WSUS
- Integration with WSUS provides a way to cache Microsoft updates on-premise to reduce download bandwidth.
- Third-party application updates are not stored in WSUS; they are downloaded directly from the internet.
- WSUS settings are typically enforced on a device via group policy (GPO). When the policy object is applied to the device, it inherits specific registry keys that point the device to the WSUS server instead of Windows Update.
- For Automox to work in tandem with WSUS, you must specify the Windows Update Source and Server Address values under OS Patch Management. This setting can be found at the Group level within Automox:
- When the Windows Update Source is set to WSUS and you define the WSUS Server Address, the device scans for Microsoft-based updates and determines compliance and applicability using your WSUS server as the update source. (Note: you can also use the “Keep Device Settings” option if WSUS policies are already applied via group policy and that is preferred.)
- GPO and Automox Group Patch Management settings can conflict. GPO Windows Update settings apply on the domain refresh schedule (default every 90 minutes). Automox Patch Management settings apply on the group-defined scan interval. If the two disagree, the device can toggle between patch sources, or temporarily fall back to the default. This can cause misalignment in needed patches and potentially install updates or feature updates directly from the internet.
Tip: If you configure your group to use WSUS, your device MUST have access to your WSUS server when scans and policies run. In other words, if the device is remote and requires intranet access to reach the WSUS server, it must be on VPN.
- If you intend to use WSUS with Automox, make sure to configure Classifications and Products on the WSUS server to include everything needed, as only the patch metadata available in the WSUS database (the patches included in the cab downloaded from WSUS) is used to determine which patches are available for compliance or download.
Finding rogue GPOs that are enforcing WSUS settings
As noted, it is recommended that the customer turn off the GPO pushing their WSUS settings and instead manage it directly through the Automox Group’s Patch Management Settings.
For some environments, hunting down the GPO itself can be tricky. The first check is to see whether the registry values UseWUServer, WUServer, and WUStatusServer exist on the affected device.
Source: Registry keys for configuring Automatic Updates & WSUS · vFense/vFenseAgent-win Wiki
These registry values can be seen within an Automox health check report.
If those values are found and point to their WSUS server, that is an indicator that Group Policy is in fact enforcing the WSUS configuration, and they will need to scrub their GPOs for the specific policy (or policies) pushing those values.
The bulk of those GPOs are found under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.
Source: WSUS Group Policy Settings to Deploy Updates | Windows OS Hub
Additionally, you can run the following command on the affected device to see the GPOs that it is inheriting:
gpresult /r /scope:computer
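To run the registry check and the gpresult step above in one pass on an affected device, here is an added PowerShell example (not from the article or from Automox). It assumes the standard Windows Update policy registry locations and English-language gpresult output, and should be run from an elevated prompt.

```powershell
# Added example, not from the original article: report whether policy-based WSUS
# settings exist on this device and, if so, list the computer GPOs applied to it.
# The two keys below are the standard Windows Update policy locations.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey     = Join-Path $policyKey 'AU'

function Get-WsusPolicyState {
    $state = [ordered]@{ WUServer = $null; WUStatusServer = $null; UseWUServer = $null; Enforced = $false }
    if (Test-Path $policyKey) {
        $wu = Get-ItemProperty -Path $policyKey
        $state.WUServer       = $wu.WUServer
        $state.WUStatusServer = $wu.WUStatusServer
    }
    if (Test-Path $auKey) {
        $state.UseWUServer = (Get-ItemProperty -Path $auKey).UseWUServer
    }
    # Windows only redirects scans to WUServer when UseWUServer is 1
    $state.Enforced = ($state.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($state.WUServer)
    return [pscustomobject]$state
}

function Get-AppliedComputerGpos {
    # gpresult /r lists applied GPOs between the 'Applied Group Policy Objects'
    # header and the 'were not applied' line (English output assumed); the
    # header, the dashed underline and blank lines are trimmed away
    $lines = gpresult /r /scope:computer 2>$null
    $start = ($lines | Select-String -SimpleMatch 'Applied Group Policy Objects' | Select-Object -First 1).LineNumber
    $end   = ($lines | Select-String -SimpleMatch 'were not applied' | Select-Object -First 1).LineNumber
    if (-not $start -or -not $end -or $end -lt ($start + 2)) { return @() }
    $lines[$start..($end - 2)] |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -notmatch '^-+$' }
}

$state = Get-WsusPolicyState
$state | Format-List

if ($state.Enforced) {
    Write-Host "WSUS is policy-enforced (WUServer = $($state.WUServer)); applied computer GPOs:"
    Get-AppliedComputerGpos | ForEach-Object { Write-Host "  $_" }
    Write-Host 'Check these GPOs under Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.'
} else {
    Write-Host 'No policy-enforced WSUS settings found; the Automox group Patch Management settings will govern the update source.'
}
```

If WUServer is present but does not match the address configured in the Automox group, the device will toggle between sources at each policy refresh, which is the conflict described above.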