Local windows update server

heymrdj

At work we have 2 6mbit DSL lines for clients' systems. We also have a Windows Server 2003 server for running the 8 computers on our domain that we use to actually conduct business. The lines for the clients' systems (when they're being re-set up and whatnot) are separated from the internet being piped to the rest of the building (including the server). What can we do to make a local windows update repository? In a way this is our desire to go greener. One local server to provide the updates, instead of doing 15 systems from XP with no Service Pack to SP3 from Microsoft's servers. We can't stand that waste of bandwidth. To an extent I imagine we could run a DSL line to another Win2k3 box with WSUS installed then run all the client networks (workstations) from this server. But it would have to have IIS and DNS and DHCP roles running to pass through the rest to the internet wouldn't it? It's a project I could handle (done it many times before) but if I'm doing all that dammit I want a pay raise :p.

Any other options I'm missing?

By the way the client computers can't be required to join a domain. And it'd be nice for this to work for 2000-Vista.

imagoon

Last I recall, Windows update is signed in such a way that it is hard to imitate it. You may be able to use a caching proxy server to actually hold current updates but I am not sure the windows update clients will accept them without having their registry patched.

WSUS 3+ runs as its own service now. DHCP/DNS and all that has to be handled separately.

Registry entries I am referring to:

http://thelazyadmin.com/blogs/...-Active-Directory.aspx

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate

These five settings control the WSUS environment.

* WUServer: Defines the location of the WSUS Server - RegString - http://wsus_server_name
* WUStatus: Defines the location of the WSUS Status Server - RegString - http://wsus_server_name
* TargetGroupEnabled: Enables (1) or disables (0) client side targeting - Reg_DWORD - 1 or 0
* TargetGroup: Defines the name of the target group - Reg_String - Groupname
* ElevateNonAdmins: Enables (1) or disables (0) non-admin users from controlling what updates get installed. - Reg_DWORD - 1 or 0

The next set of options configures Automatic Updates on the client. These options are located in the registry under

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

There are a lot of options but I am only going to cover the main ones.

* AUOptions: Automatically download and schedule installation. - Reg_DWORD - 4
* ScheduledInstallDay: The day of the week to install the downloaded hotfixes, 0 = every day. - Reg_DWORD - 0
* ScheduledInstallTime: The time of day to install the downloaded hotfixes, n = hour (0-23) - Reg_DWORD - 3 (3:00 AM)
* DetectionFrequencyEnabled: Enables (1) or disables (0) the detection frequency interval - Reg_DWORD - 1
* DetectionFrequency: Specifies the detection frequency interval, n=hours (0-22) - Reg_DWORD - 22
* NoAutoRebootWithLoggedOnUsers: Prevents Automatic Updates from rebooting the computer if a user is logged in. If set to 1 the user will be prompted to reboot, if set to 0 the user will be warned that the PC is rebooting in 5 minutes. - Reg_DWORD - 1
* UseWUServer: This must be present and set to 1 in order for the WSUS Environment values to be used. - Reg_DWORD - 1

Make sure that you revert the settings also... if you don't they will never auto patch on their own anymore. The update site however will work.

Also WSUS is designed for auto deployment; you have to issue command-line commands to force the clients to try and locate updates and then to patch. "windowsupdate.com" is still windowsupdate.com. Also the update client will not patch more than I think 10 updates at a time, so if you have 60+ expect to let the machine sit there and reboot.

WSUS will not deploy initial installs of things like .NET. You must download the admin copy and install it before WSUS will patch it.

heymrdj

Yup.. that's a hell of a lot more work than is beneficial. Works great for business machines, but our setup is for clients' computers going in and out of the shop. Was hoping there was an easy way. Our programmers division has a Debian repository that we set up that works great; was hoping Windows maybe had something just as easy to simply tell it to go elsewhere for the updates, like just typing in a local domain for our local update server and it retrieving them from there, since it's "all mighty proprietary microsoft softwares". Ah well....

imagoon

Well in theory you could do it with a couple of batch files. Build a .reg file with the information for your WSUS server. Save a copy of the .reg of the defaults. Batch script 1 does the import and issues the check for updates and download command. Eventually a little yellow "Updates waiting to be installed" will pop up. Tell it to go and let it rip. At the end import the defaults back in.

If you are just imaging machines look at Windows Deployment Services and use that with sysprep to build a network deployable image that is already patched / configured. Failing that, build a custom windows XP CD with nlite (free) with the patches already embedded in the CD/DVD image.
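The two-script approach above, written out as one batch file with a "point at WSUS" path and a "revert" path. This is an added example and not a script from the thread or from anyone in it; the server name wsus01, the target group name Shop and the hotfix-free "Shop" policy are assumptions, and it uses reg.exe and wuauclt.exe as shipped with XP SP2+/2003/Vista. The policy values are the ones listed in the earlier post, with one correction: the status-server value the client actually reads is WUStatusServer, not WUStatus. Two practitioner points: the client will take its update approvals from whatever host WUServer names over plain http, so that name should resolve only on the shop's own DNS and the policy must be deleted before the machine leaves (the revert path below does that); and the AU service has to be restarted before it notices a policy change, which is why the script bounces wuauserv.

```batch
@echo off
rem Added example (not from the thread). Points a non-domain client at a local
rem WSUS server, forces a detection cycle, and can undo itself so the box goes
rem back to windowsupdate.com when it leaves the shop. Run from an administrator
rem command prompt. "wsus01" and the "Shop" target group are assumed names.
rem   usage:  wsus-client.cmd          (point at local WSUS and check for updates)
rem           wsus-client.cmd revert   (delete the policy, return to Microsoft)

set WUKEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate
set AUKEY=%WUKEY%\AU
set WSUS=http://wsus01

if /i "%~1"=="revert" goto revert

rem --- point the client at the local WSUS server ---------------------------
reg add "%WUKEY%" /v WUServer       /t REG_SZ    /d %WSUS% /f
reg add "%WUKEY%" /v WUStatusServer /t REG_SZ    /d %WSUS% /f
reg add "%AUKEY%" /v UseWUServer    /t REG_DWORD /d 1      /f
rem AUOptions 3 = download, then notify so the tech clicks install; 4 would
rem install on the schedule below, which is not what you want on a bench.
reg add "%AUKEY%" /v AUOptions      /t REG_DWORD /d 3      /f
rem check every hour (minimum allowed) instead of the default ~22 h
reg add "%AUKEY%" /v DetectionFrequencyEnabled /t REG_DWORD /d 1 /f
reg add "%AUKEY%" /v DetectionFrequency        /t REG_DWORD /d 1 /f
rem client-side targeting: approve everything once for a "Shop" group in the
rem WSUS console rather than per machine
reg add "%WUKEY%" /v TargetGroupEnabled /t REG_DWORD /d 1   /f
reg add "%WUKEY%" /v TargetGroup        /t REG_SZ    /d Shop /f

rem the Automatic Updates service only reads policy at start-up
net stop  wuauserv
net start wuauserv
rem drop the old authorization cookie and force a detection against WUServer
wuauclt /resetauthorization /detectnow
echo Client now reports to %WSUS%. Watch %WINDIR%\WindowsUpdate.log for "WSUS server:".
goto :eof

:revert
rem --- remove the policy so the client returns to Microsoft's servers -------
rem Deleting the whole policy key removes WUServer, UseWUServer and the AU
rem overrides in one go; without this the machine never reaches windowsupdate.com.
reg delete "%WUKEY%" /f
net stop  wuauserv
net start wuauserv
wuauclt /detectnow
echo Policy removed; client will use windowsupdate.com again.
```

One caveat for shops that restore from images: clients cloned from the same image share the SusClientId under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate, and WSUS then shows them as a single computer. Delete that value (and SusClientIdValidation) before the first detection on a freshly imaged box so each one registers separately.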

heymrdj

Originally posted by: imagoon
Well in theory you could do it with a couple of batch files. Build a .reg file with the information for your WSUS server. Save a copy of the .reg of the defaults. Batch script 1 does the import and issues the check for updates and download command. Eventually a little yellow "Updates waiting to be installed" will pop up. Tell it to go and let it rip. At the end import the defaults back in.

If you are just imaging machines look at Windows Deployment Services and use that with sysprep to build a network deployable image that is already patched / configured. Failing that, build a custom windows XP CD with nlite (free) with the patches already embedded in the CD/DVD image.

The batch script idea is a very interesting take on it. One of our coworkers is really good at windows batch scripts.. he might be able to do that if we deploy via WSUS. The main reason the images won't work is 70% of the computers we work on are restored via partitions or setup discs. Our installs (generic XP's) are redone every 2 months for updates.

Crusty

Just download the BIG patches like service packs and whatnot and store them locally on a file server or disc or something and let the MS servers handle the rest of the updates. Unless you can do a full-blown WSUS setup, any other way is a pain.

heymrdj

Originally posted by: Crusty
Just download the BIG patches like service packs and whatnot and store them locally on a file server or disc or something and let the MS servers handle the rest of the updates. Unless you can do a full-blown WSUS setup, any other way is a pain.

We already do this, but like in Vista, for HP laptops just 1 year old, there's about 1.2GB of updates that must be gotten before SP1 even pops up for an Ultimate install.

heymrdj

We're going to get ready and try to deploy WSUS this weekend on our network and see how it performs. Today was a total crash on our network. Business is booming and our 2 6mbit lines to the workstations couldn't keep up with the sheer number of updates we needed. 26GB just in an afternoon. We're also going to use IIS to hold our redistributables that are constantly getting used such as .NET, Adobe, Dreamspark Office Ultimate installations (we do tons of work for the GSW college I'm a student of), and others.

Hope we can make this work in our favor. Convinced the boss this can work, I have the support of the staff in making this work, and even the Network Admin thinks this can be worked in easily enough.

Wish me luck, I've done this admin for a computer club, but this will be a first on a Business level for me.

Genx87

Are you a computer shop or something? If windows updates are an issue join the machines to a domain, get updates from the WSUS server, then take them off the domain when finished.

heymrdj

Originally posted by: Genx87
Are you a computer shop or something? If windows updates are an issue join the machines to a domain, get updates from the WSUS server, then take them off the domain when finished.

Yes, like I said, we're constantly resetting, building, updating and giving maintenance to machines.

Adding them all to a domain is pretty impossible seeing as 90% of them are HOME OS's, not Pro/Ultimate/Business/Enterprise.