To optimize speed and bandwidth utilization, we would like laptops to pull updates from our local WSUS content store when they are brought into the office and are connected to the LAN. When
the same laptops are taken offsite we would like those laptops to download updates from Microsoft Update servers on the Internet.
We don't want laptops on the Internet having to pull updates from our internal WSUS and we don't want laptops on the LAN pulling updates from Microsoft.
What's the best way to do this reliably?
What about setting the Group Policy that configures Windows Update location at the site level instead of at the OU level and then setting the VPN network on a different AD site? That way when the laptop connects to VPN and refreshes group policy, the
Windows Update policy would point to downloading from Microsoft, and when the same laptop is brought on the corporate LAN, the group policy would change to the internal WSUS server.
This seems like it could possibly work, but I see some problems because the policy update change may not be timely.
What if the laptop is on the LAN set to check approvals and download updates from our Internal WSUS, but is then taken offsite and used on the Internet, but not connected to VPN? In that case it would still be configured for WSUS and because it never
received a group policy change, it would keep trying and failing to check in to the configured WSUS server and would never update again until it connected to VPN or was brought into the office again.
Is there some way to handle this situation, such as some kind of location-aware reconfiguration or configuring an automatic failover to get updates from Microsoft when WSUS is not available? We do this with our antivirus. When the system is able to
contact our internal AV management server, it pulls definition updates from there, and if it cannot reach it, it pulls the updates from the antivirus vendor's site over the Internet.
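The "automatic failover" idea in the question can be approximated with a small script run as a scheduled task: probe the internal WSUS server, and flip the Windows Update policy registry values between WSUS and Microsoft Update depending on whether it answered. This is an added example, not code from the original post; the WSUS hostname, port and log path are assumptions, and it relies on the documented policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer, AU\UseWUServer). The important caveat is that if those same values are also delivered by a GPO, the next policy refresh will overwrite whatever the script set, so the GPO must not enforce them for these laptops.

```powershell
# Added example (not from the original post): location-aware WSUS / Microsoft Update switch.
# Assumptions: WSUS listens on wsus.corp.example:8530 (HTTP); log file path is arbitrary.
# Run from a scheduled task as SYSTEM, e.g. on the NetworkProfile/Operational event 10000
# (network connected) and on a daily schedule. Requires PowerShell 3.0 or later.

$WsusHost  = 'wsus.corp.example'                       # assumed internal WSUS server
$WsusPort  = 8530                                      # assumed WSUS HTTP port (8531 for HTTPS)
$WsusUrl   = "http://${WsusHost}:${WsusPort}"
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'
$LogFile   = 'C:\ProgramData\WsusSwitch.log'          # assumed log location

function Write-Log {
    param([string]$Message)
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

function Test-WsusReachable {
    # TCP connect with a short timeout; a DNS failure or closed port counts as "unreachable".
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-CurrentUpdateSource {
    # UseWUServer=1 means the client talks to WSUS; absent or 0 means Microsoft Update.
    $value = (Get-ItemProperty -Path $AuKey -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
    if ($value -eq 1) { return 'WSUS' } else { return 'MicrosoftUpdate' }
}

function Set-UpdateSource {
    param([ValidateSet('WSUS', 'MicrosoftUpdate')][string]$Source)
    if (-not (Test-Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    if ($Source -eq 'WSUS') {
        Set-ItemProperty -Path $PolicyKey -Name WUServer       -Value $WsusUrl -Type String
        Set-ItemProperty -Path $PolicyKey -Name WUStatusServer -Value $WsusUrl -Type String
        Set-ItemProperty -Path $AuKey     -Name UseWUServer    -Value 1        -Type DWord
    } else {
        # Leaving WUServer in place is harmless; UseWUServer=0 is what disables it.
        Set-ItemProperty -Path $AuKey -Name UseWUServer -Value 0 -Type DWord
    }
    # The Windows Update Agent reads these values at start, so bounce the service.
    Restart-Service -Name wuauserv -Force
}

$wanted  = if (Test-WsusReachable -ComputerName $WsusHost -Port $WsusPort) { 'WSUS' } else { 'MicrosoftUpdate' }
$current = Get-CurrentUpdateSource

if ($wanted -ne $current) {
    Set-UpdateSource -Source $wanted
    Write-Log "Switched update source from $current to $wanted"
} else {
    Write-Log "Update source already $wanted; no change"
}
```

The probe is a plain TCP connect rather than a full HTTP request so that a laptop on a hotel network with a captive portal does not get a false "reachable" from an HTTP redirect; if the WSUS port is reachable through the VPN, the script will correctly pick WSUS there too. Because the script only restarts wuauserv when the value actually changes, it is safe to trigger frequently. If you would rather keep the source under Group Policy control, the AD-site approach in the question still has the offline gap described above, since no policy refresh happens while the laptop is off the corporate network.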