Swamp_Thing

asked on

WSUS: How do I make WSUS not install itself automatically on networked PCs/Laptops?

I have WSUS Build 2.0.0.2620 installed on a server on my work's network.  Whenever I reformat a new PC or remove a PC from our domain and then re-add it, WSUS attaches itself to the machine within a few minutes of being on our domain.  It grays out all the options under the Automatic Updates tab (right-click My Computer, Properties) so the user (or admin) cannot change the settings.  Right now it defaults everyone's options under Automatic Updates to "Download updates for me, but let me choose when to install them".  I would like to change this to "Notify me but don't automatically download or install them".  I would also like to make it so that I could somehow choose what machines WSUS manages.

My main problem is with situations like below:
  A user needs a laptop configured for them so I reformat and configure the laptop.  I add the laptop to our domain and then reboot for the changes to take effect.  After I reboot and log in, within a few minutes the yellow "!" shield appears in the task tray and then a message "New Updates are Available" appears above it.  I right-click on My Computer, select Properties and then click the Automatic Updates tab and see that all of the options are now grayed out.  Now if the user disconnects from our network and goes out of state because they are a remote VPN user, the update options are still all grayed out.  The WSUS still has its grip on the laptop and I'd like to remove it.  The user can't receive updates unless they connect through the VPN.  If WSUS was off the laptop, they could update the PC using their home LAN connection and not have to be managed by WSUS, many miles away.

WSUS is configured using GPOs.  The best bet would be to create a new OU and an associated policy, add the computers that you do not want to have WSUS on, update the policies on these computers and voilà!!!

http://blogs.technet.com/robert_hensing/archive/2007/10/24/getting-microsoft-updates-offline.aspx

-saige-

Not sure what you mean by the term "GPO".  I'm guessing it has to do with Group Policy?  My boss set up the whole WSUS system so I'm not sure how she set everything up but she's leaving soon so I'm on my own with this...  We have Windows Server 2000 (yea, I know... we have to upgrade) with Active Directory so if it has to do with policies and what not, I can probably get this straightened out but I'll need to get pointed in the right direction...

GPO = Group Policy Object...

And rightly so it is very straightforward...

By creating a new OU (Organizational Unit), you can easily segregate the machines that will not be administered by WSUS from the rest of your domain...  You accomplish this by first moving all the computers to the new OU...

After you have moved all affected computers to the OU, you simply create a new GPO and link it to the OU...  Inside the settings of the GPO you specify that the computers will receive their updates from Microsoft (this is usually accomplished by disabling the WSUS policies)...

-saige-
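
A way to check on a client whether the WSUS policy still applies after the computer has been moved to the new OU and its policy refreshed. This is an added example, not part of the thread; it assumes PowerShell is available on the client and reads the standard Windows Update policy registry values that Group Policy writes.

```powershell
# Added example: report whether Windows Update on this machine is controlled
# by Group Policy (the cause of the grayed-out Automatic Updates tab).
# Run it after the policy refresh (gpupdate /force on Windows XP).
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# AUOptions values and the behaviour each one enforces
$auOptions = @{
    2 = 'notify before download and before install'
    3 = 'download automatically, notify before install'
    4 = 'download automatically and install on a schedule'
}

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or the value is absent (no policy applied)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

$useWsus  = Get-PolicyValue $auKey 'UseWUServer'
$wuServer = Get-PolicyValue $wuKey 'WUServer'
$option   = Get-PolicyValue $auKey 'AUOptions'
$noAuto   = Get-PolicyValue $auKey 'NoAutoUpdate'

if ($useWsus -eq 1 -and $wuServer) {
    "Update source     : WSUS server $wuServer (set by policy)"
} else {
    "Update source     : Microsoft (no WSUS policy present)"
}

if ($noAuto -eq 1) {
    "Automatic Updates : disabled by policy"
} elseif ($null -ne $option) {
    $text = $auOptions[[int]$option]
    if (-not $text) { $text = 'unrecognised value' }
    "Automatic Updates : locked by policy to AUOptions=$option ($text)"
} else {
    "Automatic Updates : not set by policy, the tab should be editable"
}
```

If the first line still names the WSUS server after the move, the old GPO is still reaching the computer and the link on the new OU needs checking.
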

I just went in to Active Directory, right clicked on "goldlinecontrols.com" and selected New and then Organizational Unit.  I looked under the "goldlinecontrols.com" domain where I added that new Organizational Unit (named it "Computers in WSUS") and there's a folder named "Computers" and it has all of the PCs/laptops listed that are in our domain.

You mentioned that I now need to move all of these machines into the "Computers in WSUS" OU that I just created.  Will this mess anything up?  I don't want to screw up anything with our servers and/or network.

You wouldn't move the computers you want to keep using WSUS, actually you would do the opposite...  Move the computers that you do not want to use WSUS.

-saige-

Oh alright, that makes sense now.  I just moved the 1 laptop that I created this question for (but this will help me down the line as well) to the "Computers not in WSUS" OU.  Now, how do I create a new GPO so that I can link it to the "Computers not in WSUS" OU?

ASKER CERTIFIED SOLUTION
weareit

This solution is only available to members.

When I try to install the Group Policy Management Console on my Windows 2000 server I get a message saying:

"You must be running Windows XP SP1 or Windows Server 2003 build 3602 or later to install Microsoft Group Policy Management Console with SP1"

However, under Microsoft's System Requirements section for this download on the page you sent me it says this: "GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains."

Does that mean I can install it on my Windows XP machine and manage Group Policy in my Windows 2000 domain?

Yes