WSUS is a free application created and distributed by Microsoft that is used for managing updates, hotfixes and patches. As IT admins and professionals continually need to keep their client and corporate environments up to date, and chase a secure and highly performant infrastructure, patch management is more important than ever. This article will look at how WSUS works, and whether it’s a smart choice for distributing updates across a network.
Explain it to me like I’m five – what exactly is WSUS?
WSUS stands for Windows Server Update Services, and it’s used for centralized update management of all Microsoft services. All of the latest Microsoft product updates can be distributed to all machines on a network via WSUS, from one management console on a centralized server or group of servers.
So, what can you use it for? From your WSUS server, you can manage and distribute all of your updates, even updating other WSUS servers in the network. The main reasons you would use WSUS are to ensure that all your machines are patched against security vulnerabilities and that your production environment is fully stable. WSUS works across all machines, even those with varied versions of Windows OS, whether they are working with old XP or modern Windows Server processes.
Hey, wasn’t that service called SUS?
You might have heard of Software Update Services, or SUS, and yes – you haven’t gone mad, the name changed back in 2007. Alongside the name change came a whole slew of new features and updates, including expanding the range of software that can be updated using the system. WSUS can automatically allow updates, hotfixes, service pack, driver and even feature pack downloads, all from a central server or multiple central servers.
What are the features of WSUS?
With WSUS, you don’t need to send technicians to manage each and every computer on its own, downloading updates and patches and deploying them using the Windows Update program. Instead, you can automatically ensure that all updates are approved in advance and downloaded in bulk at a time that works for the business. No downtime or interruption to service, and the peace of mind that patch management is handled in a hands-free manner. When an update is critical for security, these rules can be bypassed, ensuring that risk assessment and mitigation are always top of mind.
WSUS supports update management for every Microsoft product that’s ever been released, so you get really comprehensive coverage over their entire product suite. Through a single console, you can manage security updates, Windows updates, software drivers, and more.
Group policies are also a great feature: you can sort all of your machines across the network into categories (called management groups) and decide what is downloaded and how, making exceptions if necessary for business continuity. If there are any problems with WSUS, you’ll get a simple email notification to show you where failures have occurred. You can also view the status dashboard to see all relevant information for your client or corporate environment, so that at a glance you can confirm that all computers are completely secure, or see which are waiting for or in need of updates.
What are the best and worst things I should know about WSUS?
By now you should be able to list some awesome things about using WSUS – like the ability to manage as many computers as you need to at the same time, reducing the manual effort of securing and supporting a large IT environment. You’ll also be saving on bandwidth, as you just download updates one time. For Microsoft-only offices and environments, it will cover all of your patch management needs, and hey – it doesn’t cost a dime!
However, it’s not all rainbows and butterflies. Although it’s a free tool, to use WSUS you’ll need to have Windows Server, which comes with a costly license fee, and you also need a minimum of 4GB of memory for it to run. If you have more updates to install, you’ll need even more RAM to spare.
What’s an alternative to WSUS?
WSUS is one of many tools that can be used for patch management processes across an IT environment. At Atera, we have a robust patch management process, including the use of Chocolatey for Windows, and Homebrew for Macs, which means that mixed environments can feel totally secure and in control over patch management. We offer the same bulk patch management and deployment, including exceptions and group policies. On top of that, Atera’s patch management integrations include support for all the software you use across your environment, no matter whether it is Microsoft, Apple, or third-party.
Patch management is an essential part of looking after an IT environment, and when done right, it can reduce manual work, streamline security and maintenance tasks, and ensure you never miss a trick when it comes to software updates for the tools your clients and colleagues are using every day.