WSUS (Windows Server Update Services) is a software tool provided by Microsoft that allows administrators to manage the distribution of updates and patches for Microsoft software products to computers on their network. WSUS analyzes the current system, identifies the required updates, and helps users manage downloads in an enterprise environment.
Windows Server Update Services (WSUS) is fully supported by a wide range of Microsoft products and is integrated into the operating system as a server role in
WSUS is especially useful for small and medium-sized businesses (SMBs) because it is an intermediate step between the more straightforward Windows Update for individual PCs and the more robust Systems Management Server for larger enterprises.
Among other features, WSUS provides the following:
The updates provided by WSUS include critical updates, definition updates, drivers, feature packs, security updates, service packs, tools, update rollups, and periodic enhancements.
Through Group Policy, administrators can direct workstations on their network to the WSUS server and restrict end-user access to Windows Update, giving administrators full control over the network. Automated downloads are handled by BITS, which helps optimize bandwidth usage.
WSUS uses .NET Framework, Microsoft Management Console and Internet Information Services for its operations.
WSUS is installed as a server role on the Windows server using Microsoft Windows Server Manager. Once the role is activated, it can be used. As mentioned earlier, some prerequisites are required to work with WSUS, including .NET, Microsoft Report Viewer, Internet Information Services (IIS), and a database such as Windows Internal Database (WID) or SQL. All of these prerequisites are freely available on Windows Server.
Depending on the size of the network, WSUS can be a single server or multiple servers working together. WSUS servers can retrieve update content and configurations from each other. This means that even very large networks and offices with multiple locations can each have their own server.
Companies can also use WSUS without connecting to the Internet. This allows highly secure networks to receive regular patches without the entire network being connected to the Internet.
If you are a system administrator, you can install the WSUS Management Console using PowerShell
However, it is not enough to simply set up a WSUS server on a network. Clients must be configured to actually connect to that server rather than to Microsoft Update. System administrators often configure the client using Group Policy, but it can also be set up through System Center Configuration Manager (SCCM), Mobile Device Management (MDM), or manually using registry keys. Administrators can specify how clients install updates, whether they reboot after installation and how users are informed when updates are available.
The Windows Update Agent (WUA) performs the actions on the client to install updates. It connects to the WSUS server, checks for needed updates, and then downloads and installs them. The download uses Background Intelligent Transfer Service (BITS) to optimize bandwidth usage.
In order for WSUS to run, some network ports must be open. The server must be able to communicate with the Windows Update servers over the Internet on ports 80 and 443 in order to receive the update packages. You can read in detail how to configure the firewall between the WSUS server and the Internet here. By default, clients connect to the WSUS server through ports 8530 and 8531, although these can be changed later.
Windows Server Update Services (WSUS) requires a large existing on-site infrastructure, many different workarounds for remote employees and, on top of all this, complex implementations. This increases costs and creates vulnerabilities that could potentially be exploited.
Despite the many good features of WSUS, it also has its weaknesses. Microsoft’s WSUS is good at keeping Microsoft products up to date; however, it was never designed to be a comprehensive solution for all the patch management needs of a large company. Organizations that need centralized support for patching applications from multiple vendors on a regular basis are much better served by a third-party patch management solution.
Remote Monitoring and Management (RMM) is a platform designed to help managed IT service providers (MSPs) monitor client endpoints, networks and computers remotely and proactively. This is also referred to as remote IT management.
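The client-side settings and ports described above can be checked on a workstation with a short read-only PowerShell script. This is an added example, not code from the original article or from Microsoft or XEOX; it assumes the client is configured through the standard Windows Update policy registry values (WUServer, WUStatusServer, UseWUServer), which the article itself does not name.

```powershell
# Added example (not from the original page): read-only audit of the WSUS client policy.
# Value names are the standard Windows Update policy registry values (an assumption;
# the article only says that clients can be configured "using registry keys").
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
$findings     = @()
$uri          = $null

if (-not $wuServer) {
    $findings += 'WUServer is not set: the client is not directed to a WSUS server.'
} elseif (-not [uri]::TryCreate($wuServer, [UriKind]::Absolute, [ref]$uri)) {
    $findings += "WUServer '$wuServer' is not a valid absolute URL."
} else {
    if ($useWuServer -ne 1) {
        $findings += 'UseWUServer is not 1: the agent ignores the WUServer setting.'
    }
    if ($statusServer -ne $wuServer) {
        $findings += 'WUStatusServer must be set to the same URL as WUServer.'
    }
    if ($uri.Scheme -ne 'https') {
        $findings += "WUServer uses $($uri.Scheme) on port $($uri.Port): traffic to WSUS is not protected by TLS."
    }
    # Check that the configured port (8530 or 8531 by default) is reachable from this client.
    $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        $findings += "Cannot reach $($uri.Host) on TCP port $($uri.Port)."
    }
}

# Emit one object per machine so results can be collected and compared centrally.
[pscustomobject]@{
    WUServer       = $wuServer
    WUStatusServer = $statusServer
    UseWUServer    = $useWuServer
    Findings       = $findings
}
```

An empty Findings list means the client is pointed at a reachable WSUS server over HTTPS; of the two default ports, 8530 is the HTTP port and 8531 the HTTPS port.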
When an RMM is deployed, a small footprint, often referred to as an “agent,” is installed on the client workstations, servers, mobile devices and other endpoints. These agents then relay information about the health and status of the machines to the MSP. In this way, the MSP gains visibility into the customer’s networks, can maintain and keep the machines up to date, and can proactively identify and remotely fix problems – without having to visit the customer’s office.
With a simple infrastructure and a streamlined, intuitive workflow, XEOX makes patch management simpler, boosts patch compliance, decreases time spent patching, and allows multi-OS maintenance from a single console.
|Requires local servers and networks||✓|
|Routine configuration and maintenance of servers||✓|
|Managing outside the network without VPN||✓|
|Windows OS Patching||✓||✓|
|Microsoft Application Patching||✓||✓|
|Non-Microsoft Windows Application Patching||✓|
|System health and performance monitoring||✓|
|Custom notifications and alerts||✓|
|Remote management tools||✓|
|IT process and credential documentation||✓|
|End-user self-service IT portal||✓|
Managing third-party patches for WSUS is a tedious and ongoing task that requires many hours of researching, building, patch testing, deploying, reporting, and debugging. XEOX reduces the time that companies using WSUS spend on patch management by supplying pre-built, fully tested, ready-to-use packages for popular third-party applications. XEOX is designed to leverage the Microsoft WSUS infrastructure and enable successful deployment, management and reporting for third-party patches.
With XEOX, administrators can use advanced WSUS patch management capabilities to gain increased control over Microsoft WSUS. A lot of time and effort can be saved by automating various patching processes. XEOX Patch Manager makes it easy to schedule patch management tasks to run during the maintenance window, select which systems to patch, and receive relevant notifications once the process is complete. Use the immediate schedule and reboot feature to help desktops or servers prove compliance as quickly as possible.
Another reason to use WSUS and XEOX together is that, in combination, these two tools do not interfere with the Internet connection at your workplace. WSUS brings the updates you want directly to your server. This means that XEOX only needs to deploy patches to the server and not download updates from the Internet. This is very helpful because it means that bandwidth is not affected and the Internet connection is always maintained, with no possible outage.
You should also keep in mind that it is very safe to use WSUS and XEOX in combination, because the installations – updates, installation of new software – have been verified twice. First, WSUS detects that there is a possible new update. After that you can check with XEOX if the new update is wanted/necessary. If yes, you can use XEOX to install it automatically on all your computers.
Patching with WSUS only works if the WSUS server is always up to date. In day-to-day work, however, such a trivial thing is quickly forgotten. With the help of XEOX, this cannot happen: you can specify that updates are installed only from WSUS but are still searched for with XEOX. This way you can see which updates are available, without them being installed. So if you find that there are new Windows updates but they are not installed automatically, you know that your WSUS server is not up to date.
However, in recent years there have been more and more problems with WSUS. There are many people who no longer want to use WSUS. Of course, if you don’t want to continue using WSUS, there is the option to replace it completely and utilize XEOX for all your tasks instead. This is especially convenient if you don’t like to use multiple tools at the same time. This works in XEOX with so-called update lists (allow or deny lists). You can create and manage these under Job Center -> Update lists. Then they can be defined in the WuInstall Actions in the Job Editor.