Solved

WSUS: How do I make WSUS not install itself automatically on networked PC's/Laptops?

Posted on 2007-12-03
Last Modified: 2013-12-05
I have WSUS Build 2.0.0.2620 installed on a server on my work's network.  Whenever I reformat a new PC or remove a PC from our domain and then re-add it, WSUS attaches itself to the machine within a few minutes of being on our domain.  It grays out all the options under the Automatic Updates tab (right-click My Computer, Properties) so the user (or admin) cannot change the settings.  Right now it defaults everyone's options under Automatic Updates to "Download updates for me, but let me choose when to install them".  I would like to change this to "Notify me but don't automatically download or install them".  I would also like to make it so that I could somehow choose what machines WSUS manages.

My main problem is with situations like below:
  A user needs a laptop configured for them so I reformat and configure the laptop.  I add the laptop to our domain and then reboot for the changes to take effect.  After I reboot and log in, within a few minutes the yellow "!" shield appears in the task tray and then a message "New Updates are Available" appears above it.  I right-click on My Computer, select Properties and then click the Automatic Updates tab and see that all of the options are now grayed out.  Now if the user disconnects from our network and goes out of state because they are a remote VPN user, the update options are still all grayed out.  The WSUS still has its grip on the laptop and I'd like to remove it.  The user can't receive updates unless they connect through the VPN.  If WSUS was off the laptop, they could update the PC using their home LAN connection and not have to be managed by WSUS, many miles away.
Question by:Swamp_Thing
12 Comments
 
LVL 2

Author Comment

by:Swamp_Thing
ID: 20397082
0
 
LVL 12

Expert Comment

by:weareit
ID: 20397097
WSUS is configured using GPOs.  The best bet would be to create a new OU and an associated policy, add the computers that you do not want to have WSUS on, update the policies on these computers and voilà!!!

http://blogs.technet.com/robert_hensing/archive/2007/10/24/getting-microsoft-updates-offline.aspx

-saige-
0
 
LVL 2

Author Comment

by:Swamp_Thing
ID: 20411738
Not sure what you mean by the term "GPO".  I'm guessing it has to do with Group Policy?  My boss set up the whole WSUS system so I'm not sure how she set everything up but she's leaving soon so I'm on my own with this...  We have Windows Server 2000 (yea, I know... we have to upgrade) with Active Directory so if it has to do with policies and what not, I can probably get this straightened out but I'll need to get pointed in the right direction...
0
 
LVL 12

Expert Comment

by:weareit
ID: 20413186
GPO = Group Policy Object...

And rightly so it is very straightforward...

By creating a new OU (Organizational Unit), you can easily segregate the machines that will not be administered by WSUS from the rest of your domain...  You accomplish this by first moving all the computers to the new OU...

After you have moved all affected computers to the OU, you simply create a new GPO and link it to the OU...  Inside the settings of the GPO you specify that the computers will receive their updates from Microsoft (this is usually accomplished by disabling the WSUS policies)...

-saige-
0
 
LVL 2

Author Comment

by:Swamp_Thing
ID: 20413371
I just went in to Active Directory, right clicked on "goldlinecontrols.com" and selected New and then Organizational Unit.  I looked under the "goldlinecontrols.com" domain where I added that new Organizational Unit (named it "Computers in WSUS") and there's a folder named "Computers" and it has all of the PCs/laptops listed that are in our domain.

You mentioned that I now need to move all of these machines into the "Computers in WSUS" OU that I just created.  Will this mess anything up?  I don't want to screw up anything with our servers and/or network.
0
 
LVL 12

Expert Comment

by:weareit
ID: 20413382
You wouldn't move the computers you want to keep using WSUS, actually you would do the opposite...  Move the computers that you do not want to use WSUS.

-saige-
0
 
LVL 2

Author Comment

by:Swamp_Thing
ID: 20413431
Oh alright, that makes sense now.  I just moved the 1 laptop that I created this question for (but this will help me down the line as well) to the "Computers not in WSUS" OU.  Now, how do I create a new GPO so that I can link it to the "Computers not in WSUS" OU?
0
 
LVL 12

Accepted Solution

by:
weareit earned 150 total points
ID: 20413821
If you have not done so already, download and install the Group Policy Management Console:

http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en

Once you have this installed, open the group policy management console by going to Start --> Administrative Tools --> Group Policy Management

You should see a tree on the left and contents on the right.  Expand the tree until you can see the root policies and the OUs directly beneath them.  Right-click on the OU and choose Create and Link a GPO here...

After the GPO is created, right-click on the GPO and modify the Windows Update Components under Computer Configuration --> Administrative Templates --> Windows Components --> Windows Update

Set the Specify intranet Microsoft update service location = Disabled

Close the GPMC (Group Policy Management Console)...

Start --> Run --> GPUPDATE /FORCE

Do not log off...

Start --> Run --> MMC
File --> Add/Remove Snap-in
Click Add
Scroll down through the list, choose Resultant Set of Policy and click Add
Click Close and then Click OK
Right-click on Resultant Set of Policy --> Generate RSoP Data
Click Next
Logging Mode and click Next
If you are on the laptop that you want to have the policy apply to click This computer and click Next
Otherwise, choose the laptop (this may not work based upon security) and click Next
Select Do not display user policy settings and click Next
Click Next
When the RSoP scan finishes, you should be able to browse through the policy to determine if the Policy inheritance is working properly and to determine if the WSUS option is disabled.

-saige-
0
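
A scripted complement to the RSoP check in the answer above, added here as an example and not part of the original thread: it reads the registry values that the Windows Update policies write on a client and reports whether the machine is still pointed at a WSUS server and whether the Automatic Updates setting is locked by policy. It assumes PowerShell 2.0 or later is installed on the client; the function names are made up for this example.

```powershell
# Added example (not from the thread). Read-only check of the Windows Update
# policy values that Group Policy writes to the registry on a client.
$WuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey = "$WuKey\AU"
$AuOptionText = @{
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download automatically, install on schedule'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-WsusPolicyState {
    $wuServer     = Get-PolicyValue $WuKey 'WUServer'
    $statusServer = Get-PolicyValue $WuKey 'WUStatusServer'
    $useWuServer  = Get-PolicyValue $AuKey 'UseWUServer'
    $auOptions    = Get-PolicyValue $AuKey 'AUOptions'
    $noAutoUpdate = Get-PolicyValue $AuKey 'NoAutoUpdate'

    # The update client only uses WUServer when UseWUServer is 1.
    $managed = ($useWuServer -eq 1) -and [bool]$wuServer

    if ($null -eq $auOptions) {
        $auText = 'Not set by policy'
    } elseif ($AuOptionText.ContainsKey([int]$auOptions)) {
        $auText = $AuOptionText[[int]$auOptions]
    } else {
        $auText = "Other value: $auOptions"
    }

    New-Object PSObject -Property @{
        ManagedByWsus    = $managed
        WUServer         = $wuServer
        WUStatusServer   = $statusServer
        AutomaticUpdates = $auText
        UpdatesDisabled  = ($noAutoUpdate -eq 1)
    }
}

Get-WsusPolicyState | Format-List
```

Run it on the laptop after GPUPDATE /FORCE: a machine in the excluded OU should report ManagedByWsus as False, and UpdatesDisabled as True would mean Automatic Updates is switched off by policy altogether.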
 
LVL 2

Author Comment

by:Swamp_Thing
ID: 20413981
When I try to install the Group Policy Management Console on my Windows 2000 server I get a message saying:

"You must be running Windows XP SP1 or Windows Server 2003 build 3602 or later to install Microsoft Group Policy Management Console with SP1"

However, under Microsoft's System Requirements section for this download on the page you sent me it says this: "GPMC runs on Windows XP Professional SP1 and Windows Server 2003 computers and can manage Group Policy in either Windows 2000 or Windows Server 2003 domains."

Does that mean I can install it on my Windows XP machine and manage Group Policy in my Windows 2000 domain?

0
 
LVL 12

Expert Comment

by:weareit
ID: 20415715
Yes
0
