Solved

WSUS: How do I make WSUS not install itself automatically on networked PC's/Laptops?

Posted on 2007-12-03
Last Modified: 2013-12-05
I have WSUS Build 2.0.0.2620 installed on a server on my work's network.  Whenever I reformat a new PC or remove a PC from our domain and then re-add it, WSUS attaches itself to the machine within a few minutes of being on our domain.  It grays out all the options under the Automatic Updates tab (right-click My Computer, Properties) so the user (or admin) cannot change the settings.  Right now it defaults everyone's options under Automatic Updates to "Download updates for me, but let me choose when to install them".  I would like to change this to "Notify me but don't automatically download or install them".  I would also like to make it so that I could somehow choose what machines WSUS manages.

My main problem is with situations like below:
  A user needs a laptop configured for them so I reformat and configure the laptop.  I add the laptop to our domain and then reboot for the changes to take effect.  After I reboot and log in, within a few minutes the yellow "!" shield appears in the task tray and then a message "New Updates are Available" appears above it.  I right-click on My Computer, select Properties and then click the Automatic Updates tab and see that all of the options are now grayed out.  Now if the user disconnects from our network and goes out of state because they are a remote VPN user, the update options are still all grayed out.  The WSUS still has its grip on the laptop and I'd like to remove it.  The user can't receive updates unless they connect through the VPN.  If WSUS was off the laptop, they could update the PC using their home LAN connection and not have to be managed by WSUS, many miles away.
Question by:Swamp_Thing

Expert Comment

by:weareit
WSUS is configured using GPO's.  The best bet would be to create a new OU and an associated policy, add the computers that you do not want to have WSUS on, update the policies on these computers and voilà!!!

http://blogs.technet.com/robert_hensing/archive/2007/10/24/getting-microsoft-updates-offline.aspx

-saige-

Author Comment

by:Swamp_Thing
Not sure what you mean by the term "GPO".  I'm guessing it has to do with Group Policy?  My boss set up the whole WSUS system so I'm not sure how she set everything up but she's leaving soon so I'm on my own with this...  We have Windows Server 2000 (yea, I know... we have to upgrade) with Active Directory so if it has to do with policies and what not, I can probably get this straightened out but I'll need to get pointed in the right direction...

Expert Comment

by:weareit
GPO = Group Policy Object...

And rightly so it is very straightforward...

By creating a new OU (Organizational Unit), you can easily segregate the machines that will not be administered by WSUS from the rest of your domain...  You accomplish this by first moving all the computers to the new OU...

After you have moved all affected computers to the OU, you simply create a new GPO and link it to the OU...  Inside the settings of the GPO you specify that the computers will receive their updates from Microsoft (this is usually accomplished by disabling the WSUS policies)...

-saige-

Author Comment

by:Swamp_Thing
I just went in to Active Directory, right clicked on "goldlinecontrols.com" and selected New and then Organizational Unit.  I looked under the "goldlinecontrols.com" domain where I added that new Organizational Unit (named it "Computers in WSUS") and there's a folder named "Computers" and it has all of the PCs/laptops listed that are in our domain.

You mentioned that I now need to move all of these machines into the "Computers in WSUS" OU that I just created.  Will this mess anything up?  I don't want to screw up anything with our servers and/or network.

Expert Comment

by:weareit
You wouldn't move the computers you want to keep using WSUS, actually you would do the opposite...  Move the computers that you do not want to use WSUS.

-saige-

Author Comment

by:Swamp_Thing
Oh alright, that makes sense now.  I just moved the 1 laptop that I created this question for (but this will help me down the line as well) to the "Computers not in WSUS" OU.  Now, how do I create a new GPO so that I can link it to the "Computers not in WSUS" OU?

Accepted Solution

by:weareit
If you have not done so already, download and install the Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Once you have this installed, open the group policy management console by going to Start --> Administrative Tools --> Group Policy Management

You should see a tree on the left and contents on the right.  Expand the tree until you can see the root policies and the OU's directly beneath them.  Right-click on the OU and choose Create and Link a GPO here...

After the GPO is created, right-click on the GPO and modify the Windows Update Components under Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update

Set the Specify intranet Microsoft update service location = Disabled

Close the GPMC (Group Policy Management Console)...

Start --> Run --> GPUPDATE /FORCE

Do not log off...

Start --> Run --> MMC
File --> Add/Remove Snap-in
Click Add
Scroll down through the list, choose Resultant Set of Policy and click Add
Click Close and then Click OK
Right-click on Resultant Set of Policy --> Generate RSoP Data
Click Next
Logging Mode and click Next
If you are on the laptop that you want to have the policy apply to click This computer and click Next
Otherwise, choose the laptop (this may not work based upon security) and click Next
Select Do not display user policy settings and click Next
Click Next
When the RSoP scan finishes, you should be able to browse through the policy to determine if the Policy inheritance is working properly and to determine if the WSUS option is disabled.

-saige-
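
A registry check that complements the RSoP step in the accepted answer, given here as an added example that is not part of the original thread. It reads the standard Windows Update policy values on the client to show whether the machine is still pointed at an intranet update server after the GPO change; the function name `Get-WsusPolicyState` is hypothetical.

```powershell
# Added example: report the Windows Update policy state of this client.
# Run it on the laptop after GPUPDATE /FORCE. The registry paths and value
# names are the standard Windows Update policy locations; the function name
# is hypothetical and not taken from the thread.
function Get-WsusPolicyState {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    # Both keys are absent when no Windows Update policy applies at all.
    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # AUOptions values and the Automatic Updates behaviour they select.
    $auText = @{
        2 = 'Notify before download and install'
        3 = 'Download automatically, notify before install'
        4 = 'Download automatically and install on schedule'
    }

    # The client uses WSUS only when UseWUServer is 1 and a server URL is set.
    $server  = if ($wu) { $wu.WUServer } else { $null }
    $useWsus = ($au -ne $null) -and ($au.UseWUServer -eq 1) -and
               (-not [string]::IsNullOrEmpty($server))

    # When policy sets AUOptions or NoAutoUpdate, the Automatic Updates
    # tab is grayed out because the values are enforced by policy.
    $auOpt     = if ($au) { $au.AUOptions } else { $null }
    $noAuto    = if ($au) { $au.NoAutoUpdate } else { $null }
    $policySet = ($auOpt -ne $null) -or ($noAuto -ne $null)

    $mode = 'Not set by policy'
    if ($noAuto -eq 1) {
        $mode = 'Automatic Updates disabled by policy'
    } elseif ($auOpt -ne $null) {
        $mode = $auText[[int]$auOpt]
        if (-not $mode) { $mode = "AUOptions = $auOpt" }
    }

    New-Object PSObject -Property @{
        ManagedByWsus        = $useWsus
        WsusServer           = $server
        OptionsSetByPolicy   = $policySet
        AutomaticUpdatesMode = $mode
    }
}

Get-WsusPolicyState | Format-List
```

`ManagedByWsus` should read `False` once the new GPO has applied; if `OptionsSetByPolicy` is still `True`, another policy in scope is still configuring Automatic Updates and the tab stays grayed out.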

Author Comment

by:Swamp_Thing
When I try to install the Group Policy Management Console on my Windows 2000 server I get a message saying:

"You must be running Windows XP SP1 or Windows Server 2003 build 3602 or later to install Microsoft Group Policy Management Console with SP1"

However, under Microsoft's System Requirements section for this download on the page you sent me it says this: "GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains."

Does that mean I can install it on my Windows XP machine and manage Group Policy in my Windows 2000 domain?


Expert Comment

by:weareit
Yes