Endpoint Management Tooling Series: What is WSUS?

Basically, Windows Server Update Services (WSUS) was created to help administrators with centralized patch management.

At the highest level, WSUS is simply a role set on any Windows Server. The WSUS server downloads patches and updates from Windows Update via the internet.

Once patches are downloaded to WSUS, administrators approve them for deployment. To avoid manual work in this step, administrators can also configure rules to automatically approve updates from deployment once they are downloaded from Windows Update.

For requiring updates, administrators can require an update deadline for a particular update, this will install the update at that time. This can be bad, as updates that require reboots will also automatically reboot regardless of what the computer is doing at that time.

What OSes are covered under WSUS?

Windows Workstations (e.g. Win 7, 8.1, 10, 11, etc.) and Windows Servers (e.g. Server 2019, 2016, 2022, etc.) are covered under WSUS.

The key capability of WSUS is centralized patch management. However, there are certain drawbacks to using the tool. Some such drawbacks are as follows:

• WSUS maintenance can be cumbersome for administrators, especially if you’re using an SQL database to store patches. You’ll likely need to become knowledgeable in SQL database administration in addition to WSUS to be successful.

• There are limited options for patching deadlines, notifying end users, and reboots if a patch requires them. These factors all contribute to end-user and business disruption.

• Other operating systems like Linux or macOS are not covered.

Third-party patching with WSUS is difficult and work-intensive:

• If you want to patch third-party apps like Zoom or Adobe products with WSUS, you need to do what’s known as local publishing.

• Local Publishing means you can create and publish custom updates, applications, and device drivers through the WSUS API. According to Microsoft, this is “best performed by organizations that have dedicated development and testing resources, since the planning, implementation, testing, and deployment, of custom updates is a complex and time-consuming process.”

• Most organizations might buy a product that works in conjunction with WSUS to make this easier, or just hope that end users patch their third-parties themselves.

The first thing you’ll have to do when deploying WSUS is make a few essential decisions. Based on the size and needs of your organization, you’ll need to determine if multiple WSUS servers are required, what database they use, and how you will prepare computers to be updated by WSUS.

Overall, licensing cost isn’t as large of an issue with WSUS as with other management solutions since the WSUS license comes free with Windows Server licenses. As we’ve already touched on, there are many additional and hidden costs that must be factored into your budgeting and planning if you are considering WSUS.

Larger organizations may choose to run multiple WSUS servers in a hierarchy in order to support multiple, distributed locations with unique corporate networks.

Another factor for organizations both large and small is the underlying database to support your WSUS installation. When updates are downloaded from Windows Update, WSUS has to store them before they are distributed to your devices. This can be done via Windows Internal Database (WID) or with an SQL server.

Now, WID is included for free, but you’ll sacrifice performance, especially at scale. Furthermore, if your org grows, you’ll probably need to migrate to SQL to handle it. The SQL database is more expensive but does tend to perform better than WID.

As you implement WSUS, you must also prepare your users and their computers to update via WSUS. Devices on the same network as the WSUS server – let’s call this the intranet – will get updates from WSUS (assuming you’ve configured them too).

However, devices outside of the intranet – aka remote or distributed employees – will need to connect to the intranet with a VPN, or their devices will need to get updates from another service, like Windows Update, which means their devices will access the internet directly to get updates. This means you must either have a VPN service for remote users to connect to the intranet or configure their computers to update via Windows Update, which may sacrifice visibility and control over patching intervals.

Whatever you choose for remote and on-prem users, you will need to configure their devices to point to WSUS or Windows Update for patching. You can configure these settings via Group Policy Objects (GPOs) if you use Active Directory. While Active Directory isn't required for WSUS to work, it will make configuring these settings easier. If you don’t have Active Directory, you need a way to configure each client (computer) to look to the WSUS server for updates.

At the end of the day, WSUS is a decent option for organizations heavy in the Microsoft space. But your org needs to be okay with spending extra administrator time on routine tasks instead of license fees and potentially purchasing additional products to support third-parties as well as other operating systems.

But, to be clear, I wouldn’t really recommend WSUS as the sole tool for patching in your org – even if you are Microsoft-heavy.

If you’re a company with little IT spend, it might make sense to look for a zero-infrastructure patching product. Now, the licensing fee will be higher, but you’ll save a ton of money throughout your contract with less infrastructure, no maintenance, and a simpler end-user experience for your admins.