Alex - stock.adobe.com
The Microsoft patch management guide for admins
Microsoft recently added WSUS to its deprecation list. Now that the battle-tested patch management tool's days are numbered, what are the alternatives from the company?
Windows Server Update Services has been a longstanding tool in many Microsoft administrator's environments.
Microsoft's recent plan to deprecate WSUS -- the company's free centralized patching tool for Windows -- has gathered considerable attention and questions, especially from admins who still use the service. Microsoft has many other patching tools and related technologies -- Windows Autopatch, Intune, Azure Update Manager, Windows Update for Business (WUfB), Azure Arc and Microsoft Configuration Manager – and each has its own specialized capabilities to make it a challenge to understand what the WSUS alternatives are. Explore your options to find a suitable replacement for WSUS to get ahead of its imminent demise.
What is WSUS and why is it being deprecated?
Microsoft released WSUS in 2005, replacing Software Update Services. At this time, the world was less connected to the internet, and bandwidth was at a premium. By default, Windows OSes communicated with Microsoft servers to download any OS updates or required patches. This was not a problem for the home user, but trying to pull down updates over a single narrow internet connection was far from ideal for a business with hundreds or thousands of clients and servers. WSUS was the answer to this, acting as a central point between the Microsoft servers and the company's Windows OSes, downloading each update once and then distributing it across the local network when requested by an endpoint.
Beyond bandwidth benefits, WSUS also provides reporting on clients, such as showing required updates and success rates. It's also relatively easy to set up, requiring only a single Windows Server with fairly low specifications. There are no licensing costs beyond the Windows Server and a Windows Server Client Access License (CAL) for each client accessing the server. This CAL covers a client connecting to any internal Windows Server, which is already required for other basic functions, such as access to a Windows file share and printing.
Due to WSUS being the de facto method to keep a Windows environment up to date, it has become an ingrained part of many on-premises environments. This includes environments that use Microsoft Configuration Manager -- previously and better known as System Center Configuration Manager, or SCCM -- which is used for on-premises endpoint management, such as imaging, software installations and updates. Configuration Manager uses WSUS as a back end to distribute Windows updates. As yet, there is no information from Microsoft on a replacement.
This popularity has led to the collective surprise reaction to the WSUS deprecation announcement -- but what exactly does this mean? Official documentation for Windows Server 2025 shows a list of features that Microsoft is no longer developing, which includes WSUS with the explanation: "WSUS is no longer actively developed, all the existing capabilities and content continue to be available for your deployments."
Microsoft further clarified its position in a Tech Community post, stating its focus on cloud-based Windows management but that it would continue to support distributing content via WSUS.
Because WSUS is part of Windows Server 2025, it falls under Microsoft's Fixed Lifecycle Policy, meaning a minimum of five years of mainstream support and an undefined extended support period to provide security updates and paid support. Historically, Microsoft has given five years of extended support with Windows Server. Microsoft has also pushed out dates beyond its original announcements when the product still has reasonable levels of usage. The point being: WSUS will still be here for a long time, and there's no need to panic.
Alternatives to WSUS for patching
For those still concerned about WSUS' looming end, here's what Microsoft recommends as an alternative, along with some of the new features you'll get by migrating.
Windows Autopatch
For clients, this cloud service uses WUfB to deliver updates to Windows clients. Windows Autopatch is managed via Intune, which automates updates and minimizes the need for manual configuration of granular settings. While WUfB settings can also be set via Group Policy in legacy scenarios, Windows Autopatch is designed to ease management by handling a majority of these automatically. Microsoft integrates reporting in the Intune admin center with dashboards to summarize compliance and update status. Admins who need additional data can pull unfiltered update information from WUfB via Azure Monitor and Log Analytics.
Windows Autopatch also requires licensing. For the full feature set, you need Windows 10/11 Enterprise E3/F3 or better. Elements of Autopatch are available in Business Premium and Windows 10/11 Education A3 or better. Differences between these two include group management, driver and firmware updates, Microsoft Edge updates and Microsoft Teams updates, among others. Customers in small businesses and education may be frustrated by the feature gap here.
Azure Update Manager
This is a cloud service for servers and supports managing and governing software updates for endpoints in Azure, on-premises and Azure Arc-enabled servers across other clouds, such as AWS. It also supports Linux in these scenarios, has inbuilt reporting and runs from the Microsoft Azure portal. Azure Update Manager is a powerful tool for update management thanks to its Microsoft native method, providing clear oversight of the update status across your server fleet. Azure Update Manager supports hot patching -- applying updates without requiring a reboot -- which only applies to Arc-enabled servers or those in Azure.
Azure Update Manager is free for servers hosted and connected directly in Azure, whereas, for servers that are Arc-enabled, the cost is roughly $5 per month.
Microsoft provides native alternatives, such as WUfB and Windows Autopatch, as part of the Windows ecosystem. WSUS is included with the price of a Windows Server license, unlike the cloud-based alternatives.
There's also potential overlap: You could use Azure Update Manager to control patching schedules and compliance but still use WSUS for the repository of updates.
Windows Autopatch and WUfB were separate products until recently, making research on the products harder to digest. Windows Autopatch not only updates Windows using WUfB, but also includes updates for Microsoft Edge and Microsoft Teams. However, WUfB still lets you fine-tune how updates are applied.
Due to the varied pros and cons of each product, each organization needs to spend time reading documentation, testing and learning the new options to make an informed decision on what's the best fit for their environment.
There are also many third-party patching products available, which often have other associated benefits and services, such as cloud cost reduction, asset management and alert management. These could be investigated, but they all require a financial investment while being a layer removed from Microsoft, which provides the patches and updates directly.
Regardless of the alternatives, WSUS will still be around for a long time. Although it still works well, it is only for on-premises environments. There is no immediate rush to move away from WSUS, but admins should understand the cloud-based alternatives that offer integration with other services. For example, you could use Autopilot with Intune to require a certain feature in Windows 11 or a patch level for compliance, which allows or blocks sign-in access to specific services. Azure Update Manager gives the metaphorical single pane of glass to manage and report on the update status of servers across clouds, on-premises environments and Linux machines.
Check the extensive documentation on each alternative at the Microsoft site, understand your current licensing and plan your path forward.
