WSUS (Windows Server Update Services) is a fundamental, free add-on program and network service developed by Microsoft which assists IT administrators in the effective management of the download and distribution of updates, patches and hot-fixes released for Microsoft software products to Windows Server operating systems in their network through the use of automation and continuous analyses.
WSUS, previously known as SUS (Software Update Services), is particularly useful for small to medium sized businesses, acting as an intermediary between basic Windows Update used in individual PCs and more complex Systems Management Servers used in larger companies, and since expanded, it can also distribute service packs, security updates, device drivers, feature packs as well as update roll-ups, hot-fixes and more to client computers from a centralized server.
Here is our list of the top WSUS Tools:
- SolarWinds Diagnostic Tool for the WSUS Agent – FREE TOOL A free system verifier that tests connections between a WSUS server and client. Installs on Windows Server.
- SolarWinds Patch Manager – FREE TRIAL This third-party package extends the use of WSUS and integrates it with other patch management systems. Installs on Windows Server.
- Syxsense Manage – FREE TRIAL A WSUS replacement that manages endpoints and patches them whenever necessary. This is a cloud-based system.
- ManageEngine Patch Manager Plus – FREE TRIAL Fleet patch manager for Windows, Linux, and macOS devices. Available for Windows Server or as a cloud service.
- NinjaOne Patch Management – FREE TRIAL A cloud-based service that implements all aspects of patch management on remote sites.
- ManageEngine Patch Connect Plus – FREE TRIAL A patch coordinator that integrates with SCCM and Intune to centralize patch management in one console. Runs on Windows Server.
- BatchPatch A utility that centralizes different patch management systems, including WSUS, to update many endpoints. Runs on Windows.
- ADFDesign’s WSUS Tool An open-source utility that tests connections to WSUS clients and checks their functionality. Runs on Windows.
- WSUS Offline Update An open-source tool that will patch computers that aren’t connected to the internet.
- AJ Tek WSUS Automated Maintenance A bundle of WSUS management tools that improve performance and reduce the space taken up by WSUS. Installs on Windows Server.
The management and distribution of updates through a WSUS server is completed through a management console with the aim of giving administrators full control, allowing them to direct workstations connected to the WSUS server in the network while simultaneously restricting the end users’ access to Windows Update.
Administrators can further determine to utilize a single WSUS server as the update source for other WSUS servers (known as an upstream server) in an organization, providing it connects to Microsoft Update to obtain available update information, or choose which WSUS servers can connect directly to Microsoft Update based on network configuration and security.
Maintenance & Deployment
The maintenance and deployment of interim software releases through the use of automatic updates aids in preserving operational efficiency and stability within an organization. It also minimizes the threat of potential security vulnerabilities by maintaining properly configured systems and installing the latest software and updates, which in turn avoids the loss of revenue or exploitation of intellectual property.
In the interest of not disrupting workflow, the Automatic Updates service runs in the background and consolidates all updates requiring a restart into a single restart, ensuring its impact on network functionality and employee productivity is minimal, while also greatly limiting its use of bandwidth when each client computer obtains its updates from a WSUS server instead of individually downloading it from the internet.
WSUS also allows for synchronization, which administrators can configure, choosing which updates are downloaded to a WSUS server during this process, and synchronization can be scheduled to initiate automatically.
Administrators can additionally group client computers to be members of a specific WSUS computer group for the easier distribution of patches based on target groups.
The overall level of compliance can be assessed and monitored per individual computer and computer group by administrators using the Status of Update report, which details the statuses for update approval and deployment per update, based on all events sent from each computer.
Update Summaries & Troubleshooting
Summaries of updates installed or required to be installed, as well as compliance information for specific computers or updates, are available and the synchronization activity and status for a given time period can be tracked, with the option of viewing all of the latest updates downloaded.
In the case of troubleshooting client computers which may be failing to report to the WSUS server, WSUS client diagnostic tools and software significantly ease and speed up this process, and we have gathered the best WSUS client diagnostic tools and software for you, detailing their capabilities and strengths, with download links and pricing structures listed under each tool.
