Combine WSUS and Patchdeck

Windows Server Update Services (WSUS) is a Microsoft solution for providing a local server for Microsoft Updates. It lets you cache Microsoft updates locally in your environment before delivering them to endpoints, and control which updates are available to endpoints. WSUS also has some drawbacks, however, and whether it makes sense for an environment depends on several factors. For a more in-depth discussion see our blog post. Patchdeck is designed to work alongside WSUS, and our Windows agent can be configured to use a WSUS server as its update source.

In the default configuration, the Patchdeck Windows agent uses the Microsoft Update online service as the source for new updates. This is the recommended setting because it ensures that you always get the newest updates. However, if your environment needs to use a local WSUS server, you can configure the Patchdeck Windows agent to work with WSUS by adding the "--use-wsus" command line option when running the "--install" command to register the agent with the backend for the first time. If you have already installed the agent but want to turn on WSUS mode, open an administrative PowerShell session, change into the installation directory of the agent (normally C:/Program Files/PatchdeckWindowsAgent) and run the following command:

./PatchdeckWindowsAgentService.exe --use-wsus

If you want to change back to the standard Windows Update service as the update source, run the command:

./PatchdeckWindowsAgentService.exe --use-online-updates

You can always check which update source is currently configured with the command:

./PatchdeckWindowsAgentService.exe --check-update-source

You will also need to configure the WSUS server and register it with your Windows clients. Please see the relevant Microsoft documentation on how to do this.

Please note that if the Patchdeck Windows agent is running in WSUS mode, only updates that are available on the WSUS server will be picked up by the agent. Also, if an endpoint cannot reach the WSUS server, e.g. because it is outside the corporate network or not connected via VPN, it could miss important updates. For endpoints that are mainly used outside your network, e.g. systems of remote employees, we recommend using the Microsoft Update online service as the update source (the default setting).
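
A pre-flight check for the two conditions above (the client is registered with a WSUS server, and that server is reachable from the endpoint), followed by the agent's own source check. This is an added example, not part of the Patchdeck agent; it assumes the default installation directory named on this page and the standard Windows Update policy registry values (WUServer, UseWUServer) that WSUS client registration writes.

```powershell
# Added example: pre-flight check before relying on WSUS mode.
# Run in an administrative PowerShell session.
$AgentDir = 'C:/Program Files/PatchdeckWindowsAgent'   # default path named on this page
$WuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusClientPolicy {
    # Reads the WSUS registration that Group Policy (or manual setup) wrote to the client.
    $wu = Get-ItemProperty -Path $WuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$WuKey\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = [bool]($au.UseWUServer -eq 1)
    }
}

function Test-WsusReachable {
    param([Parameter(Mandatory)][string]$Url)
    $uri = [uri]$Url
    # TCP connect only; it does not prove that a working WSUS answers on the port.
    (Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
        -WarningAction SilentlyContinue).TcpTestSucceeded
}

$policy = Get-WsusClientPolicy
if (-not $policy.WUServer -or -not $policy.UseWUServer) {
    Write-Warning 'No WSUS server is registered on this client; keep the agent on online updates.'
    return
}
if (-not (Test-WsusReachable -Url $policy.WUServer)) {
    Write-Warning "WSUS server $($policy.WUServer) is not reachable from this endpoint."
    return
}
Write-Output "WSUS server $($policy.WUServer) is registered and reachable."

# Show which update source the agent is currently configured to use.
& (Join-Path $AgentDir 'PatchdeckWindowsAgentService.exe') --check-update-source
```

Running the reachability part on a schedule for laptops in WSUS mode helps spot endpoints that have gone without contact to the WSUS server.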