Currently using WSUS

For many years I have used WSUS (and WAM to streamline WSUS). It has worked reasonably well (as my clients' networks are small), and a huge bonus was that it downloaded updates once to the server and deployed them from the local server to clients. This was pretty much essential for some clients with very poor Internet bandwidth.

However, the reporting functionality of WSUS has always been very poor. SQL memory usage of WSUS is also dreadful. Lastly, WSUS Package Publisher has worked well to deploy 3rd party software and updates, but I can't work out how to update the certificates without breaking deployment of software configured before updating the certificate. In addition, while WAM does help tame WSUS, it is simply not value for money when Action1 can provide all the functionality I am currently missing in WSUS free of charge, as none of my clients have 100 endpoints.

So, I am keen to move to Action1. However, I have some questions.

Questions about Action1

Is it easy to install and update the following software? Openvpn, Pdf Xchange Editor (free on most devices and paid for on a couple of devices)?

Do you configure end clients' Windows Update to update from Action1, or disable Windows Update? Their documentation is not clear. Currently I have configured all devices to update from the WSUS server.

If I want to upgrade 50 devices to W11 24H2, does this upgrade, say, 10 devices an hour, or what? I don't want to kill the bandwidth downloading 20GB * 50 machines. I currently have Delivery Optimisation disabled because I want to prevent lateral movement between workstations.

Supply chain attacks are now a massive attack vector and security concern. Does Action1 allow me to disable functionality such as Remote Desktop, scripts, etc.? I use Simple Help (installed on my own very secure server) to connect remotely to my clients. I only need a patch management program; I do not need an RMM. Does Action1 allow a super admin to restrict exactly what can be done on end clients through Action1?

Reporting functionality. How reliable, effective and user-friendly is their reporting functionality? I am very keen to get something that tells me whether computers are up to date, what patches are missing, what 3rd party software is of concern, etc. This is something that WSUS is really crap at, so I would love to finally address this massive shortcoming. My concern is that some patching programs say a computer is updated, but the update or software is never installed.

What is the best guidance on driver updates with Action1? Yes or no? Drivers are a bit of a problem nowadays with Windows 10/11, as newer drivers can fix weird Windows issues but can also break Windows!

A massive bonus of deploying 3rd party software through Windows Update via WSUS is that I can install a brand new machine today, click update, and it will install/update all 3rd party software there and then. I get the impression that with Action1 you have to wait an hour for this to occur if you want to install deployed software onto a brand new machine?

Approvals and automatic decline. This probably works differently from WSUS by design. Currently in WSUS, I need to decline ARM, 32-bit, Itanium, Office 2010, Windows 7, etc. So I configured WAM to auto-decline all that rubbish. I presume that with Action1 I won't need to decline updates that are not intended for the target PC. However, I need to ensure that, say, W11 24H2 is not automatically installed. We are still running W11 23H2, as I am not sure that 24H2 is ready yet; so many problems have been reported. Can I simply not approve 24H2 so that it is not offered to any client?

Groups/categories and individual updates. How good is Action1 for creating groups and sub-groups? For example, I currently have 4 groups in WSUS (Servers, Office, Staff and Pupils) and I use reg keys or existing files to control exactly which end devices get a specific piece of software deployed. However, moving forward I would like to be able to assign a PC to multiple groups, such as Staff and Laptop, to deploy OpenVPN to Office and Staff laptops but not to a Pupil laptop or Office/Staff computers. Or perhaps Action1 does this in a better way than my current deployment configuration, especially for those 2/3 machines with paid-for versions of PDF-XChange Editor versus the other endpoints with free versions.

Conclusion

Was Action1 or Microsoft responsible for the situation where servers were upgraded from, say, Server 2021 to Server 2025? If I had approval before installing in place, I assume I would not have been affected by this issue? The impression I got is that it was not clear that it was an upgrade; it looked more like a normal security update.

2 Spice ups

Yes, I can confirm 3rd party updates are as easy as Windows ones. Not all packages are included in the catalog, but you can add your own. OpenVPN, for example, updates like any other WU update.

You disable your GPO to use WSUS; Action1 takes care of disabling WU outside of this.

You choose when to upgrade them via the console; it could be 1 or 100, your call. Updates will try to share with local peers before using the internet, but it's going to depend on what is cached.

There are built-in scripts to disable certain aspects; if you validate your business, you can also then run your own PowerShell or other scripts against your devices.

Everything is visible via the main dashboard, but there are also a number of built-in reports to do this; you can also subscribe to email reports or customize your own.

The software will also inventory all software installed; even if it cannot itself update it, it's visible, so you can decide or package your own updates.

Driver updates are not a standard part of the product, but you can deploy your own packages.

As far as immediate updates go: if you create a tag called 'new' and a device is classed as new for 24 hours, you can have a scheduled task that runs updates every hour, which will push out anything missing every hour for these devices. You choose how and when; using tags or groups you can set your own rules.

Declining of updates can be done, but if the OS doesn’t need them, they’re not included from the start.

Feature upgrades (W11 23H2 → 24H2) are not automatic, nor are W10 → W11; you have to manually choose to do this. So you won't be burdened by this unless you explicitly choose to deploy them.

Groups can be controlled by tags, AD OU, device type, device name, IP, subnet, etc. You choose.

Devices can be in more than one group, or you can add exclusions too.

You might want a desktops group, then pupils, but you don't want both sets of desktops in 'desktops', so you can exclude to suit. Play with the settings.

The situation where servers were unexpectedly upgraded from Windows Server 2022 to Windows Server 2025 was primarily due to a misclassification in Microsoft’s update API.

What I will suggest is that you register and test this for yourself. As someone who moved from WSUS to Action1, I will tell you it's much easier to use once you know how things work.

WSUS is far more restrictive and relies on group policy and machines being in the domain, so DMZ and workgroup machines are missed. With Action1, this isn't the case.

1 Spice up
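One practical check to pair with the advice above about disabling the WSUS GPO: after the policy is unlinked, the Windows Update client on each endpoint should no longer carry a WUServer value or UseWUServer = 1, otherwise it keeps asking the old WSUS server for approvals and will sit at "no updates" once that server is retired. The script below is an added example, not code from the thread or from Action1; it only reads the documented policy registry locations used by the Windows Update client and reports what it finds. The value names and paths are the standard ones; nothing Action1-specific is assumed.

```powershell
# Added example (not from the thread or Action1): audit an endpoint for leftover
# WSUS policy after the WSUS GPO has been unlinked. Run elevated on the endpoint.
function Get-WsusPolicyState {
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = Join-Path $wu 'AU'

    # Read one value, returning $null rather than throwing if the key or value is absent
    $read = {
        param($Path, $Name)
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    [pscustomobject]@{
        WUServer       = & $read $wu 'WUServer'        # WSUS server URL, e.g. http://wsus:8530
        WUStatusServer = & $read $wu 'WUStatusServer'  # where clients report status
        UseWUServer    = & $read $au 'UseWUServer'     # 1 = use the intranet server above
        NoAutoUpdate   = & $read $au 'NoAutoUpdate'    # 1 = automatic updates disabled by policy
    }
}

# Returns $true when the endpoint is still steered at a WSUS server
function Test-StillOnWsus {
    $s = Get-WsusPolicyState
    return ([bool]$s.WUServer) -or ($s.UseWUServer -eq 1)
}

$state = Get-WsusPolicyState
$state | Format-List

if (Test-StillOnWsus) {
    Write-Warning "Endpoint still points at WSUS ($($state.WUServer)). Confirm the GPO is unlinked, then run 'gpupdate /force' and re-check."
    Write-Warning "Policy values re-apply on every GP refresh while the GPO is linked, so deleting them locally is not a fix by itself."
} else {
    Write-Host 'No WSUS policy present; the client will use the Microsoft endpoints (or whatever the management agent configures).'
}
```

The check is read-only on purpose: while a WSUS GPO is still linked, removing the values locally only buys you until the next Group Policy refresh, so the fix is in AD, not on the endpoint. Running it as a scheduled script across the fleet after the cut-over is a cheap way to catch machines that never received the updated policy (laptops that were off-site, for example).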

I am still working on my configuration for PDF-XChange Editor. The issue that I ran into with the paid versions was that if I were not paying attention to which version it was updating the paid users to, it would invalidate their license, since their paid licenses are associated with particular versions unless you are paying for current support for the program to keep it up to date. Action1 does allow you to set up custom updates, as @Rod-IT mentioned already, and it is possible to set up updates for particular versions of the software. Just something to watch out for.

1 Spice up

There is a setting to disable remote desktop. I don’t think there is one for disabling scripts.

2 Spice ups

You can disable remote access administratively in the advanced section; just search 'remote'. If you would like it hard off, support can do that too.

Scripting cannot be disabled, as it is part of its core function; there is no way to differentiate the scripting required to support other components.

2 Spice ups

@Rod-IT Thank you for a very clear and detailed reply that answered all my questions. Much appreciated. I will get started with Action1 in the next couple of weeks.

I think that I will need to re-enable Delivery Optimisation, but for LAN only. The primary reason I disabled it was that there was no need for Delivery Optimisation when using WSUS, and it was just another potential attack vector. However, for feature updates on the LAN, Delivery Optimisation will be essential.

I get the impression, reading the docs on their website, that Delivery Optimisation is used for peer-to-peer installs of Windows updates, and Action1's own peer-to-peer software (which you need to open ports for) is used for third-party software peer-to-peer installs. If that is the case, I will only use Delivery Optimisation, as PDF-XChange and OpenVPN are not huge installs, and that would mean I don't need to open ports on each machine.

I might need scripts to be enabled, as I found this: Basic health monitoring of endpoints, to monitor the hard drives of the server. I assume this is the same kind of hardware monitoring that the Adaptec RAID controller would use. I would prefer to be alerted via Action1 if there are any issues with impending hard drive failure, as email alerts can fail.

Is it just feature upgrades that are not automatic? I tend to hold all updates and only approve once I am satisfied that there are no issues with the latest monthly updates. This has saved my bacon more than once.

@ajason - my main issue with PDF-XChange is whether I can tell it to deploy PDF-XChange to all computers except the 2/3 that have the paid-for version, and then update the paid-for version only on the relevant computers. At the moment I am using reg keys to differentiate, and it's not desirable.

@mike-action1 I would probably go for a hard disable, as I don't need remote access and it just represents a potential attack vector.

Thank you all for the replies. I have done a lot of reading up on Action1 and was pleasantly surprised by how much it can do; I was not expecting vulnerability and inventory management as well. It makes me wonder why I stuck with WSUS for so long, although WSUS does help with clients with very poor Internet.
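The "Delivery Optimisation for LAN only" plan in the post above maps to a single documented policy, DODownloadMode, plus an optional peer-selection restriction. The script below is an added example, not part of the thread or of Action1's documentation; it writes the policy values under the standard DeliveryOptimization policy key and then summarises what the DO client reports. Assumptions: it runs elevated on a Windows 10 1709 or later endpoint (where the Get-DeliveryOptimizationStatus cmdlet exists), and that the peer-byte counters it sums are the BytesFromPeers and BytesFromHttp properties that cmdlet returns. Note that LAN peering still needs the built-in inbound rule for Delivery Optimization (TCP 7680) enabled in Windows Firewall, so "no open ports" is not quite true even in LAN mode; what you avoid is an extra agent-specific listener.

```powershell
# Added example (not from the thread or Action1): set Delivery Optimization to
# LAN-only peering via policy and report how much is actually coming from peers.
# Documented DODownloadMode values: 0 = HTTP only, 1 = LAN peers only,
# 2 = group, 3 = internet peers, 99 = simple (no peering), 100 = bypass DO.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Set-DoLanOnly {
    New-Item -Path $policyPath -Force | Out-Null
    # LAN mode: peers behind the same NAT only, never the internet
    Set-ItemProperty -Path $policyPath -Name 'DODownloadMode' -Type DWord -Value 1
    # Tighten further: 1 = only peers in the same subnet (0 = same NAT, the default)
    Set-ItemProperty -Path $policyPath -Name 'DORestrictPeerSelectionBy' -Type DWord -Value 1
}

function Get-DoPeeringSummary {
    $mode  = (Get-ItemProperty -Path $policyPath -Name 'DODownloadMode' -ErrorAction SilentlyContinue).DODownloadMode
    $files = @(Get-DeliveryOptimizationStatus -ErrorAction SilentlyContinue)
    $peer  = [int64](($files | Measure-Object -Property BytesFromPeers -Sum).Sum)
    $http  = [int64](($files | Measure-Object -Property BytesFromHttp  -Sum).Sum)
    $share = if (($peer + $http) -gt 0) { [math]::Round(100.0 * $peer / ($peer + $http), 1) } else { 0 }

    [pscustomobject]@{
        PolicyDownloadMode = $mode          # expect 1 after Set-DoLanOnly
        FilesTracked       = $files.Count
        BytesFromPeers     = $peer
        BytesFromHttp      = $http
        PeerSharePercent   = $share         # how much of the traffic the LAN actually served
    }
}

Set-DoLanOnly
Get-DoPeeringSummary | Format-List
```

PeerSharePercent is the number to watch on a site with poor Internet: if it stays near zero after a feature-update wave, the peers are not finding each other (firewall rule disabled, machines on different subnets with DORestrictPeerSelectionBy = 1, or the cache was already evicted). Changing DODownloadMode does not restart in-flight downloads; it applies to the next job the DO service schedules.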

It is possible to create a software repository for the older version of PDF-XChange Editor. I believe that you would have to separate the licensed endpoints into a different group to apply those updates properly. You would not have to use reg keys; Action1 would make this a lot simpler.

1 Spice up

Every update can be held back until approved by you through the Action1 portal.

2 Spice ups

Perfect. I am looking forward to setting up Action1 in a couple of weeks. Thanks

1 Spice up

All updates are within your control.

My point was that feature upgrades are not part of normal 'patching'; they must be configured separately.

Yes, there would be a number of ways to do this. I'd start with tags or custom attributes: for the 3 that require the paid option, give them a tag/attribute, so that when you choose 'patch all' you can add 'except your tag'.

This was my situation too; however, I set up my machines (servers) to be as automated as possible. I set the updates to run out of hours, reboot them, etc., so it takes however long it needs overnight and I'm not aware of it.

I do have a handful of clients in my setup, both Windows and macOS, and I've not had any major issues to date. Mostly client-side problems and not the product itself.

If you get stuck with any part of the setup, feel free to post again.

1 Spice up

Just to add here, there are multiple ways to monitor storage. Action1 allows for extensible report data sources via PowerShell. Those data sources can then be used for reports, which in turn can have alerts set on them.

While the report scheduler polls every ~10m, the report is not "live" unless you actively load it in the UI; but for items such as storage health this is perfectly acceptable, as failing-to-failed is seldom 10m for anything detectable in advance. So, for posterity, for those using Action1:

Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus
or
Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictData

For more details

Or just the general Get-PhysicalDisk, which has a HealthStatus that is a combination of a few factors.

2 Spice ups
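Putting the two commands in the post above together: the script below is an added example, not code from the thread or from Action1, that collects the driver-level S.M.A.R.T. prediction (MSStorageDriver_FailurePredictStatus), the storage-stack view (Get-PhysicalDisk) and the reliability counters (Get-StorageReliabilityCounter) into one flat list, then flags anything that should raise an alert. Assumptions: it runs elevated on Windows 8.1 / Server 2012 R2 or later where the Storage module cmdlets exist; the output shape is a plain list of objects, which is what a PowerShell-driven report data source would typically consume, but the exact contract Action1 expects for a custom data source is not described in the thread, so adapt the last lines to it. It also addresses the Adaptec question raised earlier: disks behind a hardware RAID controller are presented to Windows as one virtual disk, so neither query sees the physical members; for those you still need the controller vendor's CLI or agent.

```powershell
# Added example (not from the thread or Action1): disk health as a flat list of
# objects suitable for feeding a report/alert. Run elevated.
function Get-DiskHealthReport {
    $rows = New-Object System.Collections.Generic.List[object]

    # 1. Driver-level S.M.A.R.T. failure prediction, one row per disk instance.
    #    PredictFailure is the vendor's own "imminent failure" bit; Reason is vendor-specific.
    $smart = Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue
    foreach ($s in $smart) {
        $status = if ($s.PredictFailure) { 'PredictFailure' } else { 'OK' }
        $rows.Add([pscustomobject]@{
            Source  = 'SMART'
            Name    = $s.InstanceName          # PnP instance path, not the friendly name
            Status  = $status
            Detail  = "Reason=$($s.Reason)"
            Problem = [bool]$s.PredictFailure
        })
    }

    # 2. Storage-stack view: HealthStatus/OperationalStatus plus reliability counters.
    #    Counters can be $null on drives/controllers that do not expose them.
    foreach ($d in Get-PhysicalDisk) {
        $rc = $d | Get-StorageReliabilityCounter -ErrorAction SilentlyContinue
        $uncorr = [int64]($rc.ReadErrorsUncorrected + $rc.WriteErrorsUncorrected)
        $rows.Add([pscustomobject]@{
            Source  = 'PhysicalDisk'
            Name    = "$($d.FriendlyName) [$($d.SerialNumber)]"
            Status  = "$($d.HealthStatus)/$($d.OperationalStatus)"
            Detail  = "Temp=$($rc.Temperature)C Wear=$($rc.Wear)% UncorrectedErrors=$uncorr PowerOnHours=$($rc.PowerOnHours)"
            # Healthy is the only acceptable HealthStatus; any uncorrected error is worth a look
            Problem = ($d.HealthStatus -ne 'Healthy') -or ($uncorr -gt 0)
        })
    }

    return $rows
}

# Returns $true if any source reports a problem; handy as the alert condition
function Test-DiskHealthProblem {
    param([object[]]$Report = (Get-DiskHealthReport))
    return [bool]($Report | Where-Object { $_.Problem } | Select-Object -First 1)
}

$report = Get-DiskHealthReport
$report | Format-Table -AutoSize

# Non-zero exit code so a scheduler or data source that keys on exit status also sees it
if (Test-DiskHealthProblem -Report $report) { exit 1 } else { exit 0 }
```

Two caveats worth keeping in the report logic rather than in your head: MSStorageDriver_FailurePredictStatus only returns instances for disks whose driver exposes S.M.A.R.T. (NVMe behind some drivers, USB bridges and RAID volumes often do not), so an empty SMART section is not "all clear", it is "no data"; and HealthStatus from Get-PhysicalDisk can read Healthy right up until a drive drops off the bus, which is why the uncorrected-error counters are included as the earlier signal.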

Honestly, if someone gets control of your Action1, this is the least likely attack vector. If they take remote control, that's something that is visible to the end user. They would almost certainly push scripts or apps that happen invisibly to the user. They can also run those at scale, whereas remote would require someone to manually sit at every machine remotely, so to speak.

Best suggestion would be to give it a try. You can do a limited trial with some test endpoints and see if it will let you lock it down the way you want.

1 Spice up

I appreciate your valid point. I think the real issue with remote access is more that most people don't need this feature in a patch management program, as they usually already have remote access software. So most people just want to disable a feature that they are never going to use anyway. But I do agree that abuse of scripts is a far more likely scenario.

1 Spice up

I honestly wouldn’t worry about it. We’ve had instances where the RMM remote failed but A1 was able to access the machine. Came in very handy in a pinch. It doesn’t happen often, but it’s useful.

That being said everyone has to work within their comfort level, and if you’re more comfortable with it off, by all means turn it off. You will still have a fantastic product even without that feature.

1 Spice up