As many engineers who have worked in a Windows Domain environment will tell you, administration of WSUS can be a pain. The UI is not intuitive and can take many months to become familiar with, and with that familiarity comes a plethora of tedious administrative tasks required to properly administer updates to your domain. That said, WSUS does provide benefits, chief among them the ability to locally cache update files in your domain. Local caching is integral because it lets administrators save bandwidth on their internet connection by ensuring that updates only need to be downloaded once. So what do you do when you want a better user experience, but want to preserve the functionality of local caching? Luckily, Automox can work directly with WSUS to accomplish just that.
Why Integrate with Automox?
Automox provides you with a user experience that goes well beyond the WSUS UI. With Automox, all those tedious administrative tasks can be automated. Once you get everything configured properly, all you have to do is sit back and watch. You can also rest easy knowing that Automox accurately reports compliance within your environment. As an added bonus, we are continuously looking for new and innovative ways to improve your ability to administer your environment.
Configuring WSUS
Great! So, now what? The first step is to ensure that your WSUS environment is configured in a way that allows you to never have to touch it again. This involves configuring your desired products and classifications, languages, synchronization schedule, and automatic approvals. Most of these settings will be specific to your environment; however, a few are required in order to properly integrate with Automox, as described below. Remember, the goal here is to have WSUS locally cache any update files that may be needed. Administration of these updates will be done in the Automox console.
Update Files and Languages (Local Caching)
The “Update Languages” tab of this wizard will be specific to your environment; however, the “Update Files” tab should be configured as seen below:
Automatic Approvals
This section will require multiple steps to configure. The first part requires you to configure your automatic approval rule and will be specific to your environment. The goal here is to have WSUS automatically approve any update it finds. As such, this rule should mirror the products and classifications which you have configured on your WSUS server. Don’t worry, proper administration of these updates will be handled in the Automox console.
The second part of this configuration is found on the “Advanced” tab and should be set as shown below:
Pay special attention to the third checkbox. This will be an integral part of keeping your WSUS environment clean.
Maintaining your WSUS Environment
If you are automatically approving and downloading all updates, you can run out of storage space quickly. As such, it is important to remove any update files that are no longer needed. The downside is that this normally requires manual intervention in the WSUS UI. Fortunately, there is a PowerShell cmdlet that will easily allow you to automate this:
- Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupUnneededContentFiles -CompressUpdates -CleanupObsoleteUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
We recommend putting this into a scheduled task to run at least once a month. The output of this cmdlet is fairly useful and can be piped to an output file/log as desired. Additional documentation on this cmdlet lives here.
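One way to set up the scheduled task and log file described above, as an added example rather than Automox's own tooling. The directory, file names and task name are assumptions, and it assumes the WSUS server role runs on the machine where the task is registered.

```powershell
# Added example. Paths and the task name are assumptions, not values from the article.
$ScriptDir  = 'C:\Scripts\WsusCleanup'
$ScriptPath = Join-Path $ScriptDir 'Invoke-Cleanup.ps1'
$TaskName   = 'WSUS Monthly Cleanup'

New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# The task runs as SYSTEM, so standard users must not be able to edit the script.
# Drop inherited ACEs; grant full control to SYSTEM and local Administrators only.
icacls $ScriptDir /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' | Out-Null

# Wrapper script: runs the cleanup and appends the cmdlet's output to a log.
$Body = @'
$ErrorActionPreference = 'Stop'
$Log = Join-Path $PSScriptRoot 'cleanup.log'
try {
    $result = Invoke-WsusServerCleanup -CleanupObsoleteComputers `
        -CleanupUnneededContentFiles -CompressUpdates -CleanupObsoleteUpdates `
        -DeclineExpiredUpdates -DeclineSupersededUpdates
    "$(Get-Date -Format o) cleanup finished" | Add-Content -Path $Log
    $result | Add-Content -Path $Log
} catch {
    "$(Get-Date -Format o) cleanup FAILED: $($_.Exception.Message)" |
        Add-Content -Path $Log
    exit 1   # non-zero exit code shows up as the task's last run result
}
'@
Set-Content -Path $ScriptPath -Value $Body -Encoding UTF8

$Action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -File `"$ScriptPath`""

# New-ScheduledTaskTrigger has no monthly option; every four weeks
# satisfies "at least once a month".
$Trigger = New-ScheduledTaskTrigger -Weekly -WeeksInterval 4 `
    -DaysOfWeek Sunday -At '03:00'

$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Run at the next opportunity if the server was off; stop a hung cleanup.
$Settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force
```

Run it once from an elevated PowerShell session on the WSUS server; `Get-ScheduledTaskInfo -TaskName 'WSUS Monthly Cleanup'` then shows the last run time and result.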
Configuring Automox
Ready for some good news? Automox will natively work with your WSUS configuration out of the box. That said, we do recommend ensuring that Automatic Updates are disabled on your endpoints in order to prevent updates from automatically installing from WSUS. This can be accomplished via GPOs. However, we do provide some tools in the Automox console to help you with this, as well as tools to help with configuring your endpoints to communicate with your WSUS server.
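A way to confirm on an endpoint that the GPO settings described above have landed, as an added example that is not part of the Automox console tools. The function name and the server URL are assumptions; the registry values are the ones the Windows Update policy settings write.

```powershell
# Added example. Test-WsusClientPolicy is a hypothetical helper name and the
# URL passed at the bottom is a constructed placeholder for your WSUS server.
function Test-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][string]$ExpectedServer
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Returns $null when the key or value is absent (policy not applied).
    $get = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $server = & $get $wu 'WUServer'
    $status = & $get $wu 'WUStatusServer'
    $useWu  = & $get $au 'UseWUServer'
    $noAuto = & $get $au 'NoAutoUpdate'

    $expected = $ExpectedServer.TrimEnd('/')
    $findings = @()
    if ($noAuto -ne 1) {
        $findings += 'Automatic Updates not disabled by policy (NoAutoUpdate is not 1)'
    }
    if ($useWu -ne 1) {
        $findings += 'Endpoint not directed to an intranet server (UseWUServer is not 1)'
    }
    if ("$server".TrimEnd('/') -ne $expected) {
        $findings += "WUServer is '$server', expected '$expected'"
    }
    if ("$status".TrimEnd('/') -ne $expected) {
        $findings += "WUStatusServer is '$status', expected '$expected'"
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        WUServer     = $server
        UseWUServer  = $useWu
        NoAutoUpdate = $noAuto
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-WsusClientPolicy -ExpectedServer 'http://wsus.example.internal:8530'
```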
What’s Next?
That’s it! Automox is now configured to work with your existing WSUS infrastructure. You can now manage updates in your environment directly in the Automox console and not have to worry about the tedium of WSUS administration. Now that you have all that spare time, make sure to check out the rest of the Automox blog for more tips and tricks on how to make the management of your environment easier!