Windows Updates & WSUS Remote Laptops

Posted on 2009-02-12
Last Modified: 2012-08-14
I'm trying to come up with the best design to keep computers updated on a WAN. I am looking for suggestions on how to handle this in the best way using GPOs, WSUS, and Windows Update. Here is what I'm working with:

Office1 - 30 users normally, T1
Office2 - 50 users normally, T1
Office3 - 20 users normally, T1
Office4 - 15 users normally, T1
Collocation - Houses most servers including AD, 5MB
All locations are connected through a VPN on the Firewalls.
300 employees across the US and when not in the office they use a VPN software client to connect their laptop to the VPN core at the collocation.

Office 2 has a server that has an extra 40GB of space I could use, and the Collocation has a server with 300GB free space. Those are my only 2 options for installing WSUS. My main concern is with the laptops because they are mostly remote from an office. My other concern is bandwidth. For instance, let's say 50 users come into an office and they all try to update at the same time; this would completely fill the internet connection.

My initial thoughts are to install WSUS at the collocation and in Office2. I would use a GPO to have the collocation update the collocation, office1, office3, then use a GPO to have Office2 update office2 and office4. I was thinking about putting all laptops in their own OU and having a GPO to have them use Microsoft as their update server (since they can be remote or in the office).

Has anyone ever dealt with a similar situation or have suggestions?


Question by: deadite

    Accepted Solution

    Hey deadite, your plan sounds very reasonable to me. If you don't have the luxury of putting servers in each site that you can have a downstream WSUS server on, then the next best thing is to put in as many WSUS servers as you can and split up the load like you have suggested.

    Expert Comment

    You've got more options... I would put the WSUS at your collocation site as it is your central hub and has the most bandwidth available. If you don't already have it, install BITS (Background Intelligent Transfer Service). Then in your domain Group Policy go to Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service and set it to something reasonable; I think it defaulted to something ridiculously low and I was seeing updates fail on my domain computers because the files weren't downloaded yet. You might have to play with it a little, but the settings make sense once you see them. BITS manages background transfers, like it sounds, which includes Windows updates.

    You can find BITS in Add/Remove Programs, Windows Components, Application Server, and under IIS.

    Expert Comment

    sublifer, your suggestion of putting the WSUS server at the collocation site is already what he has himself suggested, in addition to putting a downstream server at office2, which would help so that all office2 clients and office4 could pull from office2 and the rest from collocation. It's not very clear if you are suggesting your other options differ from this.

    Assisted Solution

    blahphish, why don't you read the rest of my post before you start criticizing in a bad attempt to scrounge points... you shouldn't even be posting anything if it's not relevant to the question. He asked for opinions from those with experience in this matter. I have 6 locations myself, two connected at 10mb and 4 by T-1s, and a few roaming laptops that connect by VPN. I keep my WSUS server at my main site and let BITS manage the bandwidth of the transfers. His two main concerns are his laptop users and traffic congestion. The laptop users are connecting to the collocation anyway, so WSUS there only makes sense. The use of BITS will help keep congestion down, and with some fine tuning it may never be an issue.

    To add to what I've already said, I wouldn't bother placing a 2nd one at office two; it will complicate your setup and they wouldn't see any great benefit if you have BITS configured. It's just not worth it for only 50 users.

    Expert Comment

    I wasn't attacking, simply asking for clarification, which you provided.

    Author Closing Comment

    Thanks for the comments. I'm doing some testing now and it looks like I can get away with the downstream server. Won't be complicated to control, and it can offload traffic and get them patched quicker. BTW, I am using the default BITS config in my GPO for 8-5 (10 Mbps), then as much as they can grab after hours.
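The design above (WSUS at the collocation, a downstream server for office2/office4, laptops pointed at Microsoft Update, BITS throttled to 10 Mbps during business hours) is all delivered by GPO, so the useful check on any given client is what policy it actually ended up with. The script below is an added example, not code from the thread; it reads the documented Windows Update and BITS policy registry locations, reports the effective update source and throttle schedule, and, for a machine that carries a WSUS policy, tests whether that server is reachable (the laptop-on-the-road case the question worries about). The key and value names are the standard policy registry entries; the reachability test assumes ICMP to the WSUS host is allowed.

```powershell
# Added example (not from the thread): audit the Windows Update / BITS policy a GPO
# has left on this client. Registry paths are the standard policy locations.
$wuKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey   = "$wuKey\AU"
$bitsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the policy is not set (key or value missing)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$useWsus = Get-PolicyValue $auKey 'UseWUServer'
$report = [ordered]@{
    Computer       = $env:COMPUTERNAME
    # UseWUServer=1 means the client scans against WUServer instead of Microsoft Update
    UpdateSource   = if ($useWsus -eq 1) { Get-PolicyValue $wuKey 'WUServer' } else { 'Microsoft Update (no WSUS policy applied)' }
    StatusServer   = Get-PolicyValue $wuKey 'WUStatusServer'
    TargetGroup    = if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) { Get-PolicyValue $wuKey 'TargetGroup' } else { '(none)' }
    AUOptions      = Get-PolicyValue $auKey 'AUOptions'          # 2=notify, 3=download and notify, 4=scheduled install
    DetectionHours = Get-PolicyValue $auKey 'DetectionFrequency' # scan interval in hours, if set
}

# BITS policy "Limit the maximum network bandwidth for BITS background transfers":
# a rate (Kbps) inside a daily window, and either unlimited or a second rate outside it.
if ((Get-PolicyValue $bitsKey 'EnableBITSMaxBandwidth') -eq 1) {
    $from = Get-PolicyValue $bitsKey 'MaxBandwidthValidFrom'
    $to   = Get-PolicyValue $bitsKey 'MaxBandwidthValidTo'
    $rate = Get-PolicyValue $bitsKey 'MaxTransferRateOnSchedule'
    $off  = if ((Get-PolicyValue $bitsKey 'UseSystemMaximum') -eq 1) { 'unlimited' }
            else { "$(Get-PolicyValue $bitsKey 'MaxTransferRateOffSchedule') Kbps" }
    $report.BitsThrottle = '{0} Kbps from {1:00}:00 to {2:00}:00, {3} outside that window' -f $rate, $from, $to, $off
} else {
    $report.BitsThrottle = 'no BITS bandwidth limit policy'
}

# A laptop that carries an internal WSUS policy off-site cannot scan or download until it is
# back on the VPN, so flag whether the configured server is reachable from where we are now.
if ($useWsus -eq 1 -and $report.UpdateSource) {
    $wsusHost = ([uri]$report.UpdateSource).Host
    $report.WsusReachable = [bool](Test-Connection -ComputerName $wsusHost -Count 1 -Quiet -ErrorAction SilentlyContinue)
}

[pscustomobject]$report | Format-List
```

Run it on a laptop from outside the office and from inside: a machine in the laptop OU should report Microsoft Update as its source, while an office desktop should report its site's WSUS server and the 10 Mbps daytime throttle.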
