  • Brinkmann: Win10 1709 group policy setting incorrectly blocking cumulative updates?

    This topic contains 20 replies, has 13 voices, and was last updated by  PKCano 1 year, 10 months ago.

    • #147423 Reply

      woody
      Da Boss

      Martin Brinkmann has uncovered a very strange group policy behavior in Win10 Fall Creators Update, version 1709, and written about it on ghacks.

      NOTE: I moved the comments from @pkcano‘s earlier post on this same topic, over here, so you can see what everyone’s saying.

      Mea culpa!

      [See the full post at: Brinkmann: Win10 1709 group policy setting incorrectly blocking cumulative updates?]

    • #146584 Reply

      zero2dash
      AskWoody Lounger

      Well that’s just great.
      I no longer have the warm fuzzies about rolling out 1703 with those settings applied at home anymore. (Given MS’ penchant for screwing around with GP version to version, and stripping away functionality especially on the Pro SKU level, now I’m concerned this is a planned change and not an “oopsie”.)
      Ah fiddlesticks.

    • #146624 Reply

      abbodi86
      AskWoody_MVP

      I noticed in 1709 that the cumulative update is now delivered via the UUP mechanism (which is used for upgrades), not via standard WUA like other updates.

      Maybe that’s the cause of the conflict 🙂

      1 user thanked author for this post.
    • #146726 Reply

      anonymous

      I can confirm this also happens just by choosing to defer Feature Updates in the PC Settings app in 1709 (you don’t even have to go mucking about in the Group Policy Editor).

      Last week, no cumulative update was listed when I checked via wushowhide.cab, or when I actually went to install updates. Afterward I was still on 16299.15, and I didn’t even realize that I’d missed the update to 16299.19 until I found no trace of the latest update (16299.64). I had made some changes via gpedit, but only insomuch as setting WU to “disabled” so that I could use the troubleshooter to check for updates beforehand, as well as disabling driver updates. All other updates (Office, Flash, general Win10, etc.) were coming through just fine.

      Setting Defer Feature Updates back to “0” fixed the issue for me and allowed me to get the update to 16299.64.

       

      • #146786 Reply

        anonymous

        I also have this behaviour.

    • #146745 Reply

      Cybertooth
      AskWoody Lounger

      My new PC from HP arrived last week with FreeDOS installed, which was quickly turned into Kubuntu 16.04 LTS. Two days ago I brought Firefox “up to specs” with a little visual improvement and some security add-ons, and last night I finished pimping Kubuntu with glass window borders, a translucent taskbar, and Vista/Windows 7 window control buttons. I’m now in the process of making the final selections for the software that I will be using for work on a daily basis, and am pleased with the breadth of choices available thus far.

      The day after installing the OS, Linux simply informed me that there were (tons of) updates. It did not hijack my screen to insist that The Updates Must Be Installed Right Now!!! It did not order me to choose a time frame when I would have to let my machine reboot to complete the installation. Not totally familiar with the process yet, but I believe that (unlike Windows 10) Linux also refrained from that obnoxious “all or nothing” attitude on patching, and allowed me to pick and choose the updates that I wanted if I so preferred. Oh, and all of the updates just worked.

      Redmond, I am SOOOOOOO outta there. Thanks to your insufferable “we know what’s best for you” attitude, you have lost this 35-year customer and advocate.

       

      2 users thanked author for this post.
      • #147563 Reply

        DrBonzo
        AskWoody Plus

        It’s a wonderful thing, isn’t it? Your update experience mirrors mine. I’ve been running Ubuntu (no K in front) 16.04 on a couple of 8 year old laptops since August. I have updates set to notify me but I say when and what to install. No drama at all and works flawlessly. More than worth the effort a non-techie like me expended in getting it installed (and it really wasn’t all that hard). I’d do it all over again and I’d recommend to anyone who’s fed up with MS to switch to Ubuntu or one of its close relatives. Or, if your wallet allows and you want a ready-to-go computer right out of the box, get a Mac.

        2 users thanked author for this post.
      • #147755 Reply

        MrJimPhelps
        AskWoody_MVP

        My experience with Linux Mint is the same as yours with Kubuntu.

        If you want FreeDOS on your computer, you could install VMWare Workstation Player, and then set up a virtual machine with FreeDOS as the OS. In this way, you will have FreeDOS always available.

        As far as that goes, you could set up an additional virtual machine with Windows 7 or 8.1 as the OS. I have a Windows 8.1 virtual machine (with Classic Shell) set up on my Linux machine, so that I can easily do the one or two things in Windows that I just can’t get to work in Linux. (Classic Shell makes Windows 8.1 look and feel just like Windows 7.) For example, I can’t get my scanner to work in Linux; but I can scan without any issue from my W8.1 virtual machine.

        The reason I went with Windows 8.1 is because it will be supported by Microsoft till January 2023 — in other words, 8.1 will give me the longest time possible of the way Microsoft used to do customer support.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        2 users thanked author for this post.
    • #147438 Reply

      Noel Carboni
      AskWoody_MVP

      I have a Win 10 v1709 VM that I test with that will update everything BUT the cumulative updates. And I don’t have any of the “defer” settings thrown as far as I can see. Only thing is I normally block the system reaching the update server, because it WILL update only when I say so. The timing is non-negotiable.

      But when I do open the firewall, I expect a Windows Update to actually complete and bring the system fully up to date. It is the way I have always worked.

      [Attached screenshot: EverythingButCumulativeUpdate]

      It passes SFC and DISM checks with flying colors. There is no real explanation except that the update process is B R O K E N.

      It updates just fine from the .msu file downloaded manually from the catalog, so I’m not complaining; it IS manageable. It’s just not working in the most convenient way.

      Only other thing I could think of is that maybe the (necessarily large) updates are rolled out in a gradual fashion to spread the load on Microsoft’s cloud servers, so some systems will naturally get them before others. They could be running on the assumption that EVERY Win 10 system will be looking for updates every night.

      -Noel

    • #147436 Reply

      anonymous

      The whole thing is a disaster (but you know that already).

      For anyone needing a stable OS lasting for 5 or 10 or 20 years, “Windows as a service” fails utterly. LTSB isn’t really adequate either.

      In slight detail, the GP policy settings and the Settings app settings don’t agree (and I can’t find out which of them the Windows Update Minitool settings match or even control).

      And I AM NOT AT ALL SURE WHICH SETTINGS WINDOWS ITSELF OBEYS AT UPDATE TIME … grrr.

    • #147447 Reply

      anonymous

      Uhh Woody, this is a complete duplicate of a post @pkcano began last week on Monday the 20th, titled “Win10 v1709 “Preview Builds/Feature Updates deferral” Group Policy blocks Security Updates”. It even refers folks to the same thread on the MS Technet forum. However, this thread you started does include a new reference to the article that Martin Brinkmann wrote for ghacks. Sorry. Would it be possible to merge both posts into one, so folks don’t get confused about which one they posted to?

      Edit to remove HTML

      • #147518 Reply

        woody
        Da Boss

        OMG. I’ve been on the road, and hadn’t put two and two together. Yes, you’re absolutely right. I duplicated PKCano’s work from last week.

        I’ll move the comments from that post over here.

        Apologies to one and all, but especially to PKCano. Too much turkey I guess….

    • #147458 Reply

      anonymous

      This is nearly a complete duplicate of @pkcano‘s post of November 20th titled “Win10 v1709 “Preview Builds/Feature Updates deferral” Group Policy blocks Security Updates”. Only difference is this post mentions cumulative updates in the title, whereas @pkcano‘s post mentions security updates in the title. Both posts trace back to the same person (Klaasklever) posting the same info in the MS Technet forums. This newer post, however, includes a reference to an article by Martin Brinkmann for ghacks as well, which isn’t included in @pkcano‘s post from last week.

      Is it possible to combine both posts (PKCano’s from last week and this newer one) so folks don’t get confused over which one they posted in, given they both cover the same subject?

    • #147467 Reply

      BrianL
      AskWoody Lounger

      The glitter of the advertisement of Windows 10 is over and those who switched are realizing that Windows 10 has no glitter! Windows 10 will never get better than the Windows 7 you were using. Windows-7 had no problems with accessing it all. Windows 10 can’t access without problems galore. Wishing you had stayed with windows 7?

      1 user thanked author for this post.
    • #147469 Reply

      BrianL
      AskWoody Lounger

      Microsoft has limited most 3rd party software to Windows 10 thru threats that they have to couldn’t be accessed except thru Windows 10. But that is the way Microsoft is working now! Now Windows 7 can be whipped out.

    • #147510 Reply

      krzemien
      AskWoody Lounger

      I did read something similar here back in September:

      https://forums.theregister.co.uk/forum/1/2017/09/08/microsoft_says_it_wont_fix_kernel_flaw_its_not_a_security_issue_apparently/

       

      (see first 10 or so comments)

       

      I’m afraid nothing surprises me anymore.

    • #147531 Reply

      teuhasn
      AskWoody Lounger

      Yes I’ve experienced this issue as well in Windows 10 Pro 1709. As others have said, it’s been mentioned here before.

      Specifically in 1709, Windows 10 Settings > Update and security > Windows Update is broken–nothing will download–with the gpedit.msc settings that have been recommended here. Even when Woody goes green and bumps MS-DEFCON to 3+ and you want to install selected updates or all Quality Updates that are a month old, the download will freeze early on. This worked in 1509 and 1607 but not in 1709.

      At least there’s a suggestion for working around it on ghacks:  when but only when you’re ready to download and install updates (because this process may commence immediately after changing this setting–you may for example want to run wushowhide first to block hardware updates), set Start > gpedit.msc > Administrative Tools > Windows Components > Windows Update > Defer Windows Updates > Select when Feature Updates are received > After a feature update is released, defer receiving it for this many days:  0.

      You would think it would also work if you set Select when Feature Updates are received to Disabled.

      I’m not going to test it right now since we’re at MS-DEFCON 2. If still nothing happens after you temporarily revert the above setting, try rebooting. And if that still fails, go here where you can manually update:

      https://www.catalog.update.microsoft.com/Home.aspx

    • #147685 Reply

      BobbyB
      AskWoody Lounger

      Well it seems to me every time there’s a new version of Win10 they mess with the update settings. I seem to recall with the last incarnation, 1703, we had quite the discussion, as I recall with Noel & Woody, and it seems like they’re at it again.
      This seems to work with current ver. 1709 and did with 1703, even though it’s early days:

      [Attached screenshot: 1709UD-Settings-showing-options]

      What I have found setting the Group Policy with 1703 & 1709 is that you stop getting the daily “virus signature” updates, which in these fraught times of exploits etc. are quite the comfort. It would seem according to Martin Brinkmann that using the GPOL settings also knocks out the security component of Cumm. updates.
      What I can’t figure out is, when they have stopped CBB etc., which caught a few out with unwanted upgrades, why on earth did they leave in the GPOL, as it’s no longer relevant. Well, “fingers crossed”, these settings should work. To be honest I have taken to going to the “Catalogue” and grabbing them as and when Req.

      [Attached screenshot: gpedit-sttings-deferral]

      As @Noel surmises, it sounds a “little broke to me”, certainly when you can’t “set it & forget it” to run in the background without any hassle. It’s bad enough trying to dodge the “Howlers” that come down the update chute, and to think we will have to do this all over again when 1803 hits the tiles. I only moved off 1703 because I treated myself to a new SSD, and 1709 hasn’t been bad so far, but let’s see if skipping 1-2 releases, and let’s face it they aren’t giving any earth shattering new features every time, makes for a long term stable Computing outlook.

    • #147739 Reply

      anonymous

      I see 1709 is definitely ready for business. Companies should start rolling the update out without delay.

    • #147751 Reply

      MrJimPhelps
      AskWoody_MVP

      Looks like it’s yet another bug in 1709.

      It’s not a bug; the user base are unpaid beta testers.

      It would be a bug if the user base were only users not testers.

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
    • #148819 Reply

      PKCano
      Da Boss

      I can verify this today 11/30/17. In 1709, I had feature updates set not to install for 365 days in my Build 16299.64. There were no updates offered. As soon as I set it to 0, I was offered CU KB4051963 update to 16299.98

      1 user thanked author for this post.
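
    Added example, not part of any post in this thread: a read-only PowerShell check that lists the update-deferral values from both Group Policy and the Settings app next to the installed build, and flags a non-zero feature-update deferral on 1709 (build 16299), the combination posters above report as hiding cumulative updates. The registry paths and value names are assumptions about where Windows stores these settings; none of them is quoted in the thread, and the function name is hypothetical.

    ```powershell
    # Added example: reports deferral settings only, changes nothing.
    # Assumed registry locations (not quoted in the thread):
    $sources = [ordered]@{
        'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
        'Settings app' = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'
    }
    $names = 'DeferFeatureUpdatesPeriodInDays',
             'DeferQualityUpdatesPeriodInDays',
             'BranchReadinessLevel'

    function Get-DeferralReport {   # hypothetical helper name
        # Installed build and update revision, e.g. 16299.64
        $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $build = [int]$cv.CurrentBuild

        foreach ($src in $sources.GetEnumerator()) {
            # The key may not exist at all when nothing was ever configured.
            $key = Get-ItemProperty -Path $src.Value -ErrorAction SilentlyContinue
            foreach ($name in $names) {
                $value = if ($key) { $key.$name } else { $null }

                # Condition described in the thread: 1709 plus feature deferral > 0.
                $flag = ($build -eq 16299) -and
                        ($name -eq 'DeferFeatureUpdatesPeriodInDays') -and
                        ([int]$value -gt 0)

                [pscustomobject]@{
                    Build   = "$build.$($cv.UBR)"
                    Source  = $src.Key
                    Setting = $name
                    Value   = if ($null -eq $value) { '(not set)' } else { $value }
                    MayHideCumulativeUpdates = $flag
                }
            }
        }
    }

    Get-DeferralReport | Format-Table -AutoSize
    ```

    Seeing both sources side by side also shows when the Group Policy value and the Settings app value disagree, which one poster above raises as a concern.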