Here are the Best WSUS Tools & Software of 2021:
Ideal for smaller networks who cannot justify a full patch management facility and the costs involved, the SolarWinds Diagnostic Tool for the WSUS Agent is a free software package which acts as a step between bare WSUS capabilities and full patch management.
Installed and run on the client’s computer, it ensures the WSUS agent works correctly on all computers linked to the WSUS server while also aiding in the troubleshooting of issues arising. This is especially handy as a troubleshooting tool when you are looking for issues relating to Windows updates on your systems.
With the Diagnostic Tool for the WSUS Agent, you will not have to rely solely on status reports by the central WSUS server, as the software provides a different view of update actions through the monitoring of client status of WSUS agents running on the endpoints on your network and validates Windows Update agent configuration values, reporting these values back to you to serve as a baseline.
This helps you to build up historical and trend data that is very helpful in the long run. It helps you to establish patterns and issues that reoccur.
The SolarWinds Diagnostic Tool for the WSUS Agent starts automatically after installation, performing an initial analysis, after which a deeper analysis can be run by clicking the Start Diagnostic button.
This will discover and reveal all potential issues with the WSUS agent, producing detailed error reports and providing recommendations on what actions are needed to resolve the problem, speeding up the troubleshooting needed to have the agent running properly, while also providing the ability to run periodic checks with the aim of discovering potential points of failure before they become a problem.
Knowing ahead of time before a problem becomes serious can save an organization countless hours of repairs, as well as potential cost savings in repairs.
Download: A download link to this free software can be found here.
SolarWinds Patch Manager, a full software patch and update management package, includes the facilities covered by Free Diagnostic Tool for the WSUS Agent and extends past it, aiming to provide an efficient and inclusive experience in the management of updates and patches, with its integration of SCCM monitoring allowing it to interact with agents not only running on Windows operating systems, but also Mac OS, Linux, Unix, Android devices and iOS, covering the entire network with its patching capabilities.
SolarWinds Patch Manager integrates flawlessly with WSUS and displays each of your devices as well as the software installed on them on its dashboard, providing an overview of status and compliance, with reports on patch status and inventory made, while a reduced list details any failed updates on specific devices or devices which do not have the latest software versions.
Deployments of patches and updates can be scheduled in Patch Manager, allowing for the installation of patches outside working hours, which lessens workflow interruptions. It applies diagnostic verification automatically, reducing the need for further investigation into whether any endpoints on the network are not in sync, and sends you reports of patch update failures, allowing immediate action to be taken from a drop-down list of options appearing against each record of a failed update.
SolarWinds Patch Manager further includes a support service, which pre-tests patches available from all major software producers, allowing for the automatic installation of patches with a lower risk of malware or software bugs. Its additional vulnerability management, limited by the patch management application, will ensure the computers connected to WSUS servers do not have vulnerable software installed, and if found, the proper patches will automatically deploy to fix the issue. Reports on vulnerabilities identified are available and can be distributed to others within the organization.
Price: Pricing for the SolarWinds Patch Manager starts with a 30 Day Free Trial!
Download: A 30 day trial version as well as an interactive demo can be found here.
Syxsense Manage is a cloud-based service that is charged for by subscription. While the central console operates on the Syxsense server, local agents need to be installed on each site that hosts endpoints that are to be included in the management system. System administrators that are dissatisfied with WSUS should consider Syxsense Manage as a substitute.
The Syxsense system is able to manage devices that run Windows, Linux, and macOS and it can also supervise IoT devices. The tool, as a cloud-based system, isn’t limited to supervising endpoints on one network. It is able to centralize the supervision of endpoints on several sites and can also include remote desktops located in the homes of telecommuting workers.
When a customer starts up a new account with Syxsense Manage, the first phase of tasks is to set the system up. You need to set up a maintenance schedule that lets Syxsense know when it is OK to roll out patches. The other big task that needs to be undertaken is to populate the management system with details of the devices that are going to be managed by the service. This is an easy task because, once an agent has been downloaded, Syxsense Manage will scour the network and identify each endpoint. It then populates the system inventory with details about each device.
