WSUS Onsite - Windows update Offsite

I got a WSUS server 3.0 running at a company, basically to save external bandwidth, now i got this request that when users bring their laptops outside the office and works off-site, windows will get the updates from microsoft instead, as if there are 2 servers pre-configured. I ´can´t see how this would actually work without doing some registry hack to "manually" change from wsus server back to windows update, or do a manual windows update and click on "check online for updates from microsoft update". All machines are running Windows 7. They are recieving updates when they connect thru VPN back to the office, but i will block port 8530 to avoid that from happening.

The request is, it should happen quietly and unnoticable without user interaction....

is it possible ?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

gateway

Not sure but would like to know myself. I often run into this problem especially when people decide to work from home and don't come back into the office for a while. It's one of those things I have just not got round to researching - shame on me!

EDIT: welcome to TE!

blargoe

I have a WSUS server in my DMZ that is a child of my main WSUS server. I have the DMZ server set to pull synchronization from the main WSUS server, but clients that connect to it download updates from Microsoft Update. Then we punched a hole in the firewall, set up the PAT, and in the Internet DNS, created a name record, assigning the public IP address of the DMZ WSUS server a hostname that matches the hostname that is passed out in the group policy for internal usage. Works great. Roaming users report in to our WSUS infrastructure, but download the updates from MS.

For the hostname, I did a cname internally of "update.company.com" instead of using the real server name, so I wouldn't have to publish the real hostname of my internal server on the Internet.

gateway

Thanks for that Blargoe, unfortunately my current infrastructure doesn't allow me to have another WSUS server, also as my office is a branch office there is no DMZ configured. WSUS is internal only. I like the sound of your setup though, clever solution.

Claymoore

You could create a GPO that defines the internal update site and assign it to your active directory sites instead of an OU. When a client is on one of your defined subnets, they will use your internal WSUS server. When they are at home, they will use Windows Update. Automatic updating will use Windows Update by default, so the internal server setting just overrides the default.

From the Help information on that setting:

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet Microsoft update service, instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.

You will still want to enable Automatic Updating in another GPO that is assigned to make sure your users don't turn off updates.

it_consultant

I was going to suggest something similar. Configure a separate GPO for your laptop clients, have them download directly from MS. That way when they are on there quick home internet connections they will still get updates. How many laptop / home users are we talking about?