We are migrating all our workstations to Intune and I’m evaluating Windows Autopatch. I really like it. Unfortunately this only patches workstations, not servers. I was wondering if there is a Microsoft product, preferably free, that can handle the server patching. I think WSUS is very outdated and doesn’t work very well. I know there are many 3rd party solutions out there, but I was hoping there is some MS sanctioned way. I believe Azure Arc might be able to do it. Any thoughts are appreciated.


If you are just patching servers, I really feel WSUS is more than adequate and should not be too much work. There are third-party solutions, but they do require some effort to implement. What, specifically, is an issue at your org with WSUS?

I had WSUS set up in deployment rings using AD groups and GPOs. However, I found the servers would just stop reporting after a while. There must be some modern way to update them, similar to Intune Autopatch. I already tried WSUS; it hasn’t changed in decades. It doesn’t work well in my experience. With all due respect, I really don’t want the answer to this post to be “Just use WSUS”.

You’re doing it WRONG then. Either you’re not doing the required maintenance for WSUS or there’s something else going on at your client systems. I haven’t had a server stop reporting since ~2014, and they have all been through multiple in-place upgrades.

That’s simply not true. Sure, the main functionality hasn’t (because it works), but WSUS has had a lot of development over the years to introduce new and better functionality: Windows 10/11 upgrades, UUP, and more.

OK, let your Windows Servers update with Microsoft through Windows Update and automatically update with no reporting, no scheduling, and no ability to revert patches beyond manually removing them.

Configuration Manager: not free, and not free of WSUS. Configuration Manager still uses WSUS under the hood.

There are better ways, just none prescribed as you have asked. MS is not going to “sanction” anything MS does not profit from or that directly targets the same market as products they profit from. WSUS can work here; it is just both my biased and unbiased opinion that WSUS is no longer the best tool for the job, and has not been for a while now.

If you would like to try Risk Based Patch Management for OS and Third Party apps from Action1 it is free for the first 100 endpoints, client or server.

Fully featured, and not time limited. If you have under 100 servers with this need, it’s a canned solution for the price tag of $0.

If you do want to give it a shot, or have any questions, just let me know.


@overdrive Some of these responses are unnecessarily nasty, like “You’re doing it WRONG then”. You are making an assumption here. I’m not new to Windows administration or new to WSUS. Perhaps there is something affecting the reporting, but not necessarily how WSUS is set up.

Also: “OK, let your Windows Servers update with Microsoft through Windows Update and automatically update with no reporting, and no scheduling and no ability to revert patches beyond manually removing them.” This is not the only other option.

But thanks for the other feedback.

No I’m not.

You say it’s outdated and doesn’t work very well. If you think it doesn’t work very well, you’re doing it wrong.

If you’re not new to Windows administration or WSUS, which I didn’t think you were as you’re saying it’s outdated (meaning you’ve been in the industry for a while), and saying how WSUS is set up is not necessarily the problem, then you’re doing it wrong. WSUS is a repository for updates. Said repository is a database that needs maintenance and optimization, and is not a ‘set and forget’ thing. That’s where most people have issues: they think it’s set and forget (aka, doing it wrong). WSUS also just isn’t one service; it’s IIS, WSUS, GPOs, and potentially SSL/Certificate Services. All of these services must work properly together to get you your outcome, but of course you already knew that as you’ve been in the industry for a while.

Not with your requirements.

  • Windows Update with no policies (Free)

  • WSUS (Free-ish)

  • Configuration Manager/WSUS (Not Free)

  • Azure Arc (Not Free)

As you’ve noted:

  • WUfB = not (yet) for servers

  • Autopatch = not (yet) for servers

Beyond this list, it’s 3rd party.
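An added example, not posted by anyone in this thread, of the routine WSUS maintenance and the "servers stopped reporting" check discussed above, using the UpdateServices PowerShell module that ships with the WSUS role. The host name, port and the 30-day stale threshold are assumptions; adjust them for your environment.

```powershell
# Added example (not from the thread). Run on the WSUS server as an administrator.
#Requires -Modules UpdateServices
param(
    [string]$WsusHost  = 'wsus01.corp.example',  # assumed host name, replace with yours
    [int]   $Port      = 8530,                   # 8531 is the usual port when SSL is enabled
    [switch]$UseSsl,
    [int]   $StaleDays = 30                      # assumed threshold for "stopped reporting"
)

Import-Module UpdateServices
$wsus = Get-WsusServer -Name $WsusHost -PortNumber $Port -UseSsl:$UseSsl

# 0. WSUS is not one service: confirm the pieces it depends on are actually running.
Get-Service -Name WsusService, W3SVC | Format-Table Name, Status -AutoSize

# 1. List clients whose last status report is older than the threshold.
#    A client that still syncs (LastSyncTime recent) but never reports usually points
#    at the client side (policy target, SSL trust, Windows Update agent), not at SUSDB.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = Get-WsusComputer -UpdateServer $wsus -All |
          Where-Object { $_.LastReportedStatusTime -lt $cutoff }
$stale  | Select-Object FullDomainName, IPAddress, LastSyncTime, LastReportedStatusTime |
          Sort-Object LastReportedStatusTime |
          Format-Table -AutoSize

# 2. Routine hygiene: decline expired and superseded updates and remove obsolete
#    computers, updates and content so the catalog every client has to scan stays small.
#    The cmdlet prints a per-category summary of what it declined or removed.
Invoke-WsusServerCleanup -UpdateServer $wsus `
    -DeclineExpiredUpdates -DeclineSupersededUpdates `
    -CleanupObsoleteUpdates -CleanupObsoleteComputers `
    -CleanupUnneededContentFiles -CompressUpdates

# 3. On a client that shows up as stale, run these there (not on the WSUS host) to confirm
#    the GPO actually points it at this server and that the update agent is running:
#      Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' |
#          Select-Object WUServer, WUStatusServer, TargetGroup
#      Get-Service -Name wuauserv
```

Run the cleanup on a schedule (monthly is a common choice) rather than once; the reporting gaps described in the thread are easier to spot when the stale list is reviewed at the same time.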

You might want to check out Scalefusion’s Patch Management solution. It supports Windows Server patching alongside workstations and can be a good alternative if you’re moving away from WSUS. It’s worth looking into if you’re already exploring unified endpoint management.