Introduction
Patch management for physical and virtual machines is a critical process when considering estate security. It is integral for security and operation teams to have a mechanism to efficiently roll out patches. It is also often a challenge for organizations when reviewing and selecting the best product. It can soon become overwhelming to decide on the best tools and processes to manage patches.
This article explores three different options that organizations may want to consider when protecting workloads in Microsoft Azure:
- Windows Server Update Services (WSUS).
- Update Management in Azure.
- Microsoft Endpoint manager.
There are several options, but these are three common solutions for workloads in Azure and will be the focus for this article. The spotlight will remain on Microsoft Windows workloads, but there are also considerations for Linux have also been made.
Windows Server Update Services (WSUS)
WSUS has a rich history and is still considered one of the main patch management systems for Windows workloads. Microsoft first released Server Update Services (SUS) in 2005 which had limited features but still proved to simplify the lives of IT Administrators. SUS evolved into WSUS which built on the platform to include features such as server grouping and update classifications.
WSUS gained popularity due to it supporting multiple deployment scenarios and the fact that it is built into Windows server made it an attractive option for customers. For instance, WSUS allows you to distribute multiple WSUS servers and create an update hierarchy across an environment (See figure 1 below). This essentially means that organizations only need to expose one WSUS server to the internet. The other WSUS servers do not require internet access and can simply retrieve updates from the dedicated upstream server. The synchronized WSUS servers are known as downstream servers.
Pros
- Costs: WSUS is part of the Windows Server operating system which results in no additional charges for customers.
- Compatibility: WSUS is a Microsoft native tool which offers great compatibility across the Microsoft ecosystem.
- Community: Due to the age of WSUS, there is a large online community offering support, recommendations, and resources for WSUS. It is never too difficult to find help when you encounter problems.
- Deployment Scenarios: Microsoft allow administrators to configure WSUS to meet business requirements and covers an array of deployment scenarios e.g. downstream and upstream servers.
Cons
- Infrastructure: WSUS does rely on additional infrastructure. Depending on how complex your environment is there might be a number of servers to manage. This ultimately increases management overhead as the WSUS servers will need to be maintained and patched.
- Database: WSUS requires a database to function. The two main options are Windows Internal Database (WID) and SQL. While WID is considered low maintenance compared to SQL, this does not mean that the database can be entirely neglected. Whether WSUS utilizes WID or SQL, there is a certain level of maintenance that needs to be undertaken on a regular basis, otherwise you will experience bottlenecks or WSUS failures.
- Training: There is a steep learning curve with WSUS. Approvals, groups, and classifications are some of terms that WSUS administrators need to familiarize themselves with. Configuring the product correctly also takes considerable time investment.
- Remote machines: It is extremely challenging to update remote devices. WSUS requires clients to connect to the WSUS server, this is only valid for machines that are connected to the same network as the WSUS server (devices on the LAN) or the corporate VPN. WSUS is not a strong option for cloud devices.
Azure Update Manager
Azure update manager is a cloud based offering from Microsoft. It can be used to update both Windows and Linux servers. The historic solution known as Azure automation update management did rely on Azure automation and Azure monitor. But Azure update manager no longer requires these Azure services as prerequisites. Azure update manager works by utilising Azure Windows VM Agent.
Azure update manager doesn’t offer as many features as WSUS but it is a good option for those that want to cut down on their infrastructure.
Pros
- Cloud Service: Azure update manager does not rely on standing up or managing your own infrastructure.
- Time: As there is no infrastructure to manage, the IT team can use this time to focus on other projects and initiatives.
- WSUS – It can be used alongside WSUS if required.
- Unified Platform: Azure Update Manager offers a single pane of glass for managing updates across both Azure and on-premises environments, simplifying the update management process.
- Intuitive Dashboard: Provides an intuitive and user-friendly dashboard for managing updates, making it easier for IT teams to monitor and control the update process.
- Pricing: The costs to utilize Azure update manager is extremely competitive.
Cons
- Features: Azure update manager isn’t as feature rich as WSUS.
- Firewall Exposure: Unlike WSUS, it is not possible to restrict internet access in your environment. Servers will require access to a number of Microsoft update servers and IP addresses. This will either require rules being configured on the central firewall or individually on each VM.
- Configuration Complexity: Setting up Azure Update Manager can be complex, requiring thorough understanding of both Azure services and the existing IT infrastructure. This complexity can lead to a steep learning curve for IT staff.
- Additional Costs: While Azure Update Manager itself is part of Azure Automation, using it can incur additional costs, particularly if it involves scaling up resources, data transfer, or integrating with other paid Azure services. These costs can add up, especially for smaller businesses or those with budget constraints.
- Azure-Centric: The service is deeply integrated with Azure, which can be a limitation for organizations with a diverse multi-cloud or hybrid environment. It may not seamlessly integrate with non-Azure platforms, potentially complicating the management of updates across different environments.
It is also worth emphasising that you can use Azure update manager in conjunction with WSUS to form a robust solution.
Windows Autopatch
Windows Autopatch is a cloud service offered by Microsoft that automates the process of managing updates for Windows and Microsoft 365 apps. It aims to simplify the update process, ensuring that devices are always up-to-date with the latest security patches, feature updates, and quality improvements.
It is important to highlight that Windows Autopatch requires devices to be enrolled in Microsoft Intune.
Pros
- Automated Updates: Windows Autopatch automatically deploys updates for Windows 10/11 and Microsoft 365 apps, reducing the administrative burden on IT departments.
- Rollback Capability: In case an update causes issues, Windows Autopatch includes mechanisms to roll back changes to ensure business continuity.
- Integration with Microsoft Endpoint Manager: Windows Autopatch integrates seamlessly with Microsoft Endpoint Manager, leveraging tools like Intune for device management.
Cons
- Application Conflicts: Automatic updates can sometimes cause compatibility issues with existing applications, particularly custom or legacy software. This can lead to unexpected downtime or operational disruptions.
- Reduced Flexibility: Organizations used to having granular control over their update process might find the automation and preset configurations limiting. Custom update schedules and specific patch management strategies might be harder to implement.
- Internet Connectivity Required: Windows Autopatch relies on cloud-based services, which means consistent internet connectivity is essential for it to function effectively. This can be a limitation in environments with poor or unreliable internet access.
Conclusion
This article explored three popular patch management solutions provided by Microsoft: WSUS, Azure Update Manager, and Windows Autopatch. All three products offer varying features. WSUS provides the greatest level control whereas Windows Autopatch is quite limiting in terms of user configuration and management.
WSUS still offers the greatest flexibility for customers. Azure Update Manager and Windows Autopatch can be good options for start-ups that do not have existing on-premises infrastructure. This is not to say the solutions should not be used in hybrid environments, but the use case and requirements need to be carefully planned before deployment.