If you've managed Windows patches for any length of time, you've dealt with WSUS. It's been the default choice for nearly 20 years. It's free. It works. And in September 2024, Microsoft deprecated it.
This guide covers what WSUS does, the problems you've probably already encountered, what deprecation means in practice, and how to think about your options going forward.
What is WSUS?
Windows Server Update Services (WSUS) is a free patch management tool built into Windows Server. It downloads updates from Microsoft, stores them locally, and distributes them to Windows devices on your network. For a focused introduction to the platform, see our WSUS overview.
Think of WSUS as a middleman between Microsoft Update and your endpoints. Instead of every device downloading patches directly from the internet, they pull updates from your WSUS server. This reduces bandwidth usage and gives you control over which updates get deployed.
How WSUS works
The patch management process in WSUS follows four steps:
Your WSUS server syncs with Microsoft Update and downloads available patches
You review available updates and approve them for deployment
Devices on your network check in with the WSUS server on a schedule
Approved updates download from the WSUS server and install
You can set up automatic approval rules if you don't want to manually approve everything, though plenty of administrators prefer to review updates before pushing them out.
What does WSUS patch?
WSUS handles updates for:
Windows 10 and Windows 11
Windows Server (2016, 2019, 2022, 2025)
Microsoft 365 Apps
Other Microsoft products like SQL Server, Exchange, and Visual Studio
What WSUS cannot patch
This is where things get complicated. WSUS has significant gaps that have become more problematic as IT environments have changed:
macOS and Linux - No support. If you have Macs or Linux servers, you need a separate tool.
Third-party applications - Technically possible through local publishing, but Microsoft's documentation describes it as "best performed by organizations that have dedicated development and testing resources." Most organizations don't bother.
Remote devices - Endpoints must connect to the corporate network or VPN to receive updates. Devices that rarely connect fall out of compliance.
These limitations matter more now than they did when WSUS launched. Remote work is common, mixed-OS environments are the norm, and third-party application vulnerabilities are just as dangerous as OS vulnerabilities.
Is WSUS deprecated?
Yes. Microsoft officially deprecated WSUS in September 2024. Deprecation means Microsoft will no longer develop new features or invest in the product. Security updates will continue, and WSUS will keep functioning for the foreseeable future, but no enhancements are planned.
Microsoft now recommends Intune, Windows Autopatch, and Azure Update Manager as replacement solutions.
What does WSUS deprecation mean for IT teams?
Deprecation doesn't require immediate action. Your existing WSUS infrastructure will continue working. But it does change the calculus for long-term planning:
No new features - WSUS won't gain capabilities to address its current limitations
Declining support - Microsoft's focus shifts to cloud-based alternatives
Technical debt - Continuing to build on WSUS means investing in a platform with no future development
Planning required - Organizations should evaluate migration options on their own timeline
You don't need to panic. You do need to think about what comes next.
What is the difference between WSUS and SCCM?
WSUS and System Center Configuration Manager (SCCM) are both Microsoft tools for managing Windows updates, but they serve different purposes. For a detailed comparison, see our WSUS vs SCCM breakdown.
WSUS focuses specifically on patch distribution. It's free with Windows Server, has basic reporting, requires manual configuration and maintenance, and only handles Windows.
SCCM (now called Microsoft Endpoint Configuration Manager) is an enterprise management platform that includes patch management. It actually uses WSUS under the hood to check for and deploy updates. SCCM adds granular deployment control, advanced reporting dashboards, hardware and software inventory, operating system deployment, and some macOS support (though Microsoft has reduced this over time).
The tradeoff is complexity and cost. SCCM licensing is expensive, typically bundled with Enterprise Agreements, and the platform requires dedicated expertise to deploy and maintain.
When to use WSUS vs SCCM
WSUS makes sense if you only need Windows patch management, your budget is tight, and you're willing to handle the maintenance yourself. It's a reasonable choice for simpler environments where the limitations don't cause problems.
SCCM makes sense if you need more than just patching - inventory, OS deployment, compliance reporting - and you're already paying for Microsoft enterprise licensing. The platform requires dedicated expertise, so it fits better in organizations with staff who can focus on it.
The bigger question is whether either tool fits your actual environment. Both assume devices connect to your network regularly. Both struggle with third-party applications. If your challenges are remote workers or non-Microsoft software, moving from WSUS to SCCM doesn't solve the underlying problem.
What is Windows Autopatch?
Windows Autopatch is Microsoft's cloud-based patch management service for Windows 10 and Windows 11. Released in July 2022, it automates Windows update deployment using deployment rings. For more details on Microsoft's cloud patching solution, read our Windows Autopatch guide.
