• Status: Solved

WSUS: How do I make WSUS not install itself automatically on networked PCs/laptops?

I have WSUS Build 2.0.0.2620 installed on a server on my work's network.  Whenever I reformat a new PC or remove a PC from our domain and then re-add it, WSUS attaches itself to the machine within a few minutes of being on our domain.  It grays out all the options under the Automatic Updates tab (right-click My Computer, Properties) so the user (or admin) cannot change the settings.  Right now it defaults everyone's options under Automatic Updates to "Download updates for me, but let me choose when to install them".  I would like to change this to "Notify me but don't automatically download or install them".  I would also like to make it so that I could somehow choose what machines WSUS manages.

My main problem is with situations like below:
  A user needs a laptop configured for them so I reformat and configure the laptop.  I add the laptop to our domain and then reboot for the changes to take effect.  After I reboot and log in, within a few minutes the yellow "!" shield appears in the task tray and then a message "New Updates are Available" appears above it.  I right-click on My Computer, select Properties and then click the Automatic Updates tab and see that all of the options are now grayed out.  Now if the user disconnects from our network and goes out of state because they are a remote VPN user, the update options are still all grayed out.  The WSUS still has its grip on the laptop and I'd like to remove it.  The user can't receive updates unless they connect through the VPN.  If WSUS was off the laptop, they could update the PC using their home LAN connection and not have to be managed by WSUS, many miles away.
0
Swamp_Thing
Asked:
Swamp_Thing
1 Solution
 
weareitCommented:
WSUS is configured using GPOs.  The best bet would be to create a new OU and an associated policy, add the computers that you do not want to have WSUS on, update the policies on these computers and voilà!!!

http://blogs.technet.com/robert_hensing/archive/2007/10/24/getting-microsoft-updates-offline.aspx

-saige-
0
 
Swamp_ThingAuthor Commented:
Not sure what you mean by the term "GPO".  I'm guessing it has to do with Group Policy?  My boss set up the whole WSUS system so I'm not sure how she set everything up but she's leaving soon so I'm on my own with this...  We have Windows Server 2000 (yea, I know... we have to upgrade) with Active Directory so if it has to do with policies and what not, I can probably get this straightened out but I'll need to get pointed in the right direction...
0
 
weareitCommented:
GPO = Group Policy Object...

And rightly so it is very straightforward...

By creating a new OU (Organizational Unit), you can easily segregate the machines that will not be administered by WSUS from the rest of your domain...  You accomplish this by first moving all the computers to the new OU...

After you have moved all affected computers to the OU, you simply create a new GPO and link it to the OU...  Inside the settings of the GPO you specify that the computers will receive their updates from Microsoft (this is usually accomplished by disabling the WSUS policies)...

-saige-
0
 
Swamp_ThingAuthor Commented:
I just went in to Active Directory, right clicked on "goldlinecontrols.com" and selected New and then Organizational Unit.  I looked under the "goldlinecontrols.com" domain where I added that new Organizational Unit (named it "Computers in WSUS") and there's a folder named "Computers" and it has all of the PCs/laptops listed that are in our domain.

You mentioned that I now need to move all of these machines into the "Computers in WSUS" OU that I just created.  Will this mess anything up?  I don't want to screw up anything with our servers and/or network.
0
 
weareitCommented:
You wouldn't move the computers you want to keep using WSUS, actually you would do the opposite...  Move the computers that you do not want to use WSUS.

-saige-
0
 
Swamp_ThingAuthor Commented:
Oh alright, that makes sense now.  I just moved the 1 laptop that I created this question for (but this will help me down the line as well) to the "Computers not in WSUS" OU.  Now, how do I create a new GPO so that I can link it to the "Computers not in WSUS" OU?
0
 
weareitCommented:
If you have not done so already, download and install the Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Once you have this installed, open the group policy management console by going to Start --> Administrative Tools --> Group Policy Management

You should see a tree on the left and contents on the right.  Expand the tree until you can see the root policies and the OUs directly beneath them.  Right-click on the OU and choose Create and Link a GPO here...

After the GPO is created, right-click on the GPO and modify the Windows Update Components under Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update

Set the Specify intranet Microsoft update service location = Disabled

Close the GPMC (Group Policy Management Console)...

Start --> Run --> GPUPDATE /FORCE

Do not log off...

Start --> Run --> MMC
File --> Add/Remove Snap-in
Click Add
Scroll down through the list, choose Resultant Set of Policy and click Add
Click Close and then Click OK
Right-click on Resultant Set of Policy --> Generate RSoP Data
Click Next
Logging Mode and click Next
If you are on the laptop that you want to have the policy apply to click This computer and click Next
Otherwise, choose the laptop (this may not work based upon security) and click Next
Select Do not display user policy settings and click Next
Click Next
When the RSoP scan finishes, you should be able to browse through the policy to determine if the Policy inheritance is working properly and to determine if the WSUS option is disabled.

-saige-
0
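A client-side check to go with the RSoP step above, as an added example that is not part of the original answers: it reads the registry values that the Windows Update policy settings write and reports whether the machine is still pointed at a WSUS server. It assumes Windows PowerShell is available on the client; the function names are hypothetical.

```powershell
# Added example. Registry locations written by the Windows Update policy settings.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"

# Meaning of the AUOptions value set by "Configure Automatic Updates".
$AuOptionText = @{
    2 = 'Notify before download and install'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
    5 = 'Local administrator chooses the setting'
}

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusPolicyState {
    $useWu  = Get-PolicyValue $AuKey 'UseWUServer'
    $server = Get-PolicyValue $WuKey 'WUServer'
    $status = Get-PolicyValue $WuKey 'WUStatusServer'
    $auOpt  = Get-PolicyValue $AuKey 'AUOptions'

    if ($null -eq $auOpt) {
        $auText = 'Not set by policy (changeable on the Automatic Updates tab)'
    } else {
        $auText = $AuOptionText[[int]$auOpt]
        if (-not $auText) { $auText = "Unknown value $auOpt" }
    }

    New-Object PSObject -Property @{
        # The client uses WSUS only when UseWUServer is 1 and a server URL is set.
        ManagedByWsus    = [bool]($useWu -eq 1 -and $server)
        WUServer         = $server
        WUStatusServer   = $status
        AutomaticUpdates = $auText
    }
}

Get-WsusPolicyState | Format-List
```

Run it on the laptop after GPUPDATE /FORCE; ManagedByWsus should read False once the new GPO applies. If AutomaticUpdates still reports a policy value, the "Configure Automatic Updates" setting is still being inherited, and that setting is what grays out the Automatic Updates tab.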
 
Swamp_ThingAuthor Commented:
When I try to install the Group Policy Management Console on my Windows 2000 server I get a message saying:

"You must be running Windows XP SP1 or Windows Server 2003 build 3602 or later to install Microsoft Group Policy Management Console with SP1"

However, under Microsoft's System Requirements section for this download on the page you sent me it says this: "GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains."

Does that mean I can install it on my Windows XP machine and manage Group Policy in my Windows 2000 domain?

0
 
weareitCommented:
Yes
0
