How to cancel scheduled windows updates?

Hi Experts,

I hope you can help me.

We are having a slowness issue on a classroom where I work.

I have blocked inheritance on the Ou this classroom is and only have limited group policies added back.

The problem is I didn't add back our WSUS policy and now the systems have detected updates directly from microsoft and scheduled them for 6 pm tonight.

How do I stop this?  I put the policy back and forced policy but they are still scheduled.  They cannot install and it's a few hours away.

Help.

thank you,

Karen
klsphotosAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

achaldaveCommented:
Try restarting windows update service on workstations after forcing wsus group policy
0
Santosh GuptaCommented:
in addition to achaldave, you can run the rsop.msc to check if still policy is reflecting.
0
klsphotosAuthor Commented:
I did and restarted the system, the updates are still there and pending for tonight at 6 pm.  The policy applied but it didn't cancel the updates.

At this point I am thinking I can manually go into each computer through AD and disable the Windows Update service and I created a duplicate WSUS policy for now that has windows update disabled and removing the other one.  I can't keep it like that though we have forefront updates that come in daily :(
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

achaldaveCommented:
As sgupta1181 suggested run rsop.msc and collect policy information it should show you which policy is in effect on the machine so you can identify what is blocking gpo settings from you new policy.
Try enforcing the group policy so it will take precedence over any conflicting policy.
0
klsphotosAuthor Commented:
I did all of that.  The correct policy are applying but they are not canceling out the pending windows updates that downloaded and are scheduled to install at 6 pm, they are still there.

These updates went out to the default Microsoft website and downloaded what the system needed and scheduled them when I did not have our policy applied.  Even though it's now applied and working it did not cancel what it scheduled, they are still pending.  One update is IE11.  The programs the students use are not compatible with IE11 yet and there is no way I can have them deploy.
0
Santosh GuptaCommented:
hi,

Just for a workaround dont disable windows update services. use SC command to disable the service from any machine.

sc \\10.167.58.42 config wuauserv start= disabled
sc \\10.167.58.43 config wuauserv start= disabled

and so on.
0
achaldaveCommented:
You can block IE 11 using IE blocker tool kit
http://www.microsoft.com/en-us/download/details.aspx?id=40722

Try renaming C:\windows\winsxs\pending.xml, you might need to take ownership first
takeown /f C:\windows\winsxs\pending.xml
ren C:\windows\winsxs\pending.xml C:\windows\winsxs\pending.xml.old

If you have sccm like tool, you can create script and apply to all machines. Also check if any other application like sccm is controlling updates or not
0
klsphotosAuthor Commented:
WSUS is controlling the updates.
The "Wsus" policy controls that.  We have IE11 blocked on WSUS but when I removed all policies, that quick it took the default settings of windows update and downloaded all that was needed.  Being a school we only patch during breaks.

The service is disabled on all systems and the new policy I put there to disable windows updates being installed tonight look like they are successful.

Shouldn't they automatically if the policy is applying point to our WSUS server now not windows update when I enable this?  That isn't what it was doing, they were still there.

Achaldave - I do not have a pending.xml in that directory?

Thank you all for your help, these installing just cannot happen.
0
David Johnson, CD, MVPOwnerCommented:
Being a school we only patch during breaks.

That is a rather cavalier attitude re windows updates. Once the patches have been released the bad guy's reverse engineer them to find the exploit and then use this information rather quickly to begin their campaign of terror. I'm sure that there are PD days every month that you could apply your updates.. once a month is not bad compared to once every 3 months. If all of the machines run as a standard user then over 90% of the exploits and 100% of the IE exploits are stopped dead in their tracks.
0
klsphotosAuthor Commented:
Hi David and  thank you.  

This is out of my control.  My boss understands the risk and not holding me accountable, this is what I was told to do.  The person before me did a lot of damage because he couldn't control the updates and they interfered with class time.  Students are standard users.  Forefront are the only updates that are allowed daily.

This is resolved for now.  I still cannot find the pending.xml but the service is disabled and I will have to resolve it manually.  I checked one of them on Friday and they are only behind by one update.  I will monitor them through Forefront for the next two months until they are reimaged.

Thanks again,

Karen
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
klsphotosAuthor Commented:
There really was no solution to this besides disabling the windows update service manually and then through policy.  I checked the systems and all updates are still pending and want to install since they missed the scheduled date.  The policy kicks in after that fact since it was applied afterwards.  The original question was how to change or stop the pending once it's scheduled but as far as I can tell there isn't one - so disabled it for now.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.