Purpose
This article provides an overview of the WSUS-Less Windows patching solution in JetPatch, including process flow, requirements, and supported use cases.
New in JetPatch 4.2.8: JetPatch now supports patching Windows endpoints without a WSUS server. In this mode, endpoints retrieve patches directly from Microsoft Update and integrate fully with standard JetPatch workflows.
This requires version 4.2.8 of the JetPatch Connector.
Scope
Applicable to Windows endpoints managed by JetPatch where no local WSUS server is used.
Solution Summary
The WSUS-Less solution enables Windows endpoints to retrieve patches directly from Microsoft Update.
JetPatch manages patch discovery, approval, and installation without relying on a local patch repository.
Hybrid WSUS/WSUS-Less Mode: JetPatch supports mixed environments where some endpoints use WSUS and others use Microsoft Update directly. This allows flexibility for environments where direct Internet access is restricted for some systems.
Patch Source
Windows updates are downloaded from Microsoft Update over the internet.
Local WSUS repositories are not supported in WSUS-Less mode.
Caching or internal mirroring is not available.
How Does It Work?
Deploy the Connector
- JetPatch Connector (agent) is deployed on each Windows endpoint.
- The Connector maintains continuous communication and compliance visibility.
Collect Endpoint Updates
- JetPatch executes the built-in task "Collect Endpoint Updates" directly on endpoints.
- This task identifies installed and required updates. See the article for more information.
Patch Installation
- Performed via the built-in "Execute Patch Installation" task during scheduled maintenance.
- Approved patches are both downloaded and installed during scheduled maintenance. Pre-patch download on approval will be added in 5.0.
Prerequisites
- Microsoft Update Service Installed: Automatically activated by JetPatch Connector deployment.
- Connectivity: Direct or proxy-based connection to Microsoft Update via ports 80 and 443.
- For configuration prerequisites and steps, see: Endpoint Configuration for WSUS-Less (Windows Prerequisites).
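A pre-flight check for the two prerequisites above, run on the endpoint itself. This is an added example, not JetPatch code or part of the Connector. The host names in `$Targets` are assumed sample Microsoft Update endpoints; replace them with the list your firewall or proxy team has approved.

```powershell
# Added example: pre-flight check of the WSUS-Less prerequisites on one endpoint.
# Run in an elevated Windows PowerShell session on the endpoint.

# Service ID that the Windows Update Agent uses for the Microsoft Update service.
$MicrosoftUpdateId = '7971f918-a847-4430-9279-4a52d1efe18d'

# ASSUMPTION: sample Microsoft Update hosts; replace with your approved list.
$Targets = @(
    [pscustomobject]@{ Name = 'windowsupdate.microsoft.com'; Port = 443 },
    [pscustomobject]@{ Name = 'download.windowsupdate.com';  Port = 80  },
    [pscustomobject]@{ Name = 'download.microsoft.com';      Port = 443 }
)

function Test-MicrosoftUpdateRegistered {
    # True when the Microsoft Update service is registered with the update agent.
    $manager = New-Object -ComObject Microsoft.Update.ServiceManager
    $match = $manager.Services | Where-Object { $_.ServiceID -eq $MicrosoftUpdateId }
    return [bool]$match
}

function Get-WsusPolicyServer {
    # Returns the WSUS URL set by policy, or $null when no WSUS server is configured.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    (Get-ItemProperty -Path $key -Name WUServer -ErrorAction SilentlyContinue).WUServer
}

function Test-UpdateConnectivity {
    # Direct TCP reachability only; a proxied endpoint must be tested through its proxy.
    foreach ($t in $Targets) {
        $ok = Test-NetConnection -ComputerName $t.Name -Port $t.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $t.Name; Port = $t.Port; Reachable = $ok }
    }
}

[pscustomobject]@{
    MicrosoftUpdateRegistered = Test-MicrosoftUpdateRegistered
    WsusPolicyServer          = Get-WsusPolicyServer
} | Format-List

Test-UpdateConnectivity | Format-Table -AutoSize

# System-wide WinHTTP proxy configuration, relevant for proxy-based access.
netsh winhttp show proxy
```

In a hybrid environment, a non-empty `WsusPolicyServer` value identifies an endpoint that is still pointed at a WSUS server by policy.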
This WSUS-less approach simplifies patch management infrastructure, reduces complexity, and enhances security and compliance through direct integration with Microsoft's cloud-based updates.
Limitations
- Third-party patching is not yet supported in WSUS-Less mode.
- Approved patches are not pre-downloaded — endpoints download patches during maintenance windows.