@aurora, this is a common scaling pain point, especially with the size of modern Windows updates. You don’t necessarily need a full WSUS server at every site. What you’re looking for is a Local Distribution Point strategy.
The most effective way to do this using an MDM is to use the platform as the ‘Command Center’ and a local machine at the site as the ‘Heavy Lifter’.
Here is how you can set it up in three steps:
1. Set up a Lightweight Staging Point
You don’t need a massive server. You can use a single, high-uptime Windows machine at each branch to act as a Microsoft Connected Cache (MCC) node or a simple WSUS Downstream server. This machine downloads the update once from the internet.
2. Use the MDM to ‘Redirect’ the Traffic
Instead of the MDM pushing the update itself—which would just choke the network again—you use it to push a PowerShell script to the devices at that specific branch. This script modifies the Registry to tell the Windows Update Agent: ‘Stop looking at Microsoft’s public servers and start looking at this local IP.’
3. Target by Subnet or IP
In your MDM, you can create Device Groups based on the IP range of each office. Push the ‘Office A Script’ (pointing to Office A’s local server) only to the devices in that range to optimize the process.
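As an added example (not part of the post above), here is the kind of ‘Office A Script’ step 2 and step 3 describe, assuming the staging point is a WSUS downstream server: it writes the standard WSUS client policy values (WUServer, WUStatusServer, UseWUServer) but only after checking the device is really on that branch’s subnet, so a laptop that roams to another office is not left pointing at the wrong server. The server URL and CIDR are placeholders; a Connected Cache node would instead be addressed through Delivery Optimization’s DOCacheHost policy, which is not shown here.

```powershell
# Added example, not from the original post. Points the Windows Update Agent
# at a branch-local WSUS server, guarded by a subnet check so the MDM's IP-range
# targeting has a second line of defence on the device itself.
param(
    [string]$WsusUrl    = 'https://wsus-officea.corp.example:8531',  # placeholder; HTTPS so clients can't be redirected by a plain-HTTP tamperer
    [string]$BranchCidr = '10.10.0.0/16'                              # placeholder: Office A's range
)

function Test-InSubnet {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    # Reverse the byte order so the address becomes a host-order 32-bit integer
    $ipInt  = [BitConverter]::ToUInt32(([IPAddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([IPAddress]$net).GetAddressBytes()[3..0], 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Collect the device's non-loopback IPv4 addresses
$local = Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -notlike '127.*' } |
         Select-Object -ExpandProperty IPAddress

if (-not ($local | Where-Object { Test-InSubnet $_ $BranchCidr })) {
    Write-Warning "Device is not on $BranchCidr; leaving Windows Update settings untouched."
    return
}

# WSUS client policy keys read by the Windows Update Agent
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
New-Item -Path $au -Force | Out-Null

Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String
Set-ItemProperty -Path $au -Name UseWUServer    -Value 1        -Type DWord

# Restart the agent so it picks up the new source, then echo the result for the MDM log
Restart-Service wuauserv -Force
Get-ItemProperty -Path $wu | Select-Object WUServer, WUStatusServer
```

Run it as SYSTEM from the MDM; if the branch server later changes, the same script with a new URL is the rollback path, and setting UseWUServer back to 0 returns the device to Microsoft’s public servers.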