You may try to create a VPN server and ask your users to connect to the VPN; this way they will get update access to the company's resources, and there shouldn't be any problem retrieving GPO and WSUS from the VPN.
The best way to manage a WFH scenario is through Windows Intune; you may explore that too, and it might be a better solution.
WSUS covid19 patching
Hi guys,
As we know, all the IT companies have been working from home for the past 9 months due to COVID.
All our client systems are connected to internal WSUS servers through GPOs to get Windows updates.
Now client systems don't have the connectivity to get updates through the internal WSUS servers.
So I have built a WSUS server in Azure with an SSL certificate, and I want to route all the WFH laptops to the Azure WSUS server to get the updates.
Now my question is: I need to write a GPO which needs to match the criteria below.
1. When the end user comes to the office, the laptop needs to connect to the internal WSUS server to get updates.
2. When the same end user is working from home, the laptop needs to get updates from the Azure WSUS server.
3. How does it work when you set up an alternate WSUS server by using GPO?
4. Which WSUS server should I keep as the primary WSUS server, Azure WSUS or internal WSUS, and why?
My thought is: I have not allowed port 8531 at the network-level firewall, so when the end user is in the office he won't get the updates from Azure WSUS.
Please provide your suggestions.
Note: End users have VPNs to connect to the domain controller.
Thanks,
Ram
-
Reza-Ameri 17,341 Reputation points Volunteer Moderator
2020-12-22T16:36:43.12+00:00
-
Rita Hu -MSFT 9,661 Reputation points
2020-12-23T08:20:42.877+00:00
Hi RamanjaneyuluButharaju-8253,
Thanks for your posting on Q&A.
In my opinion, the "Set the alternate download server" option in the "Specify intranet Microsoft update service location" policy is used for downloading updates. The option means that the clients can download updates from the alternate download server when the clients could not download updates from the WSUS Server. Here is the explanation of the option:
An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
Reference link:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurlalternate
In my opinion, we could not use the "Set the alternate download server" option to make the clients connect to the WSUS Server in Azure when the internal WSUS is disconnected. The WSUS Server could not achieve this feature right now.
I will try my best to deliver the information to the product team to see if they have some additional comments, but it is not guaranteed. Once there is a reply, I will get back to you at the first time. Thank you for your kind understanding.
Thanks for your time.
Regards,
Rita
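To see how the policy discussed in this thread is applied on a given laptop, the following read-only PowerShell check lists the server values set by the "Specify intranet Microsoft update service location" policy and tests whether each one uses HTTPS and is reachable from the current network. It is an added example, not part of any answer above; the function name Get-WsusPolicyReport and the role descriptions are this example's own, and it assumes the standard Windows Update policy registry key.

```powershell
# Added example (read-only): list the update servers configured by policy.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Get-WsusPolicyReport {
    param([string]$Path = $wuKey)

    $pol = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $pol) { Write-Warning "No Windows Update policy found at $Path"; return }

    # UseWUServer = 1 under the AU subkey is what makes the agent honour WUServer.
    $au = Get-ItemProperty -Path "$Path\AU" -ErrorAction SilentlyContinue
    if (-not $au -or $au.UseWUServer -ne 1) {
        Write-Warning 'UseWUServer is not 1: the intranet server values are ignored.'
    }

    # Role descriptions are this example's summary of what each value is used for.
    $roles = [ordered]@{
        WUServer                  = 'update detection (scan)'
        WUStatusServer            = 'status reporting'
        UpdateServiceUrlAlternate = 'content download only'
    }

    foreach ($name in $roles.Keys) {
        $value = $pol.$name
        $uri = $null
        $row = [ordered]@{ Setting = $name; Role = $roles[$name]; Url = $value; Https = $null; Reachable = $null }
        if ([string]::IsNullOrWhiteSpace($value)) {
            $row.Url = '(not set)'
        }
        elseif ([uri]::TryCreate($value, [UriKind]::Absolute, [ref]$uri)) {
            # Plain HTTP to a WSUS server leaves update metadata open to tampering in transit.
            $row.Https = ($uri.Scheme -eq 'https')
            $row.Reachable = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        else {
            $row.Url = "$value (not an absolute URL)"
        }
        [pscustomobject]$row
    }
}

Get-WsusPolicyReport | Format-Table -AutoSize
```

Run it once on the office network and once from home: the Reachable column shows which configured server the laptop can contact from each location, for example when port 8531 is blocked at the office firewall.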