WSUS

  • Question

  • Excuse my ignorance, but does WSUS only push out Windows updates, or can it handle stuff like Apple, Adobe, etc.?
    Friday, May 7, 2010 8:41 AM

Answers

  • Excuse my ignorance, but does WSUS only push out Windows updates, or can it handle stuff like Apple, Adobe, etc.?


    To manage non-Microsoft updates with WSUS requires an additional product.

    There are four options that I'm immediately aware of that can deploy Adobe/Apple/Java updates using the existing WSUS infrastructure (or a minor rebuild thereof).

    1. System Center Essentials

    2. System Center Configuration Manager

    3. EminentWare WSUS Extension Pack

    4. Secunia CSI.

     

    The System Center products, however, only provide the infrastructure, not the content, although you can subscribe to a content catalog from Shavlik, but you have to manually download and import the catalog in your System Center environment as new packages are released.

    The Secunia CSI product is primarily a vulnerability scanner. It scans for *security* defects in 3rd party products, similar to how MBSA scans for *security* defects in Microsoft products. Secunia provides metadata for 3rd party updates, but you must obtain the binary content direct from the vendor. There is no methodology for customizing the metadata, and the only tool available for managing approvals is the Secunia CSI console, and it's pretty primitive.

    The EminentWare WSUS Extension Pack provides an end to end solution, including content via scheduled synchronization, the ability to customize metadata, or create new packages from scratch, update approvals, delegation of update approvals, immediate deployment, scheduled deployment, advanced reporting capabilities, and a collection of inventory and configuration management tools beyond the scope of simple update management.

     


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Principal/CTO, Onsite Technology Solutions, Houston, Texas
    Microsoft MVP - Software Distribution (2005-2010)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    My Blog: http://onsitechsolutions.spaces.live.com
    Friday, May 7, 2010 5:34 PM

All replies

  • WSUS does publish more than just Windows updates, but only for Microsoft products.
    Friday, May 7, 2010 9:16 AM
  • As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios.

    If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    In addition, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

    Thanks!

    Monday, May 17, 2010 9:58 AM
  • Just to add my pennies' worth, you can now use SCUP 2011 to push out all sorts of updates. I've created a step-by-step guide to pushing out Java updates using WSUS here:

    http://itguru82-sccm.blogspot.co.uk/2012/08/java-updates-using-wsussccm.html

    You can use WSUS now for pretty much any software you like, so long as you know what you are doing!

    Tuesday, August 28, 2012 8:25 PM
  • Just to add my pennies' worth, you can now use SCUP 2011 to push out all sorts of updates.

    Actually, in a WSUS-only environment you cannot use System Center Updates Publisher (SCUP). SCUP is only licensed for use by customers who have licensed installations of System Center Configuration Manager or System Center Essentials.

    WSUS-only shops will need to use one of the three products designed for publishing and managing third-party updates with WSUS:

    In addition, I must note, since I originally responded to this thread in May, 2012, I have become employed by SolarWinds as a Product Manager.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Tuesday, August 28, 2012 11:25 PM
  • Of course, I did know that. I tend not to use our System Center for Windows updates and instead leave it to WSUS and have SCUP putting in the 3rd party updates. So yes, my guide is only of use if you have System Center licensed/installed in your org. But still the guide still stands up, you can use SCUP for 3rd party updates so long as you have the correct licencing.


    http://itguru82-sccm.blogspot.co.uk/

    Tuesday, September 18, 2012 7:47 PM
  • But still the guide still stands up, you can use SCUP for 3rd party updates so long as you have the correct licencing.

    I absolutely agree that the guide is valid as regards the technical aspects of using SCUP and publishing to the WSUS server. However, unless I missed something, neither of the posts cited uses the terms "Configuration Manager", "System Center Essentials", or "Software Update Point" -- and you did post them in the **WSUS** forum (and there are dedicated forums for SCCM and SCE), so on its face the posts imply that this capability is a viable solution for WSUS-only environments, when exactly the opposite is the reality.

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, September 19, 2012 1:45 AM
  • Does this apply to Office for Mac 2011 updates as well? Can I keep Office for Mac 2011 up to date with WSUS or similar centralised management service?
    Friday, October 12, 2012 3:06 AM
  • Does this apply to Office for Mac 2011 updates as well? Can I keep Office for Mac 2011 up to date with WSUS or similar centralised management service?
    No, WSUS is only for Microsoft Platforms. There could be other centralized management services that update Macs, but I am not aware of any systems that update Apple computers the same way WSUS updates Microsoft OSes.
    • Proposed as answer by TechieGurl Monday, October 15, 2012 5:12 AM
    Friday, October 12, 2012 4:36 PM
  • Hi Lawrence, Alert Me,

    as I have been working with Secunia products extensively throughout the past 2 years, I just want to update a bit your information that dates from 2010. Secunia CSI 4.1 was the tool you obviously referred to back then, but now with the current implementation provided by Secunia (CSI 6.0), one can use several open-interface mechanisms to patch across organizational networks. CSI 6.0 allows integration with 3rd-party vendors for 3rd party distribution (i.e. Altiris, ZENworks, and all tools which support direct/automated import of software update metadata via XML formatting), full PM integration with WSUS/SCCM (via WSUS API), as it also provides the SCCM console which is embedded in the new SCCM 2012 release to adhere direct 3rd party VI assessment and PM through the SCCM UI. Secunia is really going forward to support all its/MS customers with full coverage of security patches for simplified PM.

