Windows 10 Anniversary Update Issues

What parameters are you using with gpresult?

Are you not seeing any of the Computer Settings section of the output, or is it showing that part but not the list of GPOs you have applied?

Below is the output I get using gpresult /R. I personally like gpresult /h [path to file] for a nice HTML report.

RSOP data for LINCOLNBEREAN\aharvey on AHARVEY : Logging Mode

OS Configuration: Member Workstation
OS Version: 10.0.14393
Site Name: Default-First-Site-Name
Roaming Profile: N/A
Local Profile: C:\Users\aharvey
Connected over a slow link?: No

COMPUTER SETTINGS

CN=AHARVEY,OU=[ou path]
Last time Group Policy was applied: 11/16/2016 at 2:15:32 PM
Group Policy was applied from:      [dc].lincolnberean.org
Group Policy slow link threshold:   500 kbps
Domain Name:                        [domain name]
Domain Type:                        Windows 2008 or later

Applied Group Policy Objects
-----------------------------[list of applied GPOs, etc]

WAIT! I just looked again. Noticed there were two sections. One for computer and one for user.

Thanks!

Okay, the PCs that I have updated to Anniversary seem to be pulling updates from somewhere besides WSUS. I have not approved any, yet they are getting updates.

How do I keep them from getting them from anywhere else but my WSUS? Never been a problem before.

Anniversary isn’t ready for WSUS based deployment so anything that’s got it is already pulling updates past any patch management system.

Huh. Is this something that will be fixed? It is really ridiculous.

Businesses using Windows 10 and WSUS are expected to be deploying and managing the Current Branch for Business and not the consumer Current Branch. This is covered under the Windows 10 as a Service documentation.

It does look like 1607 just made CBB a few weeks ago, so machines running 1607 should be back under WSUS control as long as GP is working and configured correctly. Also, unless you have disabled end-user control of updates entirely they can still check online.

We’ve been using WSUS with 1607 for a couple of months now and updates are deploying fine from WSUS.

Just remember, one of Microsoft’s main goals with Windows 10 was to reduce IT control of workstations so that the Windows managed experience would more closely follow the Mac managed experience in the same workplace.

I think this might be a misconception. In the consumer version of windows, yes, that’s absolutely true. In an enterprise environment, we still have the same control we have over previous versions of Windows. Without WSUS and group policy, it can definitely quickly become a free-for-all, but methods to properly manage it all do exist.

Well we have Enterprise and WSUS and clients are getting updates elsewhere since going 1607.

1607 enables peer-to-peer updating to the Internet by default. Windows 10 is going to require you to keep abreast of all their internal changes and fight for your control every step of the way. CBB gives you a little more time to get a handle on the changes and therefore is Microsoft’s standard recommendation for workstations requiring controlled patching.

CBB is a new thing for me. Can you explain what it is?

CBB is the Current Branch for Business covered in the article I linked a bit back. It runs about 4 months behind CB for new features, but still gets all the security updates.

You might want to check your group policy settings. Something is wrong if they are bypassing WSUS.

I have not changed anything since Win10 because it was all working great with WSUS. Apparently 1607 has changed that.

I have found a setting that allows me to defer updates for 180 days, but apparently not until I decide to release them. Is that not possible anymore?

Computer Configuration - Policies - Administrative Templates - Windows Components - Windows Update - Defer Windows Updates

It seems like I ran across this after we started deploying 1607 as well. It’s been a while since I’ve messed with it, but try leaving the Defer Windows Updates settings to Not Configured. (Computer Config/Policies/Admin Templates/Windows Components/Windows Update/Defer Windows Updates) It seems if you set those, it assumes you are getting your updates from MS instead of WSUS.

It is possible to control the Anniversary Edition with WSUS…we are. You just have to get the GP correct. Microsoft has made a mess of updates, and it doesn’t help that they seem to change its behavior with each release. Good luck.

All I want is to only do updates through WSUS, you know, like we have always done in the past! Just do not understand why Microsoft would mess with this.

Does anyone have a document or reference for me to know what GP’s to mess with to get this behavior?

aharvey, I did not have that defer set and they were getting them from somewhere else so it must not be that alone.

Here is what I have set for group policy.

Computer Config > Policies >Admin Templates > Windows Components > Windows Update
Specify intranet Microsoft update service location: Enabled - http://:8530

I tried enabling ‘Do not connect to any Windows Update Internet locations’ and all the clients started not being able to even find updates. Un-enabling that and things started working again.

Computer Config > Policies >Admin Templates > Windows Components > Delivery Optimization
Download Mode - enabled set to Bypass

With the two settings above, clients still seem to be getting updates from places other than WSUS.

Here is an article that talks about how some of the WUfB GPO settings will cause your clients to bypass WSUS.

Looking at the registry, I see many of the ones they list…

DeferFeatureUpdate
DeferFeatureUpdatePeriodInDays
DeferQualityUpdate
DeferQualityUpdatePeriodInDays
PauseFeatureUpdate
PauseQualityUpdate
DeferUpgrade
ExcludeWUDriversInQualityUpdate

How do I go about getting rid of them on all computers?
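One way to audit a 1607 client before touching anything, as an added example that is not from this thread: it reads the WSUS pointer, the Delivery Optimization mode and the WUfB deferral values named above. The value names are taken from the post as listed; the registry policy paths and the local WU/DO policy key layout are my assumptions.

```powershell
# Added example (not from the thread): audit a Windows 10 1607 client's
# Windows Update policy values. Value names follow the post's list; the
# policy key paths are assumed (where GP-written WU/DO policy normally lands).
param(
    [switch]$Remove   # delete the WUfB deferral values instead of only reporting them
)

$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

# WUfB deferral/pause values named in the post
$wufbValues = @(
    'DeferFeatureUpdate', 'DeferFeatureUpdatePeriodInDays',
    'DeferQualityUpdate', 'DeferQualityUpdatePeriodInDays',
    'PauseFeatureUpdate', 'PauseQualityUpdate',
    'DeferUpgrade',       'ExcludeWUDriversInQualityUpdate'
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. Is the client actually pointed at WSUS, and how is DO configured?
$wuServer    = Get-PolicyValue $wuPolicy 'WUServer'
$useWUServer = Get-PolicyValue $auPolicy 'UseWUServer'
$doMode      = Get-PolicyValue $doPolicy 'DODownloadMode'
"WUServer       : $wuServer"
"UseWUServer    : $useWUServer   (expected 1 when WSUS is in use)"
"DODownloadMode : $doMode   (100 = Bypass, as set in the post)"

# 2. Which WUfB deferral values are present? The linked article says these
#    can cause the client to bypass WSUS.
$present = foreach ($name in $wufbValues) {
    $v = Get-PolicyValue $wuPolicy $name
    if ($null -ne $v) { [pscustomobject]@{ Name = $name; Data = $v } }
}
if (-not $present) { 'No WUfB deferral values found.' } else { $present | Format-Table -AutoSize }

# 3. Optionally remove them (run elevated)
if ($Remove -and $present) {
    foreach ($p in $present) { Remove-ItemProperty -Path $wuPolicy -Name $p.Name -Verbose }
}
```

Deleting the values locally only helps if the Defer Windows Updates policy is also set to Not Configured in the GPO, otherwise the next policy refresh writes them back; run the audit again after gpupdate /force to confirm.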