Solved

How to Control Automatic Update Behavior in Win 10 Clients from Server 2012 R2

Posted on 2016-10-04
Last Modified: 2016-10-09
We have some accounting software that users often leave running without posting their changes. If their stations restart due to automatic updates, they lose their work.

What we're looking to accomplish is a way of controlling the behavior on a station-by-station basis. If the user is conscientious and always posts their changes before the end of a day, we want to allow automatic updating. On other stations, we want the updates to download but let the users decide when to apply.

We used to simply exclude certain stations from the Group Policy for automatic updates and then use the settings built into Windows 7 to control the behavior.

Now that Windows 10 has removed the option to download but not install the updates, what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts? Is there a specific Group Policy template for Win 10 that needs to be applied, or is it built into WSUS?

Environment is all Win 10 Pro stations running the craptacular Anniversary update, along with Server 2012 R2 Essentials.
Question by:philodendrin
14 Comments
 
LVL 18

Expert Comment

by:awawada
ID: 41828710
Yes, with WSUS you can control the update process. Have a look at
https://technet.microsoft.com/en-us/library/dn595129(v=ws.11).aspx

We are disabling the Update service and enabling it when we have maintenance for the clients.
0
 

Author Comment

by:philodendrin
ID: 41828724
Article makes no mention of Windows 10... which is a completely different animal. Can anyone confirm that the same policy settings will work in Win 10? My understanding was that a special Win 10 Group Policy template for WSUS would need to be applied?
0
 
LVL 18

Assisted Solution

by:awawada
awawada earned 500 total points
ID: 41828731
0

 

Accepted Solution

by:
philodendrin earned 0 total points
ID: 41828756
I think this is really what I need... but, your link led me to what I was looking for. So... Grazie.

https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wsus
0
 
LVL 18

Expert Comment

by:awawada
ID: 41829227
You are welcome.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41829599
I'd like to see the result. To my knowledge, Win10 will not respect the policy setting that is outlined in your last link (detect but install manually).
0
 

Author Comment

by:philodendrin
ID: 41830316
I assume and fear the same thing, McKnife... since the local Group Policy options typically mirror those that are available from server to client ...and with 1607 (anniversary update) Microsoft has removed the option to allow the user to manually decide when they want to install the updates. I can tell already we're going to be getting complaints and PCs restarting automatically. I don't see "deferring" updates as a reasonable workaround.

Moreover, the more I read about Windows 10 with 1607 installed and WSUS, the more I see that I'll need to deploy in a test environment first... because there are lots of posts with users complaining that updates either don't download, crash Windows 10, or even brick the PC. Nice work, Microsoft.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus

They've managed to take something that was relatively flexible before and make it complicated, awkward, and unreliable. I may need to look at third party patch management solutions.

I'm also not a fan of their new CU patch management strategy. Now instead of being able to remove a troublesome single update, we have to roll back a cumulative update?! How is removing all updates instead of just the one causing the problem more secure? ...And we have to wait a month for the fix for broken patches.

Getting old already, since I'm still waiting for multiple fixes related to 1607.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41833020
@McKnife
Because of that, we also disable the Update service and enable it when we have maintenance for the clients.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41833089
You wrote so. But to make that usable, you'll have to have a client-based logic, because if you enabled it centrally, you'll have to rely on the condition that all computers are online at that time, which is normally not the case.

How do you go about with that disabling, if I may ask?
0
 
LVL 18

Expert Comment

by:awawada
ID: 41834921
@McKnife
We use the Task Scheduler or SCCM tasks to enable / disable the Update service.
When we have maintenance, all clients are online. At small locations they will not shut down the clients.
In large environments we are using Wake-on-LAN.
0
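The approach described in the comment above (toggling the Windows Update service from a scheduled task), sketched as client-side logic so that it does not depend on a central push reaching every machine. This is an added example, not part of the thread and not awawada's actual script; the maintenance day, start hour and window length are assumed values, and the script is assumed to run hourly as SYSTEM.

```powershell
# Added example: hypothetical script for an hourly scheduled task (SYSTEM).
# Window values are assumptions for illustration, not taken from the thread.
[CmdletBinding(SupportsShouldProcess)]
param(
    [DayOfWeek]$WindowDay   = 'Saturday',  # assumed maintenance day
    [int]$WindowStartHour   = 22,          # assumed start hour, local time
    [int]$WindowLengthHours = 6,           # window may run past midnight
    [datetime]$Now          = (Get-Date)
)

function Test-InMaintenanceWindow {
    param([datetime]$Now, [DayOfWeek]$Day, [int]$StartHour, [int]$LengthHours)
    # Find the most recent window start at or before $Now, so a window that
    # crosses midnight is still recognised on the following day.
    $daysBack = (([int]$Now.DayOfWeek - [int]$Day) + 7) % 7
    $start = $Now.Date.AddDays(-$daysBack).AddHours($StartHour)
    if ($start -gt $Now) { $start = $start.AddDays(-7) }
    return ($Now -lt $start.AddHours($LengthHours))
}

$inWindow = Test-InMaintenanceWindow -Now $Now -Day $WindowDay `
    -StartHour $WindowStartHour -LengthHours $WindowLengthHours

if ($inWindow) {
    # Inside the window: allow the update client to scan and install.
    if ($PSCmdlet.ShouldProcess('wuauserv', 'enable and start')) {
        Set-Service -Name wuauserv -StartupType Manual
        Start-Service -Name wuauserv
    }
} else {
    # Outside the window: re-assert the disabled state on every run, so any
    # drift (something re-enabling the service) is corrected within the hour.
    if ($PSCmdlet.ShouldProcess('wuauserv', 'stop and disable')) {
        $svc = Get-Service -Name wuauserv
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name wuauserv -Force }
        Set-Service -Name wuauserv -StartupType Disabled
    }
}

# One status line per run, for the scheduled task's output or a log redirect.
Write-Output ("{0:s} inWindow={1} wuauserv={2}" -f $Now, $inWindow,
    (Get-Service -Name wuauserv).Status)
```

Run it with `-WhatIf` first to see which branch a given `-Now` value takes without touching the service. A client that is powered off for the whole window stays unpatched until the next one, so the window schedule sets the upper bound on patch latency.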
 
LVL 54

Expert Comment

by:McKnife
ID: 41834966
That method cannot be applied to many environments, since wake on LAN will not work if proper preboot encryption authentication is in place (which is a security best practice). Leaving all computers on will not be an option anywhere, either.
0
 
LVL 18

Expert Comment

by:awawada
ID: 41835323
@McKnife
"Leaving all computers on will not be an option anywhere, either." That is not true.
Philodendrin asked for a solution and I provided him what we do. We are responsible for many thousands of clients (different customers).
We know that Wake-on-LAN can be a security risk and the customers know that too. And all other customers who have critical clients are protected by BitLocker. So there is no other way than to communicate the maintenance to users. We had a Microsoft case opened and they told us to disable the service and use deadlines. This has now worked fine for more than one year.
0
 

Author Closing Comment

by:philodendrin
ID: 41835725
I located the information that I was looking for, which was not included in the other solutions.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41835776
The GPOs that you "located" in that link are not solving your question "what's the preferred method for stopping stations from restarting automatically and allowing manual application of updates and restarts?" - are they? Or what part do you think has made a difference?
0
