Otto  background

Pros & Cons of Patching with Microsoft WSUS

Connect With Us

Start now, and patch, configure, and control all your endpoints in just 15 minutes.

Windows Server Update Services (WSUS) is a widely used tool that helps administrators with centralized patch management. Distributed by Microsoft, WSUS was designed to alleviate the pain and difficulty of patching manually.

For Windows environments, WSUS seemed like a simple solution to the patching process. However, the solution’s been plagued with usability issues since it was introduced.

As organizations grow more complex with staff working from home and accessing cloud networks and as there are more functionality needs from their patching solutions, WSUS presents itself as an outdated solution.

So what are the pros and cons of patching with WSUS?

Pros of WSUS

Cost of WSUS

WSUS is a free tool installed as a role on Windows Server. Technically, businesses of any size can take advantage of its features. For smaller companies who aren’t able to utilize Microsoft’s System Center Configuration Manager (SCCM), WSUS provides some patching capabilities at no upfront cost.

However, companies evaluating WSUS should keep in mind the hidden costs of the system, such as time spent on troubleshooting and maintaining infrastructure as well as the cost of acquiring and using other tools for non-Windows operating systems and third-party applications.

WSUS Works with Windows Systems

Since WSUS is built by Microsoft, it works with Windows systems and can patch them when configured and maintained correctly. For those with Microsoft-only infrastructure, tracks updates so SysAdmins can see what updates have been applied to each machine.

Cons of WSUS

WSUS is difficult to set up and configure

The initial setup of WSUS can be time-consuming. There are multiple system requirements that have to be met before it is installed. And configuring the system to automatically check for and apply updates can be both time-consuming and complex. WSUS sometimes fails to sync on certain machines, leaving technicians to spend hours identifying the root cause of the problem and resolving it.

WSUS has update issues

There have been long-standing reports of WSUS failing to properly update on patch status for all workstations and servers. Updates may not be installed consistently across your infrastructure, and some machines will report being 100% up to date on patches when they are still missing critical updates. If SysAdmins are not vigilant in tracking patch status and failed updates, WSUS will leave you vulnerable when you think you’re patched.

WSUS doesn’t work with mixed-OS environments

WSUS is by design a Windows-only solution, which limits its usefulness as infrastructures increasingly include non-Windows operating systems.

Limited ability to patch third-party applications

Third-party software, such as Java, Chrome, and Adobe are popular targets for hackers as they often include vulnerabilities that have not been patched. WSUS only allows for patching of these applications through complex workarounds, and the update catalogs are not intuitive.

Lack of adequate reporting

Infrastructure visibility is increasingly important as attacks become more costly and compliance becomes stricter. WSUS fails to provide adequate reporting on network-wide vulnerabilities, leaving SysAdmins to patch together reports from several sources and hope they have accounted for everything. This lack of reporting can lead to unpatched vulnerabilities going unnoticed and failed audits.

Affordable WSUS Alternatives

Automated cloud-native patch management solutions like Automox can replace the complex management, reliability issues, and lack of modern features that WSUS provides.

Our patch management solution installs in minutes and provides full system visibility to workstations and servers, configuration management, and software deployment. For more on this topic, check out the following:

Dive deeper into this topic

loading...