Windows Updates & WSUS Remote Laptops

Last Modified: 2012-08-14
I'm trying to come up with the best design to keep computers updated on a WAN. I am looking for suggestions on how to handle this in the best way using GPOs, WSUS, and Windows Update. Here is what I'm working with:

Office1 - 30 users normally, T1
Office2 - 50 users normally, T1
Office3 - 20 users normally, T1
Office4 - 15 users normally, T1
Collocation - Houses most servers including AD, 5MB
All locations are connected through a VPN on the Firewalls.
300 employees across the US and when not in the office they use a VPN software client to connect their laptop to the VPN core at the collocation.

Office 2 has a server that has an extra 40GB of space I could use, and the Collocation has a server with 300GB free space. Those are my only 2 options for installing WSUS. My main concern is with the laptops because they are mostly remote from an office. My other concern is bandwidth. For instance, let's say 50 users come into an office and they all try to update at the same time; this would completely fill the internet connection.

My initial thoughts are to install WSUS at the collocation and in Office2. I would use a GPO to have the collocation update the collocation, office1, office3 then use a GPO to have Office2 update office2 and office4. I was thinking about putting all laptops in their own OU and have a GPO to have them use Microsoft as their update server (since they can be remote or in the office).

Has anyone ever dealt with a similar situation or have suggestions?



Hey deadite, your plan sounds very reasonable to me. If you don't have the luxury of putting servers in each site that you can have a downstream WSUS server on, then the next best thing is to put in as many WSUS servers as you can and split up the load like you have suggested.

You've got more options... I would put the WSUS at your collocation site as it is your central hub and has the most bandwidth available. If you don't already have it, install BITS (Background Intelligent Transfer Service). Then in your domain Group Policy go to Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service and set it to something reasonable. I think it defaulted to something ridiculously low and I was seeing updates fail on my domain computers because the files weren't downloaded yet. You might have to play with it a little but the settings make sense once you see them. BITS manages background transfers, like it sounds, which includes Windows updates.

You can find BITS in Add/remove programs, Windows Components, Applications servers, and under IIS.

sublifer, your suggestion of putting the WSUS server at the collocation site is already what he has himself suggested, in addition to putting a downstream server at office2, which would help so that all office2 clients and office4 could pull from office2 and the rest from the collocation. It's not very clear if you are suggesting your other options differ from this.

blahphish, why don't you read the rest of my post before you start criticizing in a bad attempt to scrounge points... you shouldn't even be posting anything if it's not relevant to the question. He asked for opinions from those with experience in this matter. I have 6 locations myself, two connected at 10mb and 4 by T-1's and a few roaming laptops that connect by VPN. I keep my WSUS server at my main site and let BITS manage the bandwidth of the transfers. His two main concerns are his laptop users and traffic congestion. The laptop users are connecting to the collocation anyway so WSUS there only makes sense. The use of BITS will help keep congestion down and with some fine tuning it may never be an issue.

To add to what I've already said, I wouldn't bother placing a 2nd one at office two, it will complicate your setup and they wouldn't see any great benefit if you have BITS configured. It's just not worth it for only 50 users.

I wasn't attacking, simply asking for clarification, which you provided.


Thanks for the comments. I'm doing some testing now and it looks like I can get away with the downstream server. Won't be complicated to control and can offload traffic and get them patched quicker. BTW, I am using the default BITS config in my GPO for 8-5 (10mbps) then as much as they can grab after hours.
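
An added example, not part of the thread or any poster's own script: a PowerShell check to run on a client to confirm which update source and BITS throttle Group Policy actually delivered, which matters when offices and the laptop OU are pointed at different update servers as discussed above. The server URL is a hypothetical placeholder; the registry value names are the ones the Windows Update and BITS administrative templates write.

```powershell
# Added example: report the update source and BITS throttle this client received from GPO.
# $ExpectedServer is a hypothetical URL; pass the WSUS server assigned to the machine's
# site, or an empty string for machines that should go straight to Microsoft (laptop OU).
param(
    [string]$ExpectedServer = 'http://wsus-colo.example.local:8530'
)

$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$bitsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-PolicyValues([string]$Path) {
    # Returns $null when no GPO has written this key
    Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
}

$wu   = Get-PolicyValues $wuKey
$au   = Get-PolicyValues "$wuKey\AU"
$bits = Get-PolicyValues $bitsKey

# UseWUServer = 1 means the client uses the intranet server named in WUServer;
# anything else means it pulls from Microsoft.
if ($au -and $au.UseWUServer -eq 1) {
    $source = [string]$wu.WUServer
} else {
    $source = ''
}

# The BITS bandwidth policy stores rates in kilobits per second and hours as 0-23.
if ($bits -and $bits.EnableBITSMaxBandwidth -eq 1) {
    $workHours = '{0} Kbps from {1}:00 to {2}:00' -f `
        $bits.MaxTransferRateOnSchedule, $bits.MaxBandwidthValidFrom, $bits.MaxBandwidthValidTo
    if ($bits.UseSystemMaximum -eq 1) { $offHours = 'unlimited' }
    else { $offHours = "$($bits.MaxTransferRateOffSchedule) Kbps" }
} else {
    $workHours = 'no BITS limit set by policy'
    $offHours  = 'no BITS limit set by policy'
}

[pscustomobject]@{
    Computer        = $env:COMPUTERNAME
    UpdateSource    = if ($source) { $source } else { 'Microsoft Update (no WSUS policy)' }
    MatchesExpected = ($source.TrimEnd('/') -eq $ExpectedServer.TrimEnd('/'))
    BitsWorkHours   = $workHours
    BitsOffHours    = $offHours
}
```

Run it after `gpupdate /force` on one machine per OU; a `MatchesExpected` of `False` shows a client that landed under the wrong GPO and is patching from an unintended source.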