locked
Throttle WSUS RRS feed

  • Question

  • Hello,

    Our WSUS server downloaded many updates last night and is pushing them out this morning (auto approve) and some WAN links are slow, how can I limit how many PC it updates or can I throttle this some how?

    Thanks

    Wednesday, September 13, 2017 8:42 AM

All replies

  • Or is there a method where users can get their updates direct from Microsoft should they not be on the corp network?

    Or I see we can use something called Branch office?  I think workstations can get their updates from other workstations on that same local network?

    I guess we could use QoS to the link doesn't get max'd out too.

    Wednesday, September 13, 2017 11:29 AM
  • There is a couple of options you may consider:

    1. You can limit maximum bandwidth that BITS can use on WSUS server. See Network\Background Intelligent Transfer policy in GPO.

    2. Use group policy to decrease update detection frequency (increase interval between checks) on clients. Windows update client randomizes check for updates within 20% window of specified interval. So if you increase interval from 1 hour to 40 hours then the update check window will increase from 12 minutes to 8 hours

    3. use traffic shaping / prioritization capabilities in your network to throttle down traffic to/from update server.

    4. take a look at branch cache feature, it can help to offload wsus


    Gleb.

    Wednesday, September 13, 2017 11:59 AM
  • Hi Nedim,

    I'm applied that BITS GPO now for 800kbs each way for 7am-7pm so will see how it does.

    Most offices have 20/20mbps links and today 2 windows 10 user managed to bring the line to a halt as they need around 1GB each.

    Wednesday, September 13, 2017 1:40 PM
  • Option 1 and 2 applied now, hopefully that will help.  The update detection was set to 1 hour, so I changed this to 8.

    For the BITS I've set the transfer to 800kbps.

    I guess I can increase or lower this should there be more issues, not easy to test until more updates are released.

    Wednesday, September 13, 2017 2:21 PM
  • Can I get the users to download updates when they are at home too?  At the moment they have to get to our internal wsus 2016 server.
    Thursday, September 14, 2017 10:39 AM
  • Is this server built in just the same way as the Internal one?

    I found this article I guess it applies to 2016?

    http://www.vkernel.ro/blog/configuring-and-managing-wsus-downstream-replica-servers

    As it will be in the DMZ can it be a member server?

    Thanks


    • Edited by TB303 Thursday, September 14, 2017 2:10 PM
    Thursday, September 14, 2017 2:03 PM
  • Hello,

    Does the downstream server in the DMZ need to be on the domain?

    Friday, September 15, 2017 9:50 AM
  • I have a 2nd server in the DMZ now:

    1. Should it be on the domain or just a member server
    2. How would the PC know whether to use the server in the DMZ or not and get the approved updates from MS?

    Thanks

    Friday, September 15, 2017 10:20 AM
  • Hello,

    Domain membership is not a requirement for an upstream/downstream server relationship. 

    You should point your PC to the downstream WSUS server, so they can get updates from that server. 

    Regards,

    Yan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Yan Li_ Wednesday, September 27, 2017 8:46 AM
    Tuesday, September 19, 2017 8:00 AM