How to disable "Windows Update managed by your organization"

Henning Svane 26 Reputation points
2021-04-17T21:43:34.853+00:00

Hi
I would like to disable "Windows Update managed by your organization" as it never worked as intended,
so it is possible to manage the client locally again.
I have disabled the GPO I created for WSUS. I have checked on the client whether the GPO setting is enabled, and it is not.
But Windows Update still says "Windows Update managed by your organization".

So how can I get control of Windows Update again?

Regards
Henning


Accepted answer
  1. Adam J. Marshall 10,281 Reputation points MVP
    2021-04-18T00:44:13.587+00:00

    To answer your question directly, use GPO Preferences to delete the following registry key once.

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

    Also, why not set up WSUS - see my guide on how to do that easily and manage your updates like a Pro.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-1-choosing-your-server-os/

    Part 4 has the GPO policies, part 5 shows you how to link it to your OUs for an inheritance setup.

    If you set it up like my guide, you'll spend 5-15 minutes a month approving the updates to both a test group, and then to the production group.

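    The accepted answer deletes the policy key centrally with a Group Policy Preferences registry item. The following PowerShell is an added example (not code from the answer or from Microsoft) for doing the same check and removal locally on one client and, just as importantly, confirming afterwards that no still-linked GPO writes the key back. It assumes an elevated PowerShell session on the affected client; the key path is the one given in the answer, and the function names are this example's own.

    ```powershell
    # Added example: inspect, remove and re-verify the policy-backed Windows Update key
    # that makes a client report "managed by your organization".
    # Run in an elevated PowerShell session on the client.

    $PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

    function Get-WindowsUpdatePolicyState {
        # Returns whether the policy key exists and every value under it
        # (including the AU subkey, which carries the WSUS/auto-update settings).
        if (-not (Test-Path -Path $PolicyKey)) {
            return [pscustomobject]@{ Present = $false; Entries = @() }
        }
        $keys = @(Get-Item -Path $PolicyKey) + @(Get-ChildItem -Path $PolicyKey -Recurse)
        $entries = foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Key   = $key.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                    Name  = $name
                    Value = $key.GetValue($name)
                }
            }
        }
        [pscustomobject]@{ Present = $true; Entries = @($entries) }
    }

    function Remove-WindowsUpdatePolicyKey {
        # Deletes the key and its subkeys, then restarts the Windows Update service
        # so it re-reads its configuration. Supports -WhatIf for a dry run.
        [CmdletBinding(SupportsShouldProcess = $true)]
        param()
        if (-not (Test-Path -Path $PolicyKey)) {
            Write-Host 'Policy key not present; nothing to remove.'
            return
        }
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Remove registry key and all subkeys')) {
            Remove-Item -Path $PolicyKey -Recurse -Force
            Restart-Service -Name wuauserv -Force
        }
    }

    # 1. Show what policy currently controls Windows Update on this machine.
    $before = Get-WindowsUpdatePolicyState
    if ($before.Present) {
        Write-Host "Policy key present with $($before.Entries.Count) value(s):"
        $before.Entries | Format-Table -AutoSize
    } else {
        Write-Host 'No Windows Update policy key found; the client is not policy-managed.'
    }

    # 2. Dry run first; drop -WhatIf to actually delete the key.
    Remove-WindowsUpdatePolicyKey -WhatIf

    # 3. Verification step: force a policy refresh and look again. If the key
    #    reappears, a GPO linked to this computer still sets these values and
    #    must be unlinked or cleaned up; deleting the key alone will not stick.
    gpupdate /target:computer /force | Out-Null
    $after = Get-WindowsUpdatePolicyState
    if ($after.Present) {
        Write-Host 'Key is present after policy refresh: a linked GPO still applies Windows Update settings.'
    } else {
        Write-Host 'Key absent after policy refresh: Windows Update is under local control.'
    }
    ```

    The refresh-and-recheck at the end is what answers the original question: a disabled or unlinked GPO leaves the registry values it wrote in place (which is why the client kept saying it was managed), while a GPO that is still linked rewrites them on every refresh, in which case the preference item from the accepted answer would be deleting the key and the GPO recreating it in turn.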

8 additional answers

Sort by: Most helpful
  1. Adam J. Marshall 10,281 Reputation points MVP
    2021-04-18T15:10:02.453+00:00

    You can do what you want - I have to take some time to update my blog series to include this type of setup, but you make rings with GROUPS, and you make a new GPO and assign that group to that GPO - you make the GPO with automatic updates and restart, but install at time slot 1 (let's say 1AM), and then the next ring installs at 5AM, and the last ring - what I have already set up in my blog series - is manual for those systems that need manual touches after the fact, or if they are mission critical and someone has to be there to verify it comes back up.

    Then you assign your computers to each of the groups, and they get the policies that you've laid out.

    As for firewall settings for WSUS to download updates from Microsoft - here's the link to the sites you need to whitelist.

    https://learn.microsoft.com/en-us/windows-server/administration/windows-server-update-services/deploy/2-configure-wsus#211-connection-from-the-wsus-server-to-the-internet


  2. Henning Svane 26 Reputation points
    2021-04-18T08:39:53.923+00:00

    Hi Adam
    Thanks for your answer.
    Ok that was simple just to delete the registry key and subkey.

    Then to your question.
    As Windows Update uses an unknown number of FQDNs to download updates from, it is not possible to make outgoing firewall rules.
    So the idea is to put a WSUS in a DMZ where it can download from all these unknown FQDNs.
    Then from the LAN download from the WSUS, but I want to specify when each server must automatically reboot in the night.
    This I cannot control in WSUS, or I need to make groups for each different hour in the night. This is an idea I just got now, so I have to look into this.
    Also I am interested that the updates are installed when they are released from Microsoft, not at a later point.
    So this is not to control many servers (max 20 servers), but only to limit/prevent access to the internet for servers that do not have anything to do on the internet. If Microsoft had chosen to use a more firewall-friendly FQDN setup for Windows Update, this would not have been necessary.
    E.g. a file server does not have anything to do on the internet, but due to updates it does. Exchange servers (DAG) should have limited access and so on. But today they have full access and that is not secure, and especially not with all the talent there is in some countries. :-(

    I will read your guide to see if it can inspire me how to do what I try to do.

    Thanks
    Henning


  3. Henning Svane 26 Reputation points
    2021-04-18T21:37:02.06+00:00

    Hi Adam
    Yes, that was what I was thinking when I wrote to you, but as I have not tried it before, I was not sure it would work.

    I know of the link you mention, but all of these are not FQDNs:
    http://*.windowsupdate.microsoft.com

    https://*.windowsupdate.microsoft.com

    http://*.update.microsoft.com

    https://*.update.microsoft.com

    http://*.windowsupdate.com

    http://*.download.windowsupdate.com

    So it is not possible to make firewall rules for these "*.FQDN".

    I will try to play with the idea, but I look forward to your coming blog about this.

    Regards
    Henning


  4. Adam J. Marshall 10,281 Reputation points MVP
    2021-04-19T03:40:34.187+00:00

    What firewall are you using? There is likely a way to do it with wildcards.
