Prerequisites for Windows Patching without WSUS (WSUS-Less)
Microsoft Update Service Installed
- The endpoint must have the Microsoft Update service registered with the Windows Update Agent to receive patches for Windows and other Microsoft products (it is registered automatically by our Collect Endpoints Script for Windows).
Connectivity to Microsoft Update (ports 80 and 443)
- The endpoint needs outbound HTTP (80) and HTTPS (443) access to the Microsoft Update URLs; this is the same URL list a WSUS server needs in order to synchronize with Microsoft Update.
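The two prerequisites above can be checked from an elevated PowerShell prompt. The script below is an added example, not the Collect Endpoints Script or any other JetPatch code: it looks for the Microsoft Update service in the Windows Update Agent's service list (optionally registering it through the documented AddService2 call) and then does a plain TCP connect on ports 80 and 443 to a sample of Microsoft Update hosts. The two host names are only a sample chosen for illustration; use Microsoft's published Microsoft Update URL list for your firewall rules.

```powershell
# Added example (not JetPatch's own script): verify the WSUS-less prerequisites.
#   1) Microsoft Update service registered with the Windows Update Agent (WUA)
#   2) Outbound 80/443 reachability to a sample of Microsoft Update hosts
#Requires -RunAsAdministrator

# Well-known service ID of Microsoft Update (same on every supported Windows build)
$MicrosoftUpdateServiceId = '7971f918-a847-4430-9279-4a52d1efe18d'

function Test-MicrosoftUpdateService {
    param([switch]$Register)   # -Register adds the service if it is missing
    $sm = New-Object -ComObject Microsoft.Update.ServiceManager
    $mu = $sm.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateServiceId }
    if ($mu) {
        Write-Host "Microsoft Update service present (IsDefaultAUService=$($mu.IsDefaultAUService))"
        return $true
    }
    if (-not $Register) {
        Write-Warning 'Microsoft Update service is NOT registered; rerun with -Register'
        return $false
    }
    # Flags 7 = asfAllowPendingRegistration (1) + asfAllowOnlineRegistration (2)
    #           + asfRegisterServiceWithAU (4); empty authorization cab path
    $null = $sm.AddService2($MicrosoftUpdateServiceId, 7, '')
    Write-Host 'Registered Microsoft Update service with WUA'
    return $true
}

function Test-MicrosoftUpdateConnectivity {
    # Assumption: these two hosts are a sample only; the full list is Microsoft's
    # published Microsoft Update / WSUS URL list
    param(
        [string[]]$Hosts = @('windowsupdate.microsoft.com', 'download.windowsupdate.com'),
        [int[]]$Ports    = @(80, 443)
    )
    $allOk = $true
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            if ($r.TcpTestSucceeded) { $state = 'OK' } else { $state = 'FAILED'; $allOk = $false }
            Write-Host ('{0,-32} {1,3}  {2}' -f $h, $p, $state)
        }
    }
    return $allOk
}

$serviceOk = Test-MicrosoftUpdateService -Register
$netOk     = Test-MicrosoftUpdateConnectivity
if ($serviceOk -and $netOk) { Write-Host 'WSUS-less prerequisites satisfied' }
else { Write-Warning 'WSUS-less prerequisites NOT satisfied; see the output above' }
```

Test-NetConnection performs a direct TCP connect. On networks where endpoints reach the internet only through a proxy, the TCP test can fail while Windows Update still works through the proxy, so treat a FAILED line as a prompt to check the proxy configuration rather than as proof that updates are blocked.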
Configuration Options
Option 1: GPO (recommended for domain joined endpoints / Active Directory)
- Open Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update
- Set Configure Automatic Updates to Disabled
- IMPORTANT: Every other policy in the Windows Update node must be left Not Configured (in particular, do not specify an intranet Microsoft update service location, or the endpoint will keep pointing at a WSUS server).
- Open Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
- Set Turn on Script Execution to Enabled and choose "Allow local scripts and remote signed scripts" in the Options section (this is the RemoteSigned execution policy the patching scripts need).
Optional Policy
- To prevent users from pausing updates on the endpoints, enable the following policy:
- Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Remove access to "Pause updates" feature -> Enabled
- Microsoft Defender Antivirus
Note: If you want to apply the GPO in phases:
- Create a new OU and link the GPO created above to it.
- Move a few test machines or a pilot group into this OU to confirm the policy settings work as expected.
- As you confirm success, move more machines into the OU.
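Once the GPO has been applied (and after gpupdate /force), the settings from Option 1 can be verified on the endpoint by reading the policy registry keys that these Group Policy settings write. The script below is an added example and not part of the JetPatch documentation or scripts; the registry value names are the ones the listed policies write on current Windows builds, but treat them as an assumption and confirm against your own build with gpresult /r if a check fails unexpectedly.

```powershell
# Added example (not JetPatch's own script): verify the Option 1 GPO settings landed
# in the local policy registry of the endpoint.
# Assumption: value names are those written by the named Group Policy settings.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist (i.e. policy Not Configured)
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
}

$checks = @(
    # "Configure Automatic Updates" = Disabled writes NoAutoUpdate = 1
    @{ Name = 'Configure Automatic Updates is Disabled'; Actual = (Get-PolicyValue $au 'NoAutoUpdate');   Expected = 1 }
    # Everything else in the Windows Update node must be Not Configured: no WSUS pointers
    @{ Name = 'No intranet WSUS server (WUServer)';      Actual = (Get-PolicyValue $wu 'WUServer');       Expected = $null }
    @{ Name = 'No intranet WSUS server (UseWUServer)';   Actual = (Get-PolicyValue $au 'UseWUServer');    Expected = $null }
    # "Turn on Script Execution" = Enabled, "Allow local scripts and remote signed scripts"
    @{ Name = 'Script execution enabled';                Actual = (Get-PolicyValue $ps 'EnableScripts');  Expected = 1 }
    @{ Name = 'Execution policy is RemoteSigned';        Actual = (Get-PolicyValue $ps 'ExecutionPolicy'); Expected = 'RemoteSigned' }
)
# Optional policy: Remove access to "Pause updates" feature (reported, not required)
$pause = Get-PolicyValue $wu 'SetDisablePauseUXAccess'

$failed = 0
foreach ($c in $checks) {
    if ($null -eq $c.Expected) { $pass = ($null -eq $c.Actual) }
    else                       { $pass = ("$($c.Actual)" -eq "$($c.Expected)") }
    if (-not $pass) { $failed++ }
    $tag = if ($pass) { 'PASS' } else { 'FAIL' }
    '{0} {1,-45} actual={2}' -f $tag, $c.Name, $c.Actual
}
$pauseText = if ($pause -eq 1) { 'yes' } else { 'no (optional policy)' }
'INFO Pause updates access removed: {0}' -f $pauseText
if ($failed) {
    Write-Warning "$failed policy check(s) failed; run gpupdate /force, then confirm GPO scope with gpresult /r"
}
```

A FAIL on either WSUS pointer check means a second GPO (or a leftover local setting) is still directing the endpoint to a WSUS server; that GPO must be unlinked or its Windows Update settings returned to Not Configured before the WSUS-less flow will work.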
Post-Steps
After applying the GPO, perform the following steps on the endpoints to make sure the Windows Update Agent is registered with Microsoft Update and the endpoint reports to JetPatch:
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is Running and its startup type is Automatic
Step 2: Update GPO and Trigger WUA Check
- Open Command Prompt as Administrator and run:
gpupdate /force
- Open PowerShell as Administrator and run:
$updateSession = New-Object -ComObject Microsoft.Update.Session   # Windows Update Agent COM session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")                       # search for updates that are not yet installed
Note: If the search throws an exception, look up the HRESULT it reports on the Microsoft website or online.
Step 3: If the GPO does not apply and no error is shown, reboot the endpoint.
Step 4: If the issue persists, see this article, starting from step 4.
Option 2: Built-in JetPatch Script (recommended for non-domain joined endpoints)
One-time: Create a Task in JetPatch (the task is created automatically in 4.2.8 UR2 and later)
- Go to System -> Tasks and click + CREATE TASK.
- Set Task Source = Script
- Set Script = Register Windows Endpoint to WUA (WSUS-Less)
Run the Task on Non-Domain Endpoints
- After the task is saved, select the required endpoints under Endpoints -> Management and run the task on them.
- If the endpoint does not report to JetPatch after the task has run, perform the following steps directly on the machine.
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is Running and its startup type is Automatic
Step 2: Trigger WUA Check - open PowerShell as Administrator and run:
$updateSession = New-Object -ComObject Microsoft.Update.Session   # Windows Update Agent COM session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")                       # search for updates that are not yet installed
Note: If the search throws an exception, look up the HRESULT it reports on the Microsoft website or online.
Step 3: If the registry settings do not apply and no error is shown, reboot the endpoint.
Step 4: If the issue persists, see this article, starting from step 4.
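The Post-Steps for Option 1 and the steps above for Option 2 are the same manual procedure: check wuauserv, then run a WUA search and read the HRESULT if it fails. The script below is an added example that combines them into one run; it is not the JetPatch "Register Windows Endpoint to WUA" script. It sets wuauserv to Automatic and starts it if needed, runs the same IsInstalled=0 search the steps use, and on failure unwraps the COM exception to print the HRESULT in hexadecimal, which is the form you will find on Microsoft's Windows Update error code pages.

```powershell
# Added example (not JetPatch's own script): the manual Post-Steps as one script.
#   1) make sure wuauserv is Automatic and Running
#   2) run the WUA search from Step 2 and report any HRESULT in hex
#Requires -RunAsAdministrator

function Repair-WindowsUpdateService {
    $svc = Get-Service -Name wuauserv
    if ($svc.StartType -ne 'Automatic') {
        Set-Service -Name wuauserv -StartupType Automatic
        Write-Host 'wuauserv startup type set to Automatic'
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name wuauserv
        Write-Host 'wuauserv started'
    }
    # Return the current state so the caller can see what the step ended with
    Get-Service -Name wuauserv | Select-Object Name, Status, StartType
}

function Invoke-WuaSearch {
    param([string]$Criteria = 'IsInstalled=0')   # same criteria as the manual step
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    try {
        $result = $searcher.Search($Criteria)
    } catch {
        # COM failures are wrapped; walk to the innermost exception for the real HRESULT
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }
        $hr = '0x{0:X8}' -f ($ex.HResult -band 0xFFFFFFFF)
        Write-Warning "WUA search failed with HRESULT $hr : $($ex.Message)"
        return $null
    }
    # ResultCode 2 = Succeeded (OperationResultCode enumeration of the WUA API)
    Write-Host ('Search ResultCode={0}; {1} applicable update(s)' -f $result.ResultCode, $result.Updates.Count)
    foreach ($u in $result.Updates) {
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        '{0}  [{1}]' -f $u.Title, $kbs
    }
    return $result
}

Repair-WindowsUpdateService
$r = Invoke-WuaSearch
if ($null -eq $r) {
    Write-Host 'Look up the HRESULT above; if no error was shown at all, reboot the endpoint and rerun.'
}
```

The search goes to whichever service the endpoint's policy selects, which in the WSUS-less setup is Microsoft Update. If you suspect a leftover WSUS setting is still being used, set $searcher.ServerSelection = 3 and $searcher.ServiceID to the Microsoft Update service ID (7971f918-a847-4430-9279-4a52d1efe18d) before calling Search to force the search against Microsoft Update for that run.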
Troubleshooting
If you have verified that the endpoint is properly configured for WSUS-less updating (it talks to Microsoft Update directly) but it is still not reporting, or more than 24 hours have passed since it last reported, please see this article.
If you encounter the error message "Some update files aren't signed correctly. Error code: (0x800b0109)", please consult the "Deploy your code signing certificate on Endpoints" article.