Define Patch Approvals in WSUS but pull patches from Internet

shockoMS 276 Reputation points
2024-05-25T08:12:17.6966667+00:00

We currently use WSUS to distribute Microsoft patches and also use Solarwinds Patch Manager to push 3rd party patches into WSUS. This allows us to fully patch an endpoint with all MS and 3rd party software patches via Windows Update Agent/WSUS. We now have a fleet of laptops connected back to our Datacenter via a VPN and they are consuming a lot of bandwith during patching cycles.

We have the following challanges:

  • We do use some throttling on BITS/Delivery opitmization but have had mixed results
  • We have MECM but don't use Cloud Management gatway as was deemed too expensive. we have not moved patching to MECM yet.
  • If we use Windows Update for Business we cannot patch 3rd party updates and loose some control around pilot groups and reporting in our estimation

Q: So is there a way for us to continue to define the approved patches/metadata via WSUS but have the system pull the patches files from the internet (Windows Update) source? Perhaps this is possible with MECM?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,454 questions
Microsoft Configuration Manager Updates
Microsoft Configuration Manager Updates
Microsoft Configuration Manager: An integrated solution for for managing large groups of personal computers and servers.Updates: Broadly released fixes addressing specific issue(s) or related bug(s). Updates may also include new or modified features (i.e. changing default behavior).
999 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Adam J. Marshall 9,041 Reputation points MVP
    2024-05-25T13:00:20.2333333+00:00

    Setup a downstream replica externally and use that for the laptops

    https://www.ajtek.ca/wsus/externally-facing-wsus-servers/

    Reporting will flow up to the upstream.


  2. Wesley Li 5,955 Reputation points
    2024-05-29T08:00:45.4766667+00:00

    Hello

    Please check whether the client got the following registry key and the value should be "1".

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer

    Integrate Windows Update for Business - Configuration Manager | Microsoft Learn

    Or try the following policies.

    Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\

    Use Windows Update for Business and Windows Server Update Services (WSUS) together - Windows Deployment | Microsoft Learn