Solved

How to Control Automatic Update Behavior in Win 10 Clients from Server 2012 R2

Posted on 2016-10-04
Last Modified: 2016-10-09
We have some accounting software that users often leave running without posting their changes. If their stations restart due to automatic updates, they lose their work.

What we're looking to accomplish is a way of controlling the behavior on a station-by-station basis. If the user is conscientious and always posts their changes before the end of a day, we want to allow automatic updating. On other stations, we want the updates to download but let the users decide when to apply.

We used to simply exclude certain stations from the Group Policy for automatic updates and then use the settings built in to Windows 7 to control the behavior.

Now that Windows 10 has removed the option to download but not install the updates, what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts? Is there a specific Group Policy template for Win 10 that needs to be applied, or is it built into WSUS?

Environment is all Win 10 Pro stations running the craptacular Anniversary update, along with Server 2012 R2 Essentials.
Question by:philodendrin
14 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41828710
Yes, with WSUS you can control the update process. Have a look at
https://technet.microsoft.com/en-us/library/dn595129(v=ws.11).aspx

We are disabling the Update service and enabling it when we have maintenance for the clients.
0
 

Author Comment

by:philodendrin
ID: 41828724
Article makes no mention of Windows 10... which is a completely different animal. Can anyone confirm that the same policy settings will work in Win 10? My understanding was that a special Win 10 Group Policy template for WSUS would need to be applied?
0
 
LVL 18

Assisted Solution

by:awawada
awawada earned 500 total points
ID: 41828731
0
 

Accepted Solution

by:
philodendrin earned 0 total points
ID: 41828756
I think this is really what I need... but, your link led me to what I was looking for. So... Grazie.

https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wsus
0
 
LVL 18

Expert Comment

by:awawada
ID: 41829227
You are welcome.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41829599
I'd like to see the result. To my knowledge, Win10 will not respect the policy setting that is outlined in your last link (detect but install manually).
0
 

Author Comment

by:philodendrin
ID: 41830316
I assume and fear the same thing, McKnife... since the local Group Policy options typically mirror those that are available from server to client ...and with 1607 (anniversary update) Microsoft has removed the option to allow the user to manually decide when they want to install the updates. I can tell already we're going to be getting complaints and PCs restarting automatically. I don't see "deferring" updates as a reasonable workaround.

Moreover, the more I read about Windows 10 with 1607 installed and WSUS, the more I see that I'll need to deploy in a test environment first... because there are lots of posts with users complaining that updates either don't download, crash Windows 10, or even brick the PC. Nice work, Microsoft.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus

They've managed to take something that was relatively flexible before and make it complicated, awkward, and unreliable. I may need to look at third-party patch management solutions.

I'm also not a fan of their new CU patch management strategy. Now instead of being able to remove a troublesome single update, we have to roll back a cumulative update?! How is removing all updates instead of just the one causing the problem more secure? ...And we have to wait a month for the fix for broken patches.

Getting old already, since I'm still waiting for multiple fixes related to 1607.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41833020
@McKnife
Because of that, we also disable the Update service and enable it when we have maintenance for the clients.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41833089
You wrote so. But to make that usable, you'll have to have a client-based logic, because if you enabled it centrally, you'll have to rely on the condition that all computers are online at that time, which is normally not the case.

How do you go about with that disabling, if I may ask?
0
 
LVL 18

Expert Comment

by:awawada
ID: 41834921
@McKnife
We use the Task Scheduler or SCCM tasks to enable / disable the Update service.
When we have maintenance, all clients are online. At small locations they will not shut down the clients.
In large environments we are using Wake-on-LAN.
0
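
The enable/disable approach discussed above, with the window check done on the client as McKnife suggests, could look like the following. This is an added example, not code posted by anyone in the thread; the window days and times, the log path and the function name `Test-InMaintenanceWindow` are assumptions, and the script is meant to be run elevated by a recurring Task Scheduler task.

```powershell
# Added example (not from the thread): client-side maintenance-window gate
# for the Windows Update service (wuauserv). All parameter defaults are assumptions.
param(
    [DayOfWeek[]]$WindowDays = @('Saturday'),   # assumed maintenance day(s)
    [TimeSpan]$WindowStart   = '22:00',         # assumed start, local time
    [TimeSpan]$WindowEnd     = '04:00',         # assumed end; may cross midnight
    [string]$LogPath = "$env:ProgramData\WuGate\wugate.log"  # hypothetical path
)

function Test-InMaintenanceWindow {
    param([datetime]$Now, [DayOfWeek[]]$Days, [TimeSpan]$Start, [TimeSpan]$End)
    $t = $Now.TimeOfDay
    if ($Start -le $End) {
        return ($Days -contains $Now.DayOfWeek) -and ($t -ge $Start) -and ($t -lt $End)
    }
    # Window crosses midnight: hours after midnight belong to the previous day's window.
    if ($t -ge $Start) { return $Days -contains $Now.DayOfWeek }
    if ($t -lt $End)   { return $Days -contains $Now.AddDays(-1).DayOfWeek }
    return $false
}

$inWindow = Test-InMaintenanceWindow -Now (Get-Date) -Days $WindowDays `
    -Start $WindowStart -End $WindowEnd
$svc = Get-Service -Name wuauserv

if ($inWindow) {
    # Inside the window: allow the service to run so updates can install.
    Set-Service -Name wuauserv -StartupType Manual
    if ($svc.Status -ne 'Running') { Start-Service -Name wuauserv }
    $action = 'enabled'
} else {
    # Outside the window: stop the service and keep it from starting.
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name wuauserv -Force }
    Set-Service -Name wuauserv -StartupType Disabled
    $action = 'disabled'
}

# Append one line per run so missed windows can be spotted later.
New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
"{0:s} wuauserv {1} (inWindow={2})" -f (Get-Date), $action, $inWindow |
    Add-Content -Path $LogPath
```

A station that is powered off during every window never enables the service and so stays unpatched; collecting the log or the service state centrally shows which stations have gone without a window.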
 
LVL 54

Expert Comment

by:McKnife
ID: 41834966
That method cannot be applied to many environments, since wake on LAN will not work if proper preboot encryption authentication is in place (which is a security best practice). Leaving all computers on will not be an option anywhere, either.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41835323
@McKnife
"Leaving all computers on will not be an option anywhere, either." That is not true.
Philodendrin asked for a solution and I provided him with what we do. We are responsible for many thousands of clients (different customers).
We know that Wake-on-LAN can be a security risk and the customers know that too. And all other customers who have critical clients are protected by BitLocker. So there is no other way than to communicate the maintenance to users. We had a Microsoft case opened and they told us to disable the service and use deadlines. This has now worked fine for more than one year.
0
 

Author Closing Comment

by:philodendrin
ID: 41835725
I located the information that I was looking for, which was not included in the other solutions.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41835776
The GPOs that you "located" in that link are not solving your question "what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts?" - are they? Or what part do you think has made a difference?
0
