One of the biggest challenges faced by network administrators is secure management, deployment of software updates, and hotfixes especially in networks containing hundreds of client PCs. If it’s not done right, it could lead to serious problems. Having the right update management tool and procedures is critical to the successful management and deployment of software updates and patches into production environments. This helps to maintain operational efficiency, overcome security vulnerabilities, and maintain the stability of your corporate network.
To help administrators manage the distribution of software updates in the Windows network environment, Microsoft released a tool known as Windows Server Update Services (WSUS). WSUS allows automatic downloads of updates, hotfixes, service packs, device drivers, and feature packs to client PCs from a central server or servers. WSUS downloads these updates from the Microsoft Update website and then distributes them to computers on a network.
Systems Center Configuration Manager (SCCM) is another tool by Microsoft that can also improve patch management. SCCM acts as a complementary tool to WSUS. While WSUS implements updates to your Windows server, SCCM is a much broader patch management system that can update third-party applications. Although WSUS is an excellent tool for patch and update management, it is not without problems and issues.
One of the biggest challenges faced by WSUS server administrators is the inability of clients to report or communicate back to the server. In fact, if you google the search term “WSUS clients not reporting”, you will likely see over 200,000 search results. This offers a glimpse into the scale or enormity of the problem. There are also problems associated with synchronization, approvals, console access, storage, self-updating, and targeting. Instead of focusing on more important things, you find yourself struggling to figure out why a tool meant to make your life easier is actually complicating it. In this article, we will take a look at some of the six best WSUS client diagnostic tools to help you deal with common issues associated with WSUS.
The Best WSUS Client Diagnostic Tools
The SolarWinds Diagnostic Tool for the WSUS Agent is a simple GUI-based free patch management tool that helps Windows network administrators validate client configurations and troubleshoot client connection issues in their WSUS environment. With this tool, you can easily figure out if the client-side agent for WSUS has the right configuration. This can potentially save you hours of combing through log files and online forums.
The SolarWinds WSUS diagnostic tool can make your job as a Windows network administrator much easier by helping you troubleshoot issues with the WSUS agent, and even patch third party apps at no cost—it’s 100% free. Other key features and capabilities include:
- Validates client configurations and troubleshoot client connection issues in your WSS environment.
- Tests connections to all WSUS resources required by a client and Identifies causes for defective configuration, and the appropriate repairs based on real-world experiences of other WSS administrators.
- Validates the machine state and Windows Update agent configuration values.
- Connects to the configured WSUS server, and provides detailed descriptions of Windows Update Agent errors.
SolarWinds Patch Manager is a powerful WSUS diagnostic tool targeted at large network and virtual environments with multiple WSUS servers and hundreds to thousands of workstations. It is designed to extend the traditional functions of WSUS and SCCM to provide scalable and automated patch management.
Apart from diagnosing and fixing problems on clients, Patch Manager has the ability to use WSUS and SCCM integration to provide updates to most third-party applications, giving you complete control over your entire patch management process. It also includes and extends the capabilities of the SolarWinds Diagnostic Tool for the WSUS Agent. Other key features and capabilities include:
- Perform centralized and automated software installation
- WSUS and third-party application patch management
- Troubleshoot issues with the WSUS agent
- Receive notifications of failed updates
- Integrations with SCCM
- Facilitate reporting
It can also deploy Wake on LAN to reactivate sleeping devices when a scan is scheduled and to turn them back off once the scan is complete. Patch Manager aims to help you mitigate software vulnerabilities with real-time security monitoring and detailed security compliance reports. You can also schedule automated summary reports for updates on the status of your patch activities.
You can check out the 30-day free trial to confirm its capabilities and make sure it’s the right fit for you and your organization before purchase. The price starts at $1,976. Subscription and perpetual licensing options are available.
3. Microsoft WSUS Diagnostic Tool
In response to the issues arising from the WSUS client software, Microsoft created WSUS Diagnostic Tool to aid the WSUS administrator in troubleshooting the client machines that are failing to report back to the WSUS Server.
The tool tests the communication between the WSUS Server and the client machine, and displays the results in the console window, with the option to have the results logged to a file in addition to being displayed on the console. It executes the following functions which enable it to evaluate and return the completed results:
- Verify the machine state
- Compare AU settings
- Verify the proxy settings
- Verify the WSUS server URL
Having a diagnostic tool directly from Microsoft to deal with issues arising from its WSUS application makes sense, and results obtained from the diagnostic tool have been used by Microsoft support teams to resolve reported WSUS related issues. However, the WSUS diagnostic tool is a command-line tool and may be less favorable for those who are more inclined to GUI-based tools. Most of all, the tool is outdated and only supported in the archaic Windows Server 2000 and 2003 OS. You would have to look elsewhere if you’re running a more recent Server OS.
