Are you not seeing any of the Computer Settings section of the output, or is it showing that part but not the list of GPOs you have applied?
Below is the output I get using gpresult /R. I personally like gpresult /h [path to file] for a nice HTML report.
RSOP data for LINCOLNBEREAN\aharvey on AHARVEY : Logging Mode
OS Configuration: Member Workstation
OS Version: 10.0.14393
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\aharvey
Connected over a slow link?: No
COMPUTER SETTINGS
CN=AHARVEY,OU=[ou path]
Last time Group Policy was applied: 11/16/2016 at 2:15:32 PM
Group Policy was applied from: [dc].lincolnberean.org
Group Policy slow link threshold: 500 kbps
Domain Name: [domain name]
Domain Type: Windows 2008 or later
Applied Group Policy Objects
-----------------------------
[list of applied GPOs, etc]
Okay, the PCs that I have updated to Anniversary seem to be pulling updates from somewhere besides WSUS. I have not approved any, yet they are getting updates.
How do I keep them from getting them from anywhere else but my WSUS? Never been a problem before.
It does look like 1607 just made CBB a few weeks ago, so machines running 1607 should be back under WSUS control as long as GP is working and configured correctly. Also, unless you have disabled end-user control of updates entirely they can still check online.
Just remember, one of Microsoft’s main goals with Windows 10 was to reduce IT control of workstations so that the Windows managed experience would more closely follow the Mac managed experience in the same workplace.
I think this might be a misconception. In the consumer version of Windows, yes, that’s absolutely true. In an enterprise environment, we still have the same control we have over previous versions of Windows. Without WSUS and group policy, it can definitely quickly become a free-for-all, but methods to properly manage it all do exist.
1607 enables peer-to-peer updating to the Internet by default. Windows 10 is going to require you to keep abreast of all their internal changes and fight for your control every step of the way. CBB gives you a little more time to get a handle on the changes and therefore is Microsoft’s standard recommendation for workstations requiring controlled patching.
CBB is the Current Branch for Business covered in the article I linked a bit back. It runs about 4 months behind CB for new features, but still gets all the security updates.
It seems like I ran across this after we started deploying 1607 as well. It’s been a while since I’ve messed with it, but try leaving the Defer Windows Updates settings at Not Configured. (Computer Config/Policies/Admin Templates/Windows Components/Windows Update/Defer Windows Updates) It seems if you set those, it assumes you are getting your updates from MS instead of WSUS.
It is possible to control the Anniversary Edition with WSUS…we are. You just have to get the GP correct. Microsoft has made a mess of updates, and it doesn’t help that they seem to change its behavior with each release. Good luck.
All I want is to only do updates through WSUS, you know, like we have always done in the past! Just do not understand why Microsoft would mess with this.
Does anyone have a document or reference for me to know what GPs to mess with to get this behavior?
aharvey, I did not have that defer set and they were getting them from somewhere else so it must not be that alone.
Computer Config > Policies > Admin Templates > Windows Components > Windows Update
Specify intranet Microsoft update service location: Enabled - http://:8530
I tried enabling ‘Do not connect to any Windows Update Internet locations’ and all the clients started not being able to even find updates. Un-enabling that and things started working again.
Computer Config > Policies > Admin Templates > Windows Components > Delivery Optimization
Download Mode - Enabled, set to Bypass
Having the two above settings, they seem to be getting updates from other places besides WSUS.
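To confirm what Group Policy actually delivered to a client, the settings discussed in this thread can be read back from the policy registry keys. This is an added example, not part of any post above; the registry paths and value names are the standard policy locations for these settings and do not appear in the thread, and the function names are hypothetical.

```powershell
# Added example: read back the Windows Update policy values on this client.
# Registry paths/value names are the standard policy locations (assumption: not from the thread).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-WsusPolicyState {
    # Expect = the state the posters describe: WSUS set, deferrals Not Configured,
    # "Do not connect..." not enabled, Delivery Optimization Download Mode = Bypass (100).
    $checks = @(
        @{ Setting = 'Intranet update service location'; Path = $wu; Name = 'WUServer'
           Expect = { $null -ne $args[0] } }
        @{ Setting = 'Use intranet update server'; Path = "$wu\AU"; Name = 'UseWUServer'
           Expect = { $args[0] -eq 1 } }
        @{ Setting = 'Defer feature updates (1607)'; Path = $wu; Name = 'DeferFeatureUpdates'
           Expect = { $null -eq $args[0] } }
        @{ Setting = 'Defer quality updates (1607)'; Path = $wu; Name = 'DeferQualityUpdates'
           Expect = { $null -eq $args[0] } }
        @{ Setting = 'Defer upgrades (pre-1607)'; Path = $wu; Name = 'DeferUpgrade'
           Expect = { $null -eq $args[0] } }
        @{ Setting = 'Do not connect to WU Internet locations'; Path = $wu
           Name = 'DoNotConnectToWindowsUpdateInternetLocations'
           Expect = { $args[0] -ne 1 } }
        @{ Setting = 'Delivery Optimization Download Mode'; Path = $do; Name = 'DODownloadMode'
           Expect = { $args[0] -eq 100 } }
    )
    foreach ($c in $checks) {
        $value = Get-PolicyValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting       = $c.Setting
            Value         = if ($null -eq $value) { '(not configured)' } else { $value }
            MatchesThread = [bool](& $c.Expect $value)
        }
    }
}

# Run in an elevated or normal session on the client after gpupdate /force.
Get-WsusPolicyState | Format-Table -AutoSize
```

A row with MatchesThread = False shows which setting on that machine differs from the configuration the posters describe, which narrows down whether the GPO is not applying or is applying with a different value.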