
Best practices for patching laptops that are not always connected to the Intranet

Updated June 13, 2018


This article provides guidelines and best practices to manage and patch laptops that are not always connected to the Intranet. It also describes three different environments and discusses the best solutions for customers in those scenarios.


  • Patch Manager all versions
  • Laptops with currently supported versions of Microsoft® Windows


There are a few ways to approach the patching of laptops via Patch Manager. The optimal solution depends on your environment size, the human capital allocated to patching, and applicable security policies.


Scenario 1

If security is not a high priority in your environment and there are very few laptops to manage, getting updates directly from Microsoft Windows Server Update Services (WSUS) is ideal. (Patches do not need to be tested before they are applied on a managed client.)


Scenario 2

For customers with high priority security needs who can apply patches only after they have been tested first in a test environment, there is unfortunately no easy way to manage laptops. You will need a replica WSUS server from which laptops can get updates. The port should be publicly opened.


Scenario 3

Another potential scenario is that your company allows installation of updates from WSUS, but they are approved through the Patch Manager Administrator Console and reported to the WSUS Intranet server locally.


In this case, you will need a secondary replica WSUS server. The managed laptops must be configured through a separate WSUS update policy that is different from the main WSUS group policy objects (GPOs) configured for your Intranet machines.


To do this, configure the WSUS server to have NO local content store. As a result, client systems will be forced to download content directly from Microsoft. This topic is discussed in the section "Determine Where to Store WSUS Updates" of the WSUS Deployment Guide. (© 2018 Microsoft Corporation, available at, obtained on June 13, 2018)
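One way to apply and verify the Scenario 3 setup from PowerShell, as an added example that is not part of the original article or of Patch Manager. The function names and the URL `https://wsus-replica.example.com:8531` are constructed placeholders, and the TLS check is an added assumption for a server that laptops reach from outside the Intranet.

```powershell
# Added example. Run the server functions on the secondary replica WSUS server
# (UpdateServices module required) and Test-LaptopWsusPolicy on a managed laptop.

function Disable-LocalContentStore {
    # With no local content store, approvals come from WSUS, binaries from Microsoft.
    $config = (Get-WsusServer).GetConfiguration()
    $config.HostBinariesOnMicrosoftUpdate = $true
    $config.Save()
}

function Test-ReplicaWithoutContentStore {
    # Reports the settings that decide where clients fetch update content.
    $config = (Get-WsusServer).GetConfiguration()
    [pscustomobject]@{
        IsReplicaServer              = $config.IsReplicaServer
        UpstreamServer               = $config.UpstreamWsusServerName
        ClientsDownloadFromMicrosoft = $config.HostBinariesOnMicrosoftUpdate
        Compliant                    = $config.IsReplicaServer -and
                                       $config.HostBinariesOnMicrosoftUpdate
    }
}

function Test-LaptopWsusPolicy {
    # Confirms the laptop GPO points at the secondary replica, not the Intranet WSUS.
    param([Parameter(Mandatory)][string]$ExpectedServer)

    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$wuKey\AU" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        WUServer        = $wu.WUServer
        WUStatusServer  = $wu.WUStatusServer
        UseWUServer     = $au.UseWUServer
        PointsAtReplica = ($au.UseWUServer -eq 1) -and
                          ($wu.WUServer -eq $ExpectedServer) -and
                          ($wu.WUStatusServer -eq $ExpectedServer)
        # Added check (assumption): a server reachable from outside should use HTTPS.
        UsesTls         = $wu.WUServer -like 'https://*'
    }
}

# On a laptop (constructed placeholder URL):
# Test-LaptopWsusPolicy -ExpectedServer 'https://wsus-replica.example.com:8531'
```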


You cannot patch third-party updates via Patch Manager in any of these three scenarios unless the managed laptops are connected to the Intranet. 



Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the information set forth herein may come from third parties. Your organization should internally review and assess to what extent, if any, such custom scripts or recommendations will be incorporated into your environment.  You elect to use third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.