How Windows Autopatch works
Autopatch automatically groups devices into deployment rings:
| Ring | Percentage | Purpose |
|---|---|---|
| Test | Minimal | Early validation with IT-owned devices |
| First | 1% | Broader validation before wide deployment |
| Fast | 9% | Catch issues before majority deployment |
| Broad | 90% | Production deployment |
Updates progress through rings automatically. Microsoft manages timing and rollback if issues are detected.
Windows Autopatch requirements
Windows 10/11 Enterprise E3 or E5 licensing
Microsoft Intune enrollment
Azure Active Directory (Entra ID)
Devices must be Azure AD joined or hybrid Azure AD joined
Windows Autopatch limitations
Autopatch addresses some WSUS problems but introduces constraints:
Windows 10/11 only - No Windows Server support
No third-party patching - Still requires separate tools for non-Microsoft applications
No macOS or Linux - Microsoft platforms only
Limited control - Administrators cannot set specific deployment times or manually approve updates
Licensing requirements - E3 licensing excludes many organizations
Autopatch works well for organizations fully committed to Microsoft's cloud ecosystem with Windows 10/11 workstations only. Mixed environments need additional solutions.
How much does WSUS actually cost?
WSUS is included with Windows Server at no additional licensing cost. This makes it appear free, but the total cost of ownership is higher than the sticker price suggests.
Infrastructure costs
You need servers to run WSUS. For larger environments, you'll likely need multiple WSUS servers, and you may need to migrate from Windows Internal Database to SQL Server as your environment grows. That means:
Windows Server licensing for WSUS servers
SQL Server licensing for larger deployments
Storage for cached update files
Network infrastructure for distributed locations
Administrative overhead
Anyone who's run WSUS knows the maintenance burden:
Database maintenance - The WSUS database grows constantly as Microsoft releases updates. Without regular cleanup, performance degrades. Administrators run cleanup scripts monthly:
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupUnneededContentFiles -CompressUpdates -CleanupObsoleteUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
Sync troubleshooting - WSUS servers stop syncing due to network issues, proxy problems, IIS application pool crashes, or disk space constraints. Each failure requires investigation.
Client troubleshooting - Devices stop checking in, report incorrect status, or fail to install updates without clear errors. Tracking down why a specific machine isn't patching is a recurring task.
Additional tools
Organizations using WSUS typically need separate solutions for macOS patching, Linux patching, third-party application updates, and remote device management. Each tool has its own console, maintenance requirements, and learning curve.
When you factor in server costs, maintenance time, and supplementary tools, WSUS often costs more than cloud-native alternatives that consolidate these capabilities.
Common WSUS problems and solutions
IT administrators have documented WSUS issues for years. These problems help explain why many organizations seek alternatives.
WSUS clients not reporting correctly
Problem: The WSUS console shows devices as compliant, but manual scans reveal missing patches.
Causes:
Stale client records in the WSUS database
Synchronization failures between client and server
Group Policy misconfigurations
Windows Update Agent issues on endpoints
Solutions:
Run regular database cleanup
Reset the Windows Update Agent on affected clients
Verify Group Policy settings point to correct WSUS server
Check client-side logs in `C:\Windows\WindowsUpdate.log`
This is the most frustrating WSUS issue because it undermines trust in your compliance data. If you can't trust the console, you end up manually verifying patch status, which defeats the purpose of having a patch management tool.
WSUS synchronization failures
Problem: WSUS server stops syncing with Microsoft Update.
Causes:
Network connectivity or firewall issues
Proxy configuration problems
IIS application pool crashes
Database corruption
Insufficient disk space
Solutions:
Check network connectivity to Microsoft Update servers
Verify proxy settings in WSUS configuration
Restart the WsusPool application pool in IIS
Run database maintenance scripts
Free disk space for update downloads
Sync failures happen often enough to be a regular annoyance. Each one requires troubleshooting time that could be spent on other work.
WSUS database bloat
Problem: WSUS performance degrades as the database grows.
Solution: Run monthly maintenance:
# Decline superseded updates
Get-WsusUpdate -Approval AnyExceptDeclined -Status Any |
Where-Object {$_.Update.IsSuperseded} |
Deny-WsusUpdate
# Run full cleanup
Invoke-WsusServerCleanup -CleanupObsoleteComputers -CleanupUnneededContentFiles -CompressUpdates -CleanupObsoleteUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
For large environments, consider migrating from Windows Internal Database to SQL Server.
Remote devices not receiving updates
Problem: Laptops and remote workers miss updates because they rarely connect to the corporate network.
Options:
Require VPN connections (poor user experience, inconsistent compliance)
Publish WSUS to the internet (security risks, complex configuration)
Implement a cloud-native patch management solution (removes network dependency)
This problem has grown significantly as remote and hybrid work has become standard. WSUS was designed when most devices lived in the office.
When should you keep WSUS?
