News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Windows 10 Clients on 1809 and WSUS GPO settings?

    Posted on seamonkey420 Comment on the AskWoody Lounge

    Home Forums Admin IT Lounge WSUS, SCCM, Exchange and update management tools Windows 10 Clients on 1809 and WSUS GPO settings?

    Tagged: , ,

    This topic contains 9 replies, has 5 voices, and was last updated by

     alQamar 4 weeks ago.

    • Author
      Posts
    • #243811 Reply

      seamonkey420
      AskWoody Lounger

      Hello all.  I am testing Windows 10 feature build 1809 for my company and have noticed my previous WSUS settings for 1703 are not working as i had hoped.  Before i get to my settings, let me outline what i am trying to do in regards to WSUS and Windows 10 clients and updates.

      1. We want to ONLY use WSUS for windows updates.  We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      2. Driver updates from WU are disabled in GPO.

      3. We allow our users to use the Microsoft Store and in turn have GPO set to auto-update any Store apps (working great on 1607, 1703!).

      4. We want to enable Windows Update for Business and in turn do not want DualScan (we approve all updates and DO NOT want any clients to go to Microsoft’s WU servers).  We also want to set a deferral of 180 or 300 days to pause feature updates but still receive patches we approve in WSUS.

      5. Lastly, we want the ability to click on “Check for Updates” in Settings > Windows Updates and have any newly imaged workstation to check into WSUS and get any updates before we handoff laptop to new user, etc.

      All of this we were able to accomplish on 1607 and 1703.  However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809.  I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS.  I have in turn changed that GPO setting from 0 to now 1.

      Screenshots of what WU settings look like on my client machine on 1809.

      Below are my GPO for WSUS for 1809 (all computer configuration items, sorry about formatting; WAIT! why did my formatted text change to HTML when pasted it looked right??)  Attached as PDF  JPGs now.

      1809-Updates-paused

      1809-Updates-advanced-settings

      WSUS-GPO-for-1809-and-paused-status_Page_1

      WSUS-GPO-for-1809-and-paused-status_Page_2

      WSUS-GPO-for-1809-and-paused-status_Page_3

      Attachments:
      You must be logged in to view attached files.
    • #243872 Reply

      b
      AskWoody Plus

      1. We want to ONLY use WSUS for windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809:

      Windows 10 Dual-Scan enabled when telemetry is set to 0

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

    • #243940 Reply

      seamonkey420
      AskWoody Lounger

      1. We want to ONLY use WSUS for windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809: Windows 10 Dual-Scan enabled when telemetry is set to 0

      Correct, i mistyped and forgot the “not working as we want” part. 😉

      Most likely will be putting in a ticket w/Microsoft Premiere support.

    • #243982 Reply

      anonymous

      Hi seamonkey, thanks for the detail posting.

       

      I am surprised that WuFB settings works as intended so deferrals are in place if you want only to use WSUS. By documentation you are right telemetry has at least set to basic to allow WuFB to work.

       

      But it also says that WSUS will not respect ANY settings of the WuFB such as deferrals.

      It will not work if you disable dual scan. That’s what the both available posts about dual scan coming from MS are telling.

      Can you please double check that deferrals really work as intended when updates only come from WSUS. This should not be the case.

      2 users thanked author for this post.
    • #243983 Reply

      anonymous

      Given your GPO output the settings looks good.

      As I cannot subscribe to replies here plz contact me via @Twitter_alqamar if you have replied here and need further help.

      1 user thanked author for this post.
    • #244013 Reply

      seamonkey420
      AskWoody Lounger

      Just an update after further testing/checking today.  I believe the settings I have are working as they should and we no longer get the “Check for Updates” button.  Even though in settings it says updates are paused, i was able to get an office 2016 update via wsus today on my machine so…. i think my settings are actually fine and working as they should on 1809.

       

      thanks everyone who chimed in!

      1 user thanked author for this post.
      b
    • #244661 Reply

      NetDef
      AskWoody_MVP

      We had to update our WMI filters for 1809, did you need to do this or were your’s set to a less specific version filter than ours?  (Ours are VERY specific.)

