1,128 questions
Setup a downstream replica externally and use that for the laptops
https://www.ajtek.ca/wsus/externally-facing-wsus-servers/
Reporting will flow up to the upstream.
Define Patch Approvals in WSUS but pull patches from Windows Update (Internet)
shockoMS
281
Reputation points
We currently use WSUS to distribute Microsoft patches and also use Solarwinds Patch Manager to push 3rd party patches into WSUS. This allows us to fully patch an endpoint with all MS and 3rd party software patches via Windows Update Agent/WSUS. We now have a fleet of laptops connected back to our Datacenter via a VPN and they are consuming a lot of bandwith during patching cycles.
We have the following challanges:
- We do use some throttling on BITS/Delivery opitmization but have had mixed results
- We have MECM but don't use Cloud Management gatway as was deemed too expensive. we have not moved patching to MECM yet.
- If we use Windows Update for Business we cannot patch 3rd party updates and loose some control around pilot groups and reporting in our estimation
Q: So is there a way for us to continue to define the approved patches/metadata via WSUS but have the system pull the patches files from the internet (Windows Update) source? Perhaps this is possible with MECM?
Microsoft Security | Intune | Configuration Manager | Updates
Windows for business | Windows Server | User experience | Other
20,221 questions
2 answers
Sort by: Most helpful
-
Adam J. Marshall 10,356 Reputation points MVP2024-05-25T13:00:20.2333333+00:00 -
shockoMS 281 Reputation points
2024-05-30T08:37:11.01+00:00 Thanks Adam. I'm not sure I could convince our security teams to put a WSUS server at our Edge though. I'll have a conversation with them.
-
shockoMS 281 Reputation points
2024-10-09T10:01:07.83+00:00 I should have been clearer in that I don't want to host the updates per se and want othe clients to pull the actual update binaries from WIndows Update
-
Adam J. Marshall 10,356 Reputation points MVP
2024-10-09T12:23:15.22+00:00 Answered in "Approvals From Your Upstream & Content From Microsoft." on that page.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 9%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWL%3C/text%3E%3C/svg%3E)
Wesley Li 11,280 Reputation points2024-05-29T08:00:45.4766667+00:00 Hello
Please check whether the client got the following registry key and the value should be "1".
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer
Integrate Windows Update for Business - Configuration Manager | Microsoft Learn
Or try the following policies.
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage updates offered from Windows Server Update Service\
-
shockoMS 281 Reputation points
2024-05-30T08:40:26.5133333+00:00 Thanks @Wesley Li . I don't see what settings therein though would allow me to define/approve patches in WSUS and for my Windows 10 clients to them pull those patches from Windows Update. Can you elaborate?
-
shockoMS 281 Reputation points
2024-10-09T10:03:58.78+00:00 Hi @Wesley Li . I don't think this achieves what I'm after though does it? It seems to allow me say configure that the client would check for feature updates against Windows update and pull the binaries thereafter from Windows update but not let it check for updates via WSUS and pull the binaires form Windows Update which is what I'm after.
Sign in to comment -