Showing results for 
Show  only  | Search instead for 
Did you mean: 
Flexera Alumni

SVM Windows Server Update Services (WSUS) Management Tool
Version 1.0 (download)

wsus-mgmt.pngWindows Server Update Services (WSUS) is frequently used to manage Windows and Microsoft product updates in enterprise environments. Flexera’s Software Vulnerability Manger (SVM) extends to support the patching of third-party software to remediate security vulnerabilities. However, the tools available to manage WSUS are less than ideal when it comes to managing third-party updates. SVM includes some helpful management capabilities to give you control of these updates, but to do such things in a browser means requiring elevated privileges and reliance on an ActiveX control. To reduce the number of situations where IE w/ActiveX is a requirement, we are happy to offer this WSUS Management Tool which provides all the functionality available in SVM and more.

If you on your WSUS server, the target server and port information will be filled in automatically. Otherwise, enter your full server name or IP address and specify the connection port (typically 8530). To view all third-party updates, select “3rd Party” from the Filter Update List choices and click the button, “Connect to Server and Refresh”. Depending on the number of patches on your server this can take a variable amount of time. A hundred updates take only a second, but if you choose “Microsoft Updates” you may have a few thousand patches, which can take a minute or more to fully load.

After updates have been synchronized to your WSUS server, they will be scanned automatically for relevance to the server's client computers. However, you must approve the updates before they are deployed to the computers on your network. When you approve an update, you are essentially telling WSUS what to do with it. You can approve updates for the All computers group or for subgroups. If you do not approve an update, its approval status remains Not approved, unless the WSUS server is configured to auto-approve updates in which case the patches will automatically be targeted to the predefined recipients as per WSUS auto-approval configuration. Not approved is a state that will allow WSUS to gather data as to which clients may meet the requirements of a patch (may be applicable), but it is not a state that allows clients to evaluate whether they need the update or not.

The difference is that WSUS will essentially be able to store the applicability evaluation result when a client checks-in, but the Clients will, at the same time, not be able to assess their own need of the update as the update must be Approved for this to happen. Unless a package has Approved status, the client has zero information on what's applicable or not.

You can select one or more (holding the Ctrl key) and right-click to decline, delete or view the properties of any listed patch. You can also export SPD files contain information about an update which can helpful in troubleshooting as they hold the schema of a patch (for example its name, creation date, vendor, GUID, applicability rules, etc.)

Patches may be approved by WSUS group. Select a patch from the list and select/deselect any target groups at the top and click “Approve Groups” to save any desired changes.

In summary, to decline and/or approve updates, follow the simple steps below:

  1. At the top right, choose what list of updates you want to work with and press the button to connect/refresh
  2. On the bottom of the page,
    1. to approve: Click a patch from the list of updates and make any changes to desired WSUS groups selected and then click “Approve Groups” to save any changes
    2. To decline: Right click on a patch from the list of updates and choose decline

We hope you enjoy this tool and would love to hear any feedback you have, either positive or negative.