Endpoint Configuration for WSUS
Note: The following instructions describe the manual steps to configure the endpoint and its installed Windows Update Agent. The same steps can also be done using GPO.
Prerequisites
- Verify that ports 8530/8531 are open on the WSUS server so that the endpoints can register.
- Verify that IPv6 is disabled on all Windows endpoints and the WSUS server.
- Verify that no Windows endpoints have a duplicate SusClientId.
Configuration
- Register the endpoints to the WSUS server:
- Open the group policy of the endpoint (start->run->gpedit.msc)
- Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update ->
- Configure Automatic Updates -> Enable the policy and select one of the following options for "Configure automatic updating" in the "Options" section:
- notify for download and notify for install
- auto download and notify for install
- Specify intranet Microsoft update service location -> Enabled and set both URLs to http://wsusserverip:8530 (if using SSL, use https and 8531)
- Enable PowerShell execution policy to run scripts
- Optional: for non-Microsoft 3rd Party Software Updates
- Open the group policy of the endpoint (start->run->gpedit.msc)
- Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update ->
- Allow signed updates from an intranet Microsoft update service location -> Enable the policy.
Post-Steps
Open Command Prompt and run the following commands to apply the new policy and register the endpoint on WSUS:
- Update GPO settings:
gpupdate /force
- Initiate first connection to WSUS:
- If the Windows version is earlier than 10/2019
wuauclt /resetauthorization /detectnow /reportnow
- If the Windows version is 10/2019 or later
USOClient.exe RefreshSettings
USOClient.exe StartScan
Note: If the endpoint is still not reporting to WSUS, please see this article.
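Added example (not part of the original article and not JetPatch tooling): a PowerShell check to run on an endpoint after the post-steps above, which reads back the policy values, tests the WSUS port and reports the SusClientId so it can be compared across endpoints. It assumes the settings are stored in the standard Windows Update policy registry keys; the helper name Get-RegValue is hypothetical.

```powershell
# Added example: read back the WSUS client policy set by the steps above.
# Assumption: the policies are stored under the standard Windows Update policy keys.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null instead of an error when the value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name }
}

# The two URLs from "Specify intranet Microsoft update service location"
$wuServer  = Get-RegValue $wuKey 'WUServer'
$wuStatus  = Get-RegValue $wuKey 'WUStatusServer'
$useServer = Get-RegValue $auKey 'UseWUServer'
$auOptions = Get-RegValue $auKey 'AUOptions'
$clientId  = Get-RegValue $idKey 'SusClientId'

$findings = @()
if (-not $wuServer) { $findings += 'WUServer not set: policy not applied yet (gpupdate /force)' }
if ($wuServer -ne $wuStatus) { $findings += 'WUServer and WUStatusServer differ; both URLs should match' }
if ($useServer -ne 1) { $findings += 'UseWUServer is not 1: the agent ignores the intranet server' }
# 2 = notify for download and notify for install, 3 = auto download and notify for install
if ((2, 3) -notcontains $auOptions) { $findings += "AUOptions is '$auOptions', expected 2 or 3" }
if (-not $clientId) { $findings += 'SusClientId not present: run the first-connection commands' }

# Test the TCP port taken from the configured URL (8530 for http, 8531 for https)
$open = $false; $transport = $null
$uri = $wuServer -as [uri]
if ($uri -and $uri.IsAbsoluteUri) {
    $transport = $uri.Scheme
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($uri.Host, $uri.Port); $open = $tcp.Connected }
    catch { $open = $false }
    finally { $tcp.Close() }
    if (-not $open) { $findings += "Cannot reach $($uri.Host) on TCP $($uri.Port)" }
    if ($transport -eq 'http') { $findings += 'WSUS URL uses http; the https/8531 option protects update metadata in transit' }
}

New-Object PSObject -Property @{
    ComputerName = $env:COMPUTERNAME
    WUServer     = $wuServer
    Transport    = $transport
    PortOpen     = $open
    AUOptions    = $auOptions
    SusClientId  = $clientId   # collect from every endpoint: values must be unique
    Findings     = $findings
}
```

An empty Findings list means the endpoint matches the configuration described above. Collecting the output objects from several endpoints and grouping them by SusClientId shows any duplicates named in the prerequisites.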
JetPatch Configuration for WSUS
Recommendation: Have all endpoints registered and reporting to the WSUS server (as per the above steps). It is also suggested to have the endpoints in WSUS groups before using JetPatch.
Do the following in order (note: the connector must be deployed on the WSUS server before it can be added as a discovery source):
- Add the WSUS server to JetPatch
- Add and assign an administrative account to the WSUS server
- Deploy the JetPatch connector on the WSUS server
- Add the WSUS discovery source
Note: You can only add one WSUS server as a discovery source to JetPatch. For more WSUS servers, use a primary-replica or primary-autonomous setup.
Post-Steps
Within 20 minutes, all machines reporting to WSUS should be reporting to JetPatch. From there, you can do the following:
- Add and assign an administrative account to the Windows endpoints
- Deploy the JetPatch connector on the Windows endpoints
Optional: WSUS Certificate
If your environment uses a WSUS certificate and you want to deploy the JetPatch Agent using Connector MSI Installation, place the WSUS certificate on the JetPatch server in the following location:
/usr/share/intigua/wsus-certs