Windows Updates for home network - is WSUS + regmod each PC the best way?

[Kalm_Traveler]

Now that I have my 'server' up and running with a 2016 Windows Server VM, got its file share sorted out, one feature I'd like to add to it if possible is acting as a download source for my home PCs to pull Windows updates from since there are 5 machines here running Windows 10 Pro and it seems like a waste of bandwidth for all 5 of them to download the same data separately through the ISP.

 

I've read that you can setup WSUS on a local server and with a quick registry edit on each PC point it to the server without needing to set up a domain (I don't want a domain since the PCs are not all mine).

 

Do you guys know of any other way this could be set up, or should I just do that?

[Snipergod87]

A steam cache server can do it AFAIK, and Windows will automatically share the updates over the network if allowed to.

I advise against WSUS for a small setup as the sheer amount of disk space it needs its tremendous, some patch tuesdays our work WSUS server would try and download 1.3TB of patches, no joke.

[paddy-stone]

Is using windows update advanced settings not good enough?

 

[Kalm_Traveler]

5 minutes ago, paddy-stone said:

Is using windows update advanced settings not good enough?

 

That doesn't address the goal - unless all 5 machines were on 24/7, it's very likely that say machine 1 gets some updates but is not on when machine 2 is fired up at another time, so machine 2 has to pull them from Microsoft, etc etc

 

My hope is that there's an ideal way to centralize Windows Updates so that the 5 normal machines here don't ever have to all pull the same update over the internet. Since this homelab server machine will be on 24/7, if it can somehow grab the updates and distribute them over my home network as needed that would be great.

[paddy-stone]

2 minutes ago, Kalm_Traveler1 said:

That doesn't address the goal - unless all 5 machines were on 24/7, it's very likely that say machine 1 gets some updates but is not on when machine 2 is fired up at another time, so machine 2 has to pull them from Microsoft, etc etc

 

My hope is that there's an ideal way to centralize Windows Updates so that the 5 normal machines here don't ever have to all pull the same update over the internet. Since this homelab server machine will be on 24/7, if it can somehow grab the updates and distribute them over my home network as needed that would be great.

Yeah, I see what you mean. Don't know if that's possible, I mean even the update server may not get the update before your machines do themselves... AFAIK it's a crapshoot as to when PCs actually get their updates from MS.

[paddy-stone]

Found this, it might be useful.

[leadeater]

Sure you can do this but unless your internet speed isn't that good or you have a data cap I don't see much point. The only real benefit in doing something like that is getting control over when and which updates you release for install to your computers.

[leadeater]

16 minutes ago, paddy-stone said:

Found this, it might be useful.

That's for SCCM which is a huge management product and costs a fair wack of money, nice to use though but really not for home use and better suited for managing hundreds to thousands of computers.

[leadeater]

31 minutes ago, paddy-stone said:

Yeah, I see what you mean. Don't know if that's possible, I mean even the update server may not get the update before your machines do themselves... AFAIK it's a crapshoot as to when PCs actually get their updates from MS.

If the computers are set to use a WSUS server they won't get updates from MS directly, that means you get to decide when, how and what updates get installed. You can still get updates direct from the internet but you have to manually go in to Settings and Updates and manually tell it to, it won't ever do it itself while configured to use a local WSUS server.

[Acedia]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]

"WUServer"="http://IPOfWsus:8530"

"WUStatusServer"="http://IPOfWsus:8530"

"TargetGroupEnabled"=dword:00000001

"TargetGroup"="Server Install"



[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 

"NoAutoUpdate"=dword:00000000

"AUOptions"=dword:00000004

"ScheduledInstallDay"=dword:00000000

"ScheduledInstallTime"=dword:00000003

"RescheduleWaitTime"=dword:00000001

"UseWUServer"=dword:00000001

"DetectionFrequencyEnabled"=dword:00000001

"DetectionFrequency"=dword:00000004

"AutoInstallMinorUpdates"=dword:00000001

 

[Kalm_Traveler]

31 minutes ago, leadeater said:

If the computers are set to use a WSUS server they won't get updates from MS directly, that means you get to decide when, how and what updates get installed. You can still get updates direct from the internet but you have to manually go in to Settings and Updates and manually tell it to, it won't ever do it itself while configured to use a local WSUS server.

Now that you mention it, that might actually be a really good thing - no more creators update deleting user files  nonsense if they won't automagically pull updates from Microsoft. 

 

Sounds like running WSUS on this homelab server and just manually applying that registry edit to all 5 computers is probably the way to go then - i'll just have to keep on top of making sure the WSUS server pulls things down semi-regularly. I think you can tell it what OS's and types of updates to pull though (was a jr sys admin for a few years, moved to security so I've forgotten a lot of that stuff).

 

Thanks everyone!

[Kalm_Traveler]

45 minutes ago, leadeater said:

Sure you can do this but unless your internet speed isn't that good or you have a data cap I don't see much point. The only real benefit in doing something like that is getting control over when and which updates you release for install to your computers.

Since you pointed out that with the regmod done, the machines will not auto-pull anything from Microsoft this kind of achieves 3 benefits to me... no more auto updates, and technically it will be faster to get all 5 updated pulling locally (I've only got 1gbit home network but that's still much faster than the machines usually pull from Microsoft even though the fiber internet is also 1gbit symmetric).

 

I think the data cap is 4tb per month, and I never have hit it but no reason to waste bandwidth I guess as well.

[leadeater]

1 hour ago, Kalm_Traveler1 said:

Since you pointed out that with the regmod done, the machines will not auto-pull anything from Microsoft this kind of achieves 3 benefits to me... no more auto updates, and technically it will be faster to get all 5 updated pulling locally (I've only got 1gbit home network but that's still much faster than the machines usually pull from Microsoft even though the fiber internet is also 1gbit symmetric).

