How to configure a branch office WSUS server to get approvals centrally but download updates from Microsoft Update.

The basic WSUS architecture is to have either autonomous or replica WSUS servers. An autonomous WSUS server downloads its updates from Microsoft Update and these updates have to be approved (either manually or through automatic approval rules) by a WSUS administrator. A replica WSUS server gets all its updates and approvals from an upstream WSUS server.

At its most basic this allows you to deploy updates to all computers in your organization centrally. Just plonk a replica WSUS server out at each branch office. Approve updates once centrally. They are deployed everywhere. Bob is your uncle.

This basic configuration is great unless you want to “approve once” but don’t want the update traffic itself coming across your WAN links. By default a replica WSUS server will drag updates across the WAN link. That is fine, except that your branch office site probably has a faster direct Internet connection than its WAN link.

Branch office WSUS servers can be configured to still get their list of approved updates from an upstream server, but to download those updates from Microsoft Update, rather than over the WAN link.

To configure a branch office WSUS server to get updates from an upstream server, but download updates from the Internet, do the following.

  1. Open the WSUS console and expand the server node.
  2. Click on Options.
  3. Click on Update Source and Proxy Server.
  4. Select the Synchronize From Another Windows Server Update Services Server option and enter the address of the central WSUS server that will be used to manage approvals, as shown in the figure below. Ensure that you do not select the This Server Is A Replica Of The Upstream Server checkbox!
  5. Now click on the Update Files and Languages item. Choose the Store Update Files Locally On This Server option and ensure that you check the Download Files From Microsoft Update; Do Not Download From Upstream Server checkbox, as shown in the figure.

Because the option to download from Microsoft Update instead of the upstream server is located in Update Files and Languages rather than in the Update Source and Proxy Server area of the options panel, a lot of administrators miss it.
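The same settings can be applied and then checked from PowerShell on the branch office server, which makes the easily missed checkbox auditable across many sites. This is an added example, not part of the original article; the upstream server name and port are placeholders, and the mapping of console checkboxes to configuration properties is this example's reading of the WSUS administration API.

```powershell
# Added example. Run elevated on the branch office WSUS server
# (requires the UpdateServices module that ships with the WSUS role).
$UpstreamName = 'wsus-central.example.com'  # placeholder: your central WSUS server
$UpstreamPort = 8530                        # assumption: default WSUS HTTP port

$wsus   = Get-WsusServer
$config = $wsus.GetConfiguration()

# Step 4: synchronize from the upstream server, replica checkbox left cleared.
$config.SyncFromMicrosoftUpdate      = $false
$config.UpstreamWsusServerName       = $UpstreamName
$config.UpstreamWsusServerPortNumber = $UpstreamPort
$config.IsReplicaServer              = $false

# Step 5: store update files locally, but fetch them from Microsoft Update
# instead of pulling them over the WAN from the upstream server.
$config.HostBinariesOnMicrosoftUpdate = $false
$config.GetContentFromMU              = $true
$config.Save()

# Re-read the saved configuration and flag any setting that did not stick.
$saved    = (Get-WsusServer).GetConfiguration()
$expected = [ordered]@{
    SyncFromMicrosoftUpdate       = $false
    UpstreamWsusServerName        = $UpstreamName
    UpstreamWsusServerPortNumber  = $UpstreamPort
    IsReplicaServer               = $false
    HostBinariesOnMicrosoftUpdate = $false
    GetContentFromMU              = $true
}

$drift = foreach ($name in $expected.Keys) {
    if ($saved.$name -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $saved.$name }
    }
}

if ($drift) {
    Write-Warning 'Branch office WSUS configuration does not match the intended settings:'
    $drift | Format-Table -AutoSize
} else {
    Write-Output 'Upstream sync and Microsoft Update download settings are in place.'
}

# Reported only, not changed: whether the link to the upstream server uses TLS.
Write-Output ("Upstream connection uses SSL: {0}" -f $saved.UpstreamWsusServerUseSsl)
```

The verification half of the script can be run on its own as a periodic check, since the setting lives in a different options pane from the upstream server address and is easy to lose when a server is rebuilt.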
