Endpoint Management Tooling Series: What is WSUS?

What is WSUS?

Windows Server Update Services (WSUS) was created to give administrators centralized patch management for Windows machines.

How does WSUS work?

At the highest level, WSUS is simply a server role that can be installed on any Windows Server. The WSUS server downloads patches and updates from Windows Update over the internet.

Once patches are downloaded to WSUS, administrators approve them for deployment. To avoid manual work in this step, administrators can also configure rules that automatically approve updates for deployment as soon as they are downloaded from Windows Update.

To force installation, administrators can set a deadline for a particular update; the update is installed when the deadline arrives. This can be disruptive, as updates that require a reboot will also reboot the machine automatically, regardless of what the computer is doing at that time.

What OSes are covered under WSUS?

Windows Workstations (e.g. Win 7, 8.1, 10, 11, etc.) and Windows Servers (e.g. Server 2019, 2016, 2022, etc.) are covered under WSUS.

What can WSUS do?

The key capability of WSUS is centralized patch management. However, there are certain drawbacks to using the tool. Some such drawbacks are as follows:

  • WSUS maintenance can be cumbersome for administrators, especially if you’re using an SQL database to store patches. You’ll likely need to become knowledgeable in SQL database administration in addition to WSUS to be successful.

  • There are limited options for patching deadlines, notifying end users, and reboots if a patch requires them. These factors all contribute to end user and business disruption.

  • Other operating systems like Linux or macOS are not covered.

Can WSUS update third-party software?

Third-party patching with WSUS is difficult and work-intensive:

  • If you want to patch third-party apps like Zoom or Adobe products with WSUS, you need to do what’s known as local publishing.

  • Local Publishing means you can create and publish custom updates, applications, and device drivers through the WSUS API. According to Microsoft, this is “best performed by organizations that have dedicated development and testing resources, since the planning, implementation, testing, and deployment, of custom updates is a complex and time-consuming process.”

  • Most organizations either buy a product that works in conjunction with WSUS to make this easier, or just hope that end users patch their third-party applications themselves.

What are the deployment requirements for WSUS?

The first thing you’ll have to do when deploying WSUS is make a few essential decisions. Based on the size and needs of your organization, you’ll need to determine if multiple WSUS servers are required, what database they use, and how you will prepare computers to be updated by WSUS.

WSUS licensing requirements

Overall, licensing cost isn’t as large of an issue with WSUS as with other management solutions since the WSUS license comes free with Windows Server licenses. As we’ve already touched on, there are many additional and hidden costs that must be factored into your budgeting and planning if you are considering WSUS.

Larger organizations may choose to run multiple WSUS servers in a hierarchy in order to support multiple, distributed locations with unique corporate networks.

WSUS database requirements

Another factor for organizations both large and small is the underlying database to support your WSUS installation. When updates are downloaded from Windows Update, WSUS has to store them before they are distributed to your devices. This can be done via Windows Internal Database (WID) or with an SQL server.

Now, WID is included for free, but you’ll sacrifice performance, especially at scale. Furthermore, if your org grows, you’ll probably need to migrate to SQL to handle it. The SQL database is more expensive but does tend to perform better than WID.

VPN requirements

As you implement WSUS, you must also prepare your users and their computers to update via WSUS. Devices on the same network as the WSUS server – let’s call this the intranet – will get updates from WSUS (assuming you’ve configured them to).

However, devices outside of the intranet – remote or distributed employees – will either need to connect to the intranet over a VPN, or their devices will need to get updates from another service, like Windows Update, which means they access the internet directly for updates. So you must either provide a VPN service for remote users to reach the intranet, or configure their computers to update via Windows Update, which may sacrifice visibility and control over patching intervals.

Active Directory for configuration

Whatever you choose for remote and on-prem users, you will need to configure their devices to point to WSUS or Windows Update for patching. You can configure these settings via Group Policy Objects (GPOs) if you use Active Directory. While Active Directory isn't required for WSUS to work, it will make configuring these settings easier. If you don’t have Active Directory, you need a way to configure each client (computer) to look to the WSUS server for updates.
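An added example (not from the original post) of what "pointing a client at WSUS" looks like on the client side: the GPO "Specify intranet Microsoft update service location" writes the Windows Update policy registry keys, and this script reads them to report whether a machine will use WSUS or Windows Update and flags two settings a defender would want to catch. It assumes only the standard policy key paths; without Active Directory, these are the same values you would have to set on each client by another means.

```powershell
# Added example: audit a client's Windows Update policy to see whether it
# is configured for WSUS or for Windows Update directly.
# Assumes the standard policy registry location written by the
# "Specify intranet Microsoft update service location" GPO.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusClientConfig {
    $result = [ordered]@{
        Source         = 'Windows Update (no WSUS policy)'
        WUServer       = $null
        WUStatusServer = $null
        TargetGroup    = $null
        Findings       = @()
    }

    if (-not (Test-Path $policyKey)) { return [pscustomobject]$result }

    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey    -ErrorAction SilentlyContinue

    $result.WUServer       = $wu.WUServer
    $result.WUStatusServer = $wu.WUStatusServer
    # Client-side targeting: the WSUS computer group this machine reports into.
    if ($wu.TargetGroupEnabled -eq 1) { $result.TargetGroup = $wu.TargetGroup }

    # UseWUServer=1 under ...\AU is what actually redirects the client to WSUS;
    # WUServer alone is not enough.
    if ($au.UseWUServer -eq 1 -and $wu.WUServer) {
        $result.Source = "WSUS ($($wu.WUServer))"

        # Defender checks: the WSUS URL should be HTTPS so update traffic is
        # protected in transit, and the status server should match so that
        # reporting lands on the same server clients download from.
        if ($wu.WUServer -notmatch '^https://') {
            $result.Findings += 'WSUS URL is not HTTPS; client/server traffic is unencrypted'
        }
        if ($wu.WUStatusServer -and $wu.WUStatusServer -ne $wu.WUServer) {
            $result.Findings += 'WUStatusServer differs from WUServer'
        }
    }
    elseif ($wu.WUServer -and $au.UseWUServer -ne 1) {
        $result.Findings += 'WUServer is set but UseWUServer is not 1; client still uses Windows Update'
    }

    return [pscustomobject]$result
}

Get-WsusClientConfig | Format-List
```

Run it on a domain-joined client after a `gpupdate /force` to confirm the GPO actually reached the machine; an empty Findings list with Source reporting WSUS is the expected healthy state.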

Should you use WSUS? A few takeaways

At the end of the day, WSUS is a decent option for organizations heavy in the Microsoft space. But your org needs to be okay with spending extra administrator time on routine tasks instead of license fees and potentially purchasing additional products to support third-parties as well as other operating systems.

But, to be clear, I wouldn’t really recommend WSUS as the sole tool for patching in your org – even if you are Microsoft-heavy.

If you’re a company with little IT spend, it might make sense to look for a zero-infrastructure patching product. Now, the licensing fee will be higher, but you’ll save a ton of money throughout your contract with less infrastructure, no maintenance, and a simpler end user experience for your admins.

Endpoint Management Tooling Series

This series is designed to give you a primer on what tools are available from Microsoft and to help you understand where they work well or where they may fall short.

This series covers the following tools:

  • Windows Server Update Services (WSUS) for patching

  • Intune for mobile devices

  • Endpoint Manager for Unified Endpoint Management (UEM)

Dig in to learn how these tools intertwine, and how they’re used in an enterprise setting.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