 

I think the data cap is 4tb per month, and I never have hit it but no reason to waste bandwidth I guess as well.

There's a better way then using the reg keys. If you have something better than Windows Home you can use local GPO to set the WSUS server target as well as set how often you want the computers checking for updates from your WSUS server and when to install them etc.

 

You could setup WSUS to auto approval every update as they get released but set the GPO on each computer to only download them and never install them, then you manually update the computers when you want to.

 

See below, there's a lot of configuration you can set. These actually also apply to direct updates from Microsoft too, so you could still use direct from internet but disable auto install or choose when rather than random whenever the computer wants to.

 

GPEdit.msc

 

 

 

[Kalm_Traveler]

22 minutes ago, leadeater said:

There's a better way then using the reg keys. If you have something better than Windows Home you can use local GPO to set the WSUS server target as well as set how often you want the computers checking for updates from your WSUS server and when to install them etc.

 

You could setup WSUS to auto approval every update as they get released but set the GPO on each computer to only download them and never install them, then you manually update the computers when you want to.

 

See below, there's a lot of configuration you can set. These actually also apply to direct updates from Microsoft too, so you could still use direct from internet but disable auto install or choose when rather than random whenever the computer wants to.

 

GPEdit.msc

 

 

 

Perfect thank you! That will work as well - all 5 machines are running Windows 10 Pro so editing local group policy should be a great way to do this.

 

Don't suppose you have any good way to filter WSUS updates by platform? lol I picked the software I want and update categories but it keeps suggesting updates for ARM64-based OSs, and as far as the OS itself all 5 machines are 64bit so I don't want 32bit Windows 10 anything (OS-level I mean).

[leadeater]

2 hours ago, Kalm_Traveler1 said:

Don't suppose you have any good way to filter WSUS updates by platform? lol I picked the software I want and update categories but it keeps suggesting updates for ARM64-based OSs, and as far as the OS itself all 5 machines are 64bit so I don't want 32bit Windows 10 anything (OS-level I mean).

Not really, you'd have to use PowerShell to approve updates and add in filters to exclude things like ARM64 and IA64 etc. Can be done but it's whether or not you want to spend the time creating the PowerShell script to do it.

[vrod]

WSUS is a bit of work for such small network. It would probably be easier to just get a http proxy like squid which could cache the contents.

[Kalm_Traveler]

7 hours ago, vrod said:

WSUS is a bit of work for such small network. It would probably be easier to just get a http proxy like squid which could cache the contents.

Thank you, I'll look into squid. Just got WSUS set up I think how I want it last night but if it ends up being more work I'll definitely consider a switch! 

[Mikensan]

WSUS is a nightmare and damn near full time job. It's super old and prone to corruption.

 

Server 2016 is windows 10 with lipstick and more services, so a lot of updates are actually shared. Your Windows 10 boxes, if on the same subnet, should in theory pull a good portion of updates from your 2016 box. 

 

If that's not enough then enable Hyper-V and install Windows 10 on a VM and run that 24/7.

 

If you're really dead-set on self torture, look at this guy's post on wsus. It's a really good idea to maintane WSUS.

https://gal.vin/2018/04/19/wsus-windows-server-core-walkthrough/

 

Not a bad read either:

https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

[Kalm_Traveler]

26 minutes ago, Mikensan said:

WSUS is a nightmare and damn near full time job. It's super old and prone to corruption.

 

Server 2016 is windows 10 with lipstick and more services, so a lot of updates are actually shared. Your Windows 10 boxes, if on the same subnet, should in theory pull a good portion of updates from your 2016 box. 

 

If that's not enough then enable Hyper-V and install Windows 10 on a VM and run that 24/7.

 

If you're really dead-set on self torture, look at this guy's post on wsus. It's a really good idea to maintane WSUS.

https://gal.vin/2018/04/19/wsus-windows-server-core-walkthrough/

 

Not a bad read either:

https://blogs.technet.microsoft.com/configurationmgr/2016/01/26/the-complete-guide-to-microsoft-wsus-and-configuration-manager-sup-maintenance/

haha thank you for those! I'm not quite ready to jump to Core as my PowerShell-fu is very lacking but that'd be a fun one I bet.

 

So far this 2016 Datacenter setup seems fine, it's not using much of the resources provisioned in ESXi and I'd be surprised if it ever does given the size of my home network but I'll definitely keep your suggestions in mind if maintaining WSUS ends up feeling like a chore. Worst case I can just do like you said and leave a barebones Windows 10 VM on 24/7 for update distribution.

[Mikensan]

4 minutes ago, Kalm_Traveler1 said:

haha thank you for those! I'm not quite ready to jump to Core as my PowerShell-fu is very lacking but that'd be a fun one I bet.

 

So far this 2016 Datacenter setup seems fine, it's not using much of the resources provisioned in ESXi and I'd be surprised if it ever does given the size of my home network but I'll definitely keep your suggestions in mind if maintaining WSUS ends up feeling like a chore. Worst case I can just do like you said and leave a barebones Windows 10 VM on 24/7 for update distribution.

You don't have to use core, it still applies to the desktop-experience version. The link to his script may be all you need, but a good read. Always good to have options

 

On your other question about filtering out ARM64 etc... - WSUS should only download what you approve, and when previewing pending updates you can filter by "needed" which should show only requested updates from clients. It doesn't just auto-download everything under the sun thankfully. There was an issue with I believe 1607 and WSUS which required a manual patch, if you're already above that then don't worry about it, 1803+ should be fine.

[soulreaper11207]

Could just use wsus offline.