The Windows Server Update Services–or WSUS–are a component of modern Windows server operating systems that take care of obtaining available Microsoft system and software updates and distributing them to client computers. The tool can greatly reduce the amount of bandwidth used for upgrades as each networked computer gets its upgrades from the WSUS server instead of each downloading it from the Internet. Unfortunately, the WSUS are far from perfect and they suffer from several shortcomings. This has led several software publishers–including Microsoft–to release tools to address some of them. In today’s article, we’ll review some of the best Windows Server Update Service tools.
We always like to give our reader as much information as possible so we’ll start off by explaining what the WSUS are in deeper details. We’ll discuss the different functionalities of the WSUS, trying to understand how they work. And since most WSUS tools were created to address some the WSUS shortcomings, this is what we’ll discuss next. After that, you’ll be better equipped to better appreciate the rest of our discussion. This will take us to the core of the matter, the best Windows Server Update Services tools. We’ll not only list the best products but also do a brief review of each.
What Are The Windows Server Update Services
The Windows Server Update Services are software tools from Microsoft that are used to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. The WSUS download updates from the Microsoft Update website and then distribute them to computers on a network.
SUS, the precursor of the WSUS, originally only allowed the download of Windows operating system updates to a centralized location. This allowed networked computers to use Windows update to get their updates from this central location rather than directly from Windows Update. Since then it’s been renamed and expanded and can now distribute updates, hotfixes, service packs, device drivers and feature packs to clients from a central server.
The WSUS are primarily targeting small and medium businesses. Larger corporations often use the System Center Configuration Manager as their primary update mechanism as it offers many more features and greater flexibility.
Functionalities Of The Windows Server Update Service
Although it may appear simple, even simplistic a lot goes on in the background with the WSUS. The service first analyzes systems and evaluate their update statuses. It can determine which updates are available and required on each connected system. It will then proceed to download the required updates from Microsoft and store them locally. It supports a wide range of Microsoft products and is integrated as a server role to recent versions of Windows server.
The Windows Server Update Services have many advanced features such as bandwidth and network resource optimization. The services also handle the targeted download of updates to specific computer or sets of computers. Furthermore, the tool has excellent reporting capabilities which will enable you to pull all sorts of reports showing the status of updates.
The WSUS allows administrators to approve or decline updates before installation. They can also force updates to install by a given date or obtain extensive reports on which updates each machine requires. The WSUS can be configured to approve certain classes of updates automatically (such as critical updates, security updates, service packs, drivers, etc.). Updates can also be approved for “detection” only, allowing an administrator to see which machines require a given update without actually installing it.
Shortcomings Of The Windows Server Update Services
As good as they are, the Windows Server Update Services are not perfect. First and foremost, they only support Windows clients but most importantly, they only work with Microsoft software. And even then, not all software from the Redmond giant can be upgraded by the WSUS.
But there’s more. Even software that should be updated by the WSUS isn’t always. A quick search will reveal countless horror stories of computers that appear fully patched in the WSUS reports but aren’t, of client agents that won’t connect to WSUS, and of updates that get stuck while processing. The missing patches can go back several years and we’ve seen machines that were reporting a 100% patched status but still needed hundreds of updates.
This is not to say that the WSUS are not good. They are! But keeping computers updated is a hugely complex job. And even with their shortcomings, automated systems are still doing a far better job than can usually be done manually, especially when considering the time investment it requires.
Our Top 7 Best Windows Server Update Services Tools
Most of the tools that are on the market to complement the WSUS were made to address some of the software’s issues. Others will add functionality to the process such as updating third-party software. Oddly enough, two of our tools are from Microsoft which, possibly recognizing some of its system’s issues, has decided to release additional tools.
Our first entry is from SolarWinds who makes some of the best network and system management tools. The company is particularly famous for its many excellent free tools like the Diagnostic Tool for the WSUS Agent. As you can deduce from its name, the main purpose of this free software package is ensuring that the WSUS agent works correctly on all computers. This is an important task as it is where most of the WSUS issues stem from and it’s possibly the weakest area of the WSUS.
The primary functions of this tool are as follows. It will first validate the machine state and the Windows Update agent configuration values. If all seems OK, it will attempt a connection to a configured WSUS server and provide detailed feedback about the result of the connection attempt.
The tool’s installation is as simple as launching the installer. The tool automatically starts after installation and an initial analysis is performed. Once this initial analysis completes, you can click the Start Diagnostic button to run a deeper analysis that will reveal each and every potential issue with the WSUS agent in very clear terms and often including the exact steps that must be taken to fix them.
The main drawback of this tool is that it must be installed and run on the client computer. But if you have issues with some computers failing their updates or not reporting correctly in WSUS, installing this tool could provide an easy way to diagnose the problem.
And while you’re on the SolarWinds website, you might want to have a look at some of the excellent free tools that are available. A few of them were reviewed in these pages when we discussed the best subnet calculators or the best free TFTP servers, for example.
Next, we have an even greater tool, also from SolarWinds. This time, it is the SolarWinds Patch Manager we’re talking about. This tool takes the WSUS to a whole other level. It starts where WSUS stops. This is a full software patch and update management package that will work with the WSUS–or SCCM, for that matter–to provide one of the very best experiences in patch management.
This tool integrates seamlessly with the WSUS and adds some welcome functionality to it. For instance, you get scheduled patch and update deployment, a feature that’s tragically missing from the WSUS. The Patch Manager will also report on patch status and inventory. While we’re talking about integration with other tools, this one also integrates with SCCM to provide a complete patch management system not only for Microsoft operating systems and software but also for third-party applications.
