Prerequisites
- Verify that ports 8530 and 8531 (if using SSL) are open on the WSUS server so that endpoints can register.
- Verify that no Windows endpoints have a duplicate SusClientId.
- Verify that the WSUS endpoint was added to JetPatch and is connected before adding it as a discovery source.
Configuration
Note - In managed environments, we recommend applying the following configuration changes using the GPO capabilities.
There are four ways to apply the Windows Update Agent configuration for WSUS:
- Local Endpoint Configuration
- GPO (preferred for domain-joined endpoints)
- Built-in JetPatch Script after Connector deployment (preferred for POCs and non-domain joined endpoints)
- Connector MSI Installation
Option 1: Local Endpoint Configuration
Register the endpoints to the WSUS server:
- Open the group policy editor on the endpoint (Start -> Run -> gpedit.msc).
- Configure updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates, then set the following:
- Configure Automatic Updates -> Enable the policy and select one of the following options for "Configure automatic updating" in the "Options" section:
- auto download and notify for install (recommended)
- notify for download and notify for install
- Enable the intranet update service policy and set both URLs (the intranet update service for detecting updates and the intranet statistics server) to http://wsusserverip:8530 (if using SSL, use https and port 8531)
- Enable PowerShell execution policy to run scripts
Note: To install non-Microsoft third-party software updates, also do the following:
- Open the group policy editor on the endpoint (Start -> Run -> gpedit.msc).
- Configure updates by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Updates, then set the following:
- Allow signed updates from an intranet Microsoft update service location -> Enable the policy
Post-Steps
Open Command Prompt and run the following commands to apply the new policy and register the endpoint on WSUS:
- Update GPO settings:
gpupdate /force
- Initiate first connection to WSUS:
- If the Windows version is earlier than 10/2019:
wuauclt /resetauthorization /detectnow /reportnow
- If the Windows version is 10/2019 or later:
USOClient.exe RefreshSettings
USOClient.exe StartScan
If the endpoint is still not reporting to WSUS, run the following PowerShell command:
$updateSession = new-object -com "Microsoft.Update.Session";$updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
Note: If after all the steps above the endpoint is still not reporting to WSUS, please see this article.
Option 2: GPO
Apply the same configuration as described above in your GPO settings.
Option 3: Built-in JetPatch Script
To configure the endpoint to communicate with WSUS, you can use JetPatch's ability to run a task on the endpoint. First, create a task with the right values from the built-in script by following the instructions below:
- Create a Task
- Go to "System -> Tasks" and click the "+ CREATE TASK" button.
- Fill in the "Task Name" and "Description" as you like.
- On the right of the page, go to the "Execution" tab:
- Task Source = Both
- Script = "Register Windows Endpoint to WSUS"
- Execution Type = "Windows batch file"
- Execution Command = "@file @WSUSAddress @AutomaticDownload"
- Switch to the "Parameters" tab:
- AutomaticDownload = enter "2" for "notify for download and install" or "3" for "auto download and notify for install".
- WSUSAddress = the full WSUS URL with the port (example - "http://30.30.55.249:8530")
- Click on "SAVE TASK".
After the task is saved, you can select the required endpoints in "Endpoints" -> "Management" and run the task on them.
Option 4: Connector MSI installation
Troubleshooting
If you have verified that the endpoint is properly configured to talk to the WSUS server, but it is still not reporting or it has been more than 24 hours since it last reported, please see this article.
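To verify the endpoint configuration whichever option was used, the script below reads back the Windows Update Agent values that the steps above set and tests the WSUS port. It is an added example, not JetPatch's own script; it assumes the standard Windows Update policy registry locations, and Get-RegValue is a helper introduced here.

```powershell
# Added example: read back the Windows Update Agent policy values set by the
# steps in this article and test that the WSUS port is reachable.
# Run in an elevated PowerShell (3.0 or later) session on the endpoint.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
$idKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

function Get-RegValue {   # helper introduced for this example
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$cfg = [pscustomobject]@{
    WUServer                    = Get-RegValue $wuKey 'WUServer'
    WUStatusServer              = Get-RegValue $wuKey 'WUStatusServer'
    UseWUServer                 = Get-RegValue $auKey 'UseWUServer'
    AUOptions                   = Get-RegValue $auKey 'AUOptions'
    AcceptTrustedPublisherCerts = Get-RegValue $wuKey 'AcceptTrustedPublisherCerts'
    SusClientId                 = Get-RegValue $idKey 'SusClientId'
}

$findings = @()
if (-not $cfg.WUServer) { $findings += 'WUServer is not set' }
if ($cfg.WUServer -ne $cfg.WUStatusServer) { $findings += 'WUServer and WUStatusServer differ; both should be the same WSUS URL' }
if ($cfg.UseWUServer -ne 1) { $findings += 'UseWUServer is not 1; the agent is not using the intranet server' }
if ($cfg.AUOptions -notin @(2, 3)) { $findings += 'AUOptions is not 2 (notify) or 3 (auto download and notify)' }
if ($cfg.AcceptTrustedPublisherCerts -ne 1) { $findings += 'Signed intranet updates are not allowed (needed only for third-party updates)' }
if (-not $cfg.SusClientId) { $findings += 'No SusClientId; the endpoint has not registered yet' }

if ($cfg.WUServer) {
    $uri = $null
    if ([uri]::TryCreate($cfg.WUServer, [System.UriKind]::Absolute, [ref]$uri)) {
        if ($uri.Scheme -eq 'http') { $findings += 'WSUS URL uses http; the SSL alternative is https on port 8531' }
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($uri.Host, $uri.Port) }
        catch   { $findings += "Cannot reach $($uri.Host) on TCP port $($uri.Port)" }
        finally { $client.Close() }
    } else {
        $findings += 'WUServer is not a valid absolute URL'
    }
}

$cfg | Format-List
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'All checks passed.' }
```

Comparing the SusClientId value across endpoints shows whether any two share an ID, which the prerequisites above rule out.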