Secondary update source when WSUS is unavailable?


Is there a way that we can add a secondary update source when local WSUS is not available?

We have a selection of users who do not come into the office very often and cannot talk to the local WSUS externally.

Is there a way that in group policy we can say use Windows update if they cannot talk to WSUS?

timb551, IT Manager, Asked:

Hello There, System Administrator, Commented:
You can have two WSUS in network... Configured in two different GPOs.
timb551, IT Manager, Author Commented:
Thanks, how would that help for external users?
Shaun Vermaak, Technical Specialist, Commented:
They can still check online when WSUS is not available.

I'd start from the question: what is it you want to address?
One option, as was suggested, is to have two WSUS servers, with one the primary while the other is a replica, and the GPO will point the clients to a DNS record.
The setting on the WSUS replica is to roll up, meaning when clients connect to the replica, the replica will relay the client information to the primary WSUS. In this setup, the content will be duplicated and will exist on both.
Should the primary fail, it is fairly simple to convert the replica to be the primary, which will retain all prior approved/downloaded updates.

The clients will not distinguish to which they are connecting.

Transitioning to a new WSUS on a new system is ....... subordinate the new WSUS to an existing one; once it is synced up, the new one can become primary when the ... DNS records will need to be updated ahead of the transition to include the new WSUS IP in the listing.
timb551, IT Manager, Author Commented:
Are you talking about having a WSUS open to the web?
No, using a name does not open it to the web.
Instead of publishing an IP for the intranet where the WSUS server is, in your local DNS create a record such as and point it to the IP of each of your WSUS servers. This way, should you need to transition from one to a new one, you would not have the delay because you have to update the GPO to point to a new intranet server, or have the issue that some seem to use, which is to reuse the IP of the existing one on the new one, limiting one's ability to have both on at the same time, to handle a seamless transition......

              intranet update:
Add a port if that is your setup.
This way the client will check with DNS to determine where the WSUS server is.
The TTL on the update record in the DNS section should be set to an amount of time that will allow the transition; for WSUS, potentially your systems are set to check once a day, a 12 hour TTL should be fine.
timb551, IT Manager, Author Commented:
I have just created a second group policy for the users who don't come into the office much and set them to go direct to Windows Update rather than our internal WSUS server.

Not perfect but will get the job done for the time being.

People who do not come into the office do not have GPOs applied.

Using two WSUS instances where one is a replica that does not save the update contents seems to be the option you are looking for, where these excluded users will check in with the replica, but retrieve the approved updates directly from Microsoft.
timb551, IT Manager, Author Commented:
When the laptop is set up it will pick up the standard company group policies including this new one.

I will read your replica answers further to see if this is something I can do. But didn't really want to have to have another server on the network to look after a few users that have laptops.

GPOs only apply when the system is on the LAN or if connected via VPN and the connection speed determination is faster than 500kb (slow link detection).

In the absence of a GPO applying, the laptops offsite will get their updates from MS updates.

When on the LAN, they should use the local WSUS to avoid saturating your WAN in the event they retrieve update data while on the LAN.
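
To see on a given laptop which of the sources discussed above is actually in effect, and what the DNS name in the GPO currently resolves to, here is an added example that is not part of the original posts. It assumes the GPO's intranet update URL uses a host name (as the DNS suggestion above recommends); the registry locations are the standard Windows Update policy keys, and `Get-UpdateSourceReport` is a hypothetical helper name.

```powershell
# Added example. Registry paths/values are the standard Windows Update policy
# locations; Get-UpdateSourceReport is a hypothetical helper name.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-UpdateSourceReport {
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # Without WUServer, or with UseWUServer not set to 1, the client is not
    # directed to an intranet server and goes to Microsoft's update service.
    if (-not $wu -or -not $wu.WUServer -or $au.UseWUServer -ne 1) {
        return [pscustomobject]@{
            Source = 'Windows Update (no WSUS policy in effect)'
        }
    }

    $uri = [uri]$wu.WUServer

    # Resolve the name the GPO points at. Only address records carry IPAddress,
    # so CNAME hops are filtered out. A cached answer shows the remaining TTL.
    $records = @(Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress })

    # [uri] fills in the scheme's default port when the URL names none.
    $reachable = $false
    if ($records.Count -gt 0) {
        $reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    [pscustomobject]@{
        Source        = 'WSUS (policy)'
        Url           = $wu.WUServer
        Encrypted     = ($uri.Scheme -eq 'https')
        Addresses     = $records.IPAddress -join ', '
        MinTtlSeconds = ($records | Measure-Object -Property TTL -Minimum).Minimum
        Reachable     = $reachable
    }
}

Get-UpdateSourceReport | Format-List
```

A laptop that reports `Source = WSUS (policy)` with `Reachable = False` while off the LAN still has the WSUS policy cached and will not be pulling updates from Microsoft.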
Seth Simmons, Sr. Systems Administrator, Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: timb551 (https:#a42467380)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer