Save Bandwidth: Use Penn State’s WSUS Server for Windows Updates
At the last SACITS meeting, someone brought up an interesting idea for saving commodity internet bandwidth in the residence halls. Because ResCom counts all internet traffic outside of Penn State against a student’s bandwidth limit, any Windows Updates also get counted against this limit. The reality is that there doesn’t seem to be any way to exclude the Windows Updates website from counting against bandwidth limits. This is where the Windows Server Update Service (WSUS) may be able to fix the problem. WSUS allows client computers to download updates from a server on the LAN instead of windowsupdate.microsoft.com. If a WSUS server were placed on the Penn State network for students living in the residence halls to use, it would allow them to download Windows Updates without facing the possibility of bandwidth penalties.
WSUS has a lot of great features that System Administrators can take advantage of. More information on it is available at this address: http://technet.microsoft.com/en-us/wsus/default.aspx
One of the interesting outcomes of the SACITS meetings was that ITS has already looked at providing this service to users. In fact, the service is already being offered: http://aset.its.psu.edu/docs/windows/windows_sus . So why isn’t it advertised to students? The answer at the meeting seemed to be that there wasn’t an easy, foolproof way for students to configure their machine to use the Penn State WSUS server. Additionally, there wasn’t an easy way to set the update configuration such that when students took their machines off the Penn State network, the configuration would automatically revert back to Microsoft’s servers. I disagree.
In fact, I’m pretty sure that all of this can be configured easily using a few registry tweaks and a batch file, maybe two.
IMPORTANT: I haven’t confirmed that all of this works flawlessly yet, mainly because I don’t live in a residence hall. If you try it and run into problems, please post them in the comments. This will only work in Windows XP/Vista.
DISCLAIMER: How to Break Your Computer
It’s no secret that improperly making changes to the system registry can really mess things up on your computer. While making registry changes is normally straightforward, it isn’t foolproof. However, a small application or batch file can be written that helps automate the registry changes that need to be done to configure WSUS. An example is below. If you decide to make any changes manually, please do so at your own risk.
Also, if you decide to use any text or files from this article, please do so at your own risk. I take no responsibility for any problems you encounter with this information. By using the batch files on this page, you agree that I hold no responsibility for unintentional damage caused. You also agree that I am not obligated to provide technical support regarding this article or any files included in it. Sorry, had to get that out there.
We Don’t Need No GPO
For system administrators who manage computers through an Active Directory environment, configuring clients to use a WSUS server involves creating a fairly simple Group Policy Object (GPO). However, users in the residence halls aren’t joined to a domain, for better or worse. Fortunately, machines can still be manually configured to use a WSUS server by modifying the registry: http://technet2.microsoft.com/windowsserver/en/library/75ee9da8-0ffd-400c-b722-aeafdb68ceb31033.mspx?mfr=true. Once the needed registry settings are applied, the Automatic Updates service needs to be restarted.
The Building Blocks
For this task, writing a small batch file is quicker (but also dirtier) than writing an actual program. We can use commands that are readily available in DOS to make changes to the registry. The REG ADD command makes adding/updating registry entries easily scriptable.
NET STOP wuauserv
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v ElevateNonAdmins /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v TargetGroupEnabled /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://windowsupdate.aset.psu.edu /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://windowsupdate.aset.psu.edu /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
NET START wuauserv
The last REG ADD command adds (or updates) the UseWUServer value. When this value is set to 1, the Automatic Updates service should use WSUS servers (if they have been specified). When set to 0, Microsoft Windows Update servers should be used. Finally, for the configuration to take effect, the Automatic Updates service (wuauserv) needs to be restarted using the NET STOP and NET START commands as shown above. The above code would be great if we wanted to always use the Penn State WSUS server. However, we want to use Microsoft’s servers when we aren’t on campus. Also, Penn State may decide to block internet traffic from using the WSUS server in the future. This could potentially lead to a lot of missed updates. Alright, this makes it a bit more complicated.
A Bit More Thorough
The above commands are probably the easiest way to do a one-time configuration of WSUS. However, if we want a “set it and forget it” approach that uses Windows Update when off-campus, things need to be a bit more advanced. The plan: write a batch file that will “install” a scheduled task that checks to see if we’re in or out of the Penn State network. This one batch file should take care of installation and configuration:
Note: to use the code below, copy it and then paste it into a blank Notepad file. Save the file with a .BAT extension (ex: PSUWSUS.BAT). Then, browse to the file and double-click it.
@ECHO OFF
ECHO WSUS Config Check Installer
REM Generate the on/off-campus check script one line at a time.
REM Doubled percent signs become single ones in the generated file.
ECHO Creating batch file in C:\WSUSCHECK.BAT
ECHO ping udrive.win.psu.edu > C:\WSUSCHECK.BAT
ECHO IF %%ERRORLEVEL%% NEQ 0 GOTO OFFCAMPUS >> C:\WSUSCHECK.BAT
ECHO IF %%ERRORLEVEL%% EQU 0 GOTO ONCAMPUS >> C:\WSUSCHECK.BAT
ECHO. >> C:\WSUSCHECK.BAT
ECHO :OFFCAMPUS >> C:\WSUSCHECK.BAT
ECHO NET STOP wuauserv >> C:\WSUSCHECK.BAT
ECHO REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 0 /f >> C:\WSUSCHECK.BAT
ECHO NET START wuauserv >> C:\WSUSCHECK.BAT
ECHO GOTO END >> C:\WSUSCHECK.BAT
ECHO. >> C:\WSUSCHECK.BAT
ECHO :ONCAMPUS >> C:\WSUSCHECK.BAT
ECHO NET STOP wuauserv >> C:\WSUSCHECK.BAT
ECHO REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f >> C:\WSUSCHECK.BAT
ECHO NET START wuauserv >> C:\WSUSCHECK.BAT
ECHO GOTO END >> C:\WSUSCHECK.BAT
ECHO :END >> C:\WSUSCHECK.BAT
REM Run the generated check every 8 hours under the SYSTEM account.
ECHO Creating a Scheduled Task...
schtasks /create /tn WSUSCheck /tr c:\WSUSCHECK.BAT /sc hourly /mo 8 /ru SYSTEM
REM Point Automatic Updates at the Penn State WSUS server and restart the service.
ECHO Applying WSUS Settings...
NET STOP wuauserv
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v ElevateNonAdmins /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v TargetGroupEnabled /t REG_DWORD /d 0 /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer /t REG_SZ /d http://windowsupdate.aset.psu.edu /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUStatusServer /t REG_SZ /d http://windowsupdate.aset.psu.edu /f
REG ADD HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer /t REG_DWORD /d 1 /f
NET START wuauserv
ECHO Installation Complete. Please look through the script for errors and report them if necessary.
pause
To summarize, this script outputs text to C:\WSUSCHECK.BAT. This text, when executed, is what actually checks to see if the machine is on campus or off campus. The check is done by pinging udrive.win.psu.edu. This server uses a private, non-routable IP address that should only respond to ping when the machine is connected to the Penn State network. The script adds the Penn State WSUS server to the registry and creates a scheduled task that runs C:\WSUSCHECK.BAT every 8 hours.
A Few Notes
There is one caveat to this batch file: if for some reason ‘udrive.win.psu.edu’ stops responding to ping requests, the batch file will always think that it is off the Penn State network. This is not the perfect solution but instead a working example of how one might approach the problem. If you have a better method, please post it in the comments. Ping was just the first thing to come to mind.
Another thing I don’t like about this batch file is that it restarts the Automatic Updates service every 8 hours regardless of whether or not settings are modified. I debated trying to make the batch file smarter by checking whether the UseWUServer value is actually being set to a different value and then restarting the service only if it is. However, I couldn’t find any reason why restarting the Automatic Updates service periodically would be a bad thing. Feel free to convince me otherwise in case I missed something.
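The "smarter" check described above, as an added example that is not part of the original script: it reads the current UseWUServer value with REG QUERY and restarts the Automatic Updates service only when the value has to change. Looking for "TTL=" in the ping output is an assumption of this example, used because ping can exit with 0 after a "Destination host unreachable" reply from a gateway.

```batch
@ECHO OFF
REM Added example, not the article's script. Host and registry key come from the article.
SETLOCAL
SET AUKEY=HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

REM Desired value: 1 (use WSUS) only if the campus-only host really answers.
REM Any failure leaves WANT at 0, so the machine falls back to Microsoft's servers.
SET WANT=0
ping -n 2 udrive.win.psu.edu | find "TTL=" >NUL
IF NOT ERRORLEVEL 1 SET WANT=1

REM Current value: REG QUERY prints a line such as "UseWUServer  REG_DWORD  0x1".
REM The third token is the data; HAVE stays empty if the value does not exist.
SET HAVE=
FOR /F "tokens=3" %%A IN ('REG QUERY %AUKEY% /v UseWUServer 2^>NUL ^| find "REG_DWORD"') DO SET HAVE=%%A

REM SET /A understands the 0x prefix, so 0x1 becomes 1 and 0x0 becomes 0.
IF DEFINED HAVE SET /A HAVE=%HAVE%

REM Nothing to do when the registry already holds the desired value.
IF "%HAVE%"=="%WANT%" GOTO END

NET STOP wuauserv
REG ADD %AUKEY% /v UseWUServer /t REG_DWORD /d %WANT% /f
NET START wuauserv

:END
ENDLOCAL
```

Because the scheduled task runs this file as SYSTEM, store it where only administrators can write to it.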