To the Microsoft wizards - WSUS options?

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
We are not really a Microsoft shop (everything is Linux / Mac) and only our back-office staff and call-centre are using Windows (mostly Windows 10 and a few Windows 7/8).

Can someone explain the most economical option to use WSUS? It is my understanding that although we have Windows client version licenses (OEM licenses as part of the computer/laptop purchases), in order to use WSUS we require at least Windows Server Standard 2012 R2 (for about 13K) and then for each user a Windows Server CAL license (for 60 users comes to another 33K).

Is this really the most cost-efficient option (i.e. a once-off 50K cost to run cached/in-house update service) or does anyone have any other options? (In contrast - keeping all our OS X and iOS devices up-to-date we use a 7K macMini with a once-off USD29 OS X server license to use OS X caching server).

The main purpose of WSUS in-house is to reduce bandwidth usage and be able to not flood outbound traffic (although we have QoS in place, I find it a complete waste of time/bandwidth when 60 PCs download the same thing).
 

Cray

Honorary Master
Joined
Oct 11, 2010
Messages
34,549
From my understanding, yes, you would need a Server CAL for each user.

Older topic but unless the licensing has changed dramatically...

https://social.technet.microsoft.com/Forums/windowsserver/en-US/82046da9-19ab-4e27-b855-e7c8cfea10a5/wsus-and-cal-licenses?forum=winserverwsus

Every client system in a Windows environment is required to have a Windows Server Client Access License (CAL).

The question is really answered by whether this is the first Windows Server in your environment. If not, then it's likely that somewhere along the way your IT Management has already purchased the necessary Windows CALs in order to allow your desktop systems to access servers in the data center.

However, if this is your first Windows Server, then YES, you will need to acquire 800 Client Access Licenses in order to access the Windows Server 2008 =system=. (Strictly speaking, WSUS does not require any licensing at all; it is the Server OS that requires the CALs.)
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
From my understanding, yes, you would need a Server CAL for each user.

Older topic but unless the licensing has changed dramatically...

https://social.technet.microsoft.com/Forums/windowsserver/en-US/82046da9-19ab-4e27-b855-e7c8cfea10a5/wsus-and-cal-licenses?forum=winserverwsus

Thanks - I am hoping that someone with a MS hat will be able to clarify. At the moment it's just resellers who obviously want to sell us all sorts of stuff which I don't think is necessary (initially it started with the "What? You don't have Active Directory or Exchange?").
 

bekdik

Honorary Master
Joined
Dec 5, 2004
Messages
12,860
A Windows 10 PC can share its updates with other machines on the network.
 

Cray

Honorary Master
Joined
Oct 11, 2010
Messages
34,549
Thanks - I am hoping that someone with a MS hat will be able to clarify. At the moment it's just resellers who obviously want to sell us all sorts of stuff which I don't think is necessary (initially it started with the "What? You don't have Active Directory or Exchange?").

LOL - I can imagine that conversation. It does seem counterintuitive to charge for CALs just for WSUS, but then I guess once you have the Windows Server you could use it for other "server" type stuff too. :p

Is it not possible to set up a free Linux proxy that will cache the update files, that way you would only have one machine actually pulling the update files down?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Thanks - some good suggestions. We know about the off-line installers, but WPKG is perhaps something more tangible (i.e. push updates to the client).

The Squid part I tried in my home-network about a year ago and I could never get it to work reliably. I will see if perhaps we cannot use the MacMini then as a glorified caching server....
 

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
20,434
We are not really a Microsoft shop (everything is Linux / Mac) and only our back-office staff and call-centre are using Windows (mostly Windows 10 and a few Windows 7/8).

Can someone explain the most economical option to use WSUS? It is my understanding that although we have Windows client version licenses (OEM licenses as part of the computer/laptop purchases), in order to use WSUS we require at least Windows Server Standard 2012 R2 (for about 13K) and then for each user a Windows Server CAL license (for 60 users comes to another 33K).

Is this really the most cost-efficient option (i.e. a once-off 50K cost to run cached/in-house update service) or does anyone have any other options? (In contrast - keeping all our OS X and iOS devices up-to-date we use a 7K macMini with a once-off USD29 OS X server license to use OS X caching server).

The main purpose of WSUS in-house is to reduce bandwidth usage and be able to not flood outbound traffic (although we have QoS in place, I find it a complete waste of time/bandwidth when 60 PCs download the same thing).

You guys sound like you have lots of cash, why not get a decent fibre link? Updates will be done fast.
 

gregmcc

Honorary Master
Joined
Jun 29, 2006
Messages
25,514
Best option would be a Squid caching server. If you don't already have one you will also save yourself a fortune in bandwidth and be able to pull some decent reports of who is abusing the internet.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
You guys sound like you have lots of cash, why not get a decent fibre link? Updates will be done fast.

It's not about the time it takes to download as we can control this with links and QoS. It is just completely unnecessary to break out to the internet for the same thing again and again. And yes, if I can go OpenSource over a commercial option, I would follow it just out of principle.
 

Rickster

EVGA Fanatic
Joined
Jul 31, 2012
Messages
20,434
It's not about the time it takes to download as we can control this with links and QoS. It is just completely unnecessary to break out to the internet for the same thing again and again. And yes, if I can go OpenSource over a commercial option, I would follow it just out of principle.

I'd hate to say this but would you consider selling the Windows PCs and replacing them with Apple or Linux?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
I'd hate to say this but would you consider selling the Windows PCs and replacing them with Apple or Linux?

It would be tough. We tried Linux before and users really struggled - this was not just in our environment - we did similar projects at some large financial organisations and Linux desktop did not make a breakthrough (I don't think either SBSA or FNB went down that path despite some heavy Novell involvement at the time). Apple devices are generally too expensive for administrative staff (i.e. a 5-6K Windows laptop vs a 10-14K Mac).

We will probably look at WPKG or Squid running off the mini (we already have Sonicwalls and other network kit for doing QoS/firewall etc in the office network, so there might then be other constraints on what we could achieve with Squid).

Since I am always of the "stay mean and lean" principle I prefer to go with minimalist solutions and obviously OSS - that has been one of the core aspects for anything we build and deploy, so this should be no different. (Yes, I could be disinterested and just throw a 50-60K Windows installation against the problem, but I would want to try other avenues first).
 

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
44,236
+100 why muck about something else? Upgrade the few with 7/8/8.1 to 10 and be done with it.

It will also share outbound so your upload speed will take a hit. That setting does LAN and Internet.

Can't you use Samba as a domain controller of sorts and configure mirror updates?
 

sajunky

Honorary Master
Joined
Nov 1, 2010
Messages
13,124
You need a caching proxy on the LAN, but if you think you can cache software updates, you are wrong when clients use secure connections to the server.

I didn't speak about Windows 10 yet, as I don't know what kind of connection the Windows client makes to the Microsoft servers, but the discussion is stirring in this direction, so let's say a word. So far I haven't seen reports on how efficient the options for sharing updates over the LAN (as suggested above) are, but it is irrelevant, as such solutions are appropriate for a workgroup environment, not when you use an MS server. Microsoft will perhaps suggest deploying a central software depository, which definitely solves the problem of having multiple clients downloading the same updates. I'd only like to point out that you should also disable automatic updates on every client by group policy editing and (perhaps) restrict users from running/installing programs and restrict functions which require administrative rights. Automatic updates can render a user's machine non-responsive for a couple of hours, causing productivity losses. The system administrator should decide which programs or software updates must be deployed and when.
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
FWIW - there is a solution which allows you to run WSUS without the CAL impact. This is based on a leased server with on-premise install for the purpose of just WSUS. No requirement for ActiveDirectory and the only requirement is to adjust PC's registry to point to the office WSUS (normally AD would do this automatically). The cost is <R1000/pm (so a fraction of what a regular server + CALs would cost).
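
The registry change mentioned in the post above, for clients that have no Active Directory to push it, as an added example that is not from the thread or from the vendor of the leased server. The WSUS host name is a placeholder; the registry value names are the standard Windows Update policy values.

```powershell
# Added example: point a workgroup (non-AD) Windows client at an in-house WSUS server.
# $WsusUrl is a placeholder host; run from an elevated PowerShell prompt.
param(
    [string]$WsusUrl = 'https://wsus.office.example:8531',  # 8531 = default WSUS TLS port
    [switch]$AuditOnly                                        # report only, change nothing
)

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = Join-Path $wu 'AU'

function Get-WsusClientConfig {
    # Missing keys simply yield empty properties.
    $p = Get-ItemProperty -Path $wu -ErrorAction SilentlyContinue
    $a = Get-ItemProperty -Path $au -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer       = $p.WUServer
        WUStatusServer = $p.WUStatusServer
        UseWUServer    = $a.UseWUServer
        AUOptions      = $a.AUOptions
    }
}

if (-not $AuditOnly) {
    # Refuse a cleartext endpoint: the client should authenticate the update server.
    if ($WsusUrl -notmatch '^https://') { throw "Refusing non-HTTPS WSUS URL: $WsusUrl" }

    # Create the policy keys only if absent, so existing values are not wiped.
    if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

    Set-ItemProperty -Path $wu -Name WUServer       -Value $WsusUrl -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer -Value $WsusUrl -Type String
    Set-ItemProperty -Path $au -Name UseWUServer    -Value 1 -Type DWord
    # 3 = download automatically, notify before install (the admin decides when).
    Set-ItemProperty -Path $au -Name AUOptions      -Value 3 -Type DWord

    Restart-Service -Name wuauserv   # make the Windows Update service re-read the policy
}

# Verification pass: the same checks work for auditing already-configured machines.
$cfg = Get-WsusClientConfig
$cfg | Format-List
if ($cfg.UseWUServer -ne 1) {
    Write-Warning 'Client is not using WSUS (UseWUServer is not 1).'
}
if ($cfg.WUServer -like 'http://*') {
    Write-Warning 'WUServer is plain HTTP; switch the client to the server TLS endpoint.'
}
```

The HTTPS endpoint only works if the WSUS server has a certificate the clients trust, which on non-domain PCs means importing the issuing CA into each machine's trusted root store.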
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479

I tried the Win10 sharing - all our Win10 PCs have the option enabled and are patched to the latest version. I then spun up a VMware image with updates missing and did a Wireshark and all updates come down via external connection although those updates are recent and should have been cached on at least some of the 50-odd PCs. I think the peer-to-peer updates/sharing is just too unpredictable.
 