This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 33%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBZ%3C/text%3E%3C/svg%3E)
Hi, today I started using Azure Update Manager for patching on-premises servers in DMZ forest (test environment) and so far, everything has been working as expected.
I guess answer to the following question is no (hopefully someone can prove me wrong) - can Azure Update Manager handle patching of 3rd party apps installed on servers without local WSUS instance? In production, we use Configuration Manager with 3rd party apps updates published to WSUS using Patch My PC Publishing Service.
An Azure service to centrally manages updates and compliance at scale.
Ok, if WSUS is in other forest (managed by Configuration Manager) without trust in place, will this work?
I assume not: There are some limitations to enabling authentication. Any WSUS server you want to authenticate must be in an Active Directory environment. Also, if the WSUS servers are in different forests, there has to be trust between forests for this authentication method to succeed.
Then I can't make this work definitely because servers I'd like to patch 3rd party apps on belong to forest not having any trust with forest hosting WSUS (MCM SUP role).
Than I would recommend to use Machine Configuration with the following DSC Configuration: https://github.com/dsccommunity/xPSDesiredStateConfiguration/wiki/xMsiPackage
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 20%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Hi Bojan Zivkovic
If you had a chance to see my comment to your question. If it was helpful, please click "Upvote" on my post let us know Thank you...!
Hi Bojan Zivkovic
We haven't heard back from you. Please reply if you have any questions in this matter and we will gladly continue the discussion.
I assume not: There are some limitations to enabling authentication. Any WSUS server you want to authenticate must be in an Active Directory environment. Also, if the WSUS servers are in different forests, there has to be trust between forests for this authentication method to succeed.
Unfortunately you are right, Azure Update Manager can't handle 3rd Party Apps without WSUS.Other solutions would be to use Machine Configuration in Combination with xPSDesiredStateConfiguration - using the xMsiPackage: https://github.com/dsccommunity/xPSDesiredStateConfiguration/wiki/xMsiPackage
For Windows Server 2025 you could use as well winget.
Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.
Azure Update Manager uses WSUS to manage updates for both first-party and third-party applications. For third-party apps, you need to publish the updates to WSUS, which will then allow Azure Update Manager to detect and install them.
https://learn.microsoft.com/en-us/azure/update-manager/guidance-migration-azure
If you use Patch My PC to send third-party updates to WSUS, Azure Update Manager can use it. But without WSUS, Azure Update Manager can't manage or update third-party apps.
https://azure.microsoft.com/en-us/products/azure-update-management-center/
Right now, Azure Update Manager can't handle third-party patching without WSUS. So, you need a WSUS instance for complete patch management, including third-party apps.
If you have any further queries, do let us know.
If the answer is helpful, please and "Upvote it".