Another feature of the SolarWinds Patch Manager is the vulnerability management. Within the limit of a patch management application, this tool will ensure that none of the computers it manages have any vulnerable software. And if it finds any, it will proceed to fix it by deploying the proper patch.
For third-party applications, you can get several pre-built and pre-tested packages for the most common ones directly from SolarWinds. You can also build your own packages for in-house software or applications not available from SolarWinds.
Pricing for the SolarWinds Patch Manager is based on the number of nodes serviced. It starts at $3 690 for 250 nodes and goes up from there. This is a perpetual license that will let you use the software forever. The number of nodes can easily be increased by purchasing an additional license. Should you want to try this powerful software before committing to such a considerable investment, a free 30-day trial is available for download.
3. Microsoft WSUS Client Diagnostic Tool
The Microsoft WSUS Client Diagnostic Tool is offered by Microsoft in response to the numerous issues with the WSUS client software. Its main purpose is to assist WSUS administrators in troubleshooting client computers which may be failing to report back to the WSUS Server. This tool performs some preliminary checks and then test the communication between the WSUS Server and the client machine.
Contrary to the SolarWinds similar tool, this one doesn’t have a nice GUI. It is a command-line tool and its on-screen feedback is not the most useful. Despite its limited usefulness, especially compared to the SolarWinds similar tool, we felt this had to be included on our list for a few reasons.
First, it adheres to the “supplier-first” philosophy which claims that there is no one in a better position to find issues with a system than its own publisher. Given that line of thought, it makes sense to use a Microsoft tool to debug issues with a Microsoft product.
Also, if you contact Microsoft support for a WSUS issue, there’s a good chance they’ll ask you to run this tool on problematic computers. They could require that you provide them with the results of using the tool to help them in diagnosing the issue. This is odd when you consider that the Microsoft page for the tool clearly states that it is provided as-is and that Microsoft offers no support for it.
4. Microsoft WSUS Reporting Rollup Sample Tool
Next on our list is another tool from Microsoft. The Microsoft WSUS Reporting Rollup Sample Tool‘s primary purpose is in consolidating report data from multiple WSUS servers. The tool, which is essentially a reporting tool, will gather data from each WSUS server and present the results in a unified way. This is a completely customizable tool that can either merge the data from all servers or display each one separately.
Scripts are used to control the way this tool operates and writing these scripts might not be the easiest task. This is where the “sample” part of the tool’s name kicks in. Along with the actual software, the download includes a number of pre-written reports scripts. They are sample reports that you can elect to use as-is. Alternatively, you can also opt to modify the sample report scripts to your specific needs and use them as a starting point for writing your own.
As useful as this tool can be, you need to be aware that it is of no use if you only have one WSUS server. This tool is for large installations with multiple servers. Also, while it certainly is a very useful tool, it won’t add any functionality to the WSUS.
5. ADFDesign’s WSUS Tool
The WSUS Tool from ADFDesign is a simple yet powerful and useful tool. This tool is actually a “graphical” front end to several actions performed in the background by the wuaucltl.exe program which is installed along with the WSUS client on each computer. This means, of course, that you’ll need to install the tool on each client machine and run it from there. This can be done via remote control if you prefer not to have to walk to each computer, provided you have some remote management facility in place.
The tool has thee functions: Detect Now, Clone Fix, and Report Now. Detect Now will run the standard WSUS detection procedure. This gives you information on which services are visible from the server. Clone Fix will actually attempt to fix the client. it will delete some registry key, restart the wuauserv service and reset its authorization before running the detect function again. As for Report Now, it will run an immediate report on the client so you don’t have to go looking into logs for information.
This tool doesn’t do much but what it does, it does it well. And it sure beats doing it by hand. And since this a free tool, you might as well use it. This is a great example of how useful tools don’t have to be complex.
6. WSUS Offline Tool
The WSUS Offline Tool from Anoop C. Nair addresses one of the WSUS shortcomings we didn’t mention before that has to do with client computers without Internet access. WSUS can handle them through a process called the WSUS offline update. This is far from perfect, though, as in will only install patches with the “critical” and “security relevant” statuses. This can leave your offline client computers out of sync as compared to online computers and missing important updates. This tool, on the other hand, uses the Windows Update Agent, or WUA, to determine which patches to install on the client side. These will usually include most “important” and “optional” patches.
Just like most tools on this list, this one is not perfect. For instance, computers updated by WSUS Offline Update will hardly ever completely satisfy Microsoft’s Online Update. Some minor patches might be missing. However, the patch coverage completely satisfies the Microsoft’s Baseline Security Analyzer. For those reasons–and perhaps others, the tool’s developer recommends to only use this tool in non-production environments. We’ll leave it up to you to determine if you feel comfortable to do otherwise.
Last on our list is another cool tool called BatchPatch. This is way more than a WSUS tool, though. BatchPatch can work alongside the WSUS and use them for fetching and storing updates but it is also an autonomous patch management tool. And a good one too. This tool’s list of features is way too long to mention them all here. let’s see e=what the main ones are.
BatchPatch can initiate the download and/or installation of Windows updates on many remote computers simultaneously. Those computers can be stand-alone, in a workgroup, or members of a domain. The software will let you decide if you want to install all available updates or just specific updates identified by name or category such as “Critical Updates’ or “Service Packs”.
The system is not limited to patch management. It’s also a complete software deployment system that can install almost any third-party software on the remote machines. BatchPatch also features a scripting language that allows you to sequence updates and better manage software dependencies. Overall, BatchPatch is an excellent tool to use either by itself or as a companion to the WSUS. Pricing for the product starts at $399 and a free trial is available.