Azure Update Manager & WSUS (patching 3rd party apps on Arc-enabled servers)

Bojan Zivkovic 526 Reputation points
2025-01-29T07:18:23.24+00:00

Hi, I'd like to get this clarified - to patch 3rd party apps on Arc-enabled servers with AUM I need a local instance of WSUS, so I have 2 questions:

  1. Does WSUS have to be standalone, or can it be WSUS managed by Configuration Manager (SUP role)?
  2. If Arc-enabled servers are in a different forest than the WSUS one, does that matter, since I found this:

User's image

I have a line of sight from Arc-enabled servers to WSUS (tcp/8530, 8531) managed by Configuration Manager and deployed the WSUS CA chain to the TRCA store on all Arc-enabled servers with GPO, but having completed an assessment on one of the Arc-enabled servers, I do not see updates for WireShark.


2 answers

  1. Stanislav Zhelyazkov 26,361 Reputation points MVP
    2025-01-29T09:01:29.8233333+00:00

    Hi,

    Azure Update Manager does not support patching third party apps. Can you specify where you got that statement from? Additionally, I believe WSUS also cannot patch third party apps, so your only option is SCCM. As you have opened this question with the Azure Update Manager tag, if you have questions for WSUS or SCCM, please open new ones with the corresponding tags.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Jeff Pigott 245 Reputation points Microsoft Employee
    2025-02-13T23:15:07.6033333+00:00

    Hello! To clarify your questions regarding patching 3rd party apps on Arc-enabled servers with Azure Update Management (AUM) using a local instance of WSUS:

    1. WSUS can be standalone or managed by Configuration Manager (SUP role). As long as the WSUS server is properly configured and accessible by the Arc-enabled servers, you can use it for patching.
    2. If the Arc-enabled servers are in a different forest than the WSUS server, it can still work as long as there is proper network connectivity and communication between the servers.

    The image you provided shows that you have set up the necessary communication ports (tcp/8530, 8531) and deployed the WSUS CA chain to the TRCA store on all Arc-enabled servers with GPO. However, if you are not seeing updates for WireShark after completing the assessment, there may be other factors to consider.

    If you are not seeing updates for WireShark after completing the assessment, it could be due to various reasons such as the updates not being approved in WSUS, the updates not being applicable to the specific server, or other configuration issues. I recommend checking the WSUS server logs, the update approval status, and ensuring that the updates are applicable to the Arc-enabled servers. If you need further assistance or clarification, please provide more details.

    As far as using WSUS with third party patches, check out this open source tool: WSUS Package Publisher from GitHub. Thank you.
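
A client-side check for the setup discussed in this thread, as an added example that is not part of either answer or of any Microsoft tooling. It assumes the WSUS location reaches the server through the Windows Update policy registry key, and that locally published (third-party) packages are signed with the WSUS signing certificate, which the Windows Update Agent only accepts when that certificate is in the Trusted Publishers store, its chain is trusted, and the "Allow signed updates from an intranet Microsoft update service location" policy is enabled. The thumbprint parameter is a placeholder to fill in from your own WSUS server.

```powershell
# Added example: run elevated on one Arc-enabled server.
# $SigningCertThumbprint is a placeholder, not a value from the thread: use the
# thumbprint of the certificate your WSUS server signs published packages with.
param(
    [string]$SigningCertThumbprint = '<WSUS-SIGNING-CERT-THUMBPRINT>'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

$results = [ordered]@{
    WUServer                    = $wu.WUServer                          # e.g. http://host:8530 or https://host:8531
    UseWUServer                 = ($au.UseWUServer -eq 1)               # agent is pointed at WSUS at all
    AcceptTrustedPublisherCerts = ($wu.AcceptTrustedPublisherCerts -eq 1) # needed for non-Microsoft signed updates
}

if ($wu.WUServer) {
    # Test the exact host and port the policy names, not a hand-typed one.
    $uri = [uri]$wu.WUServer
    $probe = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
    $results.Scheme        = $uri.Scheme
    $results.PortReachable = $probe.TcpTestSucceeded
}

# The signing certificate itself must be in Trusted Publishers; a CA chain in
# the Trusted Root store alone does not satisfy that.
$signer = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
    Where-Object Thumbprint -eq $SigningCertThumbprint
$results.SignerInTrustedPublisher = [bool]$signer

if ($signer) {
    $results.SignerExpired = ($signer.NotAfter -lt (Get-Date))
    # Build the chain without revocation lookups so the check works on
    # servers that cannot reach a CRL or OCSP endpoint.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $results.ChainTrusted = $chain.Build($signer)
}

[pscustomobject]$results | Format-List
```

Any value that comes back `False` or empty (other than `SignerExpired`) points at a client-side gap to fix before looking at approvals and applicability on the WSUS side.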
