How do I keep my servers from connecting to WSUS

Question

  • We've recently upgraded our Domain Controller from Server 2003 to Server 2008 R2. WSUS was previously installed on the Server 2003 DC and there were no issues. I know Microsoft recommends putting WSUS on something other than a Domain Controller, but because there were no problems with 2003 I figured there would be no problem with putting it on the 2008 R2 DC. Apparently I was wrong. I can't keep the servers (a mix of 2003 Standard, 2003 R2, and 2008 R2; there are 7 total and all but 2 are member servers) from connecting to WSUS. I've tried deleting them... they just come back.

    Because my Default Domain/Windows Update GPO points updates only to clients in the Staff Computers group I've created, I was going to try creating another group called Servers and just dump them in there, but now the 'change membership' option is greyed out on any computer you right-click on in my Staff Computers group. What am I doing wrong here?

    Thursday, December 11, 2014 5:41 PM

Answers

  • In an out-of-the-box configuration, Windows Server does not contact an internal WSUS server, but uses the Microsoft Update services on the internet. Windows Update settings on servers are configured using Group Policy objects in AD. So, if your servers contact the internal WSUS, then you have to find out which GPO defines these WSUS settings and make sure this GPO is not applied to servers. Alternatively you can define a new GPO for servers and use it to turn off use of the internal WSUS server.


    Gleb.

    • Marked as answer by uncletodd22 Tuesday, December 16, 2014 2:46 PM
    Saturday, December 13, 2014 3:29 PM

All replies

  • Run Resultant Set of Policy on your server and identify which policies control Windows Update settings. Adjust these GPOs to use the right WSUS server and settings.

    Gleb.

    Thursday, December 11, 2014 10:01 PM
  • I can't keep the servers (a mix of 2003 Standard, 2003 R2, and 2008 R2; there are 7 total and all but 2 are member servers) from connecting to WSUS. I've tried deleting them... they just come back.

    I'm not quite grasping why upgrading the DC/WSUS would result in wanting previous WSUS clients to NOT be WSUS clients any more, but the short answer to this is thus:

    The Windows Update Agent is configured through registry settings. Those registry settings are persistent. The registry settings are set by a GPO. Removing the GPO does NOT undo those settings. The ONLY way to make a WSUS client a Not-A-WSUS client is to explicitly DISABLE the policy setting Specify Microsoft intranet update server location, or to set the UseWUServer registry value to ZERO and restart the Windows Update service.

    Because my Default Domain/Windows Update GPO points updates only to clients in the Staff Computers group I've created

    The Default Domain Policy applies to **ALL** computers in the domain ALWAYS.

    Where any other GPO applies depends on where you've linked it.

    The GPO does not point updates anywhere. The GPO points *computers* to the WSUS Server.

    I was going to try creating another group called Servers and just dump them in there, but now the 'change membership' option is greyed out on any computer you right-click on in my Staff Computers group.

    "Change Membership" is grayed out because you've set the Options->Computers value to "Use Group Policy.." to assign group memberships.

    I'm very confused by this conversation. Is it your intent for these systems to NOT be WSUS clients, or is it your intent to place these systems in a different WSUS Target Group?


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Thursday, December 11, 2014 11:37 PM
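An added example (not code from the thread or from any of its participants) that audits the registry values Lawrence describes on one server and, with a hypothetical -Remediate switch, applies his UseWUServer = 0 plus service-restart procedure. It assumes the standard policy registry paths under HKLM\SOFTWARE\Policies and must run in an elevated PowerShell session.

```powershell
# Added example: audit (and optionally detach) a server's WSUS client configuration.
# Policy-delivered Windows Update Agent values live under HKLM\SOFTWARE\Policies;
# if the key is absent, no GPO is configuring the agent on this machine.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: default is a read-only audit
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

# A machine is a WSUS client only when UseWUServer is 1 AND a WUServer URL is set.
$report = [pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer
    IsWsusClient   = ($au.UseWUServer -eq 1 -and -not [string]::IsNullOrEmpty($wu.WUServer))
}
$report | Format-List

if ($Remediate -and $report.IsWsusClient) {
    # UseWUServer = 0 is the value a Disabled "Specify intranet Microsoft update
    # service location" policy writes; the agent re-reads it when restarted.
    Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0 -Type DWord
    Restart-Service -Name wuauserv -Force
    Write-Host 'UseWUServer set to 0 and the Windows Update service restarted.'

    # Caveat from the thread: these values are persistent, but if the GPO that
    # set them still applies to this computer, the next policy refresh puts
    # them back. Confirm which GPO is responsible before relying on this.
    Write-Warning 'Check "gpresult /scope computer /r" for a GPO that still sets WSUS settings.'
}
```

Run the audit first on every server; a server reporting IsWsusClient = True with WUServer pointing at the DC is the one whose GPO scope needs fixing.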
  • Lawrence,

    My sole intent is that my "servers" not be WSUS clients. I do want all of my staff PCs as clients obviously, I just do not want my Windows servers to be updating through WSUS for obvious reasons. There seems to be very little documentation on how to "manage" WSUS. I can find everything I need to know about how to install and configure it, but nothing on how to manage it.

    If you could give me instruction on how to simply keep my servers from connecting to WSUS I would greatly appreciate it.

    -Thanks

    Friday, December 12, 2014 4:36 PM
  • My sole intent is that my "servers" not be WSUS clients.

    Okay, then you'll need to put them in one (or more) separate OrgUnits and explicitly configure a GPO for that/those OrgUnits to DISABLE the setting Specify Microsoft intranet update server location. Just out of curiosity... how do you plan to patch these servers, or implement any form of compliance reporting on them?

    I just do not want my Windows servers to be updating through WSUS for obvious reasons.

    No, actually the reasons are never obvious to me.

    There seems to be very little documentation on how to "manage" WSUS.

    There's an entire Deployment Guide that tells how to install and configure the product, and an Operations Guide that tells how to use the product, and there are over 8000 threads in this forum that discuss every imaginable aspect of using WSUS that have occurred over the past 6 years.

    If you could give me instruction on how to simply keep my servers from connecting to WSUS I would greatly appreciate it.

    Some things are not "documented", probably because they're presumed to be self-evident. Since a machine can only become a WSUS client by explicitly configuring it to BE a WSUS client, the implied answer, thus, is you simply do NOT configure the machine to be a WSUS client.

    Of course, in exceptionally rare circumstances, there comes this interest in making a system that is already a WSUS client to NOT be a WSUS client. So, in those cases, you TURN OFF the policy setting that made it a WSUS client in the first place.


    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, December 15, 2014 9:05 PM
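An added example (not code from the thread or its participants) of the OU-plus-GPO approach Lawrence recommends: it creates a GPO whose only job is to turn off the intranet update server setting and links it to a Servers OU. It assumes the GroupPolicy RSAT module, domain admin rights, and placeholder values for the GPO name and OU path.

```powershell
# Added example: dedicated GPO for member servers that disables the
# "Specify intranet Microsoft update service location" setting.
Import-Module GroupPolicy

$gpoName  = 'Servers - No WSUS'               # placeholder GPO name
$serverOU = 'OU=Servers,DC=example,DC=com'    # placeholder OU path

# Create the GPO once; re-running the script reuses it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Member servers use Microsoft Update, not the internal WSUS'
}

# Disabling the policy in the GPO editor writes UseWUServer = 0 on the client;
# writing that registry-based policy value directly yields the same state.
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ValueName 'UseWUServer' -Type DWord -Value 0 | Out-Null

# Link it to the Servers OU. An OU-linked GPO wins over the domain-linked
# Default Domain Policy through normal precedence, so Enforced is not needed
# unless the domain-level GPO is itself enforced.
$links = (Get-GPInheritance -Target $serverOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
    New-GPLink -Name $gpoName -Target $serverOU -LinkEnabled Yes | Out-Null
}

Write-Host "GPO '$gpoName' linked to $serverOU. Move the servers into that OU,"
Write-Host 'then run gpupdate /force and restart wuauserv on each one.'
```

Move the server computer objects into the OU before refreshing policy; a server left in its old OU keeps receiving the WSUS-enabling GPO.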
  • Thank you Gleb for that useful information.
    Tuesday, December 16, 2014 2:48 PM