• Windows 10 Clients on 1809 and WSUS GPO settings?

    #243811

    Hello all.  I am testing Windows 10 feature build 1809 for my company and have noticed my previous WSUS settings for 1703 are not working as I had hoped.  Before I get to my settings, let me outline what I am trying to do in regards to WSUS and Windows 10 clients and updates.

    1. We want to ONLY use WSUS for Windows updates.  We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results I expected/that worked previously.

    2. Driver updates from WU are disabled in GPO.

    3. We allow our users to use the Microsoft Store and in turn have GPO set to auto-update any Store apps (working great on 1607, 1703!).

    4. We want to enable Windows Update for Business and in turn do not want DualScan (we approve all updates and DO NOT want any clients to go to Microsoft’s WU servers).  We also want to set a deferral of 180 or 300 days to pause feature updates but still receive patches we approve in WSUS.

    5. Lastly, we want the ability to click on “Check for Updates” in Settings > Windows Updates and have any newly imaged workstation check into WSUS and get any updates before we hand off the laptop to a new user, etc.

    All of this we were able to accomplish on 1607 and 1703.  However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809.  I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS.  I have in turn changed that GPO setting from 0 to now 1.

    Screenshots of what WU settings look like on my client machine on 1809.

    Below are my GPO for WSUS for 1809 (all computer configuration items, sorry about formatting; WAIT! why did my formatted text change to HTML when pasted it looked right??)  Attached as PDF  JPGs now.

    1809-Updates-paused

    1809-Updates-advanced-settings

    WSUS-GPO-for-1809-and-paused-status_Page_1

    WSUS-GPO-for-1809-and-paused-status_Page_2

    WSUS-GPO-for-1809-and-paused-status_Page_3

    • #243872

      1. We want to ONLY use WSUS for Windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results I expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809:

      Windows 10 Dual-Scan enabled when telemetry is set to 0

    • #243940

      1. We want to ONLY use WSUS for Windows updates. We have a proper GPO for 1607 and 1703 and even 1803 but on 1809, my settings are yielding the results I expected/that worked previously.

      Not? (on 1809)

      All of this we were able to accomplish on 1607 and 1703. However I have yet to find a proper Microsoft document talking about the changes to Windows Updates in 1809. I know that one BIG CHANGE is that setting Telemetry to 0 will basically override all WufB policies and let workstation use WU vs WSUS. I have in turn changed that GPO setting from 0 to now 1.

      I believe that applied prior to 1809: Windows 10 Dual-Scan enabled when telemetry is set to 0

      Correct, I mistyped and forgot the “not working as we want” part. 😉

      Most likely will be putting in a ticket w/Microsoft Premier support.

    • #243982

      Hi seamonkey, thanks for the detailed post.

      I am surprised that WuFB settings work as intended so deferrals are in place if you want only to use WSUS. By the documentation you are right: telemetry has to be set to at least Basic to allow WuFB to work.

      But it also says that WSUS will not respect ANY settings of the WuFB such as deferrals.

      It will not work if you disable dual scan. That’s what both available posts about dual scan from MS say.

      Can you please double check that deferrals really work as intended when updates only come from WSUS? This should not be the case.
    • #243983

      Given your GPO output the settings look good.

      As I cannot subscribe to replies here plz contact me via @Twitter_alqamar if you have replied here and need further help.
    • #244013

      Just an update after further testing/checking today.  I believe the settings I have are working as they should and we no longer get the “Check for Updates” button.  Even though in settings it says updates are paused, I was able to get an Office 2016 update via WSUS today on my machine so…. I think my settings are actually fine and working as they should on 1809.

      Thanks everyone who chimed in!
    • #244661

      We had to update our WMI filters for 1809, did you need to do this or were yours set to a less specific version filter than ours?  (Ours are VERY specific.)

      Also note that several of our 1809 test workstations failed to pick up GP updates in a “timely” manner.  Some were “fixed” by running “gpupdate /force” followed by a reboot.  Others we simply waited and they eventually updated on their own over several days.  (Days!)  This might be a bug, generally things move much faster.

      ~ Group "Weekend" ~

    • #330600

      Hi seamonkey, thanks for the detailed post. I am surprised that WuFB settings work as intended so deferrals are in place if you want only to use WSUS. By the documentation you are right: telemetry has to be set to at least Basic to allow WuFB to work. But it also says that WSUS will not respect ANY settings of the WuFB such as deferrals. It will not work if you disable dual scan. That’s what both available posts about dual scan from MS say. Can you please double check that deferrals really work as intended when updates only come from WSUS? This should not be the case.

      I agree. I would be surprised if this would work.

    • #330602

      Just an update after further testing/checking today. I believe the settings I have are working as they should and we no longer get the “Check for Updates” button. Even though in settings it says updates are paused, I was able to get an Office 2016 update via WSUS today on my machine so…. I think my settings are actually fine and working as they should on 1809. Thanks everyone who chimed in!

      The check for update button is intended to no longer show up as you have set “turn off access to all windows features.”

      Windows Update for Business will only offer Windows Updates. This is the reason why MS has implemented Dual Scan, so orgs can use WuFB for Windows Updates where deferrals or full stops can be set via GPO, and on top telemetry helps to not deliver updates / upgrades to machines that have known blockers.

      WuFB ultimately features a centralized view in Azure to monitor your device health (at costs) and update status, besides WSUS for other products.

      The next step, if you want to dump WSUS altogether, will be Azure Update management (at costs).

      However Dual Scan will allow orgs to use WSUS for all other MS products such as MSI-based Office, SQL etc. and their updates.

      WuFB is not designed to completely replace WSUS as it won’t offer all updates available for all MS products – these would come from WU instead (if the button / GPO is checked to include other products) if you have no WSUS.

      If you want to use WuFB you need to take care to enable and configure distributed delivery and tune BITS GPOs so all clients will feed each other instead of all of them downloading from MS WU / WuFB and eating up your bandwidth (both are no longer a problem if all are on 1809 / Server 2019 due to smaller update sizes).

      With your current GPO configuration WuFB is disabled and update deferrals should not work.

       

      Sorry for all the editing, but the WYSIWYG editor does not like copy and paste.
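
A read-only check of the policy values this thread discusses, run on a client after the GPO has applied. This is an added example, not part of any poster's message: the registry value names are the standard backing values for the Windows Update and telemetry Group Policy settings, while the `Get-PolicyValue` helper and the wording of the findings are this example's own.

```powershell
# Added example: read-only audit of the local Windows Update policy state.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'

function Get-PolicyValue {   # hypothetical helper name, defined here
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is not configured on this client.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$state = [ordered]@{
    WUServer                        = Get-PolicyValue $wu 'WUServer'
    UseWUServer                     = Get-PolicyValue "$wu\AU" 'UseWUServer'
    DisableDualScan                 = Get-PolicyValue $wu 'DisableDualScan'
    DeferFeatureUpdates             = Get-PolicyValue $wu 'DeferFeatureUpdates'
    DeferFeatureUpdatesPeriodInDays = Get-PolicyValue $wu 'DeferFeatureUpdatesPeriodInDays'
    DeferQualityUpdates             = Get-PolicyValue $wu 'DeferQualityUpdates'
    ExcludeWUDriversInQualityUpdate = Get-PolicyValue $wu 'ExcludeWUDriversInQualityUpdate'
    SetDisableUXWUAccess            = Get-PolicyValue $wu 'SetDisableUXWUAccess'
    AllowTelemetry                  = Get-PolicyValue $dc 'AllowTelemetry'
}

$findings = @()
if ($state.UseWUServer -ne 1 -or -not $state.WUServer) {
    $findings += 'No WSUS server is enforced by policy (WUServer / UseWUServer).'
}
# Deferral policies are what make a WSUS-managed client also scan Windows Update.
$deferrals = ($state.DeferFeatureUpdates -eq 1) -or ($state.DeferQualityUpdates -eq 1)
if ($deferrals -and $state.DisableDualScan -ne 1) {
    $findings += 'Deferrals are set without DisableDualScan=1; the client may also scan Windows Update (Dual Scan).'
}
if ($deferrals -and $state.DisableDualScan -eq 1) {
    $findings += 'Deferrals are set but Dual Scan is disabled; per this thread, WSUS-only scans do not honour them.'
}
if ($state.AllowTelemetry -eq 0) {
    $findings += 'AllowTelemetry is 0; this thread reports that level interfering with WUfB policies.'
}
if ($state.SetDisableUXWUAccess -eq 1) {
    $findings += 'Windows Update UI access is removed by policy; a missing "Check for updates" button is expected.'
}

[pscustomobject]$state | Format-List
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No findings.' }
```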

    • #330609

      One more thing, I’ve read about complaints that “install during automatic maintenance” does not work for some Windows 10 versions but should work well for later ones.

      For best compatibility disable it, as you did. Users reported at borncity that on affected OS versions the timed installation and restarts will not happen if you enable this feature.

      I can confirm this to happen on 1607, including Server 2016 LTSC 1607 which disqualifies the OS for me another time / or set an overriding GPO for this OS.

      Because of this I can always recommend to create one OU for each Windows Client and Server version, so you can handle existing and potential differences.

       

      naming OUs like

      Windows 10 LTSC 2015
      Windows 10 LTSC 2016
      Windows 10 LTSC 2019
      Windows 10 SAC 1809
      Windows Server 2012
      Windows Server 2012 R2
      Windows Server 2016 LTSC 1607
      Windows Server 2016 SAC 1809
      Windows Server 2019 LTSC 1809

      etc.

      This looks like a lot of work but ultimately I have had a lot of reasons to do this, e.g. Citrix Workspace does not work with 2015 LTSC but with all other Windows releases etc.
      WMI filters generally cost too much performance, so I rather keep them sorting, which (in addition to other tools) lets me keep track of Windows OS fragmentation and possible upgrade needs due to support ends as a side effect.
