Many organizations patch the endpoints in their environment, but at the end of the day the most critical server is left unpatched and vulnerable.
This article provides guidelines on how to patch your WSUS server in a way that will not affect the patching procedure of the rest of your environment.
Step 1: Configure the WUA of WSUS to point to itself
Follow the instructions in Endpoint server configuration to configure the Windows Update Agent (WUA) on the WSUS server to communicate with the WSUS instance installed on that same server.
Step 2: Refresh WUA information
Run the set of commands that matches the server's Windows version:
For Windows versions earlier than 10/2019:
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
For Windows versions 10/2019 or later:
USOClient.exe RefreshSettings
USOClient.exe StartScan
Step 3: Create a separate group for the WSUS server
On the WSUS server, create a new computer group and add the WSUS server to it. We recommend giving the group a distinctive name so that no other servers are added to it by mistake (for example, Only_WSUS_Server).
Step 4: Create a maintenance window dedicated to patching the WSUS server
Create a maintenance window in a separate time slot from the rest of the computer groups. Since most updates require a restart, the WSUS server's restart must not interfere with ongoing patching activities.
For more recommendations, please contact the JetPatch support team.
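The following PowerShell script is an added example, not part of the original article or of JetPatch: it checks the result of Step 1 and performs Step 3 on the WSUS server, then warns if any other computer is in the dedicated group. It assumes the WUA was configured through the standard Windows Update policy registry values, that the UpdateServices module installed with the WSUS role is available, and that the Step 2 refresh has already run.

```powershell
# Added example: run in an elevated PowerShell session on the WSUS server.
$groupName = 'Only_WSUS_Server'   # group name taken from the article's example
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Names this host may be known by (short name, FQDN, loopback alias).
$localNames = @(
    $env:COMPUTERNAME,
    [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    'localhost'
)

# Step 1 check: the WUA policy must be enabled and must name this host.
$wu = Get-ItemProperty -Path $policyKey -ErrorAction Stop
$au = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction Stop
$wuHost = ([uri]$wu.WUServer).Host
if ($au.UseWUServer -ne 1 -or $localNames -notcontains $wuHost) {
    throw "WUA does not point to the local WSUS (WUServer='$($wu.WUServer)', UseWUServer='$($au.UseWUServer)')."
}

# Step 3: create the dedicated group if it does not exist yet.
$wsus = Get-WsusServer            # connects to the local WSUS instance
if (-not ($wsus.GetComputerTargetGroups() | Where-Object Name -eq $groupName)) {
    $null = $wsus.CreateComputerTargetGroup($groupName)
}

# Find this server's own record; it only exists after the Step 2 refresh.
# Filtering on FullDomainName also discards the plain string that
# Get-WsusComputer emits when nothing matches.
$self = Get-WsusComputer -UpdateServer $wsus -NameIncludes $env:COMPUTERNAME |
    Where-Object { $_.FullDomainName -in $localNames }
if (-not $self) {
    throw 'This server has not registered with WSUS yet; run the Step 2 commands first.'
}
$self | Add-WsusComputer -TargetGroupName $groupName

# Guard: the group should contain the WSUS server and nothing else.
$group  = $wsus.GetComputerTargetGroups() | Where-Object Name -eq $groupName
$others = $group.GetComputerTargets() |
    Where-Object { $_.FullDomainName -notin $localNames }
if ($others) {
    Write-Warning "Unexpected members in ${groupName}: $($others.FullDomainName -join ', ')"
}
```

If client-side targeting is enabled through policy, the group assignment made here can be overridden by the policy's target group setting.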