

Windows Updates & WSUS Remote Laptops

Posted on 2009-02-12
Medium Priority
Last Modified: 2012-08-14
I'm trying to come up with the best design to keep computers updated on a WAN.  I am looking for suggestions on how to handle this in the best way using GPOs, WSUS, and Windows Update.  Here is what I'm working with:

Office1 - 30 users normally, T1
Office2 - 50 users normally, T1
Office3 - 20 users normally, T1
Office4 - 15 users normally, T1
Collocation - Houses most servers including AD, 5MB
All locations are connected through a VPN on the Firewalls.
300 employees across the US and when not in the office they use a VPN software client to connect their laptop to the VPN core at the collocation.

Office 2 has a server that has an extra 40GB of space I could use, and the Collocation has a server with 300GB free space.  Those are my only 2 options for installing WSUS.  My main concern is with the laptops because they are mostly remote from an office.  My other concern is bandwidth.  For instance, let's say 50 users come into an office and they all try to update at the same time; this would completely fill the internet connection.

My initial thoughts are to install WSUS at the collocation and in Office2.  I would use a GPO to have the collocation update the collocation, office1, office3 then use a GPO to have Office2 update office2 and office4.  I was thinking about putting all laptops in their own OU and have a GPO to have them use Microsoft as their update server (since they can be remote or in the office).

Has anyone ever dealt with a similar situation or have suggestions?


Question by:deadite

Accepted Solution

blahphish earned 1000 total points
ID: 23627674
Hey deadite, your plan sounds very reasonable to me. If you don't have the luxury of putting servers in each site that you can have a downstream WSUS server on, then the next best thing is to put in as many WSUS servers as you can and split up the load like you have suggested.

Expert Comment

ID: 23664739
You've got more options... I would put the WSUS at your collocation site as it is your central hub and has the most bandwidth available.  If you don't already have it, install BITS (Background Intelligent Transfer Service).  Then in your domain Group Policy go to Computer Configuration > Administrative Templates > Network > Background Intelligent Transfer Service and set it to something reasonable. I think it defaulted to something ridiculously low and I was seeing updates fail on my domain computers because the files weren't downloaded yet.  You might have to play with it a little but the settings make sense once you see them.  BITS manages background transfers, like it sounds, which includes Windows updates.

You can find BITS in Add/remove programs, Windows Components, Applications servers, and under IIS.

Expert Comment

ID: 23665081
sublifer, your suggestion of putting the WSUS server at the collocation site is already what he has himself suggested, in addition to putting a downstream server at office2, which would help so that all office2 clients and office4 could pull from office2 and the rest from collocation. It's not very clear if you are suggesting your other options differ from this.

Assisted Solution

sublifer earned 1000 total points
ID: 23669702
blahphish, why don't you read the rest of my post before you start criticizing in a bad attempt to scrounge points... you shouldn't even be posting anything if it's not relevant to the question.  He asked for opinions from those with experience in this matter.  I have 6 locations myself, two connected at 10mb and 4 by T-1's and a few roaming laptops that connect by VPN.  I keep my WSUS server at my main site and let BITS manage the bandwidth of the transfers.  His two main concerns are his laptop users and traffic congestion.  The laptop users are connecting to the collocation anyway so WSUS there only makes sense.  The use of BITS will help keep congestion down and with some fine tuning it may never be an issue.

To add to what I've already said, I wouldn't bother placing a 2nd one at office two, it will complicate your setup and they wouldn't see any great benefit if you have BITS configured.  It's just not worth it for only 50 users.

Expert Comment

ID: 23669906
I wasn't attacking, simply asking for clarification, which you provided.

Author Closing Comment

ID: 31546346
Thanks for the comments.  I'm doing some testing now and it looks like I can get away with the downstream server.  Won't be complicated to control and can offload traffic and get them patched quicker.  BTW, I am using the default BITS config in my GPO for 8-5 (10mbps) then as much as they can grab after hours.
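
Added example, not part of the thread: a read-only PowerShell check, run on a client, that reports which update source and BITS throttle window Group Policy has actually applied, which is how the per-office and laptop-OU GPOs discussed above can be verified. The registry value names are the ones written by the Windows Update and BITS administrative templates; the function names `Get-PolicyValue` and `Get-UpdatePolicyReport` are hypothetical.

```powershell
# Added example: audits the policy registry values only; it changes nothing.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-UpdatePolicyReport {
    $wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $bits = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\BITS'

    # Update source: a WSUS URL only counts when UseWUServer is also set to 1.
    $useWsus = Get-PolicyValue "$wu\AU" 'UseWUServer'
    $server  = Get-PolicyValue $wu 'WUServer'
    $source  = if ($useWsus -eq 1 -and $server) { "WSUS: $server" }
               else { 'Microsoft Update (no WSUS policy applied)' }

    # BITS background-transfer limit: rate in Kbps inside an hour window.
    if ((Get-PolicyValue $bits 'EnableBITSMaxBandwidth') -eq 1) {
        $rate = Get-PolicyValue $bits 'MaxTransferRateOnSchedule'
        $from = Get-PolicyValue $bits 'MaxBandwidthValidFrom'
        $to   = Get-PolicyValue $bits 'MaxBandwidthValidTo'
        $off  = if ((Get-PolicyValue $bits 'UseSystemMaximum') -eq 1) { 'unlimited' }
                else { "$(Get-PolicyValue $bits 'MaxTransferRateOffSchedule') Kbps" }
        $throttle = '{0} Kbps from {1}:00 to {2}:00, {3} outside that window' -f $rate, $from, $to, $off
    } else {
        $throttle = 'no BITS bandwidth limit policy applied'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        UpdateSource = $source
        StatusServer = Get-PolicyValue $wu 'WUStatusServer'
        BitsThrottle = $throttle
    }
}

Get-UpdatePolicyReport | Format-List
```

Running it on one machine from each office OU and one from the laptop OU shows whether each GPO reached the clients it was meant for.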
