WSUS deprecated
What next for patch management?

Microsoft no longer develops WSUS. Here are concrete alternatives for companies in Poland

Jakub Roszkiewicz May 2026 14 min read

Microsoft marked Windows Server Update Services (WSUS) as deprecated - the tool still works and is supported, but it will no longer be developed. This is a good moment to calmly look for a successor: many alternatives offer broader scope (third-party application patching, multi-OS) and modern management. For companies of 50-500 employees we have gathered four concrete solutions to compare.

What exactly does "WSUS deprecated" mean?

In September 2024 Microsoft announced that WSUS is deprecated. In practice this means:

  • No new features: Microsoft no longer adds capabilities to WSUS and does not accept new feature requests.
  • WSUS still works and is supported: current functionality is preserved, updates are still published through the WSUS channel.
  • No hard end-of-life date: Microsoft has not announced an end-of-support or removal date and declares feature support within the Windows Server 2025 lifecycle.
  • Microsoft steers companies toward cloud solutions: Intune and Windows Autopatch for workstations, Azure Update Manager for servers.

In its announcement, Microsoft indicates that WSUS is deprecated and that the recommended direction is cloud solutions (Windows Autopatch, Intune) and third-party tools - while WSUS's existing functionality remains available.

Worth remembering: some companies in Poland cannot or do not want to move update management to the cloud. Banks, manufacturing plants, and the public sector require on-premise, full data control, and network isolation. For them the natural direction is third-party on-premise solutions.

Who is most affected?

Checklist: if you agree with the items below, you need to start acting now.

  • Companies with on-premise infrastructure without Intune: this is the majority of Polish IT shops
  • Organizations with limited internet access: manufacturing, public sector, defense
  • Teams of 50-500 employees without a dedicated IT cloud team: Intune is too complex
  • Air-gapped (isolated) networks: WSUS was the only option there; what now?
  • Regulated companies (banks, insurance): GDPR / sectoral rules require on-premise data

If this fits your situation, the WSUS deprecation concerns you. The good news: there is no hard end-of-life date for WSUS, so you have time for a calm migration plan - this is not an emergency. Bear in mind, however, that the NIS2 directive (and national laws implementing it) requires cybersecurity risk management, including a documented vulnerability and update handling process. Details in our article NIS2 patch management: requirements and documentation.

Alternatives: a comparison of four solutions

| Solution | Model | On-Prem | Multi-OS | Price/year (50 endp.) | Strengths | Weaknesses |
|---|---|---|---|---|---|---|
| Microsoft Intune | SaaS | No | Yes (Windows, iOS, Android, macOS) | ~8 USD/user/month (Intune Plan 1, standalone) | Native Microsoft 365 integration | Requires Entra ID Premium; paid; cloud only |
| Windows Autopatch | SaaS (Intune) | No | Windows only | Requires Intune | Automatic, zero-config | No scheduling control; Windows only |
| ManageEngine Endpoint Central | On-Prem + Cloud | Yes | Yes (Windows, Linux, macOS) | ~2,500-3,500 PLN | Third-party patching, built-in CMDB, offline repo, AD integration | Requires initial configuration |
| SCCM/MEMCM | On-Prem | Yes | Mostly Windows | 200,000+ PLN (infrastructure) | Full control, AD integration | Huge IT overhead; complexity; only for large companies |
| PDQ Deploy | On-Prem | Yes | Windows only | ~8,000 PLN/year | Simple, fast deployment | No CMDB; deployment only, not asset management |

Note: A third Microsoft option is Azure Update Manager, available free of charge for Azure VMs and via Arc for on-premise servers. Worth including in the analysis if infrastructure is already partly in Azure.

Our recommendation for most Polish companies: ManageEngine Endpoint Central. On-Prem, patching for Windows+Linux+macOS+third-party, built-in CMDB, Polish-language support available, deployable in 2 weeks.

Why ManageEngine Endpoint Central?

ManageEngine Endpoint Central is the best WSUS alternative for companies of 50-500 employees. Here is why:

1. On-Premise: full data control

You install the EC server on your own infrastructure. No data leaves to the cloud without your consent. GDPR, banks, public sector: all handled.

2. Patch management beyond Windows

WSUS only handles Windows Update. Endpoint Central patches:

  • Windows: all versions, third-party applications (Chrome, Adobe, Office, Firefox, Java, etc.)
  • Linux: CentOS, Ubuntu, Red Hat, Debian, automatic system patches
  • macOS: OS and Apple application patching
  • Mobile: iOS, Android (via MDM)

3. Vulnerability management (CVE tracking)

EC monitors new security vulnerabilities (CVEs) and automatically suggests patches. WSUS does not do this. You can click "Patch CVE-2024-1234" and the system rolls out the patch across the whole infrastructure in minutes.

4. Built-in CMDB (Configuration Management Database)

All computers, their configurations, and installed applications in one database. WSUS requires separate tools (System Center, Intune, etc.). EC has this out of the box.

5. Reporting and compliance

Over 50 built-in reports:

  • Which computers have patch X installed?
  • Which ones are vulnerable to CVE-2024-xxxx?
  • What is the average patch deployment time?
  • Which deployments failed and why?

6. Active Directory integration

One-way sync from AD (EC reads data from AD). A new user is created in AD and automatically appears in EC. Outgoing employee? Automatically removed from management.

7. Migration from WSUS: simple and fast

Export computer groups from WSUS (PowerShell), import to EC, configure patch groups, and you are done. If your company is subject to NIS2, after migration it is worth completing documentation in line with Article 21 requirements. Check our NIS2 checklist for IT managers.

Cost comparison - run the numbers on your own data: Total cost of ownership for Endpoint Central (on-premise license + implementation) and Intune (per-user subscription licenses + required Entra ID plans) differs significantly depending on number of devices, existing Microsoft 365 licenses, and current price lists. Before deciding, compare both scenarios over a 3-year horizon using current quotes - that is the only reliable way.

Step by step: migration from WSUS to Endpoint Central

Below is a detailed plan for an IT manager. You can run it yourself or outsource it.

1. Export the list of computers from WSUS

Open the WSUS Console, launch PowerShell, and run:

Get-WsusComputer -All | Select-Object FullDomainName, IPAddress, LastSyncTime | Export-Csv computers.csv -NoTypeInformation

You get a CSV with the list of all computers managed by WSUS.

2. Install the Endpoint Central server

Download ManageEngine EC from the ManageEngine site. Requirements:

  • Windows Server 2016+ or Linux (Red Hat, CentOS, Ubuntu)
  • Min. 4 CPU, 8 GB RAM, 50 GB disk (for 500 computers)
  • Internet access only for downloading Microsoft patches (not required for day-to-day operation)

Installation takes around 30 minutes. By default EC listens on port 8383 (HTTPS).

3. Deploy the EC agent on computers

Two options:

  • GPO (Group Policy) for companies with Active Directory: closest to what you had with WSUS. You distribute the EC agent via GPO, like WSUS
  • Manual deployment on a few computers: slow, not recommended

After deployment, computers automatically register in the EC Console.

4. Configure patch groups

In the EC Console you create computer groups matching the WSUS ones:

  • Office: laptops, workstations
  • Servers: production, staging
  • Warehouses: POS, scanners

Each group has its own patching schedule. For example, production patches at night, the office during working hours (with a reboot at 17:00).

5. Configure patch policies

You set which patches to install:

  • Critical patches: automatically, no delays
  • Important patches: 1 week after release (tested on developer machines)
  • Optional patches: manually or ignore

6. Testing and parallel-run (week 1-2)

First a pilot:

  • 5-10 computers in each group, install the EC agent
  • Observe patch deployment for a week
  • If no issues, expand to the whole infrastructure

At the same time WSUS stays on, and computers can sync with both systems. After 2-3 weeks, if everything works, you turn WSUS off.

7. Turning off WSUS

After 30 days of parallel running you turn off the WSUS Server:

  • Remove the WSUS role from the server (Server Manager)
  • Or stop the WsusService if you may need it later
  • I recommend keeping the WSUS server up for another 3 months in case of a rollback
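
Before step 7 it is worth checking that every computer WSUS still sees as active has registered with the new server. The script below is an added example, not ManageEngine tooling or code from the original article: it compares the step 1 export with an inventory export from the new tool. The sample rows are constructed, and the `ComputerName` column of the second CSV and the function name `Get-MigrationGap` are assumptions.

```powershell
# Constructed sample standing in for computers.csv from step 1.
$wsusCsv = @'
FullDomainName,IPAddress,LastSyncTime
pc-001.corp.example,10.0.1.11,2026-05-10 08:12:00
pc-002.corp.example,10.0.1.12,2026-05-11 07:40:00
srv-db1.corp.example,10.0.2.20,2026-05-11 02:05:00
pc-old7.corp.example,10.0.1.77,2025-11-02 16:30:00
'@
# Hypothetical inventory export from the new tool; the ComputerName column is an assumption.
$ecCsv = @'
ComputerName
PC-001
pc-002.corp.example
'@

function Get-MigrationGap {
    param(
        [Parameter(Mandatory)] [object[]] $WsusComputers,
        [Parameter(Mandatory)] [object[]] $EcComputers,
        [datetime] $AsOf = (Get-Date),
        [int] $StaleDays = 30,
        [string] $DateFormat = 'yyyy-MM-dd HH:mm:ss'   # adjust to the date format in your CSV
    )
    # Match on short host name; hashtable keys are case-insensitive.
    # Assumes host names are unique across domains.
    $registered = @{}
    foreach ($c in $EcComputers) { $registered[$c.ComputerName.Split('.')[0]] = $true }

    foreach ($c in $WsusComputers) {
        $lastSync = [datetime]::ParseExact($c.LastSyncTime, $DateFormat, [cultureinfo]::InvariantCulture)
        $name = $c.FullDomainName.Split('.')[0]
        if ($registered.ContainsKey($name)) { $status = 'Migrated' }
        elseif (($AsOf - $lastSync).TotalDays -gt $StaleDays) { $status = 'StaleInWsus' }   # likely retired
        else { $status = 'MissingAgent' }                                                   # still active, not covered
        [pscustomobject]@{ Computer = $c.FullDomainName; LastSync = $lastSync; Status = $status }
    }
}

$report = Get-MigrationGap -WsusComputers ($wsusCsv | ConvertFrom-Csv) `
                           -EcComputers ($ecCsv | ConvertFrom-Csv) `
                           -AsOf ([datetime]'2026-05-12')
$report | Format-Table -AutoSize
if ($report.Status -contains 'MissingAgent') {
    Write-Warning 'Active WSUS clients without an agent remain; keep WSUS running.'
}
```

Computers reported as `MissingAgent` would stop receiving updates the moment WSUS is turned off; `StaleInWsus` entries are candidates for cleanup rather than migration.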

Isolated networks: how to manage patches?

If you work in an air-gapped network without internet access, WSUS used to be the only option. What now?

ManageEngine Endpoint Central supports an offline patch repository. Here is how:

Scenario: production without internet

You have two networks:

  • Production network (air-gapped): 200 computers, no internet access
  • IT network (with internet access): a dedicated network for downloading patches

Solution: offline patch repository

  1. On a machine in the IT network you install ManageEngine Patch Manager Pro (purpose-built for this)
  2. It downloads patches from Microsoft servers and for third-party applications (Chrome, Adobe, etc.)
  3. Packages them into a file/archive
  4. You transfer the archive to production: USB drive, media, or a dedicated data link
  5. In the production network, the EC server pulls patches from the offline repo
  6. You sync production computers with the EC server
  7. Patches deploy automatically
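
The transfer in step 4 is the point where files can be corrupted or swapped, so a hash manifest created on the IT network and checked on the production side is a useful control. The script below is an added example, not part of ManageEngine's offline repository mechanism or the original article; the function names and the demo files are constructed for illustration.

```powershell
# Build a SHA-256 manifest of every file under a repository folder (IT network side).
function New-PatchManifest {
    param([Parameter(Mandatory)] [string] $Path)
    $root = (Resolve-Path -LiteralPath $Path).ProviderPath
    Get-ChildItem -LiteralPath $root -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\', '/')
            SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Re-hash the transferred folder and report every deviation (production side).
function Test-PatchManifest {
    param([Parameter(Mandatory)] [string] $Path,
          [Parameter(Mandatory)] [object[]] $Manifest)
    $expected = @{}
    foreach ($m in $Manifest) { $expected[$m.RelativePath] = $m.SHA256 }
    $seen = @{}
    foreach ($f in New-PatchManifest -Path $Path) {
        $seen[$f.RelativePath] = $true
        if (-not $expected.ContainsKey($f.RelativePath)) {
            [pscustomobject]@{ File = $f.RelativePath; Problem = 'NotInManifest' }
        } elseif ($expected[$f.RelativePath] -ne $f.SHA256) {
            [pscustomobject]@{ File = $f.RelativePath; Problem = 'HashMismatch' }
        }
    }
    foreach ($name in $expected.Keys) {
        if (-not $seen.ContainsKey($name)) {
            [pscustomobject]@{ File = $name; Problem = 'Missing' }
        }
    }
}

# Demo on constructed files (stand-ins for downloaded patch packages).
$repo = Join-Path ([System.IO.Path]::GetTempPath()) "patchrepo-demo-$PID"
New-Item -ItemType Directory -Path $repo -Force | Out-Null
Set-Content -Path (Join-Path $repo 'kb-sample-1.msu') -Value 'constructed payload A'
Set-Content -Path (Join-Path $repo 'chrome-sample.msi') -Value 'constructed payload B'
$manifest = New-PatchManifest -Path $repo

# Simulate a file altered in transit and a file that was never in the repository.
Set-Content -Path (Join-Path $repo 'chrome-sample.msi') -Value 'altered'
Set-Content -Path (Join-Path $repo 'extra.exe') -Value 'unexpected'
Test-PatchManifest -Path $repo -Manifest $manifest | Format-Table -AutoSize
Remove-Item -LiteralPath $repo -Recurse -Force
```

A manifest stored on the same USB drive as the archive only detects accidental corruption; to detect tampering it has to reach the production network by a separate path.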

Offline alternatives: Intune? Not possible, it requires the cloud. SCCM/MEMCM? Also requires internet (Microsoft Update Connector). PDQ Deploy can work offline: you download application installers and deploy locally. But that is not a patch manager, just a deployment tool.

  • 12-18 months to plan the WSUS migration
  • 2-4 weeks to roll out EC for 50-200 computers
  • 4 solutions compared as WSUS successors
