Prerequisites
- Verify that the Windows endpoints can reach the WSUS server on TCP port 8530 (HTTP) or 8531 (HTTPS, if SSL is configured on the WSUS server).
- Verify that no two Windows endpoints share the same SusClientId (typically the result of cloning an image after the client had already registered); WSUS treats such endpoints as one computer, so only one of them shows up as reporting.
Configuration
Option 1: GPO (recommended for domain joined endpoints / Active Directory)
- Configure Automatic Updates: go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Configure Automatic Updates. Enable the policy and select the following under "Configure automatic updating" in the "Options" section:
- 3 - Auto download and notify for install
- Specify intranet Microsoft update service: enable the policy and set both URLs in the "Options" section ("Set the intranet update service for detecting updates" and "Set the intranet statistics server") to the same value:
- http://Your_WSUS_Server_Hostname:8530
- Note: if using SSL, use https://Your_WSUS_Server_Hostname:8531 for both URLs.
- Automatic Update detection frequency: enable the policy and set "Check for updates at the following interval (hours)" in the "Options" section to:
- 4 hours
- Allow signed updates from an intranet Microsoft update service location: enable the policy.
- This is required to install non-Microsoft (third-party) software updates published through WSUS, because those updates are signed with the WSUS publishing certificate rather than a Microsoft certificate. The endpoint must also trust that certificate (see Troubleshooting below).
- IMPORTANT: Everything else not mentioned in the Windows Update section must be set to Not configured.
- Enable script execution: go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell -> Turn on Script Execution. Enable the policy and set "Execution Policy" in the "Options" section to "Allow local scripts and remote signed scripts" (RemoteSigned).
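The following script is an added example for this article (it is not JetPatch code and not part of the original page). It audits a domain-joined endpoint against the prerequisites and the GPO settings listed above by testing the WSUS port and reading the registry values that the Windows Update policies write. Assumptions: Your_WSUS_Server_Hostname is the article's placeholder and must be replaced; the script is run from an elevated PowerShell session on the endpoint; -ResetClientId is only used on a machine whose SusClientId has been confirmed to be a duplicate.

```powershell
<#
  Added example (not JetPatch code): audits an endpoint against the
  prerequisites and the WSUS GPO settings above.
  "Your_WSUS_Server_Hostname" is the article's placeholder - replace it.
#>
param(
    [string]$WsusHost = 'Your_WSUS_Server_Hostname',
    [switch]$UseSsl,          # set when WSUS is published over https on 8531
    [switch]$ResetClientId    # only when this endpoint's SusClientId is a confirmed duplicate
)

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$policy\AU"
$client = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'
$port   = if ($UseSsl) { 8531 } else { 8530 }
$scheme = if ($UseSsl) { 'https' } else { 'http' }
$url    = "${scheme}://${WsusHost}:${port}"

# One entry per GPO setting in the list above: key path, value name, expected value
$expected = @(
    @{ Path = $policy; Name = 'WUServer';                    Value = $url }  # Specify intranet Microsoft update service
    @{ Path = $policy; Name = 'WUStatusServer';              Value = $url }
    @{ Path = $policy; Name = 'AcceptTrustedPublisherCerts'; Value = 1    }  # Allow signed updates from an intranet location
    @{ Path = $au;     Name = 'UseWUServer';                 Value = 1    }
    @{ Path = $au;     Name = 'NoAutoUpdate';                Value = 0    }  # Configure Automatic Updates = Enabled
    @{ Path = $au;     Name = 'AUOptions';                   Value = 3    }  # 3 = auto download and notify for install
    @{ Path = $au;     Name = 'DetectionFrequencyEnabled';   Value = 1    }
    @{ Path = $au;     Name = 'DetectionFrequency';          Value = 4    }  # hours
)

$failures = @()

# Prerequisite 1: the endpoint can reach the WSUS port it will actually use
if (-not (Test-NetConnection -ComputerName $WsusHost -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded) {
    $failures += "TCP $port on $WsusHost is not reachable"
}

# GPO result: every policy value present with the expected content
foreach ($e in $expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -eq $actual) {
        $failures += "$($e.Path)\$($e.Name) is missing (expected $($e.Value))"
    } elseif ("$actual" -ne "$($e.Value)") {
        $failures += "$($e.Path)\$($e.Name) = $actual (expected $($e.Value))"
    }
}

# Prerequisite 2: print the client ID so it can be compared across endpoints;
# two endpoints with the same value overwrite each other on the WSUS server
$id = (Get-ItemProperty -Path $client -Name SusClientId -ErrorAction SilentlyContinue).SusClientId
"{0}`tSusClientId={1}" -f $env:COMPUTERNAME, $(if ($id) { $id } else { '<not yet assigned>' })

if ($ResetClientId) {
    # Standard fix for an imaged duplicate: drop the ID and let the service mint a new one
    Stop-Service wuauserv -Force
    Remove-ItemProperty -Path $client -Name SusClientId, SusClientIdValidation -ErrorAction SilentlyContinue
    Start-Service wuauserv
    # A detection against WSUS (the same call as in the post-steps) triggers the new registration
    (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0') | Out-Null
}

if ($failures) { $failures | ForEach-Object { "FAIL: $_" } } else { 'OK: endpoint matches the WSUS policy' }
```

Run it on a pilot machine after gpupdate /force; every FAIL line names the exact policy value that is missing or differs, which is faster than reading the registry by hand, and the SusClientId line can be collected from all endpoints and sorted to find duplicates.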
Optional Policy
- To prevent users from pausing updates on the endpoints, enable this policy:
- Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Remove access to "Pause updates" feature -> Enable the policy.
- Microsoft Defender Antivirus: see the optional "WSUS and Microsoft Defender Updates" section below.
Note: If you want to apply the GPO in phases:
- Create a new OU – Link your newly created WSUS GPO to it
- Gradually move computers – Move a few test machines or a pilot group to this OU to confirm the policy settings work as expected.
- Expand deployment – As you confirm success, move more machines into the OU.
Post-Steps
After applying the GPO, perform the following steps on endpoints to ensure WSUS registration:
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is Running and set to Automatic
Step 2: Update GPO and Trigger WUA Check
- Open Command Prompt as Administrator and run:
gpupdate /force
- Open PowerShell as Administrator and run the following. Because the GPO sets UseWUServer, the search is made against the WSUS server and registers the endpoint there:
$updateSession = New-Object -ComObject Microsoft.Update.Session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")
"$($result.Updates.Count) applicable update(s) found"
Note 1: If the Search call throws an exception reporting an HRESULT, search for that HRESULT code online or on the Microsoft website.
Step 3: If the GPO does not apply and no error is shown, reboot the endpoint.
Step 4: If there is still an issue see this article, starting step 4.
Option 2: Built-in JetPatch Script (recommended for non-domain joined endpoints)
To configure an endpoint to communicate with WSUS, you can use the JetPatch capability to run a task on the endpoint. First, create a task from the built-in script with the right values by following the instructions below:
- Create a Task
- Go to "System -> Tasks" and click on "+ CREATE TASK" button
- Fill in the "Task Name" and "Description" as you want
- On the right of the page, go to the "Execution" tab -
- Task Source = Both
- Script = "Register Windows Endpoint to WSUS"
- Execution Type = "Windows batch file"
- Execution Command = "@file @WSUSAddress @AutomaticDownload"
- Switch to the "Parameters" tab -
- AutomaticDownload = "2" for "notify for download and install" or "3" for "auto download and notify for install" (3 is recommended; these are the AUOptions values of the Configure Automatic Updates policy)
- WSUSAddress = the full WSUS URL with the port (example - "http://30.30.55.249:8530")
- Click on "SAVE TASK".
Run the Task on Non-Domain Endpoints
- After the task is saved, select the required endpoints in "Endpoints" -> "Management" and run the task on them.
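For reference, the following is an added example of what such a registration does on the endpoint. It is not JetPatch's built-in "Register Windows Endpoint to WSUS" script and not part of the original page; it writes the same Windows Update policy values a WSUS GPO would, for an endpoint that is not domain joined. The parameter names mirror the task parameters above; the detection-frequency parameter and the URL validation are assumptions added here. Run it from an elevated PowerShell session.

```powershell
<#
  Added example (not the JetPatch built-in script): registers a non-domain
  endpoint with WSUS by writing the Windows Update policy registry values.
  Parameters mirror the task parameters; DetectionFrequencyHours is an addition.
#>
param(
    [Parameter(Mandatory)][string]$WSUSAddress,        # e.g. http://30.30.55.249:8530
    [ValidateSet(2, 3)][int]$AutomaticDownload = 3,    # 2 = notify for download and install, 3 = auto download and notify
    [int]$DetectionFrequencyHours = 4
)

# Accept only an http(s) URL with an explicit port, which is what WSUS expects;
# anything else (a bare host name, a path) silently breaks detection later
if ($WSUSAddress -notmatch '^https?://[^/:]+:\d+/?$') {
    throw "WSUSAddress must look like http://host:8530 or https://host:8531, got '$WSUSAddress'"
}
$WSUSAddress = $WSUSAddress.TrimEnd('/')

$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$policy\AU"
New-Item -Path $au -Force | Out-Null     # creates both keys if absent

# Equivalent of "Specify intranet Microsoft update service" (both URLs) and
# "Allow signed updates from an intranet Microsoft update service location"
Set-ItemProperty -Path $policy -Name WUServer                    -Value $WSUSAddress -Type String
Set-ItemProperty -Path $policy -Name WUStatusServer              -Value $WSUSAddress -Type String
Set-ItemProperty -Path $policy -Name AcceptTrustedPublisherCerts -Value 1            -Type DWord

# Equivalent of "Configure Automatic Updates" and "Automatic Update detection frequency"
Set-ItemProperty -Path $au -Name UseWUServer               -Value 1                       -Type DWord
Set-ItemProperty -Path $au -Name NoAutoUpdate              -Value 0                       -Type DWord
Set-ItemProperty -Path $au -Name AUOptions                 -Value $AutomaticDownload      -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequencyEnabled -Value 1                       -Type DWord
Set-ItemProperty -Path $au -Name DetectionFrequency        -Value $DetectionFrequencyHours -Type DWord

# The Windows Update service reads the policy at start-up, so restart it (and make
# sure it starts automatically), then trigger a detection the same way the
# post-steps do; with UseWUServer=1 the search goes to WSUS and registers the client
Set-Service wuauserv -StartupType Automatic
Restart-Service wuauserv
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$searcher.Search('IsInstalled=0') | Out-Null

"Registered $env:COMPUTERNAME against $WSUSAddress (AUOptions=$AutomaticDownload)"
```

Because these are policy keys under HKLM\SOFTWARE\Policies, a later GPO (if the machine is ever joined to the domain) overrides them, which is the intended precedence.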
After running the task, if the endpoint does not appear as reporting in WSUS, do the following directly on the machine.
Step 1: Verify Windows Update Service
- Open services.msc
- Locate Windows Update (wuauserv)
- Ensure it is Running and set to Automatic
Step 2: Trigger a WUA check. Open PowerShell as Administrator and run the following. Because the task sets UseWUServer, the search is made against the WSUS server and registers the endpoint there:
$updateSession = New-Object -ComObject Microsoft.Update.Session
$searcher = $updateSession.CreateUpdateSearcher()
$result = $searcher.Search("IsInstalled=0")
"$($result.Updates.Count) applicable update(s) found"
Note 1: If the Search call throws an exception reporting an HRESULT, search for that HRESULT code online or on the Microsoft website.
Step 3: If the registry settings were not applied and no error is shown, reboot the endpoint.
Step 4: If there is still an issue see this article, starting step 4.
Troubleshooting
If you have verified that the endpoint is properly configured to talk to the WSUS server but it is still not reporting, or more than 24 hours have passed since it last reported, please see this article.
If you encounter the error message "Some update files aren't signed correctly. Error code: (0x800b0109)", the update's signing certificate chains to a root the endpoint does not trust; please consult "Deploy your code signing certificate on Endpoints".
Optional: WSUS and Microsoft Defender Updates
Step 1: Configure WSUS Synchronization Frequency (WSUS Console → Options → Synchronization Schedule). Defender security intelligence is released several times a day, so synchronize more than once a day; otherwise the approval rule below has nothing new to approve.
Step 2: Configure WSUS Automatic Approval for Defender Definitions
- WSUS Console → Options → Automatic Approvals → New Rule
- Rule step 1: Check "Definition Updates"
- Rule step 2: Select "Approve the update for all computers" (or specific target groups)
- Rule step 3: Set the deadline to 0 days at a specific same-day time (e.g., 4:00 PM)
- Save the rule with a descriptive name (e.g., "Defender Updates Daily Approval")
Step 3: Configure Endpoint GPO (WSUS Defender Updates)
- Edit the endpoint policy:
Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates
- Configure and enable the following policy:
- Define the order of sources for downloading security intelligence updates: Enabled
- Set the source explicitly to: InternalDefinitionUpdateServer (that is, WSUS). With only this source listed, Defender never falls back to Microsoft Update or the MMPC download, so the WSUS approval rule above is what keeps definitions current.
- Additionally, ensure Defender does not perform its own independent update checks, in the same folder (named "Signature Updates" in older ADMX templates):
Computer Configuration → Policies → Administrative Templates → Windows Components → Microsoft Defender Antivirus → Security Intelligence Updates
- Set "Specify the day of the week to check for definition updates" to Never (prevents Defender from scheduling separate updates).
- Ensure the policy is applied to endpoints:
gpupdate /force
Step 4: Verification
To confirm Defender updates via WSUS, run in PowerShell as Administrator:
Get-MpComputerStatus | Select AntivirusSignatureLastUpdated, AntivirusSignatureVersion
Endpoints will now use WSUS exclusively for Microsoft Defender updates, in line with a centralized patch management strategy. A growing AntivirusSignatureAge on the endpoints therefore points at the WSUS synchronization schedule or the approval rule, not at the endpoint.
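The following script is an added example for this article (not part of the original page or of JetPatch): it checks on one endpoint that the two Defender policies above took effect, forces a security intelligence update from the internal (WSUS) source only, and reports the signature version before and after. It uses only the Defender cmdlets (Get-MpPreference, Update-MpSignature, Get-MpComputerStatus); the one-day freshness threshold is an assumption chosen here. Run it from an elevated PowerShell session.

```powershell
<#
  Added example (not from the original article): verifies the Defender-via-WSUS
  configuration on an endpoint and forces an update from WSUS only.
#>
$pref   = Get-MpPreference
$before = Get-MpComputerStatus
$problems = @()

# "Define the order of sources..." must resolve to the internal (WSUS) server only
if ($pref.SignatureFallbackOrder -ne 'InternalDefinitionUpdateServer') {
    $problems += "SignatureFallbackOrder is '$($pref.SignatureFallbackOrder)', expected 'InternalDefinitionUpdateServer'"
}
# "Specify the day of the week..." = Never is reported as 8 (0 = every day, 1-7 = Sunday-Saturday)
if ($pref.SignatureScheduleDay -ne 8) {
    $problems += "SignatureScheduleDay is $($pref.SignatureScheduleDay), expected 8 (Never)"
}
if ($problems) {
    $problems | ForEach-Object { "FAIL: $_" }
    return   # do not test the update path while the policy is not in effect
}

# Force an update from WSUS alone. If the approval rule has not approved a
# definition update yet, this is where it fails, which is exactly the point:
# no silent fallback to Microsoft Update hides a broken WSUS pipeline
Update-MpSignature -UpdateSource InternalDefinitionUpdateServer -ErrorAction Stop

$after = Get-MpComputerStatus
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    SignatureBefore  = $before.AntivirusSignatureVersion
    SignatureAfter   = $after.AntivirusSignatureVersion
    LastUpdated      = $after.AntivirusSignatureLastUpdated
    SignatureAgeDays = $after.AntivirusSignatureAge
    Fresh            = ($after.AntivirusSignatureAge -le 1)   # assumed threshold: at most one day old
}
```

A FAIL line means the GPO has not applied (rerun gpupdate /force or check the OU link); an error from Update-MpSignature with the policy in place means WSUS has no approved definition update for this computer group, so check the synchronization schedule and the approval rule on the server.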
Optional Step 5: Create JetPatch Daily Maintenance Window
- JetPatch Console → Maintenance Windows → New
- Example: Daily, 6:00 PM – 10:00 PM (a 4-hour window is recommended)
- Use this window in a daily automatic remediation plan, selected in the plan's emergency configuration section.