The next step in the setup is a software search. Syxsense Manage compiles a software inventory, listing the operating system and software installed on each endpoint. The system records the versions of all of these, which indicates the patch level that each package is at.
The discovery process is continuous, so both the hardware and software inventories get repeatedly updated and there is no need for the operator to add in any new resources after the initial scan.
Ongoing, the patch manager in Syxsense Manage will watch the notification systems of all of the vendors for those software packages identified in the discovery phase. When a patch becomes available, Syxsense copies over the installer and stores it. When the next available maintenance window arrives, that patch will be applied to all relevant endpoints.
Each account for Syxsense Manage gets 50GB of space on the Syxsense server to store patch installers and also all of the logs generated by the patch manager. Those logs and all of the other system information can be extracted as reports in formats needed to prove compliance to PCI DSS, HIPAA, and SOX.
Pricing: The Syxsense Manage is charged for on a subscription with rates starting at $600 to manage 10 devices.
Download: You can download a 14-day free trial of Syxsense Manage.
ManageEngine Patch Manager Plus is one part of the IT infrastructure management tools that ManageEngine offers which aims at overcoming any potential vulnerability that can create security weaknesses. It can also help to prevent bad patches that can corrupt system data or cause a system to become unavailable.
It does all of this whilst ensuring that performance is not reduced and new features as well as resources are not missed due to unpatched endpoints.
This is all very useful if you are managing critical systems on your network and you can’t afford any downtime due to bad patches or improper patch installations.
ManageEngine Patch Manager Plus creates an inventory of the software of all endpoints. These typically exist in a network and are identified by scanning them.
ManageEngine Patch Manager Plus then compares these to the latest versions of each product.
It then details which modules are no longer up to date and then proceeds to communicate with the servers of all relevant software producers to download necessary patches.
This whole process can run automatically, with no intervention required.
However, if you require candidate patches to be approved before deployment, the patches can be listed on the dashboard for prior approval. This helps to streamline the process somewhat and is a good way to semi automate the way that your patches are selected and installed.
The inclusion of a test system by ManageEngine Patch Manager Plus assists in making the deployment of patches stable and error free, doing this by first testing the new update on a limited number of devices so that the impact of software changes can be viewed and assessed before they roll out to the entire network, saving both time and effort in the event of an issue arising, with reports on system vulnerability, applicable and missing Windows patches as well as task statuses made available.
ManageEngine Patch Manager Plus is available for on-premises installation or as a cloud-based service. It runs on Windows and Windows Server environments, with the option of being integrated as a plug-in into Spiceworks.
Certain agents enable the software to monitor software statuses on Mac OS, Linux systems and others.
This is normally done via SNMP and can give you a lot of information about the systems that are attached to your network.
Price: Pricing for ManageEngine Patch Manager Plus Professional starts at $245.00 annually for 50 computers on-premises and $34.50 on a monthly basis for 50 computers on a cloud service and more details on pricing structure with the option of a free trial can be found below!
Download: A free version of this tool can be downloaded here.
NinjaOne – formerly NinjaRMM – is a package of tools that support the remote management of entire IT systems. This is a particularly interesting service for managed service providers (MSPs) because the NinjaOne service provides all of the tools that their technicians need.
Within the NinjaOne bundle is a Windows patch management service. This covers all tasks relating to installing patches and replaces the need to access the WSUS interface. The NinjaOne aim is to provide all system management tools in one interface. Patch management actions implement all stages of IT asset management.
The basis of the patch management system lies in the asset discovery service of NinjaOne. When a client is enrolled into the support service, NinjaOne scours the network and registers all of the devices that it discovers in an asset inventory. The service then searches each endpoint and composes a software inventory for it. The result of this discovery phase is a complete list of every instance of each operating system and the software packages installed on each device.
