Anybody run their own local Windows update server using WSUS?


Fritz

I can see where this would be advantageous but not sure if it's worth what looks like considerable hassle to get up and running.
 

JSchuricht

It's not that hard to set up but you need lots of patience waiting for the first sync to complete. The biggest things to do or avoid doing are: don't do driver updates and use a good cleanup/maintenance script. Optional but strongly recommended, use a separate MS SQL server instead of the built-in database.

To answer your question, I have been running a WSUS server at home for over a decade. It's easier for the systems that don't need internet access.
 

Fritz

Thank you sir.
 

i386

I tried and failed back then with Server 2008 R2 :D

For a long time I used the WSUS Offline Update tool instead (initially created by people from c't). It's basically a collection of scripts that use wget to analyse all the XML files that Microsoft uses (or used?) to determine what updates exist for which OS/software and downloads the files for it.

But since Microsoft started to offer the cumulative updates and updated ISO/installation files I don't need to have the updates locally anymore :D
 

zunder1990

Take a look at LanCache.NET.

Pros over WSUS:
  • It requires no client config, just change DNS settings in DHCP to point at lancache.
  • It would cache other stuff like Steam games.

Con over WSUS:
  • It does not pre-download the updates. A client has to request the file the first time and it would be cached as it is fed to the client. The next client that requests the same file would get it from cache.

I use lancache at home and it even works with just my 3 Windows 10 clients.
 

vanfront

I have been running a local WSUS for years. My experience so far, in line with what others said here:
  • use a separate MS SQL instance and follow this Microsoft guide to improve WSUS DB's performance (just ignore the Configuration Manager part and do the SQL part)
  • give it plenty of disk space (I have 2 TB)
  • schedule a weekly reboot of the WSUS machine — this tremendously helped improve stability and availability for me
  • be selective regarding the software and versions it shall download — keep it at the bare minimum for your actual infrastructure, and when a new software or version is introduced in your infra, update WSUS settings
  • have a custom cleanup script to get rid of the trash it keeps downloading
The cleanup script is important so that you don't waste space. Consider this:

1) WSUS has no CPU platform parameter (!) so it downloads updates for all platforms including completely obsolete stuff like Itanium. Hence I have this in my script:

Code:
# SearchAndDecline is a helper function defined in the attached script.
# Decline all ARM64 Updates
Write-Host "Declining ARM64 updates"
SearchAndDecline('ARM64-based Systems')
SearchAndDecline('ARM64')

# Decline all Itanium / IA64 updates (although there shouldn't be any these days)
Write-Host "Declining IA64 updates"
SearchAndDecline('Itanium')
SearchAndDecline('IA64')

…and yes, Microsoft uses different names for the same thing, sometimes.

2) Unused versions and editions of operating systems can be recognized only by their names:

Code:
# Decline updates for old releases of Windows 10 (add more as time progresses)
Write-Host "Declining outdated Windows 10 updates"
SearchAndDecline('Windows 10 Version 1507')
SearchAndDecline('Windows 10 Version 1511')
SearchAndDecline('Windows 10 Version 1607')
SearchAndDecline('Windows 10 Version 1703')

3) Localized names: If you use anything other than English, to a great surprise, again that has no parameter in WSUS and the names of products are sometimes localized. Consider this ("consumer editions" translated into Czech):

Code:
# Decline unnecessary Windows 10 updates
Write-Host "Declining unnecessary Windows 10 updates"
SearchAndDecline("Windows 10 (uživatelské edice)")
SearchAndDecline("Windows 10 (consumer editions)")

4) Manually decline obsolete and superseded updates.

5) Manually clean up (remove) updates that were obsoleted or are unneeded.

I have all this scheduled to run daily. My PowerShell script is attached. Credit goes to someone somewhere on the Internet for a head start on this.

P.S. Be very patient. The WSUS GUI is just incredibly slow.
 

Attachments
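
Added example, not vanfront's attached script (which is not reproduced on this page): one way a `SearchAndDecline` helper like the one called in the post above could be written with the WSUS PowerShell module, including a dry-run switch so the matched titles can be reviewed before anything is declined. The function body, the local-server connection, the `$dryRun` variable and the choice of cleanup switches are assumptions.

```powershell
#Requires -Modules UpdateServices
# Added example; run on the WSUS server itself in an elevated session.

function SearchAndDecline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Pattern,
        # Assumption: the local WSUS server with its default connection settings.
        $Server = (Get-WsusServer)
    )
    # The server-side search may match text outside the title, so keep only
    # updates whose Title contains the literal pattern and that are still active.
    $hits = @($Server.SearchUpdates($Pattern) | Where-Object {
        -not $_.IsDeclined -and
        $_.Title.IndexOf($Pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0
    })
    foreach ($update in $hits) {
        # With -WhatIf this only prints the title; without it the update is declined.
        if ($PSCmdlet.ShouldProcess($update.Title, 'Decline')) {
            $update.Decline()
        }
    }
    Write-Host ("{0}: {1} update(s) matched" -f $Pattern, $hits.Count)
}

# Set to $false only after the dry-run output has been reviewed.
$dryRun = $true

# Title fragments taken from the post; Microsoft names the same platform in
# more than one way, so each variant is listed separately.
$patterns = @(
    'ARM64-based Systems', 'ARM64', 'Itanium', 'IA64',
    'Windows 10 Version 1507', 'Windows 10 Version 1511',
    'Windows 10 Version 1607', 'Windows 10 Version 1703',
    'Windows 10 (uživatelské edice)', 'Windows 10 (consumer editions)'
)
foreach ($p in $patterns) {
    SearchAndDecline -Pattern $p -WhatIf:$dryRun
}

# Steps 4 and 5 of the post, done here with the built-in cleanup cmdlet:
# decline superseded/expired updates, then remove obsolete updates and files.
Invoke-WsusServerCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -WhatIf:$dryRun
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CleanupUnneededContentFiles -WhatIf:$dryRun
```

A declined update is no longer offered to clients, so a pattern that is too broad silently withholds patches; the dry run is the place to catch that before scheduling the script daily.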