Pros And Cons Of Patching With WSUS

WSUS is a widely used free program for those looking to add some automation to their Windows patching process. Distributed by Microsoft, WSUS was designed to alleviate the pain and difficulty of patching manually. For Windows networks, WSUS seemed like a simple solution to the patching process. Unfortunately, there have been issues with it, ever since it was introduced. And as environments have evolved, WSUS has become an outdated solution. So what are the pros and cons of patching with WSUS?

Pros of WSUS

Cost: WSUS is a free tool, so businesses of any size can take advantage of its features. For smaller companies who aren’t able to utilize Microsoft’s enterprise-level system, SCCM, WSUS provides some patching automation capabilities at no upfront cost. However, companies evaluating WSUS should keep in mind the hidden costs of the system, including time spent on troubleshooting and cost to acquire and use other tools for non-Windows operating systems as well as third party applications.

Works with Windows Systems: Since WSUS is built by Microsoft, it will not have conflicts with Windows systems and when configured correctly can patch these systems semi-automatically. For those with Microsoft-only infrastructure, WSUS reduces the manual labor behind patching and tracks updates so SysAdmins can see what updates have been applied to each machine.

Cons of WSUS

Difficult to setup and configure: The initial setup of WSUS can be time-consuming as there are many system requirements that have to be met before it is installed, and configuring the system to automatically check for and apply updates is tricky. WSUS sometimes fails to sync on certain machines, leaving SysAdmins to spend hours identifying the root cause of the problem and resolving it.

Update Issues: There have been long-standing reports of WSUS failing to properly report on patch status for all workstations and servers. Updates may not be installed consistently across an infrastructure, and some machines will report being 100% up-to-date on patches when they are missing critical updates. If SysAdmins are not vigilant in tracking patch status and failed updates, WSUS will leave you vulnerable when you think you’re patched.

Doesn’t work with mixed-OS environments: WSUS is by design a Windows-only solution, which limits its usefulness as infrastructures increasingly include non-Windows operating systems.  In fact, Windows now accounts for less than half of operating systems. And interestingly, the next two most popular OS’s are mobile. This shouldn’t come as a surprise. Employees are accessing the network at all hours, from anywhere, and on their own devices.

Limited Ability to Patch 3rd Party Applications: 3rd party software applications including Java and Adobe are easy targets for hackers as they often include vulnerabilities which have not been patched: Studies have found that 76%1 of all vulnerabilities are not from operating systems but from 3rd party applications. WSUS only allows for patching of these applications through an API which requires additional configuration and therefore is rarely used.  

Lack of reporting: Infrastructure visibility is increasingly important as attacks become more costly and compliance becomes stricter. WSUS fails to provide adequate reporting on network-wide vulnerabilities, leaving SysAdmins to patch together reports from several sources and hope they have accounted for everything. This lack of reporting can lead to unpatched vulnerabilities going unnoticed and failed audits.

Affordable WSUS Alternatives

Cloud based automated patch management solutions, like Automox, can replace WSUS and handle multi OS and 3rd party software patching. And, Automox does it at an affordable price so that businesses of any size have access to enterprise level patching features.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-based and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-based patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.

1 https://www.csoonline.com/article/2226451/microsoft-subnet/third-party-software--not-microsoft-s--blamed-for-76--of-vulnerabilities-on-average.html

Subscribe to Our Newsletter

Stay up to date on all things patch management

Reduce your threat surface by up to 80%

Make all of your corporate infrastructure more resilient by automating the basics of cyber hygiene.