There is no guarantee that all devices will be at the same patch level, so NinjaOne first brings all software up-to-date by sequentially applying all missing patches. This allows the service to update the versions of all operating systems and software packages in the software inventory. Once the initial update has been completed, the NinjaOne system continues to look out for new updates and patches and applies them when necessary.
The system administrator needs to set up the NinjaOne Patch Manager with a calendar of maintenance windows. With this in place, the patch manager will schedule patch rollouts for the next available period.
NinjaOne is a cloud platform and it is suitable for use by the IT departments of multi-site businesses as well as managed service providers.
Price: Contact sales team for a quote.
Download: NinjaOne is available for a 14-day free trial.
Patch Connect Plus from ManageEngine is a tool that helps you “Re-define your SCCM Experience” or, in other words, integrates with SCCM to help you with your 3rd party software updates and patch distribution.
This tool has over 530+ third-party updates across 330 (and counting) software applications that give you the flexibility of deploying customized software roll-outs to optimize end-user experience.
Features & Capabilities of this Tool:
Here are some of the highlight features of this tool that we like the most.
- Optimize workflow operations including Troubleshooting and Managing Clients with their Built-in Admin Tools package
- Automate 3rd Party Software & Application Patching tasks
- Customize your Deployment with Pre & Post Scripts before & After you deploy
- Expansive SCCM 3rd Party Software Catalogs
- Auto-detection of New apps & software installed within your Network
- Native Plugin for SCCM
BatchPatch is a full, autonomous patch management system for service software and works alongside the WSUS service, providing the effective management of updates downloaded, transferred, installed and stored, as well as better reporting functions and diagnosis of problematic clients than the bare WSUS facility, while adding its colorful user interface to the WSUS server, making the commands easier to view and follow.
BatchPatch works from a central server and has the ability to simultaneously initiate downloads and installations of Windows updates on multiple remote computers, whether stand-alone, members of a domain or in a work group, further letting you choose to install all available updates or only particular updates by either name or category.
For diagnostic purposes, BatchPatch has a client querying section, enabling the remote access of each client to run custom scripts on the clients in the effort of troubleshooting and its remote functions allow the manual reboot or shutdown of individual computers as well as the option to employ Wake on LAN, while also managing offline installs to specific clients.
BatchPatch extends past just patch management to include software deployment, allowing it to install most third-party software on remote computers, while its scripting language further supports the sequencing of updates and the more efficient management of software dependencies while also offering the option of managing updates from other system service providers.
For networks with multiple WSUS servers, BatchPatch has a rollup reporting system and possesses a wide range of pre-written formats for reports on network device status, which assists in overseeing the health of all devices connected to WSUS servers.
This helps to maintain the overall stability of your Windows Update environment and also helps to ensure a more secure update procedure.
Price: The pricing for BatchPatch starts at $399.00 for 1 user and a year of support and all of its plans can be found here.
Download: You can download a free version of BatchPatch here but, while not time restricted, it is limited to four simultaneous target hosts in the grid. This gives you a better understanding of how the product performs and what it can do for your systems within your environment.
8. ADFDesign’s WSUS Tool
ADFDesign’s WSUS Tool is a free tool available from the Spiceworks Community, handy for IT administrators with the need for cloning PCs as well as debugging and managing WSUS. It focuses on simplicity rather than complexity, being a graphical front end to actions performed in the background by the wuauclt.exe program. It needs to be installed on each endpoint of the network and run from there, but it can be controlled remotely from a central location through remote management software.
The process automation script in ADFDesign’s WSUS Tool automatically detects each client and saves time in the running of diagnostics with its three main functions of detecting, cloning and reporting.
Its “Detect Now” function runs a standard WSUS detection procedure, providing information on which of the client’s services is visible to the WSUS server and will run an audit check on the client through the restarting of the client auditing software, offering a timeframe limited report instead of an ongoing log file.
