Prerequisites
- Verify that the Windows endpoints can reach the WSUS server on TCP port 8530 (HTTP), or 8531 if the WSUS server uses SSL.
- Verify that no two Windows endpoints share the same SusClientId. Duplicate IDs typically come from machines cloned from an image without sysprep; such endpoints overwrite one another in WSUS, so only one of them appears to report.
Configuration
Option 1: GPO (recommended for domain joined endpoints / Active Directory)
- Configure Windows Update by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update and set the following policies:
  - Configure Automatic Updates -> Enable the policy and select "3 - Auto download and notify for install" under "Configure automatic updating" in the "Options" section.
  - Specify intranet Microsoft update service location -> Enable the policy and set both URLs in the "Options" section (the intranet update service and the intranet statistics server) to the same address:
    - http://Your_WSUS_Server_Hostname:8530
    - Note: if using SSL, use https and port 8531 (https://Your_WSUS_Server_Hostname:8531).
  - Automatic Update detection frequency -> Enable the policy and set "Check for updates at the following interval (hours)" in the "Options" section to 4 hours.
  - Allow signed updates from an intranet Microsoft update service location -> Enable the policy.
    - This is required in order to install non-Microsoft 3rd party software updates, and when SSL has been configured on the WSUS server.
  - Everything else in the Windows Update section should be set to Not configured.
- Enable the PowerShell execution policy by going to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell ->
  - Turn on Script Execution -> Enable the policy and select "Allow local scripts and remote signed scripts" in the "Options" section.
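The following PowerShell script is an added example (not part of the original article or of JetPatch) that checks an endpoint against the two prerequisites above and against the GPO settings just described. It reads the policy registry values that those policies write, tests the WSUS port over TCP, and records the SusClientId so duplicates can be spotted by comparing the output from several endpoints. The hostname and port are placeholders you must replace; everything else is the standard Windows Update policy key layout.

```powershell
# Added example: audit an endpoint's effective WSUS client configuration after gpupdate.
# Not JetPatch code. Assumes the GPO values from Option 1 (AUOptions=3, 4-hour detection,
# signed intranet updates allowed) and a placeholder WSUS hostname.
param(
    [string]$WsusHost = "Your_WSUS_Server_Hostname",   # placeholder, replace with your server
    [int]$WsusPort    = 8530,                           # 8531 when SSL is used
    [switch]$UseSsl
)
if ($UseSsl -and -not $PSBoundParameters.ContainsKey('WsusPort')) { $WsusPort = 8531 }
$scheme      = if ($UseSsl) { "https" } else { "http" }
$expectedUrl = "{0}://{1}:{2}" -f $scheme, $WsusHost, $WsusPort

$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy = "$wuPolicy\AU"
$wuState  = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TcpClient connect so this also works where Test-NetConnection is unavailable
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$findings = @()

# 1. Policy values that the GPO settings in Option 1 must have produced on this endpoint
$checks = @(
    @{ Path=$wuPolicy; Name="WUServer";                    Expect=$expectedUrl; Policy="Specify intranet Microsoft update service location" }
    @{ Path=$wuPolicy; Name="WUStatusServer";              Expect=$expectedUrl; Policy="Specify intranet Microsoft update service location (statistics server)" }
    @{ Path=$auPolicy; Name="UseWUServer";                 Expect=1;            Policy="Specify intranet Microsoft update service location" }
    @{ Path=$auPolicy; Name="AUOptions";                   Expect=3;            Policy="Configure Automatic Updates" }
    @{ Path=$auPolicy; Name="DetectionFrequencyEnabled";   Expect=1;            Policy="Automatic Update detection frequency" }
    @{ Path=$auPolicy; Name="DetectionFrequency";          Expect=4;            Policy="Automatic Update detection frequency" }
    @{ Path=$wuPolicy; Name="AcceptTrustedPublisherCerts"; Expect=1;            Policy="Allow signed updates from an intranet Microsoft update service location" }
)
foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    if ("$actual" -ne "$($c.Expect)") {
        $findings += ("{0}\{1} = '{2}', expected '{3}' (policy: {4})" -f $c.Path, $c.Name, $actual, $c.Expect, $c.Policy)
    }
}

# 2. Prerequisite 1: the WSUS port must be reachable from this endpoint
if (-not (Test-TcpPort -HostName $WsusHost -Port $WsusPort)) {
    $findings += ("TCP {0}:{1} is not reachable from this endpoint" -f $WsusHost, $WsusPort)
}

# 3. Prerequisite 2: record the SusClientId; compare the output across endpoints to find duplicates.
#    An empty value means the client has not registered with WSUS yet.
$susId = Get-RegValue -Path $wuState -Name "SusClientId"
if ([string]::IsNullOrEmpty($susId)) {
    $findings += "SusClientId is missing; the client has not registered with WSUS yet"
} else {
    Write-Host ("SusClientId on {0}: {1}" -f $env:COMPUTERNAME, $susId)
}

if ($findings.Count -eq 0) {
    Write-Host "All WSUS client settings match the expected values."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it in an elevated PowerShell after gpupdate; a non-zero exit code with the listed warnings tells you which policy did not land or whether the problem is network reachability rather than configuration.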
Post-Steps
Open an elevated Command Prompt and run the following commands to apply the new policy and register the endpoint with WSUS:
- Update GPO settings:
gpupdate /force
- Initiate the first connection to WSUS:
- If the Windows version is 10/2016 or later:
USOClient.exe RefreshSettings
USOClient.exe StartScan
- If the Windows version is older than 10/2016:
wuauclt /resetauthorization /detectnow
wuauclt /reportnow
If the endpoint is still not reporting to WSUS, run the following PowerShell commands to force a search through the Windows Update Agent (with the policy above in place the search goes to the WSUS server, and a connection or trust problem surfaces as an exception with an error code):
$criteria = "IsInstalled=0 and Type='Software'"
$updateSession = New-Object -ComObject "Microsoft.Update.Session"
$updates = $updateSession.CreateUpdateSearcher().Search($criteria).Updates
Note: If after all the steps above the endpoint is still not reporting to WSUS, please see this article.
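The script below is an added example (not the article's own commands) that carries out the whole post-step sequence in one run: it refreshes Group Policy, picks USOClient or wuauclt based on the OS build, and then performs a search explicitly against the managed (WSUS) server so that a failure is reported as an HRESULT rather than disappearing silently. The search criteria string and the build threshold (10240 is the first Windows 10 / Server 2016 build) are the only assumptions.

```powershell
# Added example: apply policy, trigger detection, and verify the WSUS search path.
# Not JetPatch code. Requires an elevated PowerShell session.
$ErrorActionPreference = "Stop"

# 1. Pull the updated GPO so the WSUS policy keys exist before the agent is poked
gpupdate /force | Out-Null

# 2. Trigger detection with the right tool. USOClient.exe ships from Windows 10 /
#    Server 2016 (build 10240); earlier clients only understand wuauclt.
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -ge 10240) {
    & "$env:SystemRoot\System32\USOClient.exe" RefreshSettings
    & "$env:SystemRoot\System32\USOClient.exe" StartScan
} else {
    & "$env:SystemRoot\System32\wuauclt.exe" /resetauthorization /detectnow
    & "$env:SystemRoot\System32\wuauclt.exe" /reportnow
}

# 3. Search through the Windows Update Agent COM API. ServerSelection = 1 (ssManagedServer)
#    forces the search to the WSUS server named in policy, regardless of defaults, so a
#    bad URL, blocked port, or untrusted SSL certificate fails right here.
$criteria = "IsInstalled=0 and Type='Software' and IsHidden=0"   # assumption: typical scan filter
$session  = New-Object -ComObject "Microsoft.Update.Session"
$searcher = $session.CreateUpdateSearcher()
$searcher.ServerSelection = 1
try {
    $result = $searcher.Search($criteria)
    Write-Host ("WSUS search OK: {0} applicable update(s), result code {1}" -f $result.Updates.Count, $result.ResultCode)
    $result.Updates | ForEach-Object { Write-Host ("  {0}" -f $_.Title) }
} catch {
    # COM errors are wrapped; unwrap to get the Windows Update HRESULT
    $ex = $_.Exception
    if ($ex.InnerException) { $ex = $ex.InnerException }
    $hr = "0x{0:X8}" -f ($ex.HResult -band 0xFFFFFFFF)
    Write-Warning ("WSUS search failed with {0}: {1}" -f $hr, $ex.Message)
    Write-Warning "0x80072EE2 = HTTP timeout (port/firewall), 0x800B0109 = certificate chain not trusted"
    exit 1
}
```

The error-code hints in the last warning are the two codes most often seen with a fresh WSUS client: a timeout points back at the port prerequisite, and 0x800B0109 is the same untrusted-certificate condition covered under Troubleshooting below.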
Option 2: Built-in JetPatch Script (recommended for non-domain joined endpoints / Intune MDM enrolled machines)
To configure the endpoint to communicate with WSUS you can use JetPatch's capability to run a task on the endpoint. First, create a task from the built-in script with the right values by following the instructions below:
- Create a Task
- Go to "System -> Tasks" and click the "+ CREATE TASK" button
- Fill in the "Task Name" and "Description" as you want
- On the right of the page, go to the "Execution" tab:
- Task Source = Both
- Script = "Register Windows Endpoint to WSUS"
- Execution Type = "Windows batch file"
- Execution Command = "@file @WSUSAddress @AutomaticDownload"
- Switch to the "Parameters" tab:
- AutomaticDownload = "2" for "notify for download and install" or "3" for "auto download and notify for install" (3 is recommended)
- WSUSAddress = the full WSUS URL including the port (example: "http://30.30.55.249:8530")
- Click "SAVE TASK".
After the task is saved, select the required endpoints under "Endpoints" -> "Management" and run the task on them.
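For readers who want to see what registering a non-domain endpoint amounts to, here is an added PowerShell equivalent. It is illustrative only: it is not JetPatch's built-in "Register Windows Endpoint to WSUS" batch script, whose contents the article does not show. It takes the same two parameters as the task (WSUSAddress and AutomaticDownload) and writes the same policy registry values that the GPO settings in Option 1 produce, plus an optional reset of a cloned client identity for the duplicate SusClientId prerequisite. On a domain-joined machine Group Policy rewrites these keys at the next refresh, which is why Option 1 is the recommendation there.

```powershell
# Added example, not JetPatch's built-in script. Assumes an elevated session and the
# parameter meanings from the task above (2 = notify for download and install,
# 3 = auto download and notify for install).
param(
    [Parameter(Mandatory = $true)]
    [string]$WSUSAddress,            # full WSUS URL with port, e.g. http://30.30.55.249:8530

    [ValidateSet(2, 3)]
    [int]$AutomaticDownload = 3,

    [switch]$ResetClientId           # use on machines cloned from an image (duplicate SusClientId)
)
$ErrorActionPreference = "Stop"

# --- Validate the address before touching the registry --------------------------------
$uri = [Uri]$WSUSAddress
if ($uri.Scheme -ne "http" -and $uri.Scheme -ne "https") {
    throw "WSUSAddress must start with http:// or https://"
}
if ($uri.Scheme -eq "https" -and $uri.Port -ne 8531) {
    Write-Warning "SSL is normally served on port 8531; verify the port on the WSUS server"
}
# Keep only scheme://host:port; a trailing path would break the client's URL building
$server = $uri.GetLeftPart([UriPartial]::Authority)

# --- Write the Windows Update policy keys (what the Option 1 GPO settings write) -------
$wuPolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
$auPolicy = "$wuPolicy\AU"
New-Item -Path $auPolicy -Force | Out-Null          # creates WindowsUpdate and AU if missing

# Specify intranet Microsoft update service location (update server + statistics server)
Set-ItemProperty -Path $wuPolicy -Name WUServer       -Value $server -Type String
Set-ItemProperty -Path $wuPolicy -Name WUStatusServer -Value $server -Type String
Set-ItemProperty -Path $auPolicy -Name UseWUServer    -Value 1       -Type DWord
# Allow signed updates from an intranet Microsoft update service location (3rd party updates)
Set-ItemProperty -Path $wuPolicy -Name AcceptTrustedPublisherCerts -Value 1 -Type DWord
# Configure Automatic Updates
Set-ItemProperty -Path $auPolicy -Name NoAutoUpdate -Value 0                  -Type DWord
Set-ItemProperty -Path $auPolicy -Name AUOptions    -Value $AutomaticDownload -Type DWord
# Automatic Update detection frequency: 4 hours
Set-ItemProperty -Path $auPolicy -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auPolicy -Name DetectionFrequency        -Value 4 -Type DWord

# --- Optional: clear a cloned client identity so WSUS sees a distinct endpoint ----------
if ($ResetClientId) {
    $wuState = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate"
    Stop-Service wuauserv -Force
    foreach ($name in "SusClientId", "SusClientIdValidation", "AccountDomainSid", "PingID") {
        Remove-ItemProperty -Path $wuState -Name $name -ErrorAction SilentlyContinue
    }
}

# Restart the agent so it reads the new policy, then show what it will use
Restart-Service wuauserv -Force
$applied = Get-ItemProperty -Path $wuPolicy
Write-Host ("WSUS target: {0} (AUOptions={1})" -f $applied.WUServer, $AutomaticDownload)
```

After running it, trigger detection with the commands from the Post-Steps section so the endpoint registers (a reset client generates a new SusClientId on its next contact with WSUS).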
Troubleshooting
If you have verified that the endpoint is properly configured to talk to the WSUS server but it is still not reporting, or more than 24 hours have passed since it last reported, please see this article.
If you encounter the error message "Some update files aren't signed correctly. Error code: (0x800b0109)", please consult the "Deploy your code signing certificate on Endpoints" article: the endpoint does not trust the certificate that signed the update, so the signing certificate must be installed in the endpoint's trusted store.