GPO question - Windows Update- stop applying from WSUS

Mike Leone

Sep 28, 2023, 1:39:27 PM
to NTSysAdmin
We use WSUS, and I have GPOs set up so that "Auto download and schedule the install" is checked. And this is applied to a specific group in AD.

And so what we do is, in WSUS, I have a group that corresponds to that AD group (same hosts). I approve the updates for that WSUS group, and the next time the scheduled time comes along, the updates are applied, and the host reboots. I have a PowerShell script that runs later, and uses the PSWindowsUpdate module to query the WU status of the hosts in that AD group. You follow?

Well, now, we are moving our patching over to Ivanti. And I still want the AD group to exist, because I still want that PowerShell script to run, so it sends a status email to the staff, so they can see what hosts may have had an issue.

So what's stumping me is .. how do I change that GPO to no longer schedule any install? I know GPOs need to be reversed when they're no longer needed, not just no longer applied. I don't see any setting under "Configure automatic updating" to be ... nothing. :-)  Is it to instead choose "notify for download and auto install"?  Or is it to remove the "Specify intranet Microsoft Update service location" to be blank, instead of my WSUS host? (and then delete those hosts out of WSUS)

I still need WSUS for other groups of hosts (for now, until we finish migrating to Ivanti), so we will be going into WSUS and approving updates. And usually we "Approve for all computers", since some computers may not be in a WSUS group. I'd like to continue with "Approve for All Computers", and "Apply to children", for the other groups.

Sorry if this seems like a dumb question. I guess what I mostly want is for that WSUS group to disappear out of WSUS, and the hosts in that group, and not come back. And the hosts to no longer automatically try to download and install updates, since Ivanti will be doing that.

--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Mike Leone

Sep 29, 2023, 8:55:53 AM
to NTSysAdmin
UPDATE - searching seems to indicate that just unlinking the GPO would cause the settings to revert (i.e., not use my WSUS server for updates, but instead point to MS, etc). This turns out NOT to be the case - I unlinked the GPO, and this morning, all those servers are back in WSUS ... which is what I DON'T want.
(I didn't think that would work; the setting would need to be reversed, as far as I know. And that seems to be what's happening.)

So now I have to figure out how to fix that, I'm assuming I just need to change the setting to NOT use the WSUS server, and re-link the GPO.

Yes?

don.l....@gmail.com

Sep 29, 2023, 8:48:43 PM
to ntsys...@googlegroups.com

After you unlink the GPO, the clients/servers need to reboot (or else you need to reprocess the GPOs and also restart the WU service on each client/server).

Also, WSUS group-based targeting requires that the WSUS group name exist in WSUS (so you could change the name or membership) AND it also requires that the WSUS group name be set in the registry (or via GPO) on each client/server (so you could change or remove that GPO/registry setting).

De-scoping the groups/members is one way to do it, but you do also need to reset the WU settings on the clients anyway (unless Ivanti comes along and takes over that stuff) but you don’t want to leave those GPO settings hanging around as they are likely to eventually bite you on the @ss  😉

DonP


don.l....@gmail.com

Sep 29, 2023, 8:54:47 PM
to ntsys...@googlegroups.com

Client-side targeting (aka group-based targeting): Manage additional Windows Update settings - Windows Deployment | Microsoft Learn

From (distant) memory, AUOptions:3 was the original default back in the day?

- 3: Automatically download and notify of installation.

There are a few settings there that you can use to stop patching from happening, if that’s your goal? But I’d guess you don’t want to cripple WU too much as Ivanti will probably need some bits of it?

 

DonP
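The two replies above boil down to a short checklist on each client: confirm which Windows Update policy values the WSUS GPO left behind (WSUS server, client-side targeting group, AUOptions), and after the GPO is changed or unlinked, re-process Group Policy and restart the Windows Update service so the change takes effect without waiting for a reboot. The following PowerShell is an added example for that checklist, not code from the thread or from Microsoft; the registry paths and value names are the documented policy locations, while the function names, the property names on the output object and the `StillScheduledFromWsus` flag are this example's own.

```powershell
# Added example: audit the Windows Update policy values a WSUS GPO writes, then
# re-apply policy and restart the WU client so a GPO change actually lands.
# Run as a local administrator on the client/server being checked.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuRoot     = Join-Path $PolicyRoot 'AU'

# Meaning of AUOptions as set by the "Configure Automatic Updates" policy
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

# Read one policy value, returning $null when the key or value is absent
function Read-PolicyValue([string]$Path, [string]$Name) {
    if (Test-Path $Path) {
        (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name
    }
}

function Get-WuPolicyState {
    $useWsus  = Read-PolicyValue $AuRoot     'UseWUServer'
    $auOpt    = Read-PolicyValue $AuRoot     'AUOptions'
    $noAuto   = Read-PolicyValue $AuRoot     'NoAutoUpdate'
    $wuServer = Read-PolicyValue $PolicyRoot 'WUServer'
    $tgEnable = Read-PolicyValue $PolicyRoot 'TargetGroupEnabled'
    $tg       = Read-PolicyValue $PolicyRoot 'TargetGroup'

    $meaning = 'not set by policy'
    if ($null -ne $auOpt -and $AuOptionNames.ContainsKey([int]$auOpt)) {
        $meaning = $AuOptionNames[[int]$auOpt]
    }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        WsusServer             = $wuServer
        UsesWsus               = ($useWsus -eq 1 -and -not [string]::IsNullOrEmpty($wuServer))
        AUOptions              = $auOpt
        AUOptionsMeaning       = $meaning
        AutoUpdateDisabled     = ($noAuto -eq 1)
        ClientSideTargeting    = ($tgEnable -eq 1)
        TargetGroup            = $tg
        # The state the thread wants to get rid of: still scheduling installs from WSUS
        StillScheduledFromWsus = ($useWsus -eq 1 -and $auOpt -eq 4)
    }
}

function Reset-WuClientAfterPolicyChange {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'gpupdate /force and restart wuauserv')) {
        # Re-process computer policy so the changed/unlinked GPO's values are rewritten...
        gpupdate.exe /target:computer /force | Out-Null
        # ...then restart the Windows Update client so it reads the new policy
        Restart-Service -Name wuauserv -Force
    }
}

# Usage: audit first, then re-apply policy and restart the client; compare the
# output before and after to confirm the WSUS values are really gone.
$before = Get-WuPolicyState
$before | Format-List
Reset-WuClientAfterPolicyChange -WhatIf   # drop -WhatIf to actually run it
```

Running `Get-WuPolicyState` against the hosts in the AD group (for example through `Invoke-Command`) gives the same kind of per-host status the thread's reporting script already emails out, so a host that still shows `UsesWsus` or `StillScheduledFromWsus` as `True` after the GPO change is one that has not yet re-processed policy or still has the values set locally.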
