Forum Discussion

shocko
Steel Contributor
Oct 09, 2024

Define Patch Approvals in WSUS but pull patches from Windows Update (Internet)

We currently use WSUS to distribute Microsoft patches and also use Solarwinds Patch Manager to push 3rd party patches into WSUS. This allows us to fully patch an endpoint with all MS and 3rd party software patches via Windows Update Agent/WSUS. We now have a fleet of laptops connected back to our Datacenter via a VPN and they are consuming a lot of bandwidth during patching cycles.

We have the following challenges:

  • We do use some throttling on BITS/Delivery Optimization but have had mixed results
  • We have MECM but don't use Cloud Management Gateway as it was deemed too expensive. We have not moved patching to MECM yet.
  • If we use Windows Update for Business we cannot patch 3rd party updates and lose some control around pilot groups and reporting in our estimation

Q: So is there a way for us to continue to define the approved patches/metadata via WSUS but have the system pull the patches files from the internet (Windows Update) source? Perhaps this is possible with MECM?

  • So is there a way for us to continue to define the approved patches/metadata via WSUS but have the system pull the patches files from the internet (Windows Update) source? Perhaps this is possible with MECM?

    Yes, if you are managing updates with MECM, it is possible to have your endpoints download the content from Microsoft Update. See the "If software updates are not available on distribution point in current, neighbor or site boundary groups, download content from Microsoft Updates" setting documented at Manually deploy software updates - Configuration Manager | Microsoft Learn.

    That being said, I would recommend taking a closer look at Windows Update for Business. You can use it alongside Software Updates in MECM. I think you can even use it alongside WSUS by configuring a Scan Source policy: Use Windows Update for Business and Windows Server Update Services (WSUS) together | Microsoft Learn

  • gabrielgbs97
    Copper Contributor

    shocko 

    It will be incompatible, you may use WUfB (updates from Microsoft CDN). And run a script with scheduled tasks that temporarily sets HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWuServer to your WSUS instance, runs the Windows Update PowerShell cmdlet and filters in 3rd party updates only.

    Also try to deploy updates to one group of computers/OU per day.

    A better option is to patch these with Intune or auto-update apps if the vendor provides such functionality. Cloud MGMT GW would be desired.

    You have to weigh the costs between a higher WAN/VPN, Intune, or Cloud MGMT GW. I would say that if your environment is not large, upgrading WAN/VPN would be wise.
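The scheduled-task approach described in the reply above, as an added example that is not part of the thread or of any vendor tooling: the script snapshots the current Windows Update policy values, points the agent at WSUS (UseWUServer plus WUServer/WUStatusServer), restarts wuauserv so the new policy is read, scans through the Windows Update Agent COM API, keeps only updates that look third-party, optionally installs them, and always restores the previous policy in a `finally` block so the device goes back to scanning Microsoft's CDN even if the scan fails. The WSUS URL is a placeholder, and the "third-party" test is a heuristic assumption (no "Company" category named Microsoft and no KB article IDs, which is how locally published updates normally appear); adjust it to how your publishing tool categorises its updates. Run it elevated, or as SYSTEM from the scheduled task.

```powershell
<#
 Added example (not from the thread). Temporarily scan against WSUS for approved
 third-party updates, then restore the previous Windows Update policy.
#>
[CmdletBinding()]
param(
    [string]$WsusUrl = 'http://wsus.corp.example:8530',  # assumption: replace with your WSUS URL
    [switch]$Install                                      # default is report-only
)

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Snapshot the current policy values ($null when not set) so they can be restored exactly.
$saved = @{
    UseWUServer    = (Get-ItemProperty $auKey -Name UseWUServer    -ErrorAction SilentlyContinue).UseWUServer
    WUServer       = (Get-ItemProperty $wuKey -Name WUServer       -ErrorAction SilentlyContinue).WUServer
    WUStatusServer = (Get-ItemProperty $wuKey -Name WUStatusServer -ErrorAction SilentlyContinue).WUStatusServer
}

# Write a policy value, or remove it when the saved value was "not set".
function Set-OrRemove($Path, $Name, $Value, $Type) {
    if ($null -eq $Value) {
        Remove-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    } else {
        New-Item -Path $Path -Force | Out-Null
        New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
    }
}

# Heuristic (assumption): third-party = no "Company" category named Microsoft
# and no KB article IDs, which is how locally published WSUS updates usually look.
function Test-ThirdParty($Update) {
    $companies = @($Update.Categories | Where-Object { $_.Type -eq 'Company' } | ForEach-Object Name)
    ($companies -notcontains 'Microsoft') -and ($Update.KBArticleIDs.Count -eq 0)
}

try {
    # Point the agent at WSUS and make the service re-read the policy.
    Set-OrRemove $wuKey 'WUServer'       $WsusUrl 'String'
    Set-OrRemove $wuKey 'WUStatusServer' $WsusUrl 'String'
    Set-OrRemove $auKey 'UseWUServer'    1        'DWord'
    Restart-Service wuauserv -Force

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.ServerSelection = 1      # ssManagedServer: query the configured WSUS server
    $result = $searcher.Search('IsInstalled=0 and IsHidden=0')

    $thirdParty = New-Object -ComObject Microsoft.Update.UpdateColl
    foreach ($u in $result.Updates) {
        if (Test-ThirdParty $u) {
            if (-not $u.EulaAccepted) { $u.AcceptEula() }
            [void]$thirdParty.Add($u)
            Write-Host "WSUS-approved third-party update: $($u.Title)"
        }
    }

    if ($Install -and $thirdParty.Count -gt 0) {
        $downloader = $session.CreateUpdateDownloader()
        $downloader.Updates = $thirdParty
        $downloader.Download() | Out-Null

        $installer = $session.CreateUpdateInstaller()
        $installer.Updates = $thirdParty
        $inst = $installer.Install()
        Write-Host "Install result code: $($inst.ResultCode); reboot required: $($inst.RebootRequired)"
    }
}
finally {
    # Always put the policy back, even if the scan or install threw.
    Set-OrRemove $wuKey 'WUServer'       $saved.WUServer       'String'
    Set-OrRemove $wuKey 'WUStatusServer' $saved.WUStatusServer 'String'
    Set-OrRemove $auKey 'UseWUServer'    $saved.UseWUServer    'DWord'
    Restart-Service wuauserv -Force
}
```

Two caveats worth checking before relying on this: if UseWUServer is delivered by Group Policy, the next policy refresh will overwrite whatever the script writes, so the window between the two `Set-OrRemove` passes should be short and the task should not overlap a gpupdate; and because the content for these updates still comes from WSUS over the VPN, this only addresses the metadata/approval side of the original question, not the bandwidth for Microsoft updates, which is what the Scan Source policy in the earlier reply is for.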
