Disable WSUS on mobile computers

Frankie23

Hope you guys can help -

I want to disable WSUS completely on my mobile workstations connecting to my network over 3G, to avoid these computers downloading megs and megs worth of updates over 3G.

I have a local WSUS server where I manually move computers out of the "Unassigned Computers" group where/if required.

I have a system-wide WSUS GPO, where the update site points to my local WSUS server. I've also disabled/removed all the GPO Windows Update settings I could find that look like they might cause a computer to download Windows updates.

These mobile computers must not attempt to check for or download Windows updates at all, whether from the internet or from my local WSUS server.

Workstations are mostly Win7, with a handful of XP and one Win8.1 machine.

Thanks!
 
Well, unless you have something to enforce it, like in Windows AD, the user will always be able to click update from internet...

You get software, but good ones are paid solutions...

Or you will just have to lock down the users' permissions on said system as much as you can, but it's going to be really hard...

There is an option where you can set it to not update unless you specify it must.

But in general it's going to be hard to enforce unless you have a system in place that restricts what your users can do.
 
What you can do is to put a bogus IP into the WSUS registry settings.

It will keep on checking for updates, but won't get any.

Create a new GPO with the bogus WSUS settings. Create a new group, and add the mobile workstations to this group.

Then assign the GPO to the new group.
 
Like the guys above said, not going to be easy. We had the same issue; in the end we got a private APN, so no need to VPN in anymore. Then I just blocked all traffic between the APN range and the WSUS server IP (FortiGate firewall between internal network and private APN network, but just routing traffic, not natting it).

Also blocked any file downloads from internet for the APN range, as their breakout is now also out over the FortiGate on another port.

So essentially the 3G clients are on our internal network as soon as they connect their 3G connection, and stricter firewall policies apply to their internet traffic to curb nasty surprises.
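
An added example, not written by anyone in the thread: for the reply that suggests a separate GPO pointing the WSUS registry settings at a bogus address, this PowerShell script reads the standard Windows Update policy values on a workstation and reports whether that redirect is actually in effect. `$ExpectedServer` is a hypothetical placeholder for whatever address your GPO sets.

```powershell
# Added example (not from the thread): report the Windows Update policy values
# that a WSUS GPO writes, to confirm what a mobile workstation really received.
param(
    # Hypothetical placeholder for the unreachable address set in the mobile GPO.
    [string]$ExpectedServer = 'http://wsus-placeholder.invalid'
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue([string]$Path, [string]$Name) {
    # $null means the key or value is absent, i.e. the policy is not configured.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) {
        $prop = $item.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return $null
}

$wuServer     = Get-PolicyValue $wuKey 'WUServer'
$statusServer = Get-PolicyValue $wuKey 'WUStatusServer'
$useWuServer  = Get-PolicyValue $auKey 'UseWUServer'
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'

$findings = @()
if ($useWuServer -ne 1) {
    # Without UseWUServer=1 the WUServer value is ignored and the client
    # contacts Microsoft's public update service instead.
    $findings += 'UseWUServer is not 1: WUServer is ignored, client uses public Windows Update'
} elseif ($wuServer -ne $ExpectedServer -or $statusServer -ne $ExpectedServer) {
    $findings += "WUServer/WUStatusServer do not both match $ExpectedServer"
}
if ($noAutoUpdate -ne 1) {
    # Informational: scans keep running and simply fail against the bogus server.
    $findings += 'NoAutoUpdate is not 1: Automatic Updates still schedules scans'
}

$svc = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$svcStatus = 'not found'
if ($svc) { $svcStatus = $svc.Status }

"Computer: $env:COMPUTERNAME"
"WUServer=$wuServer WUStatusServer=$statusServer UseWUServer=$useWuServer NoAutoUpdate=$noAutoUpdate"
"wuauserv service: $svcStatus"
if ($findings.Count -eq 0) { 'OK: redirect policy is in effect' } else { $findings }
```

Run it in an elevated or normal prompt after `gpupdate /force`; collecting the output per machine also gives you a list of the workstations that are deliberately held back from updates.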
 