Articles in this section

See more

Endpoint and JetPatch Configuration for WSUS

Yotam Krief
  • Updated
Follow

Endpoint Configuration for WSUS

Prerequisites

  • Verify that the ports 8530/8531 are open on the WSUS server for the endpoints to register.
  • Verify that no Windows endpoints have duplicative SusClientId.
  • Verify the WSUS endpoint was added to JetPatch and it is connected, before adding it as a discovery source 

Configuration

Note - In managed environments, we recommend applying the following configuration changes using the GPO capabilities.

There are four ways to apply the Windows Update Agent configuration for WSUS:

  1. Local Endpoint Configuration 
  2. GPO (preferred for domain-joined endpoints)
  3. Built-in JetPatch Script after Connector deployment (preferred for POCs and non-domain joined endpoints)
  4. Connector MSI Installation

Option 1: Local Endpoint Configuration 

Register the endpoints to the WSUS server:

  • Open the group policy of the endpoint (start->run->gpedit.msc)
  • Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates ->
    • Configure Automatic Updates -> Enable the policy and of the following options for "Configure automatic updating" in the "Options" section:
      • notify for download and notify for install
      • auto download and notify for install (recommended)
    • Enable and set both the intranet update for detecting updates and the intranet statistics server URLs -> Enabled and set both URL’s to http://wsusserverip:8530 (if using SSL use https and 8531)
  • Enable PowerShell execution policy to run scripts
  • Verify that IPV6 is disabled on all Windows endpoints and the WSUS server.

Note: In order to install non-Microsoft 3rd Party Software Updates

  • Open the group policy of the endpoint (start->run->gpedit.msc)
  • Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates ->
    • Allow signed updates from an intranet Microsoft update service location -> Enable the policy

Post-Steps 

Open Command Prompt and run the following commands to use the new policy and to register it on WSUS

  • Update GPO settings:
    gpupdate /force
  • Initiate first connection to WSUS:
    • If Windows version is less than 10/2019 
      wuauclt /resetauthorization /detectnow /reportnow
    • Windows version is 10/2019 or later 
      USOClient.exe RefreshSettings
      USOClient.exe StartScan

Note: If the endpoint is still not reporting to WSUS, please see this article.

 

Option 2: GPO 

Apply the same configuration as described above in your GPO settings.

 

Option 3: Built-in JetPatch Script

To configure the endpoint to communicate with WSUS you can use JetPatch capability of running a task on the endpoint. First, you need to create a task with the right values from the built-in script by following the instructions below:

  1. Create a Task
    1. Go to "System -> Tasks" and click on "+ CREATE TASK" button
    2. Fill the "Task Name" and Description as you want
    3. On the right of the page, go to the "Execution" tab -
      1. Task Source = Both
      2. Script = "Register Windows Endpoint to WSUS"
      3. Execution Type = "Windows batch file"
      4. Execution Command = "@file @WSUSAddress @AutomaticDownload"
        mceclip0.png
    4. Switch to the "Parameters" tab - 
      1. AutomaticDownload = fill "2" to "notify for download and install" or "3" to "auto download and notify for install".
      2. WSUSAddress = the full WSUS URL with the port (example - "http://30.30.55.249:8530")
        mceclip1.png
    5. Click on "SAVE TASK".

After the task was saved, you can select the required endpoints in "Endpoints" -> "Management" and run the task on them.

 

Option 4: Connector MSI Installation

JetPatch Configuration for WSUS

Recommendation: Have all endpoints registered and reporting to the WSUS server (as per the above steps). It is also suggested to have the endpoints in WSUS groups before using JetPatch.

Do the following in order (note: the connector must be deployed on the WSUS server before it can be added as a discovery source)

  1. Add the WSUS server to JetPatch
  2. Add and assign an administrative account to the WSUS server
  3. Deploy the JetPatch connector on the WSUS server
  4. Add the WSUS discovery source

Note: You can only add one WSUS server as discovery source to JetPatch. For more WSUS servers use a primary-replica or primary-autonomous setup.

wsus2.green.local

Source Type: WSUS Server

Post-Steps

Within 20 minutes, all machines reporting to WSUS should be reporting to JetPatch.  From there, you can do the following

  1. Add and assign an administrative account to the Windows endpoints
  2. Deploy the JetPatch connector on the Windows endpoints

Certificates (Optional)

Note - In managed environments, we recommend deploying the following certificates (if you need them) using the GPO capabilities. If some of your endpoints are not managed or you prefer not doing it via the GPO you can use the instructions below:

3rd Party Patching Certificate

To patch 3rd party updates in your Windows environment there is a need for another certificate to be installed in the endpoints.

You can deploy the certificate by using:

  1. GPO
  2. Built-in JetPatch Script after Connector deployment (see instructions below)
  3. Connector MSI Installation

For non-GPO deployment, the full certificate file path should be described in the third-party-certificate.path configuration in the intigua.properties file.

 

Install 3rd Party Certificate using JetPatch Built-in Script

To install the 3rd Party certificate using JetPatch capability of running a task on the endpoint, you need to create a task with the right values from the built-in script.

  1. Preparation:
    1. Put the 3rd party certificate in the JetPatch Server and add "third-party-certificate.path=<FILE_PATH>" to the intigua.properties file (replace <FILE_PATH> with the full path of the certificate).
    2. Restart JetPatch application (restart tomcat) to apply the new configuration.
  2. Create a Task:
    1. Go to "System -> Tasks" and click on "+ CREATE TASK" button
    2. Fill the "Task Name" and Description as you want
    3. On the right of the page, go to the "Execution" tab -
      1. Task Source = Both
      2. Script = "Third-party patching certificate Windows"
      3. Execution Type = "Power shell script"
      4. Execution Command = ".\@file @Username @API_Key @URL"
        mceclip0.png
    4. Switch to the "Parameters" tab - 
      1. API_Key = generate API permission and copy the generated key into the "API_Key" parameter.
      2. URL = the full JetPatch URL with hostname or IP (example - "https://30.30.201.55").
      3. Username = the username that was generated the API_Key.
        mceclip1.png
    5. Click on "SAVE TASK".

After the task was saved, you can select the required endpoints in "Endpoints" -> "Management" and run the task on them.

 

WSUS Certificate

To enable secure communication between WSUS and the Windows endpoint you need to install a certificate on the endpoints.

You can deploy the certificate by using:

  1. GPO
  2. Connector MSI Installation - The certificate should be located in a path described in the wsus-certificates.path configuration in the intigua.properties file. The default location is - /usr/share/intigua/wsus-certs. 

Related Articles 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.