Windows Server Update Services, better known as WSUS, is a software update facility bundled into Windows Server. The utility will automatically check for updates, hotfixes, and patches to Microsoft software and then distribute them to all the computers on the network.
Keeping all of your software up to date is an important guard against viruses and network intrusions. Hackers discover new exploits in software all the time, and as soon as their new attacks are discovered, software producers race to close off the loophole. Those fixes are issued as patches and updates.
We cover the tools in this post in some depth below, but in case you only have time for a quick summary, here is our list of the best Windows Server Update Services tools:
- SolarWinds Diagnostic Tool for the WSUS Agent (FREE DOWNLOAD) – A troubleshooting wizard for WSUS connections that just won’t work.
- Microsoft WSUS Client Diagnostic Tool – The definitive client diagnostic tool for WSUS.
- ManageEngine Patch Manager Plus (FREE TRIAL) – Patch management for software resident on Windows, Mac OS, Linux, and the Cloud.
- Microsoft WSUS Reporting Rollup Sample Tool – An update consolidation service for status reports in multi-server WSUS implementations.
- AFDesign’s WSUS Tool for Spiceworks – User-community-provided front end to the standard WSUS process.
- WSUS Offline Tool – Registers the need to update software on offline devices.
- BatchPatch – Windows-based interface to WSUS procedures.
- SolarWinds Patch Manager (FREE TRIAL) – This utility gives you full patch management and it integrates SCCM monitoring; the tool can update software on Mac OS, Unix, Linux, and Windows, but the software only runs on Windows Server.
Keeping up to the latest version of your operating system is particularly important. An exploit in the operating system can give hackers access to the underlying firmware of your computer and give them unrestricted access to all software and data stored on your equipment. Therefore, WSUS is an essential tool for any business running the Windows Server environment.
WSUS is a free automatic updates service, but as a patch management system, it is a little rudimentary. The system does produce logs, but these can be difficult to comb through manually. Fortunately, a number of small utilities can organize the data produced by WSUS and help you keep track of the software versions operating on your network.
WSUS periodically checks the Microsoft servers for software updates and downloads them into a central repository. As an administrator, you have the option to approve or block specific updates. You can also specify the date on which the software will be distributed. It is also possible to pre-configure the distribution function to define automatic procedures for different classes of updates. So, you can specify that critical and security updates get installed automatically, while service packs and driver updates are held pending manual approval.
A detection function in WSUS creates a report on the updates available for each machine. This provides an inventory of the Microsoft software on each endpoint with the version status of each program. Other settings in WSUS block manual changes to Microsoft products operating on each computer.
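A scripted equivalent of the approval policy described above, as an added example that is not part of the original article or of any vendor's tooling. It uses the cmdlets of the UpdateServices PowerShell module on the WSUS server; the computer group name is a hypothetical placeholder, and `-WhatIf` keeps the approval step as a dry run.

```powershell
# Added example: run on the WSUS server itself (UpdateServices module).
Import-Module UpdateServices

$pilotGroup = 'Pilot Workstations'   # hypothetical computer group name
$wsus       = Get-WsusServer         # connects to the local WSUS server

# 1. Critical and security updates that clients still need and that nobody
#    has approved yet: approve them for installation.
$autoApprove = foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class `
                   -Approval Unapproved -Status FailedOrNeeded
}

# -WhatIf shows what would be approved without changing anything.
# Remove it once the list has been reviewed.
$autoApprove |
    Approve-WsusUpdate -Action Install -TargetGroupName $pilotGroup -WhatIf

# 2. Everything else that clients need (service packs, drivers, feature packs
#    and so on) is left unapproved and listed for a manual decision.
$held = Get-WsusUpdate -UpdateServer $wsus -Classification All `
                       -Approval Unapproved -Status FailedOrNeeded |
    Where-Object { $_.Classification -notin 'Critical Updates', 'Security Updates' }

$held |
    Sort-Object Classification |
    Select-Object Classification,
                  @{ Name = 'Title'; Expression = { $_.Update.Title } },
                  ComputersNeedingThisUpdate |
    Format-Table -AutoSize
```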
WSUS and SCCM tools
Although WSUS does very well as a patch management service, gaps in its functionality can be filled by other tools. WSUS only deals with Microsoft products, so you have to look elsewhere for facilities to cover patch management of other software. SCCM, the System Server Configuration Management tool, is another important patch management service that operates in the Windows environment. It is common to encounter tools that can interact with both WSUS and SCCM to produce a more comprehensive patch management service.
Not all patch management tools integrate with WSUS, so in this report, we have focused only on tools that either enhance WSUS capabilities or integrate WSUS in a wider and more comprehensive patch management system for automatic updates.
When selecting tools for this list, our main considerations were tool reliability and robustness in diverse industry use cases, how the software is maintained and updated, how easy the software is to set up and use, the availability of documentation and support, and overall functionality and performance.
SolarWinds provides an extensive library of infrastructure management software and it is particularly strong on network device monitoring utilities. This free utility from SolarWinds enhances WSUS and is a step between bare WSUS capabilities and full patch management. If you only have a small network and can’t really justify the cost of a full patch management facility, this tool could be your best option.
The SolarWinds Diagnostic Tool for the WSUS Agent monitors the client status of WSUS agents running on the endpoints on your network. This gives an alternative view of update actions, so you don’t just have to rely on the status reports given by the central WSUS server.
The agent perspective of this tool helps resolve situations where the whole WSUS system just doesn’t work properly. It is very nice when everything works as it is supposed to, but as a systems administrator, you know that a large part of your job involves dealing with things going wrong. SolarWinds started with the assumption that things will go wrong and that gives this tool a unique starting point.
What do you do if an endpoint just doesn’t show up in WSUS? Why do some updates take forever to install and some fail repeatedly? WSUS is such a contained package that it can sometimes be a bit inscrutable. So, a good place to start when checking on problems is to ensure that the flow through of WSUS is getting to each agent on the endpoint machines.
With this tool, you can start off by making sure that each WSUS agent is actually operating and that the central WSUS server can communicate with each of them. The Diagnostic Tool will check all of the configuration values of each agent and report on them to give you a baseline. Nine times out of ten, this check will solve most of your update syncing problems. However, in the difficult-to-fix cases, you have another level of assistance with the Diagnostic Tool.
The tool produces error reports on each troubled update agent. Error codes are explained and the tool gives you recommendations on the actions you need to take to get the problem agent properly running again. This tool is a great help and it costs nothing.
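The same kind of agent baseline can be collected by hand on a single endpoint. The following read-only PowerShell sketch is an added example, not code from SolarWinds or Microsoft; the function name `Get-WsusClientBaseline` is hypothetical, and it assumes the client is configured through the standard Windows Update policy registry values (`WUServer`, `WUStatusServer`, `UseWUServer`, `TargetGroup`).

```powershell
# Added example: read-only baseline of the WSUS client (Windows Update Agent)
# configuration on the local machine. The function name is hypothetical.
function Get-WsusClientBaseline {
    [CmdletBinding()]
    param()

    $wuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey    = Join-Path $wuKey 'AU'
    $findings = New-Object System.Collections.Generic.List[string]

    # Policy values delivered by Group Policy; a missing key means that no
    # WSUS policy has been applied to this machine.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    if (-not $wu.WUServer) {
        $findings.Add('No WUServer value: the client is not pointed at a WSUS server.')
    }
    if ($au.UseWUServer -ne 1) {
        $findings.Add('UseWUServer is not 1: the agent ignores the WUServer setting.')
    }

    $reachable = $null
    if ($wu.WUServer) {
        $uri = [uri]$wu.WUServer
        if ($uri.Scheme -ne 'https') {
            $findings.Add("WUServer uses $($uri.Scheme): update metadata is not protected by TLS.")
        }
        if ($wu.WUStatusServer -and $wu.WUStatusServer -ne $wu.WUServer) {
            $findings.Add('WUStatusServer differs from WUServer: status reports go elsewhere.')
        }
        # TCP reachability of the WSUS port, taken from the configured URL
        # (WSUS defaults are 8530 for HTTP and 8531 for HTTPS).
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $reachable) {
            $findings.Add("Cannot open TCP port $($uri.Port) on $($uri.Host).")
        }
    }

    # The agent depends on the Windows Update service and BITS.
    $services = Get-Service -Name wuauserv, BITS -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        if ($svc.StartType -eq 'Disabled') {
            $findings.Add("Service $($svc.Name) is disabled.")
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WUServer        = $wu.WUServer
        WUStatusServer  = $wu.WUStatusServer
        TargetGroup     = $wu.TargetGroup
        UseWUServer     = $au.UseWUServer
        ServerReachable = $reachable
        Services        = ($services | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
        Findings        = $findings
    }
}

Get-WsusClientBaseline | Format-List
```

An empty `Findings` list with `ServerReachable` set to `True` means the endpoint's policy and connectivity are consistent, so a missing or failing client is more likely a server-side or agent-state problem.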
The SolarWinds Diagnostic Tool for the WSUS Agent is a great help when things go wrong. You can also use it to perform periodic system checks to keep ahead of potential points of failure. This management console tool covers all of the tasks that you could get from the WSUS update agent. If you also seek a substitute for the SCCM console then you should investigate the SolarWinds Patch Manager that also appears on this list.
SolarWinds Diagnostic Tool is perfect for network administrators looking to monitor and diagnose WSUS issues. Based on the assumption that WSUS will go wrong, it lets you test connections and identify causes of failure, and it helps you to repair Windows Update Agent errors. A great tool that every net admin should use.
OS: Windows Server
Microsoft is also aware that the WSUS system doesn’t always run smoothly and has made available its own agent diagnostic tool to ease the Microsoft update process. This free utility is similar to the SolarWinds Diagnostic Tool for WSUS Agents — in the world of WSUS, examining the “client” or the “agent” amounts to the same thing.
The Microsoft diagnostic tool runs from the command line. It does not have the sophisticated GUI that the SolarWinds free tool offers. Another difference between these two tools is that the Microsoft tool runs on the client machine and doesn’t operate from a central point. So, you have the option of visiting each endpoint, installing the executable file and running it there, or using remote management software to install the program and run it from a central location. Either way, the on-screen feedback makes it difficult to get any analysis records out of this system.
Many system administrators have a “supplier first” policy when it comes to using diagnostic tools. That attitude is totally understandable. It is better to get error reports produced by the original software supplier’s diagnostic tools. So, if you want to know why a Microsoft product is not working properly, it is better to use a Microsoft diagnostic tool. This is particularly the case where other Microsoft products, such as Active Directory, may be contributing to the problem. This is why the Microsoft WSUS Client Diagnostic Tool is included in this list.
If you need to call Microsoft for support, they may expect you to run this utility in order to give them status information before they can help you solve the problem. That said, Microsoft makes it very clear that the tool is provided as is and provides no support for the utility itself.
So, even if you are not very impressed by this tool, it is probably better to download it and have it on hand, just in case. The tool costs nothing and takes up very little space, so it won’t be too much bother to just keep it in case of performance problems.
ManageEngine offers a software monitoring service that allows you to keep all of your utilities up to date automatically. Patch Manager Plus is part of a stable of IT infrastructure management tools offered by the company and it can also be integrated as a plug-in into Spiceworks.
The software for Patch Manager Plus runs on Windows and Windows Server environments. However, there are agents available that enable the system to monitor software statuses on Mac OS and Linux systems as well. Patch Manager Plus agents can run on Debian, Ubuntu, CentOS, RHEL, and SuSE Enterprise Linux.
The tool scans all contactable endpoints, making an inventory of their software. A check on the latest versions of each of these products reveals which modules are out of date. Patch Manager Plus then communicates with the servers of the relevant software producers and downloads all of the necessary patches. These patches can then be installed automatically without human intervention. However, you can specify that all candidate patches should be listed in the dashboard first for human approval.
The approval process might demand a test of the new update. The Patch Manager Plus interface includes a test system that will try out the new update on a small number of devices first so that you can assess the impact of software changes before they roll out to your entire network.
All of the facilities of Patch Manager Plus are available for software running on a cloud server. However, those servers will need to be running Windows. The utility is available for installation on-premises or as a cloud-based service. ManageEngine offers a free edition of Patch Manager Plus, but that will only monitor up to 25 devices. If you have a larger network, you can decide between the Professional edition, which covers LANs or the Enterprise edition, which is suitable for managing software across multi-site WANs. You can get a 30-day free trial of either of these paid options.
The Microsoft WSUS Reporting Rollup Sample Tool is a free Microsoft update utility and has a much better interface than the Microsoft Diagnostic Tool. This is an extension of the server element of WSUS, so you only have to install it in one place, not on each endpoint. Although Microsoft seems to have put more work into the production of this facility than the command line diagnostic tool, it still states in the tool’s documentation that it offers no support for it. So don’t call on Microsoft’s Support team if you can’t get this tool to work properly.
The “rollup” element in this tool’s name refers to its purpose as a consolidation service for environments that include multiple WSUS servers. This reporting tool gathers status reports from all the WSUS servers on the network and presents them as unified data. Whether you merge all of the data from all of the servers or enumerate them is up to you. The reporting rollup tool is completely customizable. Users are expected to write their own report scripts. This is a specialist task and you may not have the skills to write your own scripts, or the time to learn the scripting language. This is where the “sample” part of the tool’s name comes in.
When you download this utility, you also get a number of pre-written report formats bundled in with it. These are sample reports that you can use as they are, or adjust the code to create your own reports in less time than it would take you to create a report script from scratch. This is a great help for busy systems administrators with little spare time in the day. Remember, this tool is only of use to networks that include more than one WSUS server. So, if you only have a small network with one central WSUS server, you won’t need this utility.
Spiceworks’ user community produces add-ons and features for the free Spiceworks network management utility. One of the free tools available from the Spiceworks community is AFDesign’s WSUS Tool. The source code for the program is available at the utility’s page on the Spiceworks community website.
This is a script that automates the queries and actions that can be performed by the standard wuauclt.exe program, which ships with WSUS. This program runs on client machines, so if you like this WSUS tool, you will need to install it on each endpoint. If you have remote management software, you can install and execute the script from your central location.
As the utility only employs standard Microsoft executables, you can be secure in the knowledge that you are not running third-party software that could damage your network or install malware. You can comb through the code yourself and see there is nothing malicious in there.
The program uses the standard WSUS detection procedure as a starting point. This gives you information on which services of the client agent are visible to the server. It will restart the client auditing software and run an audit check on it. This gets you a limited timeframe report rather than a tagged-on endless ongoing log file.
The process automation script checks each client. It is the type of utility you could probably write yourself. However, as someone has written this for you, the AFDesign WSUS Tool saves you some time running diagnostics.
WSUS deals with endpoints that don’t have direct access to the internet using a process called WSUS Offline Update. However, this system only installs “critical” and “security” status patches, leaving the endpoint out of sync with the full set of patches available from Microsoft. The Anoop WSUS Offline Tool fixes that deficit.
This tool schedules all available patches for the endpoint device type and delivers them from a central download server. Anoop C Nair, who wrote the tool, recommends it only for development and sandbox environments, not for live systems. Essentially, the tool will flag offline machines for all updates to be installed, not just the higher-status ones.
BatchPatch adds a cheery and colorful GUI interface to your WSUS server. BatchPatch sits on top of the underlying WSUS service to provide better management and reporting functions than the bare WSUS facility. This utility is not free — the price for the tool is $399 for a one-user license with one year of support included. Prices go up to $2,999 for a 15-user license and increase to $3,745 if you buy a two-year support package with it.
BatchPatch works on the central server and includes a client querying section, which enables you to remotely access each client and run custom scripts for diagnostic purposes. Those remote functions let you manually reboot or shut down individual endpoints and employ Wake on LAN. Offline installs to clients can also be managed through BatchPatch. So, the functionality of this tool combines both server and client elements, although there won’t be any BatchPatch programs installed on any of the client computers.
First of all, this utility gives you all the functionality that the standard WSUS package includes; it just makes the commands easier to see. It makes a better effort of querying the statuses of each endpoint than the standard WSUS system. A range of pre-written report formats help you view network device statuses. A rollup reporting system is available for networks with multiple WSUS servers.
BatchPatch goes beyond WSUS because it manages updates from other system service producers, such as Adobe and Oracle. The scripting language of BatchPatch lets you sequence updates to manage software dependencies better. That extends across providers, so you can install required supporting software for each update, no matter where that software comes from.
BatchPatch is a step up from the straightforward WSUS system because it offers a full-blown patch management system for all service software. However, it isn’t advertised as a patch management tool for all software, i.e., applications and operating system software and services. The tool’s capabilities include downloading, transferring, and installing updates, diagnosing problem clients, and reporting on activities.
You can get a free trial version of BatchPatch. This does not have a time limit, but it is restricted to covering just four endpoints.
This list includes a wide range of tools that work with WSUS ranging from quick reporting utilities through to full-blown patch management systems. The top-of-the-line patch management tool that uses WSUS is the SolarWinds Patch Manager.
The Patch Manager includes the facilities covered by the SolarWinds Diagnostic Tool for the WSUS Agent, listed above. However, it expands on that utility to provide full patch management functions. It integrates SCCM monitoring to interact with agents running on Mac OS, Linux, Unix, iOS, and Android devices as well as the full range of Windows operating systems. So, this patch manager tool, although it runs on Windows Server, extends patching capabilities to the whole network and is more than just a WSUS management console or even an SCCM console substitute.
Patch processes finish with an automatic diagnostic verification, so you don’t need to run a separate investigation in order to discover whether any of the endpoints on the network are out of sync. The tool reports reasons for patch update failure. You can select an action to take from a drop-down list of options that appears against each failed update record.
Thanks to SCCM inclusion, the SolarWinds Patch Manager is not limited to just updating system software and services. You can include updates to all of the software running on your devices, including applications. The types of software that the Patch Manager can handle extend to virtual environment management systems. The management settings extend to GPO control, including factors such as a local group policy.
The Dashboard of the Patch Manager displays your devices and the software installed on each. This gives you an overview, and a reduced list shows failed updates on devices or devices that have fallen behind in their software versions. Software vulnerabilities can also be identified in reports for distribution to other actors in the organization.
SolarWinds includes a support service, which is almost unique in the network management market. It pre-tests the patches available from all of the major software producers, so you can install them all automatically without fear of malware or software bugs. The Patch Manager includes a scheduler so you can install patches and updates outside of working hours. The pre-screening service of SolarWinds is an essential part of getting the tool to do all the work for you while you sleep.
All of these features come at a price. The SolarWinds Patch Manager’s price starts at $3,690. That base price gets you perpetual use of the software to cover up to 250 network nodes. The largest network the Patch Manager can handle includes 60,000 nodes, which would cost you $147,495. You can get a 30-day free trial to try out the SolarWinds Patch Manager.
Choosing a WSUS tool
The definition of “WSUS tool” is very broad, so this review has covered the whole spectrum. If you just want to get to grips with error reporting on failed downloads, then the free SolarWinds Diagnostic Tool would serve you well.
Surprisingly few tools on the market just focus on enhancing WSUS. You are much more likely to get WSUS support with patch management systems such as BatchPatch or the SolarWinds Patch Manager. It may be worthwhile to look into network device management systems and endpoint user managers. Many of these integrate well with patch management to improve the security of your network.