    Please note, this is not a commercial, I am being objective and just wanted to share this with all you guys that want to have a simplified process without re-designing your environments to fit yet another PM tool. Secunia CSI 6.0 will comply with current policies and process without requiring additional setup and design to be performed. Moreover, CSI can provide direct VI assessment by fetching SCCM inventory reports straight from the SCCM database, which saves Administrators from deploying additional Agents / Scanners. SolarWinds and Secunia seem to be the only companies on the market 'to take the right approach to PM'.

    I will not make an effort to support EminentWare in this regard because I don't think their '3rd party PM service' is even worth mentioning with such a small limited support to only few common applications provided through a Software Catalog. I am not a fan of catalogs because application lifecycles i.e. Adobe, Java, went short to only 2 - 3 weeks for a following release which compromises the reliability of a software catalog, as only few patches in it would really be sufficient to 'strike by a first hit' your vulnerable 3rd party software. Usually catalogs would also store a lot of insecure patches since no-one took care of cleaning/updating the catalog, moreover vendors like to have 'as much as possible' updates shown in their catalogs obviously making them think that quantity is better than quality.

    Best Regards / Rosen


    Friday, December 21, 2012 10:14 AM
  • Secunia CSI 4.1 was the tool you obviously referred to back then, but now with the current implementation provided by Secunia (CSI 6.0), one can use several open-interface mechanisms to patch across organizational networks. CSI 6.0 allows integration with 3rd-party vendors for 3rd party distribution (i.e. Altiris, ZENworks, and all tools which support direct/automated import of software update metadata via XML formatting), full PM integration with WSUS/SCCM (via WSUS API), as it also provides the SCCM console which is embedded in the new SCCM 2012 release to adhere direct 3rd party VI assessment and PM through the SCCM UI.

    Thank you for the updated information, Rosen. I've not yet had the chance to look at the new version of CSI (although I wish I had). This was very helpful for me.

    SolarWinds and Secunia seem to be the only companies on the market 'to take the right approach to PM'.

    :-) We thank you for the vote of confidence.

    I will not make an effort to support EminentWare in this regard because I don't think their '3rd party PM service' is even worth mentioning with such a small limited support to only few common applications provided through a Software Catalog.

    Now I'm confused.. SolarWinds Patch Manager is the EminentWare WSUS Extension Pack I mentioned in May 2010 (which was updated in my post in August 2012). As for the contention that the smaller catalog in Patch Manager is a detriment, I submit that the ostensibly larger catalogs advertised by the competitors of Patch Manager are just excessive noise. To everybody who makes this point I ask this question: What products do you have installed in your enterprise that need to be patched on a regular basis that are not in the Patch Manager 3rd party updates catalog? When we get a valid answer to that question, we add that product to the list of products to be added. Of late, we've added such "widespread" products as Skype (May 2012), RealPlayer (July 2012), Yahoo! Messenger (Nov 2012), and Foxit Reader (Jan 2013). How many of those do you have installed? (Skype is the only one of those that I use -- and only because Microsoft has now forced me to replace WLM with it.)

    I am not a fan of catalogs because application lifecycles i.e. Adobe, Java, went short to only 2 - 3 weeks for a following release which compromises the reliability of a software catalog, as only few patches in it would really be sufficient to 'strike by a first hit' your vulnerable 3rd party software. Usually catalogs would also store a lot of insecure patches since no-one took care of cleaning/updating the catalog, moreover vendors like to have 'as much as possible' updates shown in their catalogs obviously making them think that quantity is better than quality.

    I'm not really grasping what you mean by this, and just a moment ago you were denigrating the EminentWare product because of its "small catalog".

    Just to be accurate -- what you're using with Secunia CSI is a 'catalog' as well - the only difference is that with Secunia (as I recall), the update package is downloaded from Secunia on a per-update basis (which means you have to have a working Internet connection to package/publish/deploy a needed update), rather than the entire catalog being stored locally (eliminating the real-time dependency on the Internet for package sources), as it is with SolarWinds, vCenter Protect, and vendors like Adobe, HP, and Dell.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Distribution (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Saturday, February 2, 2013 8:05 PM