News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • Windows 10 Clients on 1809 and WSUS GPO settings?

    Posted on seamonkey420 Comment on the AskWoody Lounge

    Home Forums Admin IT Lounge WSUS, SCCM, Exchange and update management tools Windows 10 Clients on 1809 and WSUS GPO settings?

    Tagged: , ,

    This topic contains 6 replies, has 4 voices, and was last updated by

     NetDef 2 weeks, 2 days ago.

    • Author
      Posts
    • #243811 Reply

      seamonkey420
      AskWoody Lounger

      Hello all.  I am testing Windows 10 feature build 1809 for my company and have noticed my previous WSUS settings for 1703 are not working as i had hoped.  Before i get to my settings, let me outline what i am trying to do in regards to WSUS and Windows 10 clients and updates.

      1. We want to ONLY use WSUS for windows updates.  We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      2. Driver updates from WU are disabled in GPO.

      3. We allow our users to use the Microsoft Store and in turn have GPO set to auto-update any Store apps (working great on 1607, 1703!).

      4. We want to enable Windows Update for Business and in turn do not want DualScan (we approve all updates and DO NOT want any clients to go to Microsoft’s WU servers).  We also want to set a deferral of 180 or 300 days to pause feature updates but still receive patches we approve in WSUS.

      5. Lastly, we want the ability to click on “Check for Updates” in Settings > Windows Updates and have any newly imaged workstation to check into WSUS and get any updates before we handoff laptop to new user, etc.

      All of this we were able to accomplish on 1607 and 1703.  However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809.  I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS.  I have in turn changed that GPO setting from 0 to now 1.

      Screenshots of what WU settings look like on my client machine on 1809.

      Below are my GPO for WSUS for 1809 (all computer configuration items, sorry about formatting; WAIT! why did my formatted text change to HTML when pasted it looked right??)  Attached as PDF  JPGs now.

      1809-Updates-paused

      1809-Updates-advanced-settings

      WSUS-GPO-for-1809-and-paused-status_Page_1

      WSUS-GPO-for-1809-and-paused-status_Page_2

      WSUS-GPO-for-1809-and-paused-status_Page_3

      Attachments:
      You must be logged in to view attached files.
    • #243872 Reply

      b
      AskWoody Plus

      1. We want to ONLY use WSUS for windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809:

      Windows 10 Dual-Scan enabled when telemetry is set to 0

      Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant "Toxic drinker" (Group ASAP)

    • #243940 Reply

      seamonkey420
      AskWoody Lounger

      1. We want to ONLY use WSUS for windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results i expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809: Windows 10 Dual-Scan enabled when telemetry is set to 0

      Correct, i mistyped and forgot the “not working as we want” part. 😉

      Most likely will be putting in a ticket w/Microsoft Premiere support.

    • #243982 Reply

      anonymous

      Hi seamonkey, thanks for the detail posting.

       

      I am surprised that WuFB settings works as intended so deferrals are in place if you want only to use WSUS. By documentation you are right telemetry has at least set to basic to allow WuFB to work.

       

      But it also says that WSUS will not respect ANY settings of the WuFB such as deferrals.

      It will not work if you disable dual scan. That’s what the both available posts about dual scan coming from MS are telling.

      Can you please double check that deferrals really work as intended when updates only come from WSUS. This should not be the case.

      1 user thanked author for this post.
    • #243983 Reply

      anonymous

      Given your GPO output the settings looks good.

      As I cannot subscribe to replies here plz contact me via @Twitter_alqamar if you have replied here and need further help.

      1 user thanked author for this post.
    • #244013 Reply

      seamonkey420
      AskWoody Lounger

      Just an update after further testing/checking today.  I believe the settings I have are working as they should and we no longer get the “Check for Updates” button.  Even though in settings it says updates are paused, i was able to get an office 2016 update via wsus today on my machine so…. i think my settings are actually fine and working as they should on 1809.

       

      thanks everyone who chimed in!

      1 user thanked author for this post.
      b
    • #244661 Reply

      NetDef
      AskWoody Plus

      We had to update our WMI filters for 1809, did you need to do this or were your’s set to a less specific version filter than ours?  (Ours are VERY specific.)

      Also note that several of our 1809 test workstations failed to pickup GP updates in a “timely” manner.  Some were “fixed” by running “gpupdate /force” followed by a reboot.  Others we simply waited and they eventually updated on their own over several days.  (Days!)  This might be a bug, generally things move much faster.

      ~ Group "Weekend" ~

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Windows 10 Clients on 1809 and WSUS GPO settings?

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.