HenningSvane-7883 asked

How to disable "Windows Update managed by your organization"

Hi
I would like to disable "Windows Update managed by your organization", as it never worked as intended, so that it is possible to manage the client locally again.
I have disabled the GPO I created for WSUS. I have checked on the client whether the GPO setting is enabled, and it is not.
But Windows Update still says "Windows Update managed by your organization".

So how can I get control of Windows Update again?

Regards
Henning

windows-server-update-services

AJTek-Adam-J-Marshall answered

To answer your question directly, use GPO Preferences to delete the following registry key once.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Also, why not set up WSUS? See my guide on how to do that easily and manage your updates like a pro.

https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/

Part 4 has the GPO policies, part 5 shows you how to link it to your OUs for an inheritance setup.

If you set it up like my guide, you'll spend 5-15 minutes a month approving the updates to both a test group, and then to the production group.
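The one-time registry deletion Adam describes, as an added PowerShell example (this is not code from the thread or from Adam's guide). It lists what the policy key currently enforces, exports a backup so the change can be reverted, removes the key with its AU subkey, and restarts the Windows Update service so the client re-reads its configuration. Run it elevated on the client; the backup file name is an assumption.

```powershell
# Added example: remove the machine-wide Windows Update policy key so the client
# falls back to its local (non-managed) configuration. Run from an elevated
# PowerShell on the affected client. The registry paths are the standard policy
# locations; the backup file name is an assumption.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$BackupFile = Join-Path $env:TEMP ('WindowsUpdatePolicy-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

if (-not (Test-Path $PolicyKey)) {
    Write-Host "No policy key at $PolicyKey - Windows Update is not policy-managed on this host."
    return
}

# Show what is enforced before touching anything. WUServer/UseWUServer are the
# values that point the client at a WSUS server; the AU values come from
# "Configure Automatic Updates". Anything listed here is still being written by
# some policy source, so the key will come back if that source is still applied.
Write-Host "Current WindowsUpdate policy values:"
Get-ItemProperty -Path $PolicyKey |
    Format-List WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
if (Test-Path "$PolicyKey\AU") {
    Write-Host "Current AU policy values:"
    Get-ItemProperty -Path "$PolicyKey\AU" |
        Format-List NoAutoUpdate, AUOptions, UseWUServer, ScheduledInstallDay, ScheduledInstallTime
}

# Export the whole key first so the state can be restored with 'reg import'.
& reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' $BackupFile /y | Out-Null
Write-Host "Backup written to $BackupFile"

# The one-time deletion: the key and every subkey (AU included).
Remove-Item -Path $PolicyKey -Recurse -Force

# The service caches its policy, so restart it and ask for a fresh detection.
Restart-Service -Name wuauserv -Force
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
Write-Host "Policy key removed; Windows Update will now use local settings."
```

The listing step matters: if any value is still present after a `gpupdate /force`, a policy source is still writing it, and deleting the key by hand only helps until the next policy refresh. In that case unlink or remove the GPO (or use the GPO Preferences one-time delete Adam suggests) rather than repeating the deletion.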


HenningSvane-7883 answered

Hi Adam
Thanks for your answer.
OK, that was simple: just delete the registry key and subkey.

Then to your question.
As Windows Update uses an unknown number of FQDNs to download updates from, it is not possible to make outgoing firewall rules.
So the idea is to put a WSUS in a DMZ where it can download from all these unknown FQDNs,
and then download from the WSUS on the LAN, but I want to specify when each server must automatically reboot in the night.
This I cannot control in WSUS, or I need to make groups for each different hour in the night. This is an idea I just got now, so I have to look into it.
I am also interested in the updates being installed when they are released by Microsoft, not at a later point.
So this is not about controlling many servers (max 20 servers), but only about limiting/preventing internet access for servers that have nothing to do on the internet. If Microsoft had chosen a more firewall-friendly FQDN setup for Windows Update, this would not have been necessary.
E.g. a file server has nothing to do on the internet, but because of updates it does. Exchange servers (DAG) should have limited access, and so on. But today they have full access, and that is not secure, especially not with all the talent there is in some countries. :-(

I will read your guide to see if it can inspire me in how to do what I am trying to do.

Thanks
Henning


AJTek-Adam-J-Marshall answered

You can do what you want. I have to take some time to update my blog series to include this type of setup, but the idea is: you make rings with GROUPS, and you make a new GPO and assign that group to that GPO. You make the GPO with automatic updates and restart, but install at time slot 1 (let's say 1 AM); then the next ring installs at 5 AM; and the last ring, which is what I have already set up in my blog series, is manual, for those systems that need manual touches after the fact, or that are mission critical so that someone has to be there to verify they come back up.

Then you assign your computers to each of the groups, and they get the policies that you've laid out.

As for firewall settings for WSUS to download updates from Microsoft, here's the link to the sites you need to whitelist.

https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet
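The ring setup Adam describes (one GPO per ring, each with its own install hour and WSUS group, linked to its own OU), as an added PowerShell example that is not from the thread or from Adam's blog series. It uses the GroupPolicy module's `Set-GPRegistryValue` to write the registry-backed policy values behind "Specify intranet Microsoft update service location", "Enable client-side targeting" and "Configure Automatic Updates". The WSUS URL `http://wsus.corp.example:8530`, the domain `DC=corp,DC=example`, and the OU, GPO and group names are assumptions.

```powershell
# Added example (not the thread's or Adam's own code): build per-ring Windows
# Update GPOs with the GroupPolicy module (RSAT / GPMC). Each ring gets its own
# GPO that points at the same WSUS server, sets a different scheduled install
# hour, and enables client-side targeting so the ring's machines report into a
# WSUS computer group of the same name.
# Assumptions: WSUS at http://wsus.corp.example:8530, domain DC=corp,DC=example,
# and the OU/GPO/group names below. Run as an account allowed to create and link GPOs.

Import-Module GroupPolicy

$WsusUrl   = 'http://wsus.corp.example:8530'
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"
$BaseOu    = 'OU=WSUS-Controlled,OU=Company-Computers,DC=corp,DC=example'

# One entry per ring. Hour is the scheduled install/restart hour (0-23);
# $null means "download and notify only" for systems that need a person present.
$Rings = @(
    @{ Name = 'WSUS - Servers01h'; OU = "OU=Servers01h,$BaseOu"; Group = 'Servers01h'; Hour = 1     },
    @{ Name = 'WSUS - Servers05h'; OU = "OU=Servers05h,$BaseOu"; Group = 'Servers05h'; Hour = 5     },
    @{ Name = 'WSUS - Manual';     OU = "OU=Manual,$BaseOu";     Group = 'Manual';     Hour = $null }
)

# Small wrapper so each policy value below is one readable line.
function Set-WuPolicy {
    param([string]$Gpo, [string]$Key, [string]$Name, [object]$Value, [string]$Type = 'DWord')
    Set-GPRegistryValue -Name $Gpo -Key $Key -ValueName $Name -Type $Type -Value $Value | Out-Null
}

foreach ($ring in $Rings) {
    $gpo = Get-GPO -Name $ring.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $ring.Name }
    $g = $gpo.DisplayName

    # "Specify intranet Microsoft update service location"
    Set-WuPolicy $g $PolicyKey 'WUServer'       $WsusUrl -Type String
    Set-WuPolicy $g $PolicyKey 'WUStatusServer' $WsusUrl -Type String
    Set-WuPolicy $g $AuKey     'UseWUServer'    1

    # "Enable client-side targeting": the WSUS computer group this ring reports into.
    Set-WuPolicy $g $PolicyKey 'TargetGroupEnabled' 1
    Set-WuPolicy $g $PolicyKey 'TargetGroup'        $ring.Group -Type String

    # "Configure Automatic Updates"
    Set-WuPolicy $g $AuKey 'NoAutoUpdate' 0
    if ($null -ne $ring.Hour) {
        # Option 4: auto download and schedule the install, every day (0) at the
        # ring's hour. The last two values make the scheduled restart happen even
        # when someone is logged on, which an unattended night slot needs.
        Set-WuPolicy $g $AuKey 'AUOptions'                       4
        Set-WuPolicy $g $AuKey 'ScheduledInstallDay'             0
        Set-WuPolicy $g $AuKey 'ScheduledInstallTime'            $ring.Hour
        Set-WuPolicy $g $AuKey 'NoAutoRebootWithLoggedOnUsers'   0
        Set-WuPolicy $g $AuKey 'AlwaysAutoRebootAtScheduledTime' 1
    } else {
        # Option 3: auto download, notify for install; no scheduled restart.
        Set-WuPolicy $g $AuKey 'AUOptions' 3
    }

    # Link the GPO to its ring OU, skipping rings that are already linked.
    $linked = (Get-GPInheritance -Target $ring.OU).GpoLinks |
        Where-Object { $_.DisplayName -eq $g }
    if (-not $linked) { New-GPLink -Name $g -Target $ring.OU -LinkEnabled Yes | Out-Null }
    "Configured $g -> $($ring.OU) (WSUS group $($ring.Group))"
}
```

Two things have to be true on the WSUS side for the `TargetGroup` value to do anything: the computer groups must already exist in the console with exactly these names, and Options > Computers must be set to "Use Group Policy or registry settings on computers". Otherwise every client lands in Unassigned Computers regardless of what the GPO says.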


HenningSvane-7883 answered

Hi Adam
Yes, that was what I was thinking when I wrote to you, but as I have not tried it before, I was not sure it would work.

I know the link you mention, but none of these is an FQDN:
http://*.windowsupdate.microsoft.com

https://*.windowsupdate.microsoft.com

http://*.update.microsoft.com

https://*.update.microsoft.com

http://*.windowsupdate.com

http://*.download.windowsupdate.com

So it is not possible to make firewall rules for these "*.FQDN" entries.

I will try to play with the idea, but I look forward to your coming blog post about this.

Regards
Henning


AJTek-Adam-J-Marshall answered

What firewall are you using? There is likely a way to do it with wildcards.


HSvane-8971 answered

Hi Adam
Sorry to answer you only now. I use pfSense, but I do not know of firewalls that accept wildcards in FQDNs.

I have been pressed for time, so only now have I continued with my WSUS project.
I have now tried to set up what you described above, but with only some success.
I have made an OU hierarchy:
Company-Computers (placed at the root of the domain)
-WSUS-Controlled
--Servers01h
--Servers02h
I have then in WSUS made similar groups under All Computers,
where I have made a group E-Computers.
Under this group I have made the following groups:
-Servers01h
-Servers02h

I have now made GPOs like you describe and linked them to:
WSUS-Controlled (location)
-Servers01h (specific for 01 AM)
-Servers02h (specific for 02 AM)

And when I check the result on the TestServer with rsop.msc, the GPO looks precisely as I specified.

But in WSUS under "All Computers" I can only see servers in the OU "Computers". As I have moved TestServer to Servers01h,
it does not show up anywhere.

When I force it to run an update, it runs for some time and stops with an error (0x8024401c). I can see with netstat -a -b that it connects to the WSUS server over port 8530, so that is also correct.

Only after I ran this command many times did it work:
wuauclt /reportnow /detectnow
Is this normal?

Also, what about DCs? Should I, under Domain Controllers, make an OU hierarchy like
-Update01h (linked to the same GPO as Servers01h)
-Update02h (linked to the same GPO as Servers02h)
and then place half of the DCs in Update01h and the other half in Update02h, so not all DCs reboot at the same time?

Regards
Henning
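Client-side checks for the two symptoms in the post above (a machine that does not appear in the WSUS console, and a scan that ends in 0x8024401c), as an added PowerShell example that is not from the thread. 0x8024401C is WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT, the client's mapping of HTTP 408: the TCP connection to port 8530 succeeds, but the WSUS web service does not answer the request in time, so a port test alone proves little. The script reads the policy the client actually applied, probes the WSUS client web service over HTTP, prints the SusClientId (cloned VMs or template builds that share one SusClientId overwrite each other in the console, so only one of them is visible), and then triggers detection and reporting through the Windows Update API. The optional identity reset at the end is the standard procedure for a duplicated SusClientId and is left commented out; whether that is the cause on any given client is an assumption to verify first.

```powershell
# Added example (not from the thread): diagnose a client that is missing from
# the WSUS console or fails its scan with 0x8024401c. Run elevated on the
# client after 'gpupdate /force'. The only write is the optional reset at the end.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$StateKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

# 1. The WSUS configuration the client actually applied (what rsop.msc should match).
$pol = Get-ItemProperty -Path $PolicyKey      -ErrorAction Stop
$au  = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction Stop
[pscustomobject]@{
    WUServer             = $pol.WUServer
    UseWUServer          = $au.UseWUServer
    TargetGroupEnabled   = $pol.TargetGroupEnabled
    TargetGroup          = $pol.TargetGroup
    AUOptions            = $au.AUOptions
    ScheduledInstallTime = $au.ScheduledInstallTime
} | Format-List

# 2. Reachability beyond the TCP handshake. 0x8024401c (HTTP 408) means the
#    socket opened but the ClientWebService did not answer in time, typically a
#    WSUS application pool that is recycling, out of memory, or bogged down.
$uri = [uri]$pol.WUServer
Test-NetConnection -ComputerName $uri.Host -Port $uri.Port |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
try {
    $r = Invoke-WebRequest -Uri "$($pol.WUServer)/ClientWebService/client.asmx" -UseBasicParsing -TimeoutSec 30
    "ClientWebService answered HTTP $($r.StatusCode) in time"
} catch {
    "ClientWebService request failed: $($_.Exception.Message)"
}

# 3. The identity WSUS uses to list this computer. Two machines with the same
#    SusClientId (cloned VMs, template builds) take turns replacing each other
#    in the console, so one of them always seems to be missing.
$state = Get-ItemProperty -Path $StateKey
"SusClientId = $($state.SusClientId)"

# 4. Ask for a detection and a status report through the API once, instead of
#    repeating wuauclt until it happens to succeed.
(New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
& wuauclt.exe /reportnow

# 5. Optional: reset the client identity when step 3 shows a duplicate across
#    machines. Uncomment to run; the client re-registers with a new SusClientId.
# Stop-Service -Name wuauserv -Force
# Remove-ItemProperty -Path $StateKey -Name SusClientId, SusClientIdValidation -ErrorAction SilentlyContinue
# Start-Service -Name wuauserv
# & wuauclt.exe /resetauthorization /detectnow
```

Compare the SusClientId across the servers that were built from the same image; if two match, the reset in step 5 on all but one of them is the fix, and no amount of `/reportnow` will make both appear at once.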


AJTek-Adam-J-Marshall answered

HSvane-8971 commented

Hi Adam

1)
WSUS is running now, and I have used your "setup" from 'WSUS – Workstations', but it will not automatically reboot.
Configure Automatic Updates: Enabled
Configure automatic updating: 4
Install during automatic maintenance: DISABLED
Scheduled install day: 0 – Every day
Scheduled install time: 02:00
Install updates for other Microsoft products: Disabled

So I have to manually install the downloaded updates and restart the servers.
What am I missing?

Also, some upgrades will not be installed, and yes, they have been downloaded. See picture. I cannot see what I am missing. Also, all the updates to the built-in virus shield will not install. All have been approved.

Regards
Henning

HSvane-8971 answered

Continue:
2)
I am trying to run the cleanup job, but it fails all the time. Would your script run without the same problem with a DB that stops responding? At this point the WSUS DB uses around 620 GB of storage. The virtual server has 4 vCPUs and 16 GB of RAM.
The cleanup job uses all CPU resources when it runs.

And how can I make the WSUS DB stable?

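A staged alternative to the cleanup wizard for a database that has grown this far, as an added PowerShell example that is not from the thread and is not Adam's script. The wizard runs every cleanup step in one pass, and on a large SUSDB the "obsolete updates" step alone can run long enough for the console to time out. Declining superseded updates first, and then invoking the cleanup steps one at a time with the UpdateServices module, keeps each transaction small and lets a failed step be rerun on its own. It assumes it is run elevated on the WSUS server itself, with WSUS on the default HTTP port 8530; the 30-day age threshold is an assumption.

```powershell
# Added example (not from the thread): staged WSUS maintenance with the
# UpdateServices module, run elevated on the WSUS server. Each step is a
# separate call so a timeout in one does not roll back the others.
# Assumptions: WSUS on localhost:8530 without SSL; 30 days is the grace period
# before a superseded update is declined.

Import-Module UpdateServices

$wsus = Get-WsusServer -Name 'localhost' -PortNumber 8530

# Stage 1: decline superseded updates that are older than the grace period.
# Approved-but-superseded updates are what keep the DB and content store large;
# the grace period gives clients time to report the superseding update first.
$cutoff = (Get-Date).AddDays(-30)
$superseded = $wsus.GetUpdates() | Where-Object {
    -not $_.IsDeclined -and $_.IsSuperseded -and $_.CreationDate -lt $cutoff
}
"Declining $($superseded.Count) superseded updates older than $($cutoff.ToShortDateString())"
$n = 0
foreach ($u in $superseded) {
    $u.Decline()
    $n++
    if (($n % 200) -eq 0) { "  $n declined so far" }
}

# Stage 2: the wizard's steps, one at a time, cheapest first. Each call is its
# own transaction; if one fails, rerun just that one rather than the whole set.
$steps = @(
    @{ Label = 'Decline expired';        Args = @{ DeclineExpiredUpdates     = $true } },
    @{ Label = 'Decline superseded';     Args = @{ DeclineSupersededUpdates  = $true } },
    @{ Label = 'Obsolete computers';     Args = @{ CleanupObsoleteComputers  = $true } },
    @{ Label = 'Unneeded content files'; Args = @{ CleanupUnneededContentFiles = $true } },
    @{ Label = 'Obsolete updates';       Args = @{ CleanupObsoleteUpdates    = $true } },
    @{ Label = 'Compress updates';       Args = @{ CompressUpdates           = $true } }
)
foreach ($step in $steps) {
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $result = Invoke-WsusServerCleanup -UpdateServer $wsus @($step.Args)
        "$($step.Label): $result ($([int]$sw.Elapsed.TotalMinutes) min)"
    } catch {
        "$($step.Label) FAILED after $([int]$sw.Elapsed.TotalMinutes) min: $($_.Exception.Message)"
    }
}
```

Run stage 1 repeatedly, with a shorter grace period each time, until the count of superseded updates is small before attempting the "Obsolete updates" step; that step is the one that exhausts a 4 vCPU box, and its cost is proportional to how much stage 1 has already declined. Reindexing SUSDB after a large decline also belongs in the same maintenance window, since the cleanup queries run against indexes that are badly fragmented by that point.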

HSvane-8971 answered

[Attachment: wsus.png]

Picture for the above question.