We help IT Professionals succeed at work.

Block Windows 10 Creators update

1,917 Views
1 Endorsement
Last Modified: 2018-03-10
Hi

We need to block creators update for all our computers because it is causing problems with some of our applications.

Till now, we have allowed the users to install Windows Updates themselves and bless them they have been doing it without any problems.

But now we need to take control and prevent them from installing this update.

The idea is to block ONLY the Windows 10 Creators update and not other windows update.

I know I can just simply disable Windows update for everyone but that will block ALL updates including security ones.

The domain controller is Windows Server 2012 (NOT R2).

I thought I can do it using Group Policy as per this article

http://pureinfotech.com/prevent-windows-10-installing-creators-update/

For that, I needed to install the client side extensions for Windows 10, here is the link

https://www.microsoft.com/en-us/download/details.aspx?id=48257

I installed the update and then moved the .adm and admx files to the policy folder under sysvol.

However, after that install, I am not getting the subfolder that provides me options to block the creators update as described in that article.

That means either of the following.

1. I have installed the wrong update to get those options in the Group Policy

2. I have installed the correct update but not configured them correctly.

3. I have installed the correct update but there might be further update I need to install.


This is getting a bit out of hand now because users are programmed to just installing available updates and it is obviously causing problems.

Any help would be great !!
Comment
Watch Question

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If you have a WSUS server, let them only use the WSUS and at the WSUS, don't approve that update.
If you don't have a WSUS, you should get one, since there is no GPO way to block certain updates.

Author

Commented:
Is there a way to block it using registry?

The solution we need to put in place needs to be completely silent and the users shouldn't know or have to do anything.
RaminTechnical Advisor
CERTIFIED EXPERT

Commented:
I'm not sure but "Defer feature updates" might be helpful.
http://www.windowscentral.com/how-delay-windows-10-creators-update-your-pc-and-why
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Good article. Explains how to do it via all methods, including Registry
http://pureinfotech.com/defer-windows-10-upgrades-updates/
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Ramin and Shaun, did you read what articles he mentioned? Just those about deferring the update, but after installing the adm files (he calls them client side extensions, but it would be just administrative templates, to be correct), he still cannot see the template container with "defer updates" enclosed.

Alex, I see the "defer windows updates" container and you should not need to install admx files because win 10 v1511 already holds this option, so does v1607. Please note: this is not blocking, but deferring - that's why I advised you (for blocking) to let them use only a managed wsus.
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Mine about OP's registry questions
RaminTechnical Advisor
CERTIFIED EXPERT

Commented:
McKnife - Thanks for your point.

Commented:
We looked in to this as well. Our engineer came to the same conclusion. The creators update could only be delayed, not stopped. I think he mentioned 6 months.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
It would be WSUS like McKnife cited or another patch management solution where you approve/reject updates (SCCM, Labtech, etc). However, the big thing is that you would have to have Automatic Updates turned off on all systems, which would actually prevent any updates from the Windows Updates site. But it should achieve your goal.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
"the big thing is that you would have to have Automatic Updates turned off on all systems" - no. You would simply setup wsus and allow only wsus - there are policies for that.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I put that comment in for scenarios where products other than WSUS are used. 3rd party products don't tie in the same way that WSUS does for example.

Author

Commented:
Thanks for your comments guys.

I should have said admin templates and not CSEs.

Delaying for 6 months is fine,

WSUS is now planned ofcourse but it is not an option right now.

I need a solution pronto.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You need to continue with the defer policy, then.  As I told you, without even installing newer administrative templates, there should be the policies inside the defer windows updates container. What windows 10 version is it? Please run the command winver to read it out.

Author

Commented:
McKnife

My friend, there isn't, as you can see in the screenshot.

There is no subcontainer of Windows Update, as there is for things like Windows Remote Management, Windows Error Reporting etc.
ee.png
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Your screenshot is good: it shows that you don't even use the win10 RTM templates, no any newer ones. All the policies that are win10-exclusive are missing in your screenshot! Where did you start the group policy editor, on what OS?

Author

Commented:
On the server itself which is Windows Server 2012 (NOT R2).

I thought I could install the Group Policy extensions for Windows 10 on the server and that will give me the options related to Win10.

If I need to install something specific, let me know and a link to the download if possible.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I don't use a central store, nor do I mess with adm files. I simply use my administrative win10 and install RSAT on it - that's what I recommend. With RSAT, you start GPMC directly on 10 and you'll have access to all new policies right away, no matter what server OS your DC has.

Author

Commented:
Hmm that's interesting but I was sure you need to install admin templates for client OS on the server for the server to then apply those settings for the clients when GPO gets applied.

I will try this and let you know if this works.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
RSAT takes the ADMs from the machine it runs on. It will work.

Author

Commented:
So McKnife

Made some progress in this.

1. Installed the administrative templates on the server and now i am getting the options that I need for Deferring the update. You can see it in WU2.png. This didn't work although the GPresult command showing that the comuter is getting the GPO.

2. I then said, heck it should work locally atleast so I configured the local policy to see if group policy will work at all for this. See WU3.png. This didn't work either.

3. I have attached the setting I believe should get ticked if the group policy (local or domain) is to work properly.

I can't understand what the hell is going on here or how to proceed.
WU1.png
WU2.png
WU3.png
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You seem to expect that windows discards updates that it already downloaded - I don't think this would happen. So on PCs that have received these new, correct settings, stop the update service, delete c:\windows\softwaredistribution, restart the update service and re-detect. See what happens.

Author

Commented:
I am sorry, I don't understand what you are saying here. Does group policy settings (local or domain) have anything to with any updates already downloaded?

I will still try this and let you know but this doesn't help because it means I will have to go around doing this on all computers.
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Alex, it is time to return to your question. Could we help you solve it? Any further questions?

Author

Commented:
McKnife

Your Windows 10 solution worked fine after trying a few things, the issues were local to PCs and not group policy.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Fine. Are you about to close this question, then?
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
https://www.experts-exchange.com/questions/29022351/Block-Windows-10-Creators-update.html?notificationFollowed=201025794#a42179756 indicated that the issues are no longer present and I helped in solving them. The authro needs to return and close this.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Author addressed me with "your win10 solution worked fine"
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.