04-06-2017 12:46 PM - last edited on 04-07-2017 11:50 AM by Michael Holste
So does anyone know how we can fully control Windows updates and Office 2016 updates via WSUS and still allow Windows Store updates from Microsoft? These policies seem to be directly related and reliant upon each other vs. having the ability to use WSUS for Windows updates/Office updates and then allow the Store to update via Microsoft.
We consider the Windows Store to be more BYOD in that apps are sandboxed and consumer orientated, whereas Windows updates should be managed by WSUS. We have a ticket open w/Premier support, but the more we dig the more it seems that NO ONE knows how Windows 10 Enterprise, Windows Updates and WSUS work.
Our policies are not being abided by; today a ton of Win10 computers we just rolled out yesterday got Windows updates even though we have set the appropriate GPO for Fridays only. WE.ARE.LOSING.OUR.MINDS and are very concerned that our users w/Win10 will get the Creators Update before we can even vet it; we have lost all faith in Microsoft's testing of patches after the Feb issues and now the Office 2016 updates in March (KB3178674).
The funny thing is that we hadn't noticed Windows 10 machines not abiding by the rules until the infamous Office 2016 Word patches in March that broke subscript/superscript in footers hit all of our Windows 10 machines, even though we were blocking this update in WSUS. More IT admins are starting to realize this now that the bad patch slipped through in March 2017 and are getting a bit freaked out that, even though we have WSUS stood up and GPO configured, Windows updates are getting past WSUS w/o approval and onto the users' machines.
This issue with WSUS, and no one at Microsoft knowing how it truly works, is going to keep inflating as more and more companies finally deploy Win10 this year and get a bad patch they never approved. So, my question is: what settings/policies are you using to make sure Windows 10 Enterprise edition only gets approved updates from WSUS 4.0?
We are running these settings:
WSUS 4.0 on a freshly built Windows Server 2016 (built in mid-March 2017)
Windows 10 Enterprise Edition OS on workstations configured to be CBB w/180 days deferral.
GPO configured as follows:
Computer Policy, assigned to our Win10 IT OU (for testing) with these options:
| Policy / setting | Value |
|---|---|
| Specify settings for optional component installation and component repair | Enabled |
| Alternate source file path | |
| Never attempt to download payload from Windows Update | Disabled |
| Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS) | Enabled |
| Turn off the offer to update to the latest version of Windows | Enabled |
| Always automatically restart at the scheduled time | Disabled |
| Automatic Updates detection frequency | Enabled |
| Check for updates at the following | |
| Configure Automatic Updates | Enabled |
| Configure automatic updating: | 4 - Auto download and schedule the install |
| The following settings are only required and applicable if 4 is selected. | |
| Install during automatic maintenance | Disabled |
| Scheduled install day: | 0 - Every day |
| Scheduled install time: | 12:00 |
| Install updates for other Microsoft products | Disabled |
| Configure auto-restart reminder notifications for updates | Enabled |
| Specify the style used for auto-restart reminder notifications: | |
| Style: | 2 - Partial Screen |
| Specify the period for auto-restart reminder notifications: | |
| Configure auto-restart required notification for updates | Enabled |
| Specify the method by which the auto-restart required notification is dismissed: | |
| Method: | 2 - User Action |
| Configure auto-restart warning notifications schedule for updates | Enabled |
| Specify the period for auto-restart warning reminder notifications: | |
| Specify the period for auto-restart imminent warning notifications: | |
| Do not connect to any Windows Update Internet locations | Enabled |
| Do not include drivers with Windows Updates | Enabled |
| Enable client-side targeting | Enabled |
| Target group name for this computer | IT;Workstations |
| Remove access to use all Windows Update features | Disabled |
| Specify deadline before auto-restart for update installation | Disabled |
| Specify intranet Microsoft update service location | Enabled |
| Set the intranet update service for detecting updates: | http://ourinhouseWSUSserver:8530 |
| Set the intranet statistics server: | http://ourinhouseWSUSserver:8530 |
| Set the alternate download server: | |
| Turn off auto-restart for updates during active hours | Enabled |
| Select when Feature Updates are received | Enabled |
| Select the branch readiness level for the feature updates you want to receive: | Current Branch for Business |
| After a feature update is released, defer receiving it for this many days: | 180 |
| Pause Feature Updates starting | 3/30/2017 |
| (format yyyy-mm-dd example: 2016-09-16) | |
04-06-2017 01:01 PM
04-07-2017 12:02 PM
Regarding the Store, there are 2 settings, one for the user and one for the computer. If I remember the discussion correctly, allow the computer one and it will update the built-in Store apps.
I believe that by enabling the defer updates part for CBB it will check Microsoft for updates. It's part of a dual scan "feature" of 1607. 1703 will make this more clear. I do not have those settings enabled and the computers just get updates from WSUS.
05-27-2017 11:25 PM - edited 05-27-2017 11:27 PM
Well, my worst fear happened and the Creators Update installed on my computer without asking me to install it, and I have not approved it in WSUS.
I have read various stuff on the internet and posted on reddit forums.
There are articles that seem to say that certain GPO settings don't apply when you're using WSUS and Windows 10 and are more designed for Windows machines that get updates online.
In particular: "We also recommend that you do not use these new settings with WSUS/SCCM."
In addition, I have found another site talking about "Dual scan", where it's checking online for updates.
Your GPO is very similar to mine. I have the same options set. However, I am going to change the following (which is set how yours is):
ENABLE: Never attempt to download payload from Windows Update
DISABLE: Download repair content and optional features directly from Windows Update instead of Windows Server Update Services (WSUS)
100 (BITS DOWNLOADS): Download Mode
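The replies above attribute the unapproved installs to 1607's "dual scan" behaviour: once the CBB deferral policies in the GPO table are set, a WSUS-managed client also scans Windows Update directly. The script below is an added example (not posted by anyone in this thread) that reads the registry values the Windows Update ADMX policies write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and flags that combination; it assumes a domain-joined client and an elevated prompt, and the DisableDualScan value only exists on builds that carry the newer "Do not allow update deferral policies to cause scans against Windows Update" policy.

```powershell
# Added example: audit the policy registry values behind the GPO settings in
# this thread and flag the 1607 dual-scan condition (WSUS configured AND
# feature-update deferral/pause set, while DisableDualScan is not 1).
$wuPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPath = Join-Path $wuPath 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$report = [ordered]@{
    WUServer                  = Get-PolicyValue $wuPath 'WUServer'
    WUStatusServer            = Get-PolicyValue $wuPath 'WUStatusServer'
    UseWUServer               = Get-PolicyValue $auPath 'UseWUServer'
    AUOptions                 = Get-PolicyValue $auPath 'AUOptions'
    ScheduledInstallDay       = Get-PolicyValue $auPath 'ScheduledInstallDay'
    DeferFeatureUpdates       = Get-PolicyValue $wuPath 'DeferFeatureUpdates'
    DeferFeatureUpdatesPeriod = Get-PolicyValue $wuPath 'DeferFeatureUpdatesPeriodInDays'
    BranchReadinessLevel      = Get-PolicyValue $wuPath 'BranchReadinessLevel'
    PauseFeatureUpdatesStart  = Get-PolicyValue $wuPath 'PauseFeatureUpdatesStartTime'
    DoNotConnectToWUInternet  = Get-PolicyValue $wuPath 'DoNotConnectToWindowsUpdateInternetLocations'
    DisableDualScan           = Get-PolicyValue $wuPath 'DisableDualScan'
}
[pscustomobject]$report | Format-List

# WSUS is in effect only when both the server URL and UseWUServer=1 are set
$usesWsus = ($report.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($report.WUServer)
# Any of the "Select when Feature Updates are received" values counts as a deferral policy
$hasDeferral = ($report.DeferFeatureUpdates -eq 1) -or
               ($null -ne $report.BranchReadinessLevel) -or
               ($null -ne $report.PauseFeatureUpdatesStart)

if ($usesWsus -and $hasDeferral -and ($report.DisableDualScan -ne 1)) {
    Write-Warning ('Dual-scan risk: WSUS is configured and feature-update deferral ' +
                   'policies are set, but DisableDualScan is not 1. The client may ' +
                   'scan Windows Update directly and install updates never approved in WSUS.')
} elseif ($usesWsus) {
    Write-Output 'WSUS configured with no deferral policies (or DisableDualScan=1); scans should stay on WSUS.'
} else {
    Write-Output 'No WSUS policy found; this client scans Windows Update directly.'
}
```

Run it on one of the affected Win10 machines and compare the printed values against the GPO table above; a gap between what the GPO shows and what the client holds points at policy application rather than dual scan.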