The “Clone Fix” function of ADFDesign’s WSUS Tool will attempt the process of fixing the client, deleting some registry keys and restarting the wuauserv service, before resetting its authorization and re-running its detect function. The “Report Now” function will immediately run a report on a particular client, avoiding the need to dig through logs for relevant information in the diagnosing of any issues related to the client or its communication with the WSUS server.
ADFDesign’s WSUS Tool only utilizes standard Microsoft executable files or programs, so no third party software is used which could install malware or damage the network; you can verify this by combing through the code yourself.
This makes the tool quite useful if you are trying to weed out programs that you do not want installed on users’ systems.
Download: This tool can be downloaded here.
9. WSUS Offline Tool
The WSUS Offline Tool from Anoop C. Nair addresses a shortcoming of WSUS with regards to client computers that do not have access to the internet, handled through a process called WSUS offline update which only installs critical or security relevant patches, leaving offline client computers out of sync in comparison to online computers as they can miss important updates.
The WSUS Offline Tool, however, uses the Windows Update Agent to determine what patches are required to be installed on a client’s computer, including both important and optional patches. This makes the WSUS Offline Tool a very useful application to have running on your network.
The WSUS Offline Tool schedules available patches for an offline client, delivering them from a central download server. While the patch coverage by WSUS Offline Update will rarely fully satisfy Microsoft’s Online Update, as minor patches could be missing, it does satisfy Microsoft’s Baseline Security Analyzer, but nonetheless is only recommended for use in non-production environments.
This could be useful in a lab type environment, or on a larger private network if you have the need to manage updates for multiple hosts and you don’t want to enforce it all manually.
Download: This tool can be downloaded here.
10. AJ Tek WSUS Automated Maintenance
AJ Tek provides a useful package of system improvement tools for WSUS. These are available in different formats that are suitable for standalone or distributed WSUS environments. The WSUS tools are implemented as a software package that needs to be installed on-premises. The system will run on Windows and Windows Server.
The WSUS Automated Maintenance system doesn’t have its own user interface. Instead, it operates on the WSUS system, modifying its behavior. Essentially, this is an extension to WSUS and it is implemented as an extra setup wizard.
The fundamental principle behind the WSUS Automated Maintenance package is to improve WSUS and not replace it. This system looks at underlying services that WSUS neglects. This is particularly the case with issues such as clean-up and optimization.
Modules within the AJ Tek package will optimize the WSUS database and enable the system administrator to clean up the file space of the system. A big benefit of this service is the option to reject certain types of available patches.
There are patches made available to WSUS that are actually already out of date – they have been superseded by other, newer patches. In other cases, earlier patches form the foundation for newer updates. The WSUS Automated Maintenance tool can tell the difference between the two. You will get the older patches that you need in order to build up the layered patch versions that keep your software running, but you won’t end up installing unnecessary patches. Preview patches can also be filtered out.
The WSUS Automated Maintenance system offers you a better way to manage all of the synchronization logs that WSUS generates. You can keep those that were created over the last 14 days and then choose to either delete or archive older reports.
The AJ Tek system is available in different packages that are suitable for upstream, downstream, and offline WSUS servers. With this service, you can get your WSUS implementation cleaned up and optimized for as little as $60 per year. There is no free trial available.
Download: Access the WSUS Automated Maintenance system at
While Windows Server Update Services is key for the management and automatic distribution of updates, patches, device drivers, feature packs and more, it also plays an essential role in the security of networks and their proper configuration.
WSUS client diagnostic tools and software play a crucial role, as they ensure that the WSUS servers run smoothly and efficiently, allowing for the fast identification and troubleshooting of issues arising, thereby also maintaining operational stability within an organization.
Not many people give much thought to the role that WSUS functionality can add to an environment, so it is good to know that there are many different tools out there that help accomplish the goal of system stability.
The suitability of the various types of solutions available will depend on features offered and costs involved versus the size and nature of organizations and their network.
Your mileage may vary in many respects, and the features that work for one network might not necessarily work for all.
There are many different solutions out there, but we have covered some of the most popular ones. We hope the information gathered here helps in choosing the best tool to match your needs.