Windows Server Update Services, better known as WSUS, is a software update facility bundled into Windows Server. The utility will automatically check for Microsoft software updates, hotfixes, and patches and then distribute them to all the computers on the network.
Although the WSUS server is a free automatic update service, it is a little rudimentary as a patch management solution. The system produces logs, but these can be difficult to comb through manually.
Fortunately, several small utilities can organize the data produced by WSUS and help you keep track of the software versions operating on your network.
Here is our list of the best WSUS server tools & software alternatives:
- SolarWinds Patch Manager (FREE TRIAL) This utility gives you full patch management and it integrates SCCM monitoring; the tool can update software on Mac OS, Unix, Linux, and Windows, but the software only runs on Windows Server.
- ManageEngine Patch Manager Plus (FREE TRIAL) Patch management with automated rollouts, update testing system, and version status audit reports for software resident on Windows, Mac OS, Linux, and the Cloud.
- Syxsense Manage (FREE TRIAL) A cloud-based IT asset management service that includes OS patching, third-party patching and patch management systems to keep your endpoints fully up to date.
- NinjaRMM Patch Manager (FREE TRIAL) A technician's tool package for MSPs that includes an automated patch manager. This is a cloud-based system.
- ManageEngine Patch Connect Plus (FREE TRIAL) An SCCM-based patch manager that is able to manage updates to Microsoft and third-party software. Installs on Windows Server.
- AJ Tek WSUS Automated Maintenance A package of useful tools for managing and improving WSUS. Installs on Windows.
- AFDesign’s WSUS Tool for Spiceworks User-community-provided front end to the standard WSUS process.
- Atera RMM Manages operating system and firmware patching as part of a suite of remote monitoring and management tools.
- WSUS Offline Tool Registers the need to update internal software on offline devices.
- BatchPatch Windows-based interface to WSUS procedures.
The best WSUS server tools and software alternatives
What should you look for in a WSUS server tool? We reviewed the software patch manager market and analyzed tools based on the following criteria:
- The ability to integrate with WSUS to enhance functionality
- Samples of WSUS replacement options
- Patch gathering and storage
- Automated patch rollout
- Full action logging for compliance reporting
- The option for manual patch application
- The offer of a free trial for assessment
- Valuable tools that are worth the money
This list includes a wide range of tools that work with WSUS ranging from quick reporting utilities through to full-blown patch management systems. The top-of-the-line patch management tool that uses WSUS is the SolarWinds Patch Manager.
The Patch Manager provides full patch management functions. It integrates SCCM monitoring to interact with agents running on Mac OS, Linux, Unix, iOS, and Android devices as well as the full range of Windows operating systems. So, this patch manager tool, although it runs on Windows Server, extends patching capabilities to the whole computer network and is more than just a WSUS management console or even an SCCM console substitute.
Patch processes are completed with diagnostic verification applied automatically, so you don't need to run a separate investigation to discover whether any of the endpoints on the network are out of sync. The tool reports reasons for patch update failure. You can select an action to take from a drop-down list of options that appears against each failed update record.
Thanks to SCCM inclusion, the SolarWinds Patch Manager is not limited to just updating system software and services. You can include updates to all of the software running on your devices, including applications. The types of software that the Patch Manager can handle extend to virtual environment management systems. The management settings extend to GPO control, including factors such as a local group policy.
The centralized dashboard of the Patch Manager displays your devices and the software installed on each. This gives you an overview, and a reduced list shows failed updates on devices or devices that have fallen behind in their software versions. Software vulnerabilities can also be identified in reports for distribution to other actors in the organization.
SolarWinds includes a support service, which is almost unique in the network management market. It pre-tests the patches available from all of the major software producers, so you can install them all automatically without fear of malware or software bugs. The Patch Manager includes a scheduler so you can install patches and updates outside of working hours. The pre-screening service of SolarWinds is an essential part of getting the tool to do all the work for you while you sleep.
All of these features come at a price. The SolarWinds Patch Manager’s price starts at $3,690. That base price gets you perpetual use of the software to cover up to 250 network nodes. The largest network the Patch Manager can handle includes 60,000 nodes, which would cost you $147,495. You can get a 30-day free trial to try out the SolarWinds Patch Manager.
ManageEngine offers a software monitoring service that allows you to keep all of your utilities up to date automatically. Patch Manager Plus is part of the stable of IT infrastructure management tools offered by the company, and it can also be integrated as a plug-in into Spiceworks.
The software for Patch Manager Plus runs on Windows and Windows Server environments. However, there are agents available that enable the system to monitor software statuses on Mac OS and Linux systems as well. Patch Manager Plus agents can run on Debian, Ubuntu, CentOS, RHEL, and SuSE Enterprise Linux.
The tool scans all contactable endpoints, making an inventory of their software. A check on the latest versions of each of these products reveals which modules are out of date. Patch Manager Plus then communicates with the servers of the relevant software producers and downloads all of the necessary patches. These patches can then be installed automatically without human intervention. However, you can specify that all candidate patches should be listed in the centralized dashboard first for human approval.
The approval process might demand a test of the new update. The Patch Manager Plus interface includes a test system that will try out the new update on a small number of devices first so that you can assess the impact of software changes before they roll out to your entire network.
All of the facilities of Patch Manager Plus are available for software running on a cloud server. However, those servers will need to be running Windows. The utility is available for installation on-premises or as a cloud-based service. ManageEngine offers a free edition of Patch Manager Plus, but that will only monitor up to 25 devices. If you have a larger network, you can decide between the Professional edition, which covers LANs, or the Enterprise edition, which is suitable for managing deployed software across multi-site WANs. You can get a 30-day free trial of either of these paid options.
Syxsense Manage is a SaaS system that helps you manage IT assets and particularly looks after endpoints. As a cloud-based service, this system isn’t limited to looking after assets on one network. It can identify and group together the management of all of your endpoints anywhere in the world. It isn’t limited to just supervising the management of desktop computers. The tool will manage peripherals and IoT devices as well.
Among the functions of this service, you will find a software management system. This is able to monitor and log OS versions and scan for all software packages, noting their versions. The system then performs its patch management routines, looking out for patches when they become available and copying them into its own storage space in the cloud.
The patch manager in Syxsense will cover devices running Windows, macOS, and Linux. That includes servers. The system is able to roll out patches automatically, given a schedule of downtime windows to work with. It also includes the option to install patches on demand to individual devices or to groups of endpoints.
The service will scan all endpoints and alert you to software, applications, and OSs that are out of date. It also keeps a log of all patching actions and records the completion status of each patch as it is applied, or whether it failed to apply. The logs and reports are essential if you need to comply with standards such as HIPAA, PCI DSS, and SOX.
Syxsense Manage isn’t just a patch manager. It includes a device discovery service that will search your network and log all connected devices. This device inventory, along with the software inventory that it creates from a scan of each device is constantly refreshed, so you know that you can see the latest hardware and software inventories in the Syxsense dashboard.
The console for the Syxsense system is resident in the cloud and accessible from anywhere through any standard Web browser. Features within the dashboard include a remote control system that supports manual investigations of any of your endpoints, even those that are turned off – there is a Wake-on-LAN function in the package.
The dashboard allows you to set up a standard configuration for a typical device and also a software profile. This automates the onboarding of any new endpoint or the remapping of a device to suit the needs of a new user. Device onboarding can also be implemented in bulk.
The price for Syxsense Manage starts at $600 per year to manage 10 devices. It is available for a 14-day free trial.
The NinjaRMM Patch Manager is part of a bundle of tools that help technicians working for a managed service provider (MSP) to support the networks of client companies. This package would also be useful for IT professionals working in the central IT department of a large, multi-site enterprise.
This patch manager focuses on updating endpoints and servers that run Windows and macOS. It also updates more than 135 third-party applications. The success of the patch manager relies on the autodiscovery functions embedded in NinjaRMM. Whenever the system is set up to monitor a new network, it scans that site, logging all endpoints and then scouring each device for all installed software.
The software inventory of NinjaRMM notes the version numbers of each operating system and package that it encounters. This version number indicates the patch level applied in each instance. The first sweep of a system triggers a key patch management phase. In many instances, businesses don’t coordinate the patching of all of their devices, so the software scanner will likely find that many instances of the same software, such as the operating system, are at different patch levels.
Bringing all instances up to date isn’t as simple as just installing the latest patch. In many cases, patch systems are incremental improvements and rely on all previous patches being present before the latest patch can be applied. Therefore, onboarding a new company can result in many rounds of updates. NinjaRMM’s system manages those tasks autonomously.
The technician sets up a calendar of maintenance windows for the client’s system. Most of these periods will be standard for all clients, such as evenings and weekends. When the RMM system detects the availability of a patch, it copies over the installer to its own cloud server and then waits for the next maintenance window before applying those new patches. The technician can elect to hold up a patch by finding it in the list of pending patches in the NinjaRMM dashboard.
The NinjaRMM patch manager is designed for unattended execution. It is assumed that all rollouts will occur out of office hours. The patch manager produces execution logs and shows end statuses in the dashboard. Technicians can then look through the results of the rollout, investigate failed actions, and optionally re-apply a patch manually.
NinjaRMM is a cloud-based system with a subscription rate per monitored device. It is available for a 14-day free trial.
ManageEngine Patch Connect Plus is an SCCM-dependent software update manager that is able to monitor the versions of more than 330 software packages. The screens for this ManageEngine tool create an adaptation of the SCCM system so its own functions can be accessed through the SCCM console. Although SCCM is a Microsoft product, Patch Connect Plus doesn't limit its capabilities to just Microsoft software updates – it manages the products of other software houses as well.
The Patch Connect Plus scans a system for all installed software and then searches the information feeds of the suppliers of those packages for any available updates. This process is instant and creates a list of candidate patches. The user can read through that list and suspend some available updates if required. The way patches are rolled out depends on the settings chosen by the System Administrator. The behavior of patch installation is governed by the chosen Deployment Template.
Patch Connect Plus doesn't just create a software inventory when it starts operations and then stick to that list; it detects new software and updates the inventory automatically throughout its service life. The service also profiles each enrolled machine, giving a status report on software versions and available patches for each. All update actions are logged, and failed patches are highlighted for investigation or a re-run.
ManageEngine Patch Connect Plus is implemented as on-premises software for installation on Windows Server. There are three editions of the system: Standard, Professional, and Enterprise. The Standard edition is free to use and its sole task is to load a list of third-party software updates into SCCM.
The Professional version has a lot more features, including the option to implement third-party patches with WSUS. This service integrates into SCCM, adding a whole section to it. The Professional edition makes constant scans to form a software inventory – a feature not included in the Standard edition. The Enterprise edition includes more tools, such as an Applications Management system. You can try the Professional and Enterprise editions on a 30-day free trial, which is restricted to monitoring 10 apps.
AJ Tek produces a range of WSUS maintenance tools that cover standalone and distributed WSUS servers. All are very reasonably priced for the useful utilities that these bundles contain.
This system takes care of all of the maintenance tasks that you should be undertaking to keep WSUS and SCCM operating efficiently. WSUS Index Optimization in the package makes the database operations run faster. The tool also clears out unused drivers from the system. The system administrator is offered the option to remove certain types of updates and block them in the future; the options include expired, superseded, and preview updates.
With your WSUS system reduced in size and focused to only implement meaningful updates for your system, you free up space on your server and get to see a more manageable list of pending updates. The system also includes a method to manage the reports and synchronization logs that accumulate in WSUS. You can decide to keep the last 14 days of logs and choose to either delete or archive the rest.
The WSUS Automated Maintenance package makes your WSUS system more manageable and it frees up space on your server. It also frees up your time for other tasks. The system is available in a distributed format with modules for online, offline, and disconnected upstream servers, downstream servers used for replication, autonomous servers, and standalone WSUS servers.
The interface for the system is a setup wizard and the actual processes run at the command line in PowerShell. Although the system doesn’t have its own GUI interface, you see the results of its actions in the WSUS system. AJ Tek doesn’t offer a free trial. However, the system is very cheap, starting at $60 per year.
Spiceworks’ user community produces add-ons and features for the free Spiceworks network management utility. One of the free tools available from the Spiceworks community is AFDesign’s WSUS Tool. The source code for the program is available at the utility’s page on the Spiceworks community website.
This is a script that automates the queries and actions that can be performed by the standard wuauclt.exe program, which ships with WSUS. This program runs on client terminals, so if you like this WSUS tool, you will need to install it on each endpoint. If you have remote management software, you can install and execute the script from your central location.
As the utility only calls standard Microsoft executables, you are not running third-party binaries that could damage your network or install malware, and because the source is published you can comb through the code yourself and confirm there is nothing malicious in it.
The program uses the standard WSUS detection procedure as a starting point. This gives you information on which services of the client agent are visible to the server. It will restart the client auditing software and run an audit check on it. This gets you a report for a limited timeframe rather than an endless, ever-growing log file.
The process automation script checks each client. It is the type of utility you could probably write yourself. However, as someone has written this for you, the AFDesign WSUS Tool saves you some time running diagnostics.
Atera is a remote monitoring and management tool (RMM) that includes patch management functions for Microsoft Windows devices.
Available patches are recognized by the patch manager and listed in the management console. The operator has an opportunity to nominate any of them to be excluded from the update. Patches can be rolled out to all devices on the client’s network, to a group of devices, or they can be sent to individual devices.
Each Windows patch arrives with metadata that indicates its importance: Critical, Important, Security, or Service Pack. The Atera environment is able to read these categorizations and gives you the option of installing one, some, or all of the patches in these status types. The patch rollout service can be used to update Microsoft Office software, Java, and Adobe services.
The patch manager can be set to run weekly or monthly. When the update run is scheduled, the patch manager will apply all patches that are available in its working directory as long as none of them have been specifically blocked by the operator.
Atera is a cloud-based service, so you don’t need to install any software on your premises. The remote system that is being monitored will need agent programs installed, however. The pricing model for Atera levies charges per technician per month, with an annual tariff also available. Atera is available on a 30-day free trial.
WSUS deals with endpoints that don’t have direct access to the internet using a process called WSUS Offline Update. However, this system only installs “critical” and “security” status patches, leaving the endpoint out of sync with the full set of patches available from Microsoft. The Anoop WSUS Offline Tool fixes that deficit.
This tool schedules all available patches for the endpoint device type and delivers them from a central download server. Anoop C Nair, who wrote the tool, recommends it only for development and sandbox environments, not for live systems. Essentially, the tool will flag offline machines for all updates to be installed, not just the higher-status ones.
BatchPatch adds a cheery and colorful GUI interface to your WSUS server. BatchPatch sits on top of the underlying WSUS service to provide better management and reporting functions than the bare WSUS facility. This utility is not free — the price for the tool is $399 for a one-user license with one year of support included. Prices go up to $2,999 for a 15-user license and increase to $3,745 if you buy a two-year support package with it.
BatchPatch works on the central server and includes a client querying section, which enables you to remotely access each client terminal and run custom scripts for diagnostic purposes. Those remote functions let you manually reboot or shut down individual endpoints and employ Wake on LAN. Offline installs to clients can also be managed through BatchPatch. So, the functionality of this tool combines both server and client elements, although there won’t be any BatchPatch programs installed on any of the client computers.
First of all, this utility gives you all the functionality that the standard WSUS package includes; it just makes the commands easier to see. It makes a better effort of querying the statuses of each endpoint than the standard WSUS system. A range of pre-written report formats helps you view network device statuses. A rollup reporting system is available for networks with multiple WSUS servers.
BatchPatch goes beyond WSUS because it manages updates from other systems service producers, such as Adobe and Oracle. The scripting language of BatchPatch lets you sequence updates to manage software dependencies better. That extends across providers, so you can install required supporting software for each update, no matter where that software comes from.
BatchPatch is a step up from the straightforward WSUS system because it offers a full-blown patch management system for all service software. However, it isn’t advertised as a patch management tool for all software, i.e., applications and operating system software and services. The tool’s capabilities include downloading, transferring, and installing updates, diagnosing problem clients, and reporting on activities.
You can get a free trial version of BatchPatch. This does not have a time limit, but it is restricted to covering just four endpoints.
Choosing a WSUS server tool
The definition of “WSUS server tool” is very broad, so this review has covered the whole spectrum. If you just want to get a grip with error reporting on failed downloads, then the SolarWinds Patch Manager would serve you well.
ManageEngine offers two routes to patch management. Patch Manager Plus manages updates for devices running Windows, macOS, and Linux as well as Windows Server. Patch Connect Plus integrates into SCCM to feed through patches available from software houses other than Microsoft onto a Windows Server machine.
Surprisingly few tools on the market just focus on enhancing WSUS. You are much more likely to get WSUS support with patch management systems such as BatchPatch or the SolarWinds Patch Manager. It may be worthwhile to look into network device management systems and endpoint user managers. Many of these integrate well with patch management to improve the security of your network.
The importance of WSUS and patch management
Keeping all of your software up to date is an essential guard against viruses and network intrusions. Hackers discover new exploits in software all of the time and as soon as their new attacks are discovered software producers race to close off the loophole. Those exploit shutdowns are issued as patches and updates.
Keeping up to the latest version of your operating system is particularly important. An exploit in the operating system can give hackers access to the underlying firmware of your computer and give them unrestricted access to all software and data stored on your equipment. Therefore, WSUS is an essential tool for any business running the Windows Server environment.
WSUS periodically checks the Microsoft servers for software updates and downloads them into a central repository. As an administrator, you have the option to approve or block specific updates. You can also specify the date on which the software will be distributed. It is also possible to pre-configure the distribution function to define automatic procedures for different classes of updates. So, you can specify that critical and security updates get installed automatically, while service packs and driver updates are held pending manual approval.
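The approval policy just described, written as an added PowerShell example using the UpdateServices module that ships with the WSUS server role (this is not code from the article or from any of the vendors reviewed): unapproved Critical and Security updates are approved for one target group, everything else stays pending for a human. The group name "Pilot" is an assumption; substitute your own.

```powershell
# Added example (not from the article): approve unapproved Critical and Security
# updates for one WSUS computer group and leave other classifications pending.
# Assumes the UpdateServices module (WSUS role), a local WSUS server, and an
# existing computer group named "Pilot" (assumed name; change to suit).
Import-Module UpdateServices

function Approve-CriticalAndSecurityUpdates {
    param(
        [string]$TargetGroupName = 'Pilot',   # assumed group name
        [switch]$DryRun                        # report only; approve nothing
    )
    $server = Get-WsusServer                   # local WSUS server

    $approved = @()
    foreach ($class in 'Critical', 'Security') {
        # Only updates that nobody has approved or declined yet
        $pending = Get-WsusUpdate -UpdateServer $server -Classification $class -Approval Unapproved
        foreach ($u in $pending) {
            $update = $u.Update                # underlying IUpdate object
            # A superseded update adds download volume without closing any new hole; skip it
            if ($update.IsSuperseded) { continue }
            if (-not $DryRun) {
                # An update with a license agreement cannot be approved until the EULA is accepted
                if ($update.HasLicenseAgreement) { $update.AcceptLicenseAgreement() }
                Approve-WsusUpdate -Update $u -Action Install -TargetGroupName $TargetGroupName
            }
            $approved += $update.Title
        }
    }

    # Everything else (service packs, drivers, feature packs, ...) remains
    # unapproved and is surfaced here for manual review
    $held = Get-WsusUpdate -UpdateServer $server -Classification All -Approval Unapproved |
        Where-Object { $_.Update.UpdateClassificationTitle -notin 'Critical Updates', 'Security Updates' } |
        ForEach-Object { $_.Update.Title }

    [pscustomobject]@{ Approved = $approved; HeldForReview = $held }
}

# Review first, then run again without -DryRun to apply the approvals
Approve-CriticalAndSecurityUpdates -DryRun | Format-List
```

Run it from an elevated PowerShell session on the WSUS server; the Approved list is what the Windows Update agents in the target group will pick up at their next detection cycle.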
A detection function in WSUS creates a report on the updates available for each machine. This provides an inventory of the Microsoft software on each endpoint with the version status of each program. Other settings in WSUS block manual changes to Microsoft products operating on each computer.
WSUS and SCCM tools
Although a WSUS server works well as a patch management service, it only deals with Microsoft products, so you have to look elsewhere for more general patch management software. SCCM, the System Server Configuration Management tool, is another critical patch management service that operates in the Windows environment. It is common to encounter tools that can interact with both WSUS and SCCM to produce a more comprehensive patch management service.
WSUS Server FAQs
How do I use WSUSutil.exe?
WSUSutil.exe will give you a library of command-line controls to manage a WSUS server implementation. You don't need to install the WSUSutil.exe program separately because it is part of the WSUS software package. The program is resident in the Program Files\Update Services\Tools directory of the drive that holds the WSUS server. You need to be in that drive to issue WSUS utility commands. All WSUS commands start with wsusutil followed by a keyword and parameters. For example, wsusutil reset.
How do I push WSUS updates immediately?
The WSUS administration settings enable you to specify that all updates are applied immediately so you don’t need to intervene for every single update. In order to set up an automatic push of WSUS updates immediately:
- Go to the Group Policy Object Editor
- Expand Computer Configuration and then expand Administrative Templates
- Expand Windows Components and click on Windows Update
- A details pane will open. Click on Allow Automatic Update Immediate to set it
- Click OK.
What is the latest version of WSUS server?
The latest version of WSUS server is 5.0. This is part of Windows Server 2016.
What is the difference between WSUS and SCCM?
WSUS only updates Microsoft products whereas SCCM is a much broader patch management system that can update software and firmware from other producers.
How do you audit a patch management process?
A patch management audit retrospectively checks that all necessary patches have been applied. Each patch changes the version number of the software. In order to perform this check, you need to have a list of all of the software that you have, including firmware and operating systems. You also need to look at the current version numbers and reconcile those against the version numbers that should be expected if the latest patch had been applied.
It is almost impossible to perform a patch management audit manually. In some cases, you might have intentionally refused an update. The reasons for those rejections need to be recorded so that you are aware of them later when you check on version numbers.
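The reconciliation the two paragraphs above describe, as an added PowerShell example that is not part of the original article: each installed version is compared with the version expected after the latest patch, and deliberately refused updates are matched against a register of recorded exceptions so they are reported as documented rather than as failures. The software names, versions, hostnames and reasons below are all constructed for illustration.

```powershell
# Added example (not from the article): reconcile installed software versions
# against the expected post-patch version, honouring recorded exceptions.
# All data below is constructed; in practice the inventory comes from your
# patch manager's export or from the endpoints themselves.

# Expected version once the latest approved patch is applied (constructed baseline)
$Baseline = @{
    'Contoso Agent'   = [version]'4.2.1'
    'Example Browser' = [version]'118.0.5'
    'Widget Firmware' = [version]'2.7.0'
}

# Updates refused on purpose, with the reason recorded at the time of refusal
$Exceptions = @(
    [pscustomobject]@{ Computer = 'FILESRV01'; Software = 'Widget Firmware'
                       Reason = 'Constructed example: 2.7.0 breaks the RAID controller' }
)

# Constructed inventory: what is actually installed on each machine
$Inventory = @(
    [pscustomobject]@{ Computer = 'WS001';     Software = 'Contoso Agent';   Version = '4.2.1' }
    [pscustomobject]@{ Computer = 'WS002';     Software = 'Contoso Agent';   Version = '4.1.9' }
    [pscustomobject]@{ Computer = 'WS002';     Software = 'Example Browser'; Version = '117.0.2' }
    [pscustomobject]@{ Computer = 'FILESRV01'; Software = 'Widget Firmware'; Version = '2.6.3' }
    [pscustomobject]@{ Computer = 'WS003';     Software = 'Unknown Tool';    Version = '1.0' }
)

function Test-PatchLevel {
    param($Inventory, $Baseline, $Exceptions)
    foreach ($item in $Inventory) {
        $expected  = $Baseline[$item.Software]
        $exception = $Exceptions |
            Where-Object { $_.Computer -eq $item.Computer -and $_.Software -eq $item.Software }
        $status =
            if (-not $expected)                           { 'NoBaseline' } # software list is incomplete
            elseif ([version]$item.Version -ge $expected) { 'Compliant'  }
            elseif ($exception)                           { 'Excepted'   } # behind, but deliberately so
            else                                          { 'OutOfDate'  }
        [pscustomobject]@{
            Computer  = $item.Computer
            Software  = $item.Software
            Installed = $item.Version
            Expected  = if ($expected) { $expected.ToString() } else { '-' }
            Status    = $status
            Reason    = if ($exception) { $exception.Reason } else { '' }
        }
    }
}

$findings = Test-PatchLevel -Inventory $Inventory -Baseline $Baseline -Exceptions $Exceptions
$findings | Format-Table -AutoSize

# Rows needing action: missing patches, or software the baseline does not know about.
# Excepted rows are documented decisions, not audit failures.
$findings | Where-Object Status -in 'OutOfDate', 'NoBaseline'
```

With the constructed data, WS002 is reported OutOfDate twice and WS003 as NoBaseline, while FILESRV01 is Excepted with its recorded reason.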