WSUS 4.0 and Windows 10 Enterprise 1607 and Windows Updates; GPO to fully control updates??

Copper Contributor

So does anyone know how we can fully control windows updates and office 2016 updates via WSUS and still allow Windows Store updates from microsoft? These policies seem to be directly related and reliant upon each other vs having the ability to use WSUS for windows updates/office updates and then allow Store to update via microsoft.  


We consider Windows Store to be more BYOD in that apps are sandboxed, consumer orientated whereas windows updates should be managed by WSUS.  We have a ticket open w/Premiere support but the more we dig the more it seems that NO ONE knows how Windows 10 Enterprise, Windows Updates and WSUS work.   


Our policies are not being abided by; today we have a ton of win10 computers we just rolled out yesterday get windows updates even though we have set the appropriate GPO for fridays only.  WE.ARE.LOSING.OUR.MINDS and very concerned that our users w/win10 will get the creators update before we even can vett it; we have lost all faith in Microsoft's testing of patches w/the Feb issues and now the office 2016 updates in march (KB3178674)



The funny thing is that we hadn't noticed windows 10 machines not abiding by the rules until the infamous Office 2016 Word patches in March that broke subscript/superscript in footers hit all of our windows 10 machines even though we were blocking this update in WSUS.  More IT admins are starting to realize this now that the bad patch slipped through in March 2017 and are getting a bit freaked out that even though we have WSUS stood up and GPO configured; windows updates are getting past wsus w/o approval and into the users machines.


This issue with WSUS and no one at microsoft knowing how it truelly works is going to keep inflating as more and more companies finally deploy win10 this year and get a bad patch they never approved.  So, my question is: what settings/policies are you using to make sure Windows 10 enterprise edition only gets approved updates from WSUS 4.0?


We are running these settings:


WSUS 4.0 on a freshly build Windows Server 2016 (built in mid march 2017)

Windows 10 Enterprise Edition OS on workstations configured to be CBB w/180days deferral.

GPO configured as follows:
Computer Policy, assigned to our Win10 IT OU (for testing) with these options:

Setting Comment
Specify settings for optional component installation and component repair Enabled  
Alternate source file path    
Never attempt to download payload from Windows Update Disabled  
Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) Enabled  
Setting Comment
Download Mode Enabled  
Download Mode: Group  
Setting Comment
Turn off the offer to update to the latest version of Windows Enabled  
Setting Comment
Always automatically restart at the scheduled time Disabled  
Automatic Updates detection frequency Enabled  
Check for updates at the following  
interval (hours): 1  
Policy Setting Comment
Configure Automatic Updates Enabled  
Configure automatic updating: 4 - Auto download and schedule the install  
The following settings are only required and applicable if 4 is selected.  
Install during automatic maintenance Disabled  
Scheduled install day: 0 - Every day  
Scheduled install time: 12:00  
Install updates for other Microsoft products Disabled  
Policy Setting Comment
Configure auto-restart reminder notifications for updates Enabled  
Specify the style used for auto-restart reminder notifications:  
Style: 2 - Partial Screen  
Specify the period for auto-restart reminder notifications:  
Period (min): 60  
Policy Setting Comment
Configure auto-restart required notification for updates Enabled  
Specify the method by which the auto-restart required notification is dismissed:  
Method: 2 - User Action  
Policy Setting Comment
Configure auto-restart warning notifications schedule for updates Enabled  
Specify the period for auto-restart warning reminder notifications:  
Reminder (hours): 4  
Specify the period for auto-restart immiment warning notifications:  
Warning (mins): 15  
Policy Setting Comment
Do not connect to any Windows Update Internet locations Enabled  
Do not include drivers with Windows Updates Enabled  
Enable client-side targeting Enabled  
Target group name for this computer IT;Workstations  
Policy Setting Comment
Remove access to use all Windows Update features Disabled  
Specify deadline before auto-restart for update installation Disabled  
Specify intranet Microsoft update service location Enabled  
Set the intranet update service for detecting updates: http://ourinhouseWSUSserver:8530  
Set the intranet statistics server: http://ourinhouseWSUSserver:8530  
Set the alternate download server:    
(example: http://IntranetUpd01)  
Policy Setting Comment
Turn off auto-restart for updates during active hours Enabled  
Active Hours  
Start: 7:00 AM  
End: 6:00 PM  
Setting Comment
Select when Feature Updates are received Enabled  
Select the branch readiness level for the feature updates you want to receive: Current Branch for Business  
After a feature update is released, defer receiving it for this many days: 180  
Pause Feature Updates starting 3/30/2017  
(format yyyy-mm-dd example: 2016-09-16)  
3 Replies
NOTE; the users GPO object for this is set to be Friday only (our GPO for IT is set to any day since we want to test asap)

Regarding the Store there are 2 settings, one for the user and one for the computer. If I remember the discussion correctly, allow the computer and it will update the built-in Store apps.


I believe by enabling the defer updates part for CBB that it will check from Microsoft for updates. It's part of a dual scan "feature" of 1607. 1703 will will make this more clear. I do not have those settings enabled and the computers just get updates from WSUS.

Hi James,


Well my worst fear happened and the creators update installed on my computer with out asking me to install it, and I haev not approved it in WSUS.


I have read various stuff on the internet and posted on reddit forums.


There are articles that seem to say that certain GPO settings don't apply when your using WSUS and windows 10 and are more designed for Windows machines that get updates online.


See here:


In particular "We also recommend that you do not use these new settings with WSUS/SCCM."


In additon, I have found another site talking about "Dual scan" where its checking online  for updates


Your GPO is very similar to mine. I have the same options set. However, I am going to change the following (which is set how yours is): 


ENABLE: Never attempt to download payload from Windows Update

DISABLE: Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)

100 (BITS DOWNLOADS): Download Mode