Solved

How to Control Automatic Update Behavior in Win 10 Clients from Server 2012 R2

Posted on 2016-10-04
Last Modified: 2016-10-09
We have some accounting software that users often leave running without posting their changes. If their stations restart due to automatic updates, they lose their work.

What we're looking to accomplish is a way of controlling the behavior on a station by station basis. If the user is conscientious and always posts their changes before the end of a day, we want to allow automatic updating. On other stations, we want the updates to download but let the users decide when to apply.

We used to simply exclude certain stations from the Group Policy for automatic updates and then use the settings built into Windows 7 to control the behavior.

Now that Windows 10 has removed the option to download but not install the updates, what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts? Is there a specific Group Policy template for Win 10 that needs to be applied, or is it built into WSUS?

Environment is all Win 10 Pro stations running the craptacular Anniversary update, along with Server 2012 R2 Essentials.
Question by:philodendrin
14 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41828710
Yes, with WSUS you can control the update process. Have a look at
https://technet.microsoft.com/en-us/library/dn595129(v=ws.11).aspx

We disable the Update service and enable it when we have maintenance for the clients.
0
 

Author Comment

by:philodendrin
ID: 41828724
Article makes no mention of Windows 10... which is a completely different animal. Can anyone confirm that the same policy settings will work in Win 10? My understanding was that a special Win 10 Group Policy template for WSUS would need to be applied?
0
 
LVL 18

Assisted Solution

by:awawada
awawada earned 500 total points
ID: 41828731
0
 

Accepted Solution

by:philodendrin
philodendrin earned 0 total points
ID: 41828756
I think this is really what I need... but, your link led me to what I was looking for. So... Grazie.

https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wsus
0
 
LVL 18

Expert Comment

by:awawada
ID: 41829227
You are welcome.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41829599
I'd like to see the result. To my knowledge, win10 will not respect the policy setting that is outlined in your last link (detect but install manually).
0
 

Author Comment

by:philodendrin
ID: 41830316
I assume and fear the same thing, McKnife... since the local Group Policy options typically mirror those that are available from server to client ...and with 1607 (anniversary update) Microsoft has removed the option to allow the user to manually decide when they want to install the updates. I can tell already we're going to be getting complaints and PCs restarting automatically. I don't see "deferring" updates as a reasonable workaround.

Moreover, the more I read about Windows 10 with 1607 installed and WSUS, the more I see that I'll need to deploy in a test environment first... because there are lots of posts with users complaining that updates either don't download, crash Windows 10, or even brick the PC. Nice work, Microsoft.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus

They've managed to take something that was relatively flexible before and make it complicated, awkward, and unreliable. I may need to look at third party patch management solutions.

I'm also not a fan of their new CU patch management strategy. Now instead of being able to remove a troublesome single update, we have to roll-back a cumulative update?! How is removing all updates instead of just the one causing the problem more secure? ...And we have to wait a month for the fix for broken patches.

Getting old already, since I'm still waiting for multiple fixes related to 1607.
0

 
LVL 18

Expert Comment

by:awawada
ID: 41833020
@McKnife
Because we also disable the Update service and enable it when we have maintenance for the clients.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41833089
You wrote so. But to make that usable, you'll have to have client-based logic, because if you enable it centrally, you'll have to rely on all computers being online at that time, which is normally not the case.

How do you go about that disabling, if I may ask?
0
 
LVL 18

Expert Comment

by:awawada
ID: 41834921
@McKnife
We use the Task Scheduler or SCCM tasks to enable/disable the Update service.
When we have maintenance, all clients are online. At small locations they do not shut down the clients.
In large environments we use Wake on LAN.
0
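As an added example (not code from this thread or from any product it mentions), here is a PowerShell script that implements the approach awawada describes: the Windows Update service is disabled outside a maintenance window and re-enabled by scheduled tasks during it, with a status check for stations that keep missing the window. The window times, task names and the 30-day staleness threshold are assumptions.

```powershell
# Added example, not from the thread: toggles wuauserv around a maintenance
# window; window times, task names and the 30-day threshold are assumed.
param([ValidateSet('Disable', 'Enable', 'Status', 'Register')][string]$Action = 'Status')

$ServiceName = 'wuauserv'

function Set-WindowsUpdateService([bool]$Enabled) {
    if ($Enabled) {
        Set-Service -Name $ServiceName -StartupType Manual
        Start-Service -Name $ServiceName
        # Kick off a detection so the window is not spent waiting for the next scan
        (New-Object -ComObject 'Microsoft.Update.AutoUpdate').DetectNow()
    } else {
        Stop-Service -Name $ServiceName -Force
        Set-Service -Name $ServiceName -StartupType Disabled
    }
}

function Get-WindowsUpdateStatus {
    $svc = Get-Service -Name $ServiceName
    $results = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Results
    $last = $results.LastInstallationSuccessDate
    [pscustomobject]@{
        Service     = $svc.Status
        StartupType = $svc.StartType
        LastInstall = $last
        # A station that keeps missing the window (McKnife's concern) is flagged
        # instead of silently staying unpatched; 30 days is an assumed threshold.
        Stale       = (-not $last) -or ((Get-Date) - $last).TotalDays -gt 30
    }
}

function Register-MaintenanceWindow {
    # Opens the service every Wednesday at 22:00 and closes it at 23:30 (assumed).
    $self = $PSCommandPath
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    foreach ($step in @(@{ Name = 'WU-Window-Open';  Arg = 'Enable';  At = '22:00' },
                        @{ Name = 'WU-Window-Close'; Arg = 'Disable'; At = '23:30' })) {
        $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$self`" -Action $($step.Arg)"
        $trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Wednesday -At $step.At
        Register-ScheduledTask -TaskName $step.Name -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
    }
}

switch ($Action) {
    'Disable'  { Set-WindowsUpdateService $false }
    'Enable'   { Set-WindowsUpdateService $true }
    'Register' { Register-MaintenanceWindow }
    default    { Get-WindowsUpdateStatus }
}
```

Run it once as an administrator with `-Action Register` to create the two tasks; `-Action Status` can be collected from each station to find the ones whose last successful install is older than the threshold.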
 
LVL 53

Expert Comment

by:McKnife
ID: 41834966
That method cannot be applied to many environments, since wake on LAN will not work if proper preboot encryption authentication is in place (which is a security best practice). Leaving all computers on will not be an option anywhere, either.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41835323
@McKnife
"Leaving all computers on will not be an option anywhere, either." That is not true.
Philodendrin asked for a solution and I provided what we do. We are responsible for many thousands of clients (different customers).
We know that Wake on LAN can be a security risk and the customers know that too. And all other customers who have critical clients are protected by BitLocker. So there is no other way than to communicate the maintenance to users. We had a Microsoft case open and they told us to disable the service and use deadlines. This has worked fine for more than a year now.
0
 

Author Closing Comment

by:philodendrin
ID: 41835725
I located the information that I was looking for, which was not included in the other solutions.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41835776
The GPOs that you "located" in that link are not solving your question "what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts?" - are they? Or what part do you think has made a difference?
0
