Setting up branch office WSUS

Jimmy2521 1 Reputation point


I'm wanting to set up a secondary WSUS server where it will download updates directly from the internet, but settings and management of WSUS are done within the primary WSUS in the datacenter. I've set up the secondary WSUS and configured it as per below:

Under "update source and proxy server"

  • point the server name to the primary WSUS in the datacenter using default port 8530
  • other options are "unticked"

Under "update files and languages"

  • download update files to this server only when updates are approved is "ticked" (by default)
  • download files from Microsoft Update, do not download from upstream server is "ticked"

When I browse to products and classifications I can see that this is greyed out with a message saying "This server is configured to synchronize from an upstream Windows Server Update Services server", which looks promising. However, when I look at the updates it's telling me that thousands of updates need to be approved. I was hoping that the approvals would have come from the primary WSUS server and nothing needs to be done on the secondary WSUS server.

Also, is it correct to say that I would need to manually add computer groups on the secondary WSUS server? The other obvious part is that I would need to configure GPO for computers to point to the secondary WSUS so they all receive updates from it.

Anything else I've missed please kindly suggest.

Thanks in advance. James.

Windows Server

3 answers

  1. Adam J. Marshall 7,961 Reputation points MVP

    You either choose a Downstream Replica, or a Downstream Autonomous server. A replica means that all updates, classifications, approvals, etc are all managed from 1 location. An autonomous grabs all products and classifications and updates from the upstream server, however allows individual management of approvals at this level.

    The option to store files locally or download from Microsoft is separate and are radial dots - you can only do 1 or the other. If you select the option to not store updates locally and download from Microsoft, the updates are NOT stored on the WSUS server and each computer will download the updates from Microsoft. If you keep the default option for storing updates locally, the updates will come from the Upstream server.

    If you're using a replica system, ensure that 'Reporting Rollup' is enabled. If you are using an Autonomous server, it's up to you whether you want to allow it to rollup reporting or not.


  2. Jimmy2521 1 Reputation point

    Sounds like I need to be using downstream replica server. How do I set it up so that the replica server downloads updates directly from the internet instead of getting them from an upstream server?


  3. Rita Hu -MSFT 9,516 Reputation points

    Hi James,

    Thanks for your posting on the Q&A.

    I just want to explain the following information for you first:

    In order to approve updates on the downstream WSUS, there are two files for us to obtain. One update file is the metadata, which is shown in the WSUS console. The other file is the binary update file, which will be downloaded to the wsuscontent folder.

    If you want to build a downstream WSUS server which connects to the upstream WSUS to get the metadata, it will work. We could configure it as in the following picture on the downstream WSUS:

    If there are any updates about this issue, please inform me.



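The setup discussed in this thread (a downstream replica that takes metadata and approvals from the primary WSUS but pulls update files from Microsoft Update), as an added PowerShell example that is not from any of the posts above. It uses the `UpdateServices` module and the `IUpdateServerConfiguration` properties of the WSUS administration API; the function name `Set-BranchWsusReplica` and the host name in the usage comment are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules UpdateServices
# Run on the branch (downstream) WSUS server.

function Set-BranchWsusReplica {          # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$UpstreamServer,          # primary WSUS in the datacenter
        [int]$Port = 8530,                # port from the question (HTTP); 8531 is the WSUS default for HTTPS
        [switch]$UseSsl                   # set together with the HTTPS port if the upstream is bound to TLS
    )

    $wsus = Get-WsusServer                # local WSUS instance
    $cfg  = $wsus.GetConfiguration()

    # Metadata and approvals: synchronize from the upstream server as a replica,
    # so approvals are managed only on the primary.
    $cfg.SyncFromMicrosoftUpdate      = $false
    $cfg.UpstreamWsusServerName       = $UpstreamServer
    $cfg.UpstreamWsusServerPortNumber = $Port
    $cfg.UpstreamWsusServerUseSsl     = [bool]$UseSsl
    $cfg.IsReplicaServer              = $true

    # Update files: keep them on this server, but fetch them from Microsoft Update
    # instead of pulling them across the link from the upstream server.
    $cfg.HostBinariesOnMicrosoftUpdate  = $false   # $true would send every client to Microsoft directly
    $cfg.GetContentFromMU               = $true
    $cfg.DownloadUpdateBinariesAsNeeded = $true    # download only once an update is approved

    if ($PSCmdlet.ShouldProcess($wsus.Name, "Configure as replica of ${UpstreamServer}:$Port")) {
        $cfg.Save()
        $wsus.GetSubscription().StartSynchronization()
    }

    # Read the settings back so the result can be checked or logged.
    $wsus.GetConfiguration() |
        Select-Object IsReplicaServer, SyncFromMicrosoftUpdate, UpstreamWsusServerName,
                      UpstreamWsusServerPortNumber, UpstreamWsusServerUseSsl,
                      GetContentFromMU, HostBinariesOnMicrosoftUpdate
}

# Constructed usage; the host name is a placeholder. -WhatIf previews without saving.
# Set-BranchWsusReplica -UpstreamServer 'wsus-primary.example.local' -WhatIf
```

After the first synchronization completes, the approvals shown in the branch console should match the primary; clients still need their Group Policy pointed at the branch server.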