4. ADF Designs WSUS Tool
The ADF Designs WSUS tool is a free and open-source GUI WSUS client diagnostic tool that debugs and manages WSUS. It is designed for Windows administrators who clone PCs and need to troubleshoot and manage WSUS related issues. The tool can perform multiple actions on WSUS clients with limited accounts and strict group policies. The three primary features and capabilities of the ADF Designs WSUS tool are as follows:
- Detect Now—detects all the clients running the Windows Automatic Updates service (wuaucltl.exe)
- Clone Fix—attempts to fix the failure in the client. Removes some registry values and resets and restarts authorization and the wuauserv service respectively.
- Report now—runs the reporting functionality on the WSUS client and saves the logs.
All of those functions can normally be done via the Windows command-line and registry, but this tool simplifies the entire process, thereby making it easy to carry out diagnosis on machines with restricted accounts and strict Group Policy Object (GPO). In November of 2019, the application was updated to support Windows 10, Server 2012 R2, Server 2016, and Server 2019. The new version now runs on .NET Framework 4.0 or later (Net 4.0+). The latest version can be downloaded here.
In order to be able to use this tool, you’ll need to have Windows Automatic Updates service (wuaucltl.exe) located in “C:\Windows\System32” always running in the background for each WSUS client. The only major concern here is that malicious actors sometimes create files with virus scripts and name them after wuauclt.exe with the intention to spread the virus on the internet. Ensure that you have an up-to-date anti-malware program running on your systems. If you notice the file located outside “C:\Windows\System32”, you know it is malware. You should run an anti-malware scan to get rid of the malware.
5. WSUS Offline Update
WSUS Offline Update just as the name implies is a free and open-source tool that allows you to download Microsoft updates. The downloaded updates can then be installed on offline computers running Microsoft Windows or Office applications without an internet connection.
There are times when it is necessary to perform Windows updates on offline computers especially if you have computers on your network that do not have internet access, or if you do not want all your computers to connect to Microsoft update server and download updates. This is where the WSUS Offline Update tool comes into play. Although it does not troubleshoot or diagnose connections between WSUS clients and servers like the other tools. However, it is an excellent alternative to update computers that are unable to communicate with the WSUS server due to one failure or the other. This gives you time to diagnose and fix the issues while keeping your systems up to date.
The tool provides options to convert the updated files to ISO images and store them in a USB memory stick or DVD where they can be installed on offline computers. The tool supports updates for Windows OS, Office, and legacy applications. The following tools are required to successfully download and install updates on offline computers:
- A Windows 7/10 computer or Windows Server computer with an internet connection and adequate storage space for the updates (mandatory)
- A folder on the computer to save the downloaded zip file (mandatory)
- A USB or DVD drive to allow copying of updated files (optional)
The latest version of the software can be downloaded here.
BatchPatch is a Windows update and WSUS patch management tool designed to help automate the distribution of software updates. In addition to having all the functionalities of the standard WSUS package, this utility comes with a colorful GUI interface and better management and reporting capabilities than the Windows WSUS server. BatchPatch comes with a functionality that allows it to access and query each client remotely and run independent diagnostics, manually perform tasks such as restart the WSUS service, run custom scripts, reboot, and shut down.
BatchPatch was designed to be simple and easy to use. All it takes to launch the application is to run the .exe file—no installation required. Once you launch the application, you can then begin to load a list of computer names, IP addresses, or MAC addresses to perform actions on. Some of the key features and capabilities include:
- Initiate the download and/or installation of Windows updates on multiple remote computers (standalone, workgroup, or domain) simultaneously from a single console.
- Choose to install all available updates or just specific updates such as Critical Updates, Security Updates, Service Packs, Drivers, or Microsoft recommended updates.
- Turn BatchPatch into a central distribution point for Windows Updates using the optional ‘Cached Mode’.
- Apply Windows Updates to computers that do not have internet access (offline Windows Update) using ‘Offline Mode.
BatchPatch is supported on Windows Vista, 7, 8/8.1, 10, server 2003/2003R2, server 2008/2008R2, server 2012/2012R2, server 2016, and server 2019; and must have the .NET Framework 4.0 installed. In addition to patching recent Windows OSs, BatchPatch can also patch computers running Windows 2000 SP3/SP4 and Windows XP, but it is not supported on those operating systems.
A trial version of BatchPatch is available for download and free evaluation before you purchase the license. The evaluation version is fully functional (except the ‘Run BatchPatch as a service’ functionality) and does not have a time limit, but it allows a maximum of only four simultaneous target hosts in the grid.
The tools reviewed above are some of the best WSUS diagnostic tools out there. With those tools at your disposal, you no longer have to dread Microsoft Patch Tuesday or your organization’s patch management process, or even the common issues associated with WSUS. If your network is large and includes virtual environments and a mix of Windows and non-Windows operating systems and applications, make sure to consider a large-scale patching tool such as SolarWinds Patch Manager that can also accommodate third-party applications.
The tools discussed are not necessarily a replacement for your WSUS and SCCM utility—rather, they build upon them to provide a hitch-free patch management process for your Windows and non-Windows operating systems and applications. If you are looking to learn more about other patch management applications and WSUS software alternatives, check out this definitive guide.