Share via

WSUS approvals only distribtion?

Svetlomir Petrov 1 Reputation point
2020-08-26T13:42:57.617+00:00

Hello,

I have a question regarding a WSUS setup.

Is it possible for a WSUS server to have two upstream servers for two different purposes?

The idea is to have a WSUS (branch) instance which fetches the approval for updates from one source (internal),
but the actual content/updates from another one that is external (even the Internet).
Something like this.

WSUS (approvals)          WSUS (content)
    Internal             External/Public  
          |                    |
          |                    |
          |                    |
          >--------------------<

                     |
                    WSUS
                   branch
                     |
                     |
                  Targets

My humble research resulted in having the option "Do not update files locally; computers install from Microsoft Update" activated on the approval WSUS server.
And then have a GPO for the branch WSUS which points to the exact location. However, my concern is that this setting is for the actual targets but not for the downstream WSUS instance.

I would highly appreciate any help or possible solution on this topic!

Windows for business | Windows Server | User experience | Other
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Rita Hu -MSFT 9,666 Reputation points
    2020-09-07T03:11:45.717+00:00

    Hi SvetlomirPetrov-9368,

    Thanks for your response.

    Please allow me to explain here the relevant files about WSUS approving updates to clients.
    1. Metadata
    2. Binary update file

    The updates shown in the WSUS console are metadata. Here is a related picture about metadata for your reference:
    22869-1.png

    The Binary update file will be download after approving and it will store in the wsuscontent folder.
    22971-2.png

    In my opinion, if we check the option- Do not store update files locally; computer install from Microsoft Update, the downstream WSUS server will sync metadata and get the Binary update file from Microsoft Update in Autonomous mode.

    Regards,
    Rita

    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments
  2. Rita Hu -MSFT 9,666 Reputation points
    2020-08-27T03:06:42.617+00:00

    Hi SvetlomirPetrov-9368,

    Thanks for your posting on Q&A.

    What is the purpose of the above? In my opinion, a WSUS server could not have two upstream servers. But an upstream can have multiple downstream WSUS servers.

    And the option "Do not update files locally; computers install from Microsoft Update" are used for computers which means that the WSUS Server approves updates for the clients and the clients get updates from the Internet. The WSUS doesn't store updates locally.

    Reference picture:
    20776-1.png

    Regards,
    Rita

    If the response is helpful, please click "Accept Answer" and upvote it.

  3. Adam J. Marshall 10,696 Reputation points MVP
    2020-08-26T14:04:35.24+00:00

    I would venture to re-organize the flow. Single Upstream with full content, downstream replica in the DMZ, branch office either replica with storing updates or without storing updates and an alternative download server of the DMZ or not.

    Why are you looking for this flow?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.