Why look beyond WSUS for Patch Management?

Brien Posey

WSUS is Microsoft’s free solution for enterprise patch management. On the surface, WSUS would seem to be a great tool. It is scalable, it has a decent reporting engine, and the software is mature and reliable. When you also consider that Microsoft makes WSUS available for free, using it seems like a no-brainer.

In spite of WSUS’s many great qualities, however, it does have its shortcomings. Some of these shortcomings may force enterprise IT to look to third-party vendors for a more comprehensive patch management solution.

Product Support
WSUS was designed by Microsoft to deploy patches for Microsoft software products. As such, WSUS works really well for keeping Windows, Exchange Server, and SQL Server up to date. However, there is no native support for third-party patch management.

The lack of support for patching non-Microsoft products is a problem because Microsoft is far from being the only software company to provide patches. Today almost every software vendor releases periodic patches. Large IT shops need a way to centrally manage the patch management process. Having a separate patch management solution for each vendor creates far too much administrative overhead.

In all fairness, Microsoft does offer an SDK that allows third party vendors to provide patches through WSUS. However, most vendors do not take advantage of this SDK. As such, large IT shops would be well advised to consider a third party patch management solution.

Scheduling
Another capability that seems to be missing from WSUS is the ability to schedule the update process. Client computers use the Windows Update Service to periodically check to see if any new updates are available. In some organizations, administrators have developed their own scripts to allow update checks to be performed on a scheduled basis. However, WSUS itself lacks a scheduler.

Conversely, at least some of the third-party patch management products include a built-in scheduler. This is important for a number of different reasons. For instance, a scheduler makes it possible to rapidly deploy critical patches. It might also be possible to use a scheduler to stagger the deployment of large updates, so as to avoid creating a performance bottleneck or burdening the end user with reboots during business hours.

Perhaps the most important benefit to having a scheduler is that scheduling gives the patch management server full control over the update process. Unlike WSUS, a patch management solution that includes a built-in scheduler can scan network endpoints on a scheduled basis rather than waiting for a computer to check in. This is important because there are any number of conditions that could prevent Windows Update from checking in with WSUS.

Inventory Management
Another key feature that is missing from WSUS is inventory management. A patch management system has to scan network endpoints to determine which applications are installed, which patches are installed, and which patches are missing. If these actions are being performed anyway, then the patch management system should ideally be able to use the scanning process to build a comprehensive inventory of the software that is running on the target computer.

A software inventory report can assist administrators with licensing, version control, and tracking down unauthorized applications.

Conclusion
Microsoft’s WSUS does a good job of keeping Microsoft products up to date, but it was never designed to be a comprehensive solution for addressing all of the patch management needs of a large enterprise. Those organizations that require centralized support for patching applications from a variety of vendors on a scheduled basis are going to be better off adopting a third party patch management solution.