Standalone WSUS Mode

Applies to: Patch My PC Publisher

Overview

Standalone WSUS Mode is used when the Publisher is integrated directly with WSUS without ConfigMgr.

This mode is intended only for environments that manage updates using WSUS standalone. It is not required and should not be enabled when ConfigMgr is used to manage software updates.

Standalone WSUS Mode controls whether locally published third party updates are visible in the WSUS console. When this mode is enabled, the Publisher marks updates as locally published so they appear in the WSUS console and can be viewed and managed directly in WSUS.

Important

If ConfigMgr is present and managing software updates, WSUS Standalone Mode should remain disabled.

Use SYSTEM Account

The Use SYSTEM account option controls how the Publisher connects with the WSUS SQL database when WSUS Standalone Mode is enabled.

Tip

If your WSUS database uses the Windows Internal Database (WID), the database connection options are read only. In this scenario, no SQL credentials are required or used.

When selected, the Publisher connects to the WSUS database using the local SYSTEM account of the machine where the Publisher is installed. This is the recommended and default option for most WSUS standalone deployments, as the SYSTEM account typically already has the required permissions to access the WSUS database.

If this option is not selected, you can specify a custom SQL login instead. This may be required in environments where WSUS uses a remote SQL Server or where security policies restrict SYSTEM account access. In that case, the specified SQL account must have sufficient permissions to read and update the WSUS database.

Note

For updates published before WSUS Standalone mode was enabled, use the Modify Updates Wizard to make those updates appear in the WSUS console uising the Show in WSUS option.

SQL Permissions Required

When the Publisher Sync runs, if the SUSDB is remote from the WSUS Standalone server, you would have to grant specific permissions to the computer account where the Publisher is installed for it to be able to update information.

The script below can be used to grant the required permissions. Replace the computer account values with the ones appropriate to your environment.

Edit the script as needed and run it as a SQL query using SQL Server Management Studio.

USE SUSDB
GO

-- Replace CONTOSO\ServerName$ with the appropriate value for your environment
DECLARE @UserName nvarchar(128) = 'CONTOSO\ServerName$'

DECLARE @QuotedUserToGrant nvarchar(128) = QUOTENAME(@UserName);

IF NOT EXISTS(SELECT principal_id FROM sys.server_principals WHERE name = @UserName) BEGIN
DECLARE @LoginSQL as varchar(500);
SET @LoginSQL = 'CREATE LOGIN '+ @QuotedUserToGrant + ' FROM WINDOWS';
EXEC (@LoginSQL);
END

IF NOT EXISTS(SELECT principal_id FROM sys.database_principals WHERE name = @UserName) BEGIN
DECLARE @UserSQL as varchar(500);
SET @UserSQL = 'CREATE USER ' + @QuotedUserToGrant + ' FOR LOGIN ' + @QuotedUserToGrant;
EXEC (@UserSQL);
END

DECLARE @PermissionsSQL as varchar(500);
SET @PermissionsSQL = 'GRANT UPDATE ON [dbo].[tbUpdate] ([IsLocallyPublished]) TO ' + @QuotedUserToGrant +
'GRANT SELECT ON [dbo].[tbUpdate] ([UpdateID]) TO ' + @QuotedUserToGrant;
EXEC (@PermissionsSQL);

PreviousWSUS Maintenance NextConfigMgr Apps

Last updated 1 month ago

Was this helpful?

hashtagOverview

hashtagUse SYSTEM Account

hashtagSQL Permissions Required

Overview

Use SYSTEM Account

SQL Permissions Required