based downloads
  • Targeted download of Windows updates for specific computers or groups of computers
  • Improved reporting capabilities
  • Multilingual support

The updates provided by WSUS include critical updates, definition updates, drivers, feature packs, security updates, service packs, tools, update rollups, and periodic enhancements.

The WSUS Group Policy settings allow administrators to point the workstations on their network at the WSUS server and to restrict end-user access to Windows Update, giving administrators full control over which updates reach the network. Automatic downloads use BITS, which helps to optimize bandwidth usage.

WSUS relies on the .NET Framework, the Microsoft Management Console (MMC) and Internet Information Services (IIS) for its operation.

How to start with WSUS

WSUS is installed as a server role on Windows Server using Server Manager. Once the role is activated, it can be used. As mentioned above, some prerequisites are required to work with WSUS, including .NET, Microsoft Report Viewer, Internet Information Services (IIS), and a database such as the Windows Internal Database (WID) or SQL Server. All of these prerequisites are freely available on Windows Server.

Depending on the size of the network, WSUS can be a single server or multiple servers working together. WSUS servers can retrieve update content and configurations from each other. This means that even very large networks and offices with multiple locations can each have their own server.

Companies can also use WSUS without connecting to the Internet. This allows highly secure networks to receive regular patches without the entire network being connected to the Internet.

If you are a system administrator, you can also install the WSUS Management Console using PowerShell.

However, it is not enough to simply set up a WSUS server on a network. Clients must be configured to actually connect to that server rather than to Microsoft Update. System administrators usually configure clients through Group Policy, but the same settings can also be applied through System Center Configuration Manager (SCCM), Mobile Device Management (MDM), or manually via registry keys. Administrators can specify how clients install updates, whether they reboot after installation, and how users are informed when updates are available.

The Windows Update Agent (WUA) performs the actions on the client to install updates. It connects to the WSUS server, checks for needed updates, and then downloads and installs them. The download uses Background Intelligent Transfer Service (BITS) to optimize bandwidth usage.

In order for WSUS to run, some network ports must be open. The server must be able to reach the Microsoft update servers on the Internet on ports 80 and 443 to receive the update packages. You can read in detail how to configure the firewall between the WSUS server and the Internet here. By default, clients connect to the WSUS server on port 8530 (HTTP) and 8531 (HTTPS), although these ports can be changed later.
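The client-side configuration described above, as an added example that is not part of the original page: it writes the same policy registry values that the WSUS Group Policy settings set, then audits that the client is pointed at the expected server over HTTPS on port 8531. The host name `wsus.example.local` and the function names are assumptions for this example.

```powershell
# Added example, not from the original page: point a client at a WSUS server by
# writing the policy registry values that the WSUS Group Policy settings set,
# then audit the result. 'wsus.example.local' is an assumed, hypothetical host name.
# Run from an elevated PowerShell session on the client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

function Set-WsusClientPolicy {
    param([string]$ServerUrl)
    New-Item -Path $AuKey -Force | Out-Null      # creates the WindowsUpdate and AU keys
    # Server the client pulls updates from and the server it reports status to
    New-ItemProperty -Path $PolicyKey -Name 'WUServer'       -Value $ServerUrl -PropertyType String -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'WUStatusServer' -Value $ServerUrl -PropertyType String -Force | Out-Null
    # 1 = use the intranet WSUS server instead of Microsoft Update
    New-ItemProperty -Path $AuKey -Name 'UseWUServer' -Value 1 -PropertyType DWord -Force | Out-Null
    # 4 = auto download and schedule the install (reboot behaviour is a separate setting)
    New-ItemProperty -Path $AuKey -Name 'AUOptions'   -Value 4 -PropertyType DWord -Force | Out-Null
}

function Test-WsusClientPolicy {
    # Defender-side audit: the client must talk to the expected host over HTTPS (8531),
    # not plain HTTP (8530), and must actually be told to use the intranet server.
    param([string]$ExpectedHost)
    $issues = @()
    $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue
    if (-not $wu -or -not $wu.WUServer) { return @('WUServer is not set; client uses Microsoft Update') }
    $uri = [Uri]$wu.WUServer
    if ($uri.Scheme -ne 'https')             { $issues += "WUServer uses $($uri.Scheme), not https" }
    if ($uri.Host -ne $ExpectedHost)         { $issues += "WUServer host '$($uri.Host)' is not '$ExpectedHost'" }
    if ($wu.WUStatusServer -ne $wu.WUServer) { $issues += 'WUStatusServer differs from WUServer' }
    if ($au.UseWUServer -ne 1)               { $issues += 'UseWUServer is not 1; the WUServer value is ignored' }
    return $issues
}

Set-WsusClientPolicy -ServerUrl 'https://wsus.example.local:8531'
$problems = Test-WsusClientPolicy -ExpectedHost 'wsus.example.local'
if ($problems.Count -eq 0) { 'WSUS client policy OK' } else { $problems }
Restart-Service -Name wuauserv   # make the Windows Update Agent re-read the policy
```

When clients are managed through Group Policy instead, run only the audit function: a client whose values differ from the policy you expect is either not receiving the GPO or has been reconfigured locally.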

Why use WSUS?

  • Cost: WSUS is a free tool that installs as a role on the Windows Server, so organizations of all sizes can take advantage of its features. For smaller organizations that are not able to use Microsoft’s System Center Configuration Manager (SCCM), WSUS provides some patch automation functionality without charging for it. Still, companies who are considering using WSUS should be mindful of hidden costs of the system, such as time spent troubleshooting and the cost of acquiring and using other tools for non-Windows operating systems and third-party applications.
  • Works with Windows systems: Because WSUS was developed by Microsoft, it does not conflict on Windows systems, and with proper configuration, it can patch those systems semi-automatically. For anyone working with a Microsoft-only infrastructure, WSUS reduces the need for manual patching and tracks updates so SysAdmins can easily see which updates have been deployed to each machine.
  • Reduces network usage: Each update is downloaded from the Internet only once and then distributed internally. Above a certain company size this becomes a necessity, so it is easiest to use WSUS right from the beginning, since the functions will be needed later anyway.
  • Testing patches: Windows Server Update Service (WSUS) lets you set policies and selectively choose what to apply. If you’re running bespoke, mission-critical software, WSUS is an absolute must so that you can withhold patches in order to test them.
  • Reporting Mechanism: WSUS provides you with a centralized reporting mechanism that allows you to determine which machines have been properly updated. With this capability it is possible to avoid making serious mistakes.
  • Multi-OS support: WSUS is compatible with Windows 2000 Server and Windows 2000 Professional (Service Pack 3 or later), Windows XP Professional, the Windows Server 2003 family, Windows Server Datacenter Editions, and the Windows XP family (64-bit).
  • Multi-app support: WSUS supports Microsoft Exchange 2003, Microsoft Exchange 2000, Microsoft Office 2003, Office XP Service Pack 2.
  • Multi-patch type support: The list includes security updates, non-security updates, feature packs, critical driver updates, connectors, drivers, and more.

Difficulties while using WSUS

  • Workflows: WSUS does not allow IT workflows with complex logic to be automated, which is why system administrators have to do more manual work to properly organize security processes. As threats continue to evolve, automation becomes increasingly important for IT departments.
  • Reporting: WSUS does not provide sufficient reporting on network-wide vulnerabilities, forcing IT security specialists to piece together reports from various sources and hope that everything has been accounted for. In addition, WSUS does not provide export of reports in various file formats. The lack of reports can cause unpatched vulnerabilities to go unnoticed and audits to fail.
  • Device discovery: Device discovery with WSUS is a very time-consuming process. The discovery takes place only once in certain time periods and cannot be performed more often depending on your needs.
  • Patching: WSUS does not push a specific patch immediately. All clients must first check in with the server and pick up the approved patch for installation, which, depending on the environment, can take several days.
  • Third-Party Applications: WSUS is inefficient at working with third-party applications, like Oracle or Mozilla. In order to patch such software, you need to design a complex workaround, and yet you don’t get an intuitive catalog that you can easily work with. Given that third-party applications increasingly serve as a backdoor for cybercriminals to gain access to corporate systems, this is one of the biggest drawbacks of WSUS.
  • Patch Status: WSUS does not reliably update the patch status for all devices, and notifications about the reason for failed updates are not sent. You might believe that you have patched your systems while critical vulnerabilities remain unfixed. This leaves your company exposed to cyber-attacks.

Our take on WSUS

Windows Server Update Service (WSUS) requires a large existing on-site infrastructure, many different workarounds for remote employees, and, on top of all this, complex implementations. This increases costs and creates weaknesses that could potentially be exploited.

Despite its many good features, WSUS also has its weaknesses. Microsoft’s WSUS is good at keeping Microsoft products up to date, but it was never designed to be a comprehensive solution for all patch management needs of a large company. Organizations that need centralized support for regularly patching applications from multiple vendors are much better served by a third-party patch management solution.


Solution for Microsoft's WSUS shortcomings

What is an RMM Tool?

Remote Monitoring and Management (RMM) is a platform designed to help IT service providers (MSPs) monitor client endpoints, networks and computers remotely and proactively. This is also referred to as remote IT management.

When an RMM is deployed, a small footprint, often referred to as an “agent,” is installed on the client workstations, servers, mobile devices and other endpoints. These agents then relay information about the health and status of the machines to the MSP. In this way, the MSP gains visibility into the customer’s networks, can maintain and keep the machines up to date, and can proactively identify and remotely fix problems – without having to visit the customer’s office.

With a simple infrastructure, streamlined and intuitive workflow, XEOX makes patch management simpler, boosts patch compliance, decreases time spent patching, and allows multi-OS maintenance from a single console.

How do XEOX and WSUS differ?

INFRASTRUCTURE (WSUS vs. XEOX)

  • Requires local servers and networks
  • Routine configuration and maintenance of servers
  • Fully cloud-based
  • Managing outside the network without VPN

PATCH MANAGEMENT (WSUS vs. XEOX)

  • Windows OS patching
  • Microsoft application patching
  • Non-Microsoft Windows application patching
  • Push-style patching
  • Pull-style patching

IT MANAGEMENT (WSUS vs. XEOX)

  • Software deployment
  • System health and performance monitoring
  • Custom notifications and alerts
  • Remote control
  • Remote management tools
  • IT automation
  • IT process and credential documentation
  • End-user self-service IT portal
  • Cloud backup

Why you should use WSUS & XEOX

Managing third-party patches for WSUS is a tedious and ongoing task that requires many hours spent researching, building, testing, deploying, reporting, and debugging patches. With XEOX, companies using WSUS can reduce the time spent on WSUS patch management by using pre-built, fully tested, ready-to-use packages for popular third-party applications. XEOX is designed to leverage the Microsoft WSUS infrastructure and enable successful deployment, management and reporting for third-party patches.

With XEOX, administrators can use advanced WSUS patch management capabilities to gain increased control over Microsoft WSUS. A lot of time and effort can be saved by automating various patching processes. XEOX Patch Manager makes it easy to schedule patch management tasks to run during the maintenance window, select which systems to patch, and receive relevant notifications once the process is complete. Use the immediate schedule and reboot feature to bring desktops or servers into compliance as quickly as possible.

Another reason to use WSUS and XEOX together is that the two tools in combination do not put load on the Internet connection at your workplace. WSUS brings the updates you want directly to your server. This means that XEOX only needs to deploy patches from the server and does not download updates from the Internet. This is very helpful because bandwidth is not affected and the Internet connection stays available – no possible outage.

You should also keep in mind that using WSUS and XEOX in combination is very safe, because installations – updates and installation of new software – are verified twice. First, WSUS detects that a new update is available. After that, you can check with XEOX whether the new update is wanted or necessary. If so, you can use XEOX to install it automatically on all your computers.

Patching with WSUS only works if the WSUS server itself is always up to date. In everyday work, however, it can easily happen that one forgets such a trivial thing. With the help of XEOX this cannot happen: you can define that updates are installed only from WSUS but are still searched for with XEOX. That way you can see which updates are available – which updates you could have – even though they are not installed. So if you find that there are new Windows updates that are not being installed automatically, you know that your WSUS server is not up to date.

However, in recent years there have been more and more problems with WSUS, and many people no longer want to use it. If you do not want to continue using WSUS, you have the option to replace it completely and use XEOX for all your tasks instead. This is especially convenient if you do not like to use multiple tools at the same time. In XEOX this works with so-called update lists (allow or deny lists). You can create and manage these under Job Center -> Update lists. They can then be referenced in the WuInstall Actions in the Job Editor.