Define Patch Approvals in WSUS but pull patches from Internet

Question

We currently use WSUS to distribute Microsoft patches and also use Solarwinds Patch Manager to push 3rd party patches into WSUS. This allows us to fully patch an endpoint with all MS and 3rd party software patches via Windows Update Agent/WSUS. We now have a fleet of laptops connected back to our Datacenter via a VPN and they are consuming a lot of bandwith during patching cycles.

We have the following challanges:

• We do use some throttling on BITS/Delivery opitmization but have had mixed results
• We have MECM but don't use Cloud Management gatway as was deemed too expensive. we have not moved patching to MECM yet.
• If we use Windows Update for Business we cannot patch 3rd party updates and loose some control around pilot groups and reporting in our estimation

Q: So is there a way for us to continue to define the approved patches/metadata via WSUS but have the system pull the patches files from the internet (Windows Update) source? Perhaps this is possible with MECM?

Answer 1

Setup a downstream replica externally and use that for the laptops

https://www.ajtek.ca/wsus/externally-facing-wsus-servers/

Reporting will flow up to the upstream.

Answer 2

Hello

Please check whether the client got the following registry key and the value should be "1".

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer

Integrate Windows Update for Business - Configuration Manager | Microsoft Learn

Or try the following policies.

Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\

Use Windows Update for Business and Windows Server Update Services (WSUS) together - Windows Deployment | Microsoft Learn