8
zymk
7y

Hosted WSUS servers for the DevRant community so we can defer the shitty updates MS forces upon us.

Project Type
Project idea
Summary

Hosted WSUS servers for the DevRant community so we can defer the shitty updates MS forces upon us.

Description
I’m still performing research on this project idea for my IT Services startup and for the viability of this idea as this project needs to work on non-domain computers. I want to build a WSUS farm and additional PowerShell mgmt script(s) to provide to the community. The script(s) would be a simple “upstream update server” config change: 1) to set your PC’s settings to pull updates from my wsus server farm, however the server farm would be set as such that all updates are deferred. Allowing you to then defer updates according to your schedule. 2) another script that re-sets the upstream update servers to Microsoft’s servers so you can then update when you choose. I wanted to get feedback from all you guys and gals to see if the DevRant community might have any interest in something like this for your systems? (provided it can be done; research still in progress.) I’m going to continue working on this project for my IT startup to try and provide some semblance of update control for my smaller customers that don’t have the infrastructure in place for a full in-house WSUS setup, but wanted to reach out here on DevRant to inquire if anyone would be interested in such a ‘service’. I’m not charging anything for it and I’m not pulling any Facebook style crap either. I just want to try and contribute somehow to the community but I’m total rubbish at programming and still feel like a n00b at linux, and I feel like this might be one way for me give something back.
Tech Stack
Microsoft, PowerShell, WUA Api
Current Team Size
Myself
Comments
  • 2
    So you want to make Windows think that there are no updates by creating your own Windows Update Server who always says 'no'?
    Does MS allow this? Are there any predefined libs from MS?
  • 0
    @hypervtechnics short answer yes! 😁

    So far in my research a full WUA (windows update agent) API for custom tooling can be accessed if needed. I’m not good with C++ though so if that extra tooling is needed it’s definitely going to take me some extra tome to figure it out.

    As for whether or not Microsoft allows this all I can definitively say at the moment is this. If you are running Windows Pro or higher the functionality to use a WSUS server exists in the OS and `can` be configured. MS probably wouldn’t want a 3rd party to be “managing” updates for standard consumers. (Just meaning people without an AD/domain) I’ll dig more into whether this is going to get me into hot water with MS to try and give a better answer for you.
  • 2
    Dude. Just open gpedit.msc (aka Group Policy Editor) and look for the Windows Updates settings. You have full control over the REAL update settings, including disabling automatic updates and auto-reboot entirely (no "working hours" bullshit). And you can still update manually if you want to.

    No need to make your own server, just dive deeper into the settings.
    Don't reinvent the wheel.
  • 0
    @endor that was one thought that I had too, and there’s also the option to just blackhole the windows update server urls in there. But I was planning on making something for my startup so I could manage updates for my clients. I do business with a few smaller companies that don’t have the infrastructure in place for a wsus server. I wanted to see if there was any interest by the community to have a “blackhole” update server.

    I guess I could just as easily publish powershell scripts that modify local gpo settings for people 😅. With a script that will undo the gpo settings changes for when people are ready to update. I often overthink things.
  • 1
    You don't even need to undo the settings to update, since all you're disabling is *automatic* updates. You can still manually trigger them, and I'm sure it will be a thing (relatively) easy to script (like "download and install all updates when a signal is sent" or something).

    Imho making your own custom update server would only be a reasonable solution for a large company and/or large enough community that has pre-agreed on a common update policy (good luck with that...).
    Not that it isn't a cool idea, but a little bit overkill imo.

    Just my 0.02$
Add Comment