JetPatch integrates with Windows Server Update Services (WSUS) to manage Windows endpoint patching. Key benefits of using WSUS:
- Bandwidth Optimization: Minimizes heavy internet downloads for endpoints by leveraging a local WSUS server.
- Offline Environments: Servers without internet access can still receive updates from a local source.
- Third-Party Patching: WSUS can be extended to distribute updates for applications like Chrome or Java.
| | WSUS | Local CAB file | Direct to Windows Update Catalog |
| --- | --- | --- | --- |
| Bandwidth into the organization | LOW | LOW | HIGH |
| Bandwidth to endpoint | LOW | HIGH | LOW |
| No internet connectivity support | YES | YES | NO |
| Third-party applications support | YES | NO | NO |
| Centralized approval system | YES | NO | NO |
| Supported products and classifications | All (link) | Only Security Updates, Service Packs, Update Rollups | All |
For more information about the WSUS configurations JetPatch supports, see the "WSUS Supported Configuration" section below.
Hardware specifications can be found here.
JetPatch Interaction With WSUS
Note - WSUS must be configured as a Discovery Source for JetPatch to pull all the information described below (the endpoints themselves can be discovered in many different ways).
Pulling Data
The first thing JetPatch does with WSUS is pull data on the environment:
- Computers & Computer Groups - The list of endpoints and the computer groups they belong to. Only endpoints that are communicating with WSUS are applicable for patch activities. JetPatch converts the computer groups to patching smart groups and keeps the endpoint associations (if the endpoints are already assigned to groups).
  - Note: Characters not allowed in computer group names: ~ ! @ # $ % ^ & * ( ) + = { } [ ] | \ : ; " ' < > ? , /
- Patches Information - For every patch available in WSUS (based on the configured Products and Classifications), JetPatch pulls the title, KB ID, operating systems, superseding information, and more.
  - Note - JetPatch pulls only the metadata, not the binaries, even if they exist on the WSUS server.
- Patches Status - Which patches are needed on which endpoints, with their status (already installed or needed).
- Environment Information - The WSUS configuration and its replicas/downstream servers, if any exist.
JetPatch keeps pulling some of this information on an ongoing basis.
Patch Approvals
After activation of a Remediation Plan, JetPatch will change the approval of the selected patches on the selected groups in WSUS.
There are a few types of approvals:
- Install - Approval for Install
- Remove - Approval for Remove
- Decline - Update is removed from the default list of available updates. This operation affects all of the groups regardless of the chosen groups.
Note - If ITSM is configured, JetPatch will approve the patch in WSUS only after change request approval.
Patch Operations
When it is time to update an endpoint (based on that endpoint's Maintenance Schedule), the JetPatch application sends the needed commands and information to the JetPatch agent (Connector), which operates the Windows Update Agent as needed.
Connector actions via Windows Update Agent:
- Check for updates
- Download updates
- Install/remove updates
When done, the Connector sends the result to JetPatch (JetPatch does not need to wait for patch installation approval from WSUS).
WSUS Types
There are two types of WSUS:
- Primary WSUS - Holds the updates, settings, and computer groups for all connected endpoints.
- Replica WSUS -
  - Inherits updates, settings, and groups from its parent WSUS.
  - Approvals can only be done on the main (upstream) server.
  - Example use case: an externally facing WSUS server.
Important: JetPatch only supports server-side targeting—client-side targeting is not supported.
Synchronization & Downstreams
- A downstream (replica) WSUS can synchronize from an upstream (primary) WSUS to pull update metadata.
- JetPatch supports only one level of replica depth (e.g., Main WSUS → Replica). Replicas of replicas are not supported.
Configuration Options
There are many configuration settings ("Options") that can be applied to WSUS. The most important settings are:
- Update Source and Proxy: Choose the upstream server and proxy settings.
- Products and Classifications: Decide which Microsoft products and classifications to include (see article).
- Update Files and Languages:
  - Store locally: Binaries are downloaded to the WSUS server, and endpoints retrieve them from WSUS.
  - Not stored locally: Endpoints download directly from Microsoft Update after approval.
  - More information can be found in the "Update Files" section below.
- Synchronization Schedule: Manual or scheduled sync. We recommend scheduling at least twice a day.
- Computers: Server-side targeting only in JetPatch (client-side targeting is not supported).
  - For more information, please read WSUS Group Management.
Update Files
There are two main ways to handle update files in WSUS:
- Store update files locally
  - Good for on-prem architecture or endpoints without internet access.
  - Requires sufficient disk space on the WSUS server.
- Do not store update files locally
  - Endpoints download updates directly from Microsoft Update.
  - Useful for cloud or remote ("work-from-home") scenarios.
  - More info: Configure WSUS to Make the Endpoints Download the Patches Directly from MSFT
WSUS Supported Configuration
JetPatch works properly with WSUS servers that:
- Keep the total number of patches below 100,000.
- Have no "Automatic Approval" update rules.
- Contain only one level of replica hierarchy (Main → Replica).
- Use server-side targeting. Client-side targeting is not supported by JetPatch.
- See more best practices from Microsoft.
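The following script is an added example, not JetPatch's or Microsoft's own code: it audits a WSUS server against the requirements listed above, plus the group-name characters and sync-schedule recommendation from earlier in this article, using the UpdateServices PowerShell module that ships with the WSUS console. The server name and port are constructed placeholders, and the script assumes the caller is a WSUS administrator.

```powershell
# Added example (not JetPatch's own code): audit a WSUS server against the
# JetPatch-supported configuration described in this article.
Import-Module UpdateServices

# Constructed server name/port; replace with your upstream (primary) WSUS.
$wsus     = Get-WsusServer -Name 'wsus.example.local' -PortNumber 8530
$config   = $wsus.GetConfiguration()
$status   = $wsus.GetStatus()
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Total number of updates must stay below 100,000
if ($status.UpdateCount -ge 100000) {
    $findings.Add("Update count $($status.UpdateCount) is not below 100,000")
}

# 2. No enabled automatic approval rules (they would bypass JetPatch's approvals)
foreach ($rule in ($wsus.GetInstallApprovalRules() | Where-Object { $_.Enabled })) {
    $findings.Add("Automatic approval rule enabled: $($rule.Name)")
}

# 3. Server-side targeting only
if ($config.TargetingMode -ne 'Server') {
    $findings.Add("Targeting mode is $($config.TargetingMode); JetPatch requires Server")
}

# 4. Only one level of replica hierarchy (Main -> Replica); a downstream server
#    that has its own downstream servers means a replica of a replica exists.
foreach ($ds in $wsus.GetDownstreamServers()) {
    if ($ds.GetChildServers().Count -gt 0) {
        $findings.Add("Downstream $($ds.FullDomainName) has downstream servers of its own (depth > 1)")
    }
}

# 5. Computer group names must not contain the characters JetPatch rejects
$forbidden = '~!@#$%^&*()+={}[]|\:;"''<>?,/'.ToCharArray()
foreach ($group in $wsus.GetComputerTargetGroups()) {
    if ($group.Name.IndexOfAny($forbidden) -ge 0) {
        $findings.Add("Computer group name contains a disallowed character: '$($group.Name)'")
    }
}

# 6. Synchronization should be scheduled at least twice a day
$sub = $wsus.GetSubscription()
if (-not $sub.SynchronizeAutomatically -or $sub.NumberOfSynchronizationsPerDay -lt 2) {
    $findings.Add("Synchronization is manual or scheduled fewer than twice a day")
}

if ($findings.Count -eq 0) { 'WSUS configuration matches the JetPatch requirements' }
else { $findings | ForEach-Object { "WARN: $_" } }
```

Run it on the primary WSUS server; each WARN line maps to one of the bullets above, so an empty result means the server is within the supported configuration.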