In Matthew Jones' blog post last week, he presents a good overview of the challenges that today's organizations face when patching third-party applications while Microsoft Windows Server Update Services (WSUS) is the chosen patching mechanism. The most significant challenge is the simple fact that those applications are not getting patched, or, if they are, it is likely in a haphazard manner at the whim of an end user sufficiently motivated by desktop popups from the products' auto-updaters.

While the article does a great job of calling attention to the problem, and even offers some suggestions for improving the environment, it doesn't really provide a functional solution to the reader. For example, regarding educating users: the whole idea of a centralized patch management product is that users don't have to be 'educated'; an effective patch management system is completely transparent to the end user. Avoiding the expectation that users will install updates is exactly the reason the organization implemented WSUS in the first place.

In the last paragraph, Jones offers the recommendation to "...implement a patch management solution that will deploy third-party patches", and provides two options, only one of which can actually be used in a WSUS environment. Other options do exist, but seem to have been overlooked in the article.

For the reader who is managing a WSUS environment, one product certainly worthy of mention is SolarWinds Patch Manager. Patch Manager sits on top of the WSUS environment and provides automatic synchronization to a catalog of ready-to-use third-party updates for all of the prevalent desktop applications: Adobe Reader, Adobe Flash, Firefox, Chrome, Java Runtime, and iTunes, to name a few. In addition, Patch Manager provides an enhanced toolset for monitoring and managing the entire WSUS environment, and a toolset to directly deploy on-demand, or explicitly scheduled, third-party updates and Microsoft updates. Patch Manager also provides tools for asset inventory and for reporting on the actual state of the products and updates in the organization, and it does all of this at a price point less than a third of that of the other option noted.

Patching third-party content should be no different at all from patching Microsoft content. The only reason it would be is that the methodologies are different (e.g. using GPO/Software Distribution, or trusting users to click on the auto-updater). With WSUS, the policies should be identical. What's more, with WSUS you don't have to "scan" systems to get information: it happens automatically, daily. Publish the third-party update to the WSUS server after it automatically arrives, and in the morning run a report (or schedule it and deliver it via email to your Inbox) and review the status of your third-party updates side-by-side with your Microsoft updates.
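As an added example (not code from the post, Patch Manager, or Microsoft), the following PowerShell script uses the WSUS administration API to produce the side-by-side status report described above, splitting approved updates into Microsoft-sourced and locally published third-party ones. It assumes the WSUS console assemblies (Microsoft.UpdateServices.Administration) are installed where it runs; the server name and port are placeholders.

```powershell
# Added example: per-update install status for a WSUS server, split into
# Microsoft-sourced and locally published (third-party) updates.
# Assumes the WSUS administration console is installed on this machine.
param(
    [string]$WsusServer = 'wsus.example.internal',  # placeholder hostname
    [int]$Port = 8530,                               # default non-SSL WSUS port
    [switch]$UseSsl
)

[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($WsusServer, $UseSsl.IsPresent, $Port)

# Only the latest approved revision of each update matters for a compliance view
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::LatestRevisionApproved

# Summaries are computed over every computer that reports to this server
$targetScope = New-Object Microsoft.UpdateServices.Administration.ComputerTargetScope

$rows = foreach ($u in $wsus.GetUpdates($scope)) {
    $s = $u.GetSummary($targetScope)
    # "Needed" = reported as applicable but not yet fully installed
    $needed = $s.NotInstalledCount + $s.DownloadedCount + $s.FailedCount + $s.InstalledPendingRebootCount
    [pscustomobject]@{
        # Locally published updates (e.g. Adobe, Java) report UpdateSource 'Other'
        Source    = if ($u.UpdateSource -eq 'MicrosoftUpdate') { 'Microsoft' } else { 'Third-party' }
        Vendor    = ($u.CompanyTitles -join ', ')
        Title     = $u.Title
        Installed = $s.InstalledCount
        Needed    = $needed
        Failed    = $s.FailedCount
        Unknown   = $s.UnknownCount   # clients that have not yet reported on this update
    }
}

# Worst offenders first: failed installs, then still-needed counts
$rows | Sort-Object Failed, Needed -Descending |
    Format-Table Source, Vendor, Title, Installed, Needed, Failed, Unknown -AutoSize

# Roll-up so third-party and Microsoft compliance can be compared side by side
$rows | Group-Object Source | ForEach-Object {
    [pscustomobject]@{
        Source    = $_.Name
        Updates   = $_.Count
        Installed = ($_.Group | Measure-Object Installed -Sum).Sum
        Needed    = ($_.Group | Measure-Object Needed -Sum).Sum
    }
} | Format-Table -AutoSize
```

Pipe `$rows` to Export-Csv and attach the file with Send-MailMessage from a scheduled task to get the morning Inbox delivery the paragraph describes.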