Articles in this section

Endpoint Configuration for WSUS-Less (Windows Prerequisites)

Prerequisites for Windows Patching without WSUS (WSUS-Less)

  • Microsoft Update Service Installed
    • The endpoint must have the Microsoft Update service present to receive patches for Windows and other Microsoft products (automatically enabled with our Collect Endpoints Script for Windows)
  • Connectivity to Microsoft Update (port 80 and 443)
    • Same list needed as WSUS

Configuration Options

Option 1: GPO (recommended for domain-joined endpoints / Active Directory)

  • Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates ->
    • Configure Automatic Updates -> Disable the policy 
    • IMPORTANT: Everything else not mentioned in the Windows Update section must be set to Not configured.
  • Enable the execution policy by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell ->
    • Turn on Script Execution -> Enable the policy and set "Allow local scripts and remote signed scripts" in the "Options" section

Optional Policy

  • Restrict users from pausing updates in endpoints that enable this policy.
    • Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates -> Remove Access to "Pause updates" feature -> Enable the Policy.
  • Microsoft Defender Antivirus

NoteIf you want to apply the GPO in phases:

  1. Create a new OU – Link your newly created WSUS GPO to it 
  2. Gradually move computers – Move a few test machines or a pilot group to this OU to confirm the policy settings work as expected.
  3. Expand deployment – As you confirm success, move more machines into the OU.

Post-Steps 

After applying the GPO, perform the following steps on endpoints to ensure WSUS registration:

Step 1: Verify Windows Update Service

  • Open services.msc
  • Locate Windows Update (wuauserv)
  • Ensure it is running and set to Automatic

Step 2: Update GPO and Trigger WUA Check

  • Open Command Prompt as Administrator, run:

gpupdate /force
  • Open PowerShell as Administrator, run:
$updateSession = New-Object -ComObject Microsoft.Update.Session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")

Note 1: If you receive an exception from HRRESULT, please search that HRRESULT online or on the Microsoft website.

Step 3: If the GPO doesn’t apply and no error is shown, reboot the endpoint.

Step 4: If there is still an issue, see this article, starting step 4.

Option 2: Built-in JetPatch Script (recommended for non-domain-joined endpoints)

  • Go to  "Endpoints" -> "Management", select the task "Register Windows Endpoint to Microsoft Update (WSUS-Less)", and run the task on it

After running the task, if you do not see the endpoint reporting to JetPatch, then do the following directly on the machine.

Step 1: Verify Windows Update Service

  • Open services.msc
  • Locate Windows Update (wuauserv)
  • Ensure it is running and set to Automatic

Step 2: Trigger WUA Check - open PowerShell as Administrator, run:

$updateSession = New-Object -ComObject Microsoft.Update.Session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")

Note 1: If you receive an exception from HRRESULT, please search that HRRESULT online or on the Microsoft website.

Step 3: If the registry settings are not set and no error is shown, reboot the endpoint.

Step 4: If there is still an issue, see this article, starting step 4.

Troubleshooting

If you verify that the endpoint is properly configured to talk to the WSUS server, but it is still not reporting, or it has been more than 24 hours since it last reported, please see this article

If you encounter the error message "Some update files aren't signed correctly. Error code: (0x800b0109)", please consult the "Deploy your code signing certificate on Endpoints"

 
Disable the Pause updates feature in the Windows Update window
 

Optional: Microsoft Defender Updates in WSUS-Less Mode

Note: The built-in JetPatch regex script currently does not handle Microsoft Defender update changes. In WSUS-Less configurations, Microsoft Defender Antivirus receives definition updates directly from Microsoft Update. To ensure endpoints remain updated effectively and maintain full JetPatch visibility, explicitly configure the following Group Policy settings:

Step 1: Configure Endpoint GPO 

  • Open Group Policy Management Console
  • Edit the endpoint policy:
Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates
  • Enable the following policy explicitly:
    • Define the order of sources for downloading security intelligence updates:
      Set explicitly to: MicrosoftUpdateServer

  • Additionally, enable regular scheduled updates (Critical step):

Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Scan
  • Specify the day of the week to check for definition updates: Enabled
    • Recommended frequency: Daily at minimum, ideally every 8-12 hours, ensuring definitions are consistently updated from Microsoft Update.

  • Apply the GPO immediately:

gpupdate /force

Step 2: Verification

Confirm Defender definition updates via PowerShell (run as Administrator):

Get-MpComputerStatus | Select AntivirusSignatureLastUpdated, AntivirusSignatureVersion

Optional Step 3: Create JetPatch Daily Maintenance Window

  • JetPatch Console → Maintenance Windows → New
    • Example: Daily, 6:00 PM – 10:00 PM (recommended 4-hour window)
    • This schedule should be part of a daily automatic remediation plan that uses this new daily window as part of the emergency configuration section.

Related articles

Comments

0 comments

Please sign in to leave a comment.