Solved

Is there a way to configure GPO to disable Windows Update even though the servers are not part of the domain?

Posted on 2014-03-14
Last Modified: 2014-04-04
I've disabled Windows Update on a lot of our servers that are not joined to the domain. However, sometimes I find that the settings have reverted back. I don't know by who. So, it would be best to just lock it down via GPO. If this cannot be accomplished via GPO, what's the best way to lock down this setting for servers not in the domain? I do not want to go through every server and disable it.
0
Question by:5itface
7 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 39929883
You can configure it locally using MMC and the Group Policy Object Editor.

If the username you are using and password on this system, you can use MMC to remotely access those systems and configure their windows update settings within the computer configuration\administrative templates\windows components\windows update.

The files are stored in c:\windows\system32\GroupPolicy

There are different ways to accomplish this; look at PowerShell, VBScript, etc.
0
 

Author Comment

by:5itface
ID: 39929892
Arnold,

Can you give me step-by-step instructions on how to accomplish this? Do you have any documentation you can provide?
0
 
LVL 77

Expert Comment

by:arnold
ID: 39929916
Do you want to do it manually or with a PowerShell script?
Here is a reference to the PowerShell GPO cmdlet:
http://technet.microsoft.com/en-us/library/ee461027.aspx

Using MMC and accessing the systems remotely:
http://technet.microsoft.com/en-us/library/cc731745.aspx
When you add the snap-in, you will be prompted whether to use the local system or connect to a remote one. NOTE: the credentials with which you are logged in have to have rights on the remote system, i.e. you are logged in as someuser with somepassword. This same username with the exact same password must exist on the other system with requisite rights, or you will get an access denied message.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39929949
The simpler route (NOTE: TEST IT FIRST):
On one of the computers, edit the policy using the MMC Group Policy Object Editor.

Then copy the data from c:\windows\system32\GroupPolicy to the other system.
Check whether this does what you are looking for. Some/several GPO settings are registry entries.
psexec is one way to have them imported.

MMC remoting into each system might be the simpler option and doable right away.
0
 
LVL 57

Expert Comment

by:Cliff Galiher
ID: 39930351
The acronym GPO stands for group policy object. And as the name implies, it is an Active Directory object. You cannot use GPOs outside of AD, hence non-domain joined machines do not get GPOs.

Now Windows ALSO has the concept of a local security policy. But as ITS name implies, it isn't a full group policy. It is only a subset of the security settings, of which Windows Update is not a part.

So no, there is no good automated way to lock down WU settings in box. Even scripting and remote operations cannot guarantee effective state because the machines are not domain joined and therefore the access is not guaranteed. You are looking at domain joining or 3rd-party tools.
0
 
LVL 77

Expert Comment

by:arnold
ID: 39930388
Cliff,
Windows Update is configurable via the Local Group Policy Object Editor in the same place where it exists: computer configurations\administrative templates\windows components\windows update.

Not sure whether your statement is based on versions prior to XP, but ........
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39931338
Your problem is not how to disable Windows Update but how to manage servers that are not joined to a domain. You would like to deactivate the service and make sure it stays like this.

With the product Intune, MS has provided control for non-domain-joined machines. But if you have a domain, why not use it? There is no drawback at all. So I would stop right here until you clarify why you don't join them.

But to give you a preview on options you have without a domain and without Intune: you could establish a startup script on each machine that calls a centrally managed batch or whatever script, so you would only need to tune that single script.
But you would have to visit each machine once, that's for sure.

With that script, you could use sc.exe, for example, to set the startup type of Windows Update to disabled.
0
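
The startup-script approach from the comment above, combined with the asker's problem of settings reverting, as an added example that is not code from any poster in this thread: a centrally maintained Windows PowerShell script that re-applies the disabled state and writes an event whenever it finds the setting changed. The event source name and event ID are hypothetical; `wuauserv` and the `NoAutoUpdate` value are the standard Windows service name and the registry value behind the "Configure Automatic Updates" policy.

```powershell
# Added example, not from the thread. Windows PowerShell 3.0+, run elevated
# (for instance, called from each server's local startup script).
$EventSource = 'WU-Baseline'   # hypothetical event source name
$EventId     = 1001            # hypothetical event ID
$AuKey       = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$drift       = @()

# 1. Windows Update service (wuauserv): startup type must be Disabled.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'"
if ($svc.StartMode -ne 'Disabled') {
    $drift += "wuauserv StartMode was '$($svc.StartMode)'"
    sc.exe config wuauserv start= disabled | Out-Null
    if ($LASTEXITCODE -ne 0) { $drift += "sc.exe failed with exit code $LASTEXITCODE" }
}
if ($svc.State -eq 'Running') {
    $drift += 'wuauserv was running'
    Stop-Service -Name wuauserv -Force
}

# 2. Registry value written when "Configure Automatic Updates" is set to Disabled.
$au = Get-ItemProperty -Path $AuKey -Name NoAutoUpdate -ErrorAction SilentlyContinue
if ($null -eq $au -or $au.NoAutoUpdate -ne 1) {
    $drift += "NoAutoUpdate was '$($au.NoAutoUpdate)'"
    # Create the key only if it is missing, so existing values are left alone.
    if (-not (Test-Path -Path $AuKey)) { New-Item -Path $AuKey -Force | Out-Null }
    New-ItemProperty -Path $AuKey -Name NoAutoUpdate -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# 3. Log any drift so a reverted setting leaves a timestamped record.
if ($drift.Count -gt 0) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    $msg = "Windows Update baseline drift corrected on $($env:COMPUTERNAME):`r`n" +
           ($drift -join "`r`n")
    Write-EventLog -LogName Application -Source $EventSource `
        -EntryType Warning -EventId $EventId -Message $msg
}
```

The logged event gives the time window in which the setting changed, which can then be matched against logon events on that server to narrow down who changed it.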

Question has a verified solution.
