Overview
This article covers the configuration of Windows endpoints to communicate with WSUS servers for patch management.
It includes prerequisites, two configuration methods (GPO for domain-joined endpoints and JetPatch scripts for non-domain endpoints), and an optional Microsoft Defender update configuration.
Prerequisites
- Verify that the Windows endpoints can communicate with the WSUS server via port 8530 and, if using SSL, also port 8531.
- Verify that no two Windows endpoints share the same SusClientId.
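The following PowerShell is an added example, not part of the JetPatch article, that checks both prerequisites from an administrative workstation: it tests the two WSUS ports and collects the SusClientId from a list of endpoints to find values shared by more than one machine. It assumes PowerShell remoting (WinRM) to the endpoints; the server name and the endpoint list are placeholders.

```powershell
# Added example (not from the JetPatch article): prerequisite checks for
# WSUS port reachability and duplicate SusClientId values.
# Assumptions: WinRM is enabled on the endpoints; names below are placeholders.
$WsusServer = 'Your_WSUS_Server_Hostname'          # placeholder
$Endpoints  = @('PC-01', 'PC-02', 'PC-03')          # constructed sample list

# 1. Port reachability (8530 = HTTP, 8531 = HTTPS when SSL is configured)
foreach ($port in 8530, 8531) {
    $ok = Test-NetConnection -ComputerName $WsusServer -Port $port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    "{0}:{1} reachable = {2}" -f $WsusServer, $port, $ok
}

# 2. Read SusClientId from each endpoint. Machines deployed from the same
#    image often share one, and WSUS then shows only one of them.
$ids = Invoke-Command -ComputerName $Endpoints -ErrorAction SilentlyContinue -ScriptBlock {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        SusClientId = (Get-ItemProperty -Path $key -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
    }
}

# 3. Report any SusClientId that appears on more than one endpoint
$dupes = $ids | Where-Object SusClientId | Group-Object SusClientId | Where-Object Count -gt 1
if ($dupes) {
    foreach ($g in $dupes) {
        "Duplicate SusClientId {0} on: {1}" -f $g.Name, ($g.Group.Computer -join ', ')
    }
} else {
    'No duplicate SusClientId values found.'
}
```

Endpoints that are unreachable over WinRM are silently skipped, so compare the number of rows in `$ids` with the number of names in `$Endpoints` before trusting a clean result.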
Configuration
Option 1: GPO (Domain-joined endpoints / Active Directory)
- Configure Updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates and setting the following policies:
  - Configure Automatic Updates -> Enable the policy and select the following "Configure automatic updating" in the "Options" section:
    - Auto download and notify for install
  - Specify the intranet Microsoft update service -> Enable the policy and set both URLs in the "Options" section:
    - http://Your_WSUS_Server_Hostname:8530
    - http://Your_WSUS_Server_Hostname:8530
    - Note: if using SSL, use https and 8531
  - Automatic Update detection frequency -> Enable the policy and set "Check for updates at the following interval (hours)" in the "Options" section:
    - 4 hours
  - Allow signed updates from an intranet Microsoft update service location -> Enable the policy
    - This is required in order to install non-Microsoft 3rd Party Software Updates and when SSL has been configured on the WSUS server.
| IMPORTANT: Everything else not mentioned in the Windows Update section must be set to Not configured. |
- Enable the execution policy by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell and setting:
  - Turn on Script Execution -> Enable the policy and set "Allow local scripts and remote signed scripts" in the "Options" section
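Once the GPO has applied, the settings above land in the Windows Update and PowerShell policy keys in the registry. The script below is an added example, not part of the JetPatch article: it reads those keys back on an endpoint and compares each value with the one the GPO settings above should produce. The expected URL is a placeholder; change the scheme and port to https/8531 when SSL is used.

```powershell
# Added example (not from the JetPatch article): compare the registry values
# written by the WSUS GPO with the settings the article prescribes.
# Assumption: $ExpectedUrl is a placeholder for your WSUS URL.
$ExpectedUrl = 'http://Your_WSUS_Server_Hostname:8530'

$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$ps = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'       -ErrorAction SilentlyContinue

# One row per policy: the registry value found and the value the GPO should set
$checks = @(
    [pscustomobject]@{ Setting = 'WUServer (intranet update service)';      Actual = $wu.WUServer;                   Expected = $ExpectedUrl }
    [pscustomobject]@{ Setting = 'WUStatusServer (statistics server)';      Actual = $wu.WUStatusServer;             Expected = $ExpectedUrl }
    [pscustomobject]@{ Setting = 'UseWUServer';                             Actual = $au.UseWUServer;                Expected = 1 }
    [pscustomobject]@{ Setting = 'AUOptions (3 = auto download, notify)';   Actual = $au.AUOptions;                  Expected = 3 }
    [pscustomobject]@{ Setting = 'DetectionFrequencyEnabled';               Actual = $wu.DetectionFrequencyEnabled;  Expected = 1 }
    [pscustomobject]@{ Setting = 'DetectionFrequency (hours)';              Actual = $wu.DetectionFrequency;         Expected = 4 }
    [pscustomobject]@{ Setting = 'AcceptTrustedPublisherCerts (signed updates)'; Actual = $wu.AcceptTrustedPublisherCerts; Expected = 1 }
    [pscustomobject]@{ Setting = 'PowerShell EnableScripts';                Actual = $ps.EnableScripts;              Expected = 1 }
    [pscustomobject]@{ Setting = 'PowerShell ExecutionPolicy';              Actual = $ps.ExecutionPolicy;            Expected = 'RemoteSigned' }
)

$results = foreach ($c in $checks) {
    # $null on the left side avoids PowerShell's collection-comparison pitfall
    $status = if ($null -eq $c.Actual) { 'MISSING' }
              elseif ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' }
              else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $c.Setting; Actual = $c.Actual; Expected = $c.Expected; Status = $status }
}
$results | Format-Table -AutoSize

# With SSL on the WSUS server the URL must use https and port 8531
if ($wu.WUServer -like 'https://*' -and $wu.WUServer -notlike '*:8531*') {
    Write-Warning 'WUServer uses https but not port 8531; check the SSL configuration.'
}
```

A MISSING row means the policy was never applied to this machine (check OU linking and `gpresult /r`); a MISMATCH means a different GPO or a local setting is winning, which is exactly the situation the IMPORTANT note above warns about.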
Optional Policy
- Restrict users from pausing updates on the endpoints to which this policy applies:
  - Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates -> Remove Access to "Pause updates" feature -> Enable the Policy.
- Microsoft Defender Antivirus (see the Microsoft Defender update steps under Troubleshooting below).
| Note: If you want to apply the GPO in phases: |
- Create a new OU – Link your newly created WSUS GPO to it.
- Gradually move computers – Move a few test machines or a pilot group to this OU to confirm the policy settings work as expected.
- Expand deployment – As you confirm success, move more machines into the OU.
Post-Steps
After applying the GPO, perform the following steps on endpoints to ensure WSUS registration:
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is running and set to Automatic
Step 2: Update GPO and Trigger WUA Check
- Open a command prompt or PowerShell as Administrator and run:
| gpupdate /force |
- Then, in PowerShell as Administrator, run:
| $updateSession = New-Object -ComObject Microsoft.Update.Session |
| $searcher = $updateSession.CreateUpdateSearcher() |
| $result = $searcher.Search("IsInstalled=0") |
| Note: If you receive an HRESULT exception, search for that HRESULT online or on the Microsoft website. |
Step 3: If the GPO doesn't apply and there is no error shown, reboot the endpoint.
Step 4: If there is still an issue, see this article, starting at step 4.
Option 2: Built-in JetPatch Script (non-domain-joined endpoints)
To configure the endpoint to communicate with WSUS, you can use the JetPatch capability of running a task on the endpoint. First, you need to create a task with the right values from the built-in script by following the instructions below:
Create a Task
- Go to "System -> Tasks" and click the "+ CREATE TASK" button.
- Fill in the "Task Name" and "Description" as you want.
- On the right of the page, go to the "Execution" tab and set:
  - Task Source = Both
  - Script = "Register Windows Endpoint to WSUS"
  - Execution Type = "Windows batch file"
  - Execution Command = "@file @WSUSAddress @AutomaticDownload"
- Switch to the "Parameters" tab and set:
  - AutomaticDownload = "2" for "notify for download and install" or "3" for "auto download and notify for install" (3 is recommended)
  - WSUSAddress = the full WSUS URL with the port (example: "http://30.30.55.249:8530")
- Click "SAVE TASK".
Run the Task on Non-Domain Endpoints
- After the task has been saved, select the required endpoints in "Endpoints" -> "Management" and run the task on them.
After running the task, if you do not see the endpoint reporting to WSUS, then do the following directly on the machine.
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is running and set to Automatic
Step 2: Trigger WUA Check - open PowerShell as Administrator and run:
| $updateSession = New-Object -ComObject Microsoft.Update.Session |
| $searcher = $updateSession.CreateUpdateSearcher() |
| $result = $searcher.Search("IsInstalled=0") |
| Note: If you receive an HRESULT exception, search for that HRESULT online or on the Microsoft website. |
Step 3: If the registry settings are not set and there is no error shown, reboot the endpoint.
Step 4: If there is still an issue, see this article, starting at step 4.
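Steps 1 and 2 above (and the identical post-steps for the GPO option) can be run as one script. The following is an added example, not part of the JetPatch article: it checks and corrects the wuauserv service state, forces the search to use the managed (WSUS) server rather than Microsoft Update, and, when the search fails, prints the HRESULT in the hexadecimal form used by Microsoft's error documentation so it can be looked up directly.

```powershell
# Added example (not from the JetPatch article): post-steps 1 and 2 in one
# script, with the HRESULT of a failed search printed as 0xXXXXXXXX.

# Step 1: Windows Update service must be running and set to Automatic
$svc = Get-Service -Name wuauserv
if ($svc.StartType -ne 'Automatic') { Set-Service -Name wuauserv -StartupType Automatic }
if ($svc.Status -ne 'Running')      { Start-Service -Name wuauserv }
$svc = Get-Service -Name wuauserv
"wuauserv: Status={0}, StartType={1}" -f $svc.Status, $svc.StartType

# Step 2: trigger a detection cycle against the configured server
$updateSession = New-Object -ComObject Microsoft.Update.Session
$searcher      = $updateSession.CreateUpdateSearcher()
# ServerSelection 1 = ssManagedServer: query the WSUS server set by policy,
# so a failure here points at the WSUS configuration, not at Microsoft Update
$searcher.ServerSelection = 1

try {
    $result = $searcher.Search('IsInstalled=0')
    "Search completed: {0} update(s) not installed" -f $result.Updates.Count
    foreach ($u in $result.Updates) { "  - {0}" -f $u.Title }
}
catch {
    # The COM error is wrapped in a MethodInvocationException; the inner
    # exception carries the Windows Update Agent HRESULT (0x8024xxxx range)
    $hr = $_.Exception.HResult
    if ($_.Exception.InnerException) { $hr = $_.Exception.InnerException.HResult }
    Write-Warning ('Search failed with HRESULT 0x{0:X8} - look this code up on the Microsoft website' -f $hr)
}
```

A successful search with zero results is still a success: it proves the endpoint can reach WSUS and evaluate its catalogue, and the machine should appear in the WSUS console after its next report.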
Troubleshooting
If you verify that the endpoint is properly configured to talk to the WSUS server, but it is still not reporting, or it has been more than 24 hours since it last reported, please see this article.
If you encounter the error message "Some update files aren't signed correctly. Error code: (0x800b0109)", please consult the article "Deploy your code signing certificate on Endpoints".
| Note: The built-in JetPatch "Register Windows Endpoint to WSUS" script currently does not configure Microsoft Defender updates. Thus, follow these steps to configure Microsoft Defender updates via WSUS: |
Step 1: Configure WSUS Synchronization Frequency
Step 2: Configure WSUS Automatic Approval for Defender Definitions
- WSUS Console → Options → Automatic Approvals → New Rule
  - Check "Definition Updates"
  - Select "Approve the update for all computers" (or specific target groups)
  - Set the deadline to 0 days at a specific same-day time (e.g., 4:00 PM)
  - Save the rule with a clear name (e.g., "Defender Updates Daily Approval")
Step 3: Configure Endpoint GPO (WSUS Defender Updates)
- Edit the endpoint policy:
| Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates |
- Configure and enable the following policy:
  - Define the order of sources for downloading security intelligence updates: Enabled
  - Set the source explicitly to: InternalDefinitionUpdateServer
- Additionally, ensure Defender does not perform its own independent updates:
| Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Scan |
- Set "Specify the day of the week to check for definition updates" to Never (prevents Defender from scheduling separate updates).
- Ensure the policy is applied to endpoints:
| gpupdate /force |
Step 4: Verification
To confirm Defender updates via WSUS, run in PowerShell as Administrator:
| Get-MpComputerStatus | Select AntivirusSignatureLastUpdated, AntivirusSignatureVersion |
Endpoints will now exclusively use WSUS for Microsoft Defender updates, aligning with your centralized patch management strategy.
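The one-liner above shows the signature date and version; the script below is an added example, not part of the JetPatch article, that also reads back the two Defender policy settings from Step 3 through Get-MpPreference and flags signatures older than the daily approval cycle. The 24-hour threshold is an assumption derived from the daily approval rule in Step 2.

```powershell
# Added example (not from the JetPatch article): verify the Defender GPO
# settings from Step 3 and the signature freshness from Step 4.
# Assumption: 24 hours is the staleness threshold for a daily approval rule.
$pref = Get-MpPreference
$mp   = Get-MpComputerStatus

$checks = @(
    # "Define the order of sources" with InternalDefinitionUpdateServer as the only source
    [pscustomobject]@{ Setting = 'SignatureFallbackOrder'; Actual = $pref.SignatureFallbackOrder; Expected = 'InternalDefinitionUpdateServer' }
    # "Specify the day of the week to check for definition updates" = Never is stored as 8
    [pscustomobject]@{ Setting = 'SignatureScheduleDay';   Actual = $pref.SignatureScheduleDay;   Expected = 8 }
)

$results = foreach ($c in $checks) {
    $ok = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'MISMATCH' }
    [pscustomobject]@{ Setting = $c.Setting; Actual = $c.Actual; Expected = $c.Expected; Status = $ok }
}
$results | Format-Table -AutoSize

# Signature freshness: with a daily WSUS approval, anything older than a day
# means the endpoint did not receive or apply the approved definition update
$age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
"Signature version {0}, last updated {1:u} ({2:N1} hours ago)" -f `
    $mp.AntivirusSignatureVersion, $mp.AntivirusSignatureLastUpdated, $age.TotalHours
if ($age.TotalHours -gt 24) {
    Write-Warning 'Defender signatures are older than 24 hours; check the WSUS approval rule and the endpoint detection cycle.'
}
```

A MISMATCH on SignatureFallbackOrder usually means Defender is still falling back to Microsoft Update or MMPC, which defeats the point of routing definitions through WSUS.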
Optional Step 5: Create JetPatch Daily Maintenance Window
- JetPatch Console → Maintenance Windows → New
- Example: Daily, 6:00 PM – 10:00 PM (recommended 4-hour window)
- This schedule should be part of a daily automatic remediation plan that uses this new daily window as part of the emergency configuration section.