WSUS is a widely used free program for those looking to add some automation to their Windows patching process. Distributed by Microsoft, WSUS was designed to alleviate the pain and difficulty of patching manually. For Windows networks, WSUS seemed like a simple solution to the patching process. Unfortunately, there have been issues with it ever since it was introduced, and as environments have evolved, WSUS has become an outdated solution. So what are the pros and cons of patching with WSUS?
Pros of WSUS
Cost: WSUS is a free tool, so businesses of any size can take advantage of its features. For smaller companies that aren’t able to utilize Microsoft’s enterprise-level system, SCCM, WSUS provides some patching automation capabilities at no upfront cost. However, companies evaluating WSUS should keep in mind the hidden costs of the system, including time spent on troubleshooting and the cost to acquire and use other tools for non-Windows operating systems as well as third-party applications.
Works with Windows Systems: Since WSUS is built by Microsoft, it will not have conflicts with Windows systems and, when configured correctly, can patch these systems semi-automatically. For those with Microsoft-only infrastructure, WSUS reduces the manual labor behind patching and tracks updates so SysAdmins can see what updates have been applied to each machine.
Cons of WSUS
Difficult to set up and configure: The initial setup of WSUS can be time-consuming, as there are many system requirements that have to be met before it is installed, and configuring the system to automatically check for and apply updates is tricky. WSUS sometimes fails to sync on certain machines, leaving SysAdmins to spend hours identifying the root cause of the problem and resolving it.
Update Issues: There have been long-standing reports of WSUS failing to properly report on patch status for all workstations and servers. Updates may not be installed consistently across an infrastructure, and some machines will report being 100% up to date on patches when they are missing critical updates. If SysAdmins are not vigilant in tracking patch status and failed updates, WSUS will leave you vulnerable when you think you’re patched.
Doesn’t work with mixed-OS environments: WSUS is by design a Windows-only solution, which limits its usefulness as infrastructures increasingly include non-Windows operating systems. In fact, Windows now accounts for less than half of operating systems. And interestingly, the next two most popular OSes are mobile. This shouldn’t come as a surprise. Employees are accessing the network at all hours, from anywhere, and on their own devices.
Limited Ability to Patch 3rd Party Applications: 3rd party software applications including Java and Adobe are easy targets for hackers, as they often include vulnerabilities which have not been patched. Studies have found that 76% [1] of all vulnerabilities are not from operating systems but from 3rd party applications. WSUS only allows for patching of these applications through an API which requires additional configuration and therefore is rarely used.
Lack of reporting: Infrastructure visibility is increasingly important as attacks become more costly and compliance becomes stricter. WSUS fails to provide adequate reporting on network-wide vulnerabilities, leaving SysAdmins to patch together reports from several sources and hope they have accounted for everything. This lack of reporting can lead to unpatched vulnerabilities going unnoticed and failed audits.
Affordable WSUS Alternatives
Cloud-based automated patch management solutions, like Automox, can replace WSUS and handle multi-OS and 3rd party software patching. Automox also does it at an affordable price, so that businesses of any size have access to enterprise-level patching features.
Automox installs in minutes, patches Windows, Mac, Linux, and 3rd party applications, and includes robust reporting, full system visibility, configuration management, and software deployment. To learn more, visit our website. Or if you’re ready to try it out, sign up for our free 15-day trial. No endpoint limit, no credit card required, and full platform features.