      Also note that several of our 1809 test workstations failed to pickup GP updates in a “timely” manner.  Some were “fixed” by running “gpupdate /force” followed by a reboot.  Others we simply waited and they eventually updated on their own over several days.  (Days!)  This might be a bug, generally things move much faster.

      ~ Group "Weekend" ~

    • #330600 Reply

      alQamar
      AskWoody_MVP

      Hi seamonkey, thanks for the detail posting. I am surprised that WuFB settings works as intended so deferrals are in place if you want only to use WSUS. By documentation you are right telemetry has at least set to basic to allow WuFB to work. But it also says that WSUS will not respect ANY settings of the WuFB such as deferrals. It will not work if you disable dual scan. That’s what the both available posts about dual scan coming from MS are telling. Can you please double check that deferrals really work as intended when updates only come from WSUS. This should not be the case.

      I agree. I would be surprised if this would work.

    • #330602 Reply

      alQamar
      AskWoody_MVP

      Just an update after further testing/checking today. I believe the settings I have are working as they should and we no longer get the “Check for Updates” button. Even though in settings it says updates are paused, i was able to get an office 2016 update via wsus today on my machine so…. i think my settings are actually fine and working as they should on 1809. thanks everyone who chimed in!

      The check for update button is intented to no longer show up as you have set “turn off access to all windows features.”

      Windows Update for Business will only offer Windows Updates. This is the reason why MS has implemented Dual Scan, so orgs can use WuFB for Windows Updates where deferrals or full stops can be set via GPO, and on top telemetry help to not receive updates / upgrades to machines that have known blockers.

      WuFB ultimately features a centralized a view in Azure to monitor your device health (at costs) and update status, besides WSUS for other products.

      The next step if you want dump WSUS altogether, will be Azure Update management (at costs).

      However Dual Scan will allow orgs to use WSUS for all other MS products just as MSI based Office, SQL etc and their updates.

      WuFB is not designed to completely replace WSUS as it won’t offer all updates available for all MS products – these would come from WU instead (if the button / GPO is checked to include other products) if you have no WSUS.

      If you want to use WuFB you need to take care to enable and configure distributed delivery and tune BITS GPOs so all clients will feed each other instead all of them download from MS WU / WuFB eating up your bandwith (both is no longer a problem if all are on 1809 / Server 2019 due to smaller update sizes)

      With your current GPO configuration WuFB is disabled and updates deferrals should not work.

       

      sorry the much editing, but the WYSIWYG editor does not like copy and paste.

      • This reply was modified 4 weeks ago by
         alQamar.
      • This reply was modified 4 weeks ago by
         alQamar. Reason: additions
      • This reply was modified 4 weeks ago by
         alQamar. Reason: removed html
      • This reply was modified 4 weeks ago by
         alQamar. Reason: removed html caused missing words
    • #330609 Reply

      alQamar
      AskWoody_MVP

      One more thing, I’ve read about complaints that “install during automatic maintenance” does not work for some Windows 10 versions but should work well for later ones.

      For best compatibility disable it, as you did. Users reported at borncity that on affected OS versions the timed installation and restarts will not happen if you enable this feature.

      I can confirm this to happen on 1607, including Server 2016 LTSC 1607 which disqualifies the OS for me another time / or set a overriding GPO for this OS.

      Because of this I can always recommend to create one OU for each Windows Client and Server version, so you can handle existing and potential differences.

       

      naming OUs like

      Windows 10 LTSC 2015
      Windows 10 LTSC 2016
      Windows 10 LTSC 2019
      Windows 10 SAC 1809
      Windows Server 2012
      Windows Server 2012 R2
      Windows Server 2016 LTSC 1607
      Windows Server 2016 SAC 1809
      Windows Server 2019 LTSC 1809

      etc.

      This looks like much of work but ulitmately I have had a lot of reasons to do this. e.g. Citrix Workspace does not work with 2015 LTSC but with all other Windows releases etc.
      WMI filters generally cost too much performance, so I rather keep them sorting, which (in addition to other tools) let me keep track about Windows OS fragmentation and possible upgrade needs due to support ends as a side effect.

      • This reply was modified 4 weeks ago by
         alQamar.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows 10 Clients on 1809 and WSUS GPO settings?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.