Hi Adam
Sorry to only answer you now. I use pfSense, but I do not know of firewalls that like wildcards in FQDNs.
I have been pressed for time, so only now have I continued with my WSUS project.
I have now tried to set up what you described above, but only with some success.
I have made an OU hierarchy:
Company-Computers (placed at the root in the domain)
-WSUS-Controled
--Servers01h
--Servers02h
I have then in WSUS made similar groups under All Computers,
where I have made a group E-Computers.
Under this group I have made the following groups:
-Servers01h
-Servers02h
I have now made GPOs like you describe and linked them to:
WSUS-Controled (Location)
-Servers01h (Specific for AM 01)
-Servers02h (Specific for AM 02)
And when I check the result on the TestServer with rsop.msc, the GPO looks precisely as I have specified.
But in WSUS under "All Computers" I can only see servers in the OU "Computers". But as I have moved TestServer to Server01h,
it does not show up anywhere.
When I force it to run an update, it runs for some time and stops with an error (0x8024401c). I can see with netstat -a -b that it connects to the WSUS server over port 8530, so that is also correct.
Only after I ran this command many times did it work:
wuauclt /reportnow /detectnow
Is this normal?
Also, what about DCs? Should I under Domain Controllers make an OU hierarchy like
-Update01h (Link them to the same GPO Servers01h)
-Update02h (Link them to the same GPO Servers02h)
And then place half of the DCs in Update01h and the other half in Update02h so not all DCs will reboot at the same time.
Regards
Henning
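The question above is about client-side targeting: the GPO has to write the WSUS server URL and the target group name into the Windows Update policy registry keys before the machine can appear in the right WSUS group. The following PowerShell check is an added example and is not the poster's own code; it reads those policy keys on a client, compares them with the values the GPO is supposed to deliver, and tests TCP reachability of the WSUS port. The server URL `http://wsus.example.local:8530` and the group name `Servers01h` are placeholders for this environment and must be edited to match the GPO.

```powershell
# Added example: verify what the WSUS client-side targeting GPO actually
# delivered to this machine before forcing another detection cycle.
# $ExpectedServer and $ExpectedGroup are placeholders; set them to the
# values configured in the GPO linked to the OU this computer sits in.
$ExpectedServer = 'http://wsus.example.local:8530'
$ExpectedGroup  = 'Servers01h'

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

if (-not (Test-Path $wuKey)) {
    Write-Warning "No WindowsUpdate policy key found; the GPO has not applied yet (run gpupdate /force and check rsop.msc)."
    return
}

$wu = Get-ItemProperty -Path $wuKey
$au = if (Test-Path $auKey) { Get-ItemProperty -Path $auKey } else { $null }

# Each entry is one setting the GPO must deliver for client-side targeting to work.
$checks = [ordered]@{
    'WUServer matches expected URL'       = ($wu.WUServer -eq $ExpectedServer)
    'WUStatusServer matches expected URL' = ($wu.WUStatusServer -eq $ExpectedServer)
    'TargetGroupEnabled is 1'             = ($wu.TargetGroupEnabled -eq 1)
    'TargetGroup matches expected group'  = ($wu.TargetGroup -eq $ExpectedGroup)
    'AU\UseWUServer is 1'                 = ($null -ne $au -and $au.UseWUServer -eq 1)
}

foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { 'OK  ' } else { 'FAIL' }
    Write-Output ("{0}  {1}" -f $state, $c.Key)
}
Write-Output ("Current values: WUServer='{0}' TargetGroup='{1}'" -f $wu.WUServer, $wu.TargetGroup)

# Confirm the client can reach the WSUS port the policy points at (the poster
# used netstat for this; Test-NetConnection gives a direct yes/no).
$uri = [uri]$ExpectedServer
$tcp = Test-NetConnection -ComputerName $uri.Host -Port $uri.Port -WarningAction SilentlyContinue
Write-Output ("TCP {0}:{1} reachable: {2}" -f $uri.Host, $uri.Port, $tcp.TcpTestSucceeded)

# Only once every check reports OK is it worth forcing a new report. After a
# target-group change the documented sequence is:
#   wuauclt /resetauthorization /detectnow
```

Two caveats that the registry check cannot see: the WSUS console itself must be set to "Use Group Policy or registry settings on computers" (Options > Computers), otherwise the TargetGroup value is ignored and the machine stays under the server-side default group; and 0x8024401c is an HTTP request-timeout class error from the update agent, so if the TCP test passes but detection still times out, the WSUS IIS application pool and its memory limits are the next thing to look at rather than the GPO.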