WSUS is used by many SysAdmins to check for and apply Windows patches in a semi-automated manner. The free tool was introduced by Microsoft over a decade ago to reduce the manual elements of patching and ensure systems are up-to-date on all workstations. However, as networks have become larger and more complex, frustrations with the tool have grown. Even discounting WSUS’ shortcomings when it comes to updates for non-Windows operating systems and 3rd party applications, the system often fails to adequately perform the main function it is designed for – to check for updates, apply them across machines, and accurately report on the patch status of connected devices.
Problems with WSUS applying updates effectively have been documented in online forums for years, and there are many tips for troubleshooting machines that appear fully patched but aren’t, client agents that won’t connect to WSUS, and updates that get stuck while processing. Missing patches sometimes date back several years, and machines which have been reporting 100% patch status often have hundreds of updates available once they are reconfigured to report correctly.
These issues stem from a myriad of problems, from patches containing bugs which do not allow them to be installed by WSUS, to WSUS itself not being on the most up-to-date version. Recently, Microsoft released an update which inadvertently wiped the “Update History” list from many WSUS instances, leaving admins to find workarounds to compile a list of patches that had been applied.
SysAdmins often spend hours searching for a fix, and yet WSUS’ inability to accurately report on update status persists. Due to these inconsistencies, they must then spend additional time with external reporting tools to assure themselves that all devices have been fully patched.
WSUS update issues are not only an inconvenience, they can also be extremely dangerous. Microsoft issues an average of five critical vulnerability updates per week, not to mention all of their recommended and optional updates. And because of their strong market share these vulnerabilities are often exploited. Without complete and accurate visibility into patch status, Sysadmins may falsely believe their system is patched against a vulnerability that is being actively exploited. If companies are relying on WSUS for their Windows patching needs, they are putting their entire network at risk.
Cloud Based Automated Patching
To avoid security being compromised while using WSUS, SysAdmins should at the very least deploy an external vulnerability scanner that will identify updates that WSUS may have skipped. However, this method is not a long-term solution as it requires manual effort to perform scans and assess how to force WSUS to apply missed patches. For a more sustainable solution, companies should turn away from WSUS entirely and look to a cloud based automated patch solution.
While WSUS alternatives have historically been expensive and burdensome to maintain, newer cloud based solutions are available at a lower price point. Given the resources that need to be dedicated to troubleshooting WSUS, a reasonably priced alternative solution like Automox saves you time, money, and resources.
Automox scans for, installs, and verifies patches automatically and will re-try those that have not been successful. In addition to Windows systems, Automox patches Linux, Mac, and 3rd party applications including Adobe, Java, Chrome, Firefox, and others. You no longer need to cobble together multiple tools to ensure your infrastructure is patched and secure. By bringing reporting for all systems into one easy-to-use dashboard, Automox enables SysAdmins to immediately view the patch status of their entire infrastructure.
Another Automox benefit is its simplicity. Unlike WSUS, visibility, reporting, patching, policy creation, and configuration management are straight forward, intuitive tasks. If you want to learn more about Automox, drop us a note. Or to try it out, sign up for our 15-day free trial, no credit card required.