WSUS remains a reasonable choice in specific scenarios:
Bandwidth-constrained locations - Offices with limited internet connectivity benefit from local update caching. Downloading each update once and distributing locally reduces bandwidth consumption.
Air-gapped networks - Disconnected environments that cannot reach the internet require on-premises solutions. WSUS handles offline update distribution.
Windows-only environments - Organizations with no macOS or Linux devices and no third-party patching requirements can meet their needs with WSUS alone.
Stable existing deployments - If your WSUS infrastructure runs smoothly and you've built effective processes around it, deprecation alone doesn't force immediate change.
Even in these scenarios, plan for eventual migration given Microsoft's direction.
When should you replace WSUS?
Consider alternatives if your organization:
Spends significant time on WSUS maintenance and troubleshooting
Has remote or hybrid workers who rarely connect to the corporate network
Manages macOS or Linux devices alongside Windows
Needs to patch third-party applications like Chrome, Zoom, or Adobe products
Cannot trust WSUS compliance reports without manual verification
Runs multiple tools to cover what WSUS cannot
How to use WSUS with cloud-native patch management
Some organizations keep WSUS for local caching while adding a cloud-native tool for management and cross-platform coverage. This hybrid approach preserves bandwidth benefits while addressing WSUS limitations. For implementation details, see our WSUS + Automox integration guide.
Hybrid deployment configuration
Configure WSUS to auto-approve and cache Windows updates
Deploy the cloud-native agent to all endpoints
Point Windows devices to WSUS as their update source
Manage policies, schedules, and reporting through the cloud console
Handle macOS, Linux, and third-party updates through the cloud solution
Windows devices pull updates from the local WSUS cache. The cloud platform provides visibility, policy enforcement, and cross-platform management.
This approach makes sense for organizations with large office locations where bandwidth is a concern but who also need the management capabilities WSUS lacks. Learn more about local caching with your existing WSUS infrastructure.
Bandwidth optimization without WSUS
Windows 10 and 11 include Delivery Optimization, which enables peer-to-peer update sharing on local networks. This reduces bandwidth without requiring WSUS infrastructure.
Delivery Optimization settings you can configure:
Bandwidth limits during business hours
Peer sharing restricted to local subnet
Maximum cache size per device
Download mode (LAN only, internet peers, or Microsoft CDN)
For many organizations, Delivery Optimization provides enough bandwidth savings to eliminate the need for WSUS as a caching layer.
What to look for in a WSUS alternative
When evaluating replacements, focus on the gaps that led you away from WSUS in the first place.
If you're managing Windows alongside macOS or Linux, look for cross-platform support in a single console. Running separate tools for each OS recreates the fragmentation problem you're trying to solve.
Third-party application patching matters more than it used to. Chrome, Firefox, Zoom, Slack, Adobe products, and Java all have vulnerabilities that need addressing. A solution that handles these natively saves you from bolting on yet another tool.
For distributed teams, remote device support is non-negotiable. Devices should receive updates over any internet connection without VPN requirements. If you're replacing WSUS partly because of remote worker challenges, make sure the replacement actually solves that problem.
Reporting accuracy is worth testing during your evaluation. If you've dealt with WSUS compliance data that didn't match reality, verify that the new solution's reporting is trustworthy before committing.
Beyond basic patch scheduling, consider what else you need. Some solutions offer automated remediation, custom scripting, and policy-based configuration that extend well beyond what WSUS provides.
How to migrate from WSUS
Moving away from WSUS requires planning to avoid gaps in patch coverage.
Phase 1: Assessment
Inventory all devices currently managed by WSUS
Identify existing gaps (macOS, Linux, third-party applications, remote devices)
Document current patch policies, schedules, and approval workflows
Assess bandwidth requirements at each location
Phase 2: Pilot deployment
Deploy the new solution to a test group
Run parallel with WSUS to compare coverage and compliance data
Validate that the new solution catches everything WSUS does
Train IT staff on the new platform
Phase 3: Phased migration
Move device groups gradually from WSUS to the new solution
Start with remote devices or a single location
Monitor for missed patches or unexpected issues
Expand to additional groups as confidence builds
Phase 4: Decommission
Remove WSUS Group Policy settings from migrated devices
Decommission WSUS servers once all devices have migrated
Update documentation and procedures
Archive WSUS compliance data if retention is required
Where to go from here
WSUS served its purpose for nearly 20 years. For organizations with Windows-only environments, limited remote workers, and tolerance for maintenance overhead, it still functions.
For everyone else, Microsoft's deprecation announcement is a reasonable prompt to evaluate where you are. The maintenance burden, coverage gaps, and remote device challenges have always existed. Microsoft stepping back from development makes those limitations harder to ignore.
You don't need to migrate immediately. WSUS will continue working. But if it's been a source of frustration, or if your environment has outgrown what WSUS can handle, now is a good time to explore what else is available.
)
)
)
)