We help IT Professionals succeed at work.

Turn off WSUS

Medium Priority
539 Views
Last Modified: 2018-08-10
We have purchased an RMM tool that also does windows updates. How can i turn off WSUS on those environments? Some run WIndows Server 2008 and 2012
Comment
Watch Question

Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)
CERTIFIED EXPERT

Commented:
You need to edit or disable whichever GPO is pointing your Domain at the WSUS server.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
or disable the service where it is hosted "update services"

Make sure the tool does not rely on WSUS getting the updates and the tool confirming their installation....

..

Author

Commented:
So by disabling the "update services" thats the best way to turn off WSUS?
Jacob DurhamIT Support Analyst II (Lead Infrastructure Engineer)
CERTIFIED EXPERT

Commented:
No. You can't just turn of the WSUS server because your machines will still be looking for it.

Run RSOP on a machine and your network and drill down into Windows Components > Windows Updates and find out what GPO is applying the settings for Updates.

Change/Disable that GPO.

Author

Commented:
I found the GPO. SO just disable it and thats it?

Author

Commented:
When i enter the GPO which i called it WSUS. I go to to the "Detail" tab under GPO status it says enable. All i need to do is just set that to "All Settings Disabled"?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Yes, you can disable computer settings which is generally how it is applied.\

I would suggest you first explicitly exclude a single system and test that your RMM solution can achieve what you want. (deny the system the rights to have this GPO apply to it.)
Then see whether you can use the RMM to update the system.

Disabling the service will prevent the WSUS service from checking in with MS and downloading updates......

As noted it is a multi-front ..
WSUS running on the server checks in with MS and gets the metadata of updates new, expiring, etc.
it then using the auto approve rule and approves updates. Some previously approved updates their revisions are approved. etc.
once approved it downloads the content.

Author

Commented:
Yes, you can disable computer settings which is generally how it is applied.\

"From the server correct"?
IT Support Analyst II (Lead Infrastructure Engineer)
CERTIFIED EXPERT
Commented:
From the GPO - disable all settings

Before you do this you should be testing your RMM on a single device where this GPO is blocked or not applied to make sure it works.

You're trying to make brash changes to your environment without proper vetting and testing. It seems you don't have a clear understanding of how WSUS or your current environment works. I recommend you do a bit more research before you end up making changes you cannot fix.

Right now your environment appears to be set up with an internal WSUS (and maybe downstream servers)

Microsoft sends updates to WSUS > WSUS determines which updates will be applied to your ORG > Your domain devices pull approved updates from WSUS

If you just turn off that GPO - your devices get no updates and also don't know where to look for them.

Author

Commented:
That's correct. WSUS for the client deploys to the PCs.

The RMM does not use WSUS at all. They have there own engines the fetches and deploys updates to clients PCs.