Alex T

Block Windows 10 Creators update

Hi

We need to block creators update for all our computers because it is causing problems with some of our applications.

Till now, we have allowed the users to install Windows Updates themselves and bless them they have been doing it without any problems.

But now we need to take control and prevent them from installing this update.

The idea is to block ONLY the Windows 10 Creators update and not other windows update.

I know I can just simply disable Windows update for everyone but that will block ALL updates including security ones.

The domain controller is Windows Server 2012 (NOT R2).

I thought I can do it using Group Policy as per this article

http://pureinfotech.com/prevent-windows-10-installing-creators-update/

For that, I needed to install the client side extensions for Windows 10, here is the link

https://www.microsoft.com/en-us/download/details.aspx?id=48257

I installed the update and then moved the .adm and admx files to the policy folder under sysvol.

However, after that install, I am not getting the subfolder that provides me options to block the creators update as described in that article.

That means either of the following.

1. I have installed the wrong update to get those options in the Group Policy

2. I have installed the correct update but not configured them correctly.

3. I have installed the correct update but there might be further update I need to install.


This is getting a bit out of hand now because users are programmed to just install available updates and it is obviously causing problems.

Any help would be great !!
McKnife

If you have a WSUS server, let them only use the WSUS and at the WSUS, don't approve that update.
If you don't have a WSUS, you should get one, since there is no GPO way to block certain updates.
Alex T (ASKER)

Is there a way to block it using registry?

The solution we need to put in place needs to be completely silent and the users shouldn't know or have to do anything.
Ramin

I'm not sure but "Defer feature updates" might be helpful.
http://www.windowscentral.com/how-delay-windows-10-creators-update-your-pc-and-why
Good article. Explains how to do it via all methods, including Registry
http://pureinfotech.com/defer-windows-10-upgrades-updates/
Ramin and Shaun, did you read what articles he mentioned? Just those about deferring the update, but after installing the adm files (he calls them client side extensions, but it would be just administrative templates, to be correct), he still cannot see the template container with "defer updates" enclosed.

Alex, I see the "defer windows updates" container and you should not need to install admx files because win 10 v1511 already holds this option, so does v1607. Please note: this is not blocking, but deferring - that's why I advised you (for blocking) to let them use only a managed wsus.
Mine about OP's registry questions
McKnife - Thanks for your point.
We looked into this as well. Our engineer came to the same conclusion. The creators update could only be delayed, not stopped. I think he mentioned 6 months.
It would be WSUS like McKnife cited or another patch management solution where you approve/reject updates (SCCM, Labtech, etc). However, the big thing is that you would have to have Automatic Updates turned off on all systems, which would actually prevent any updates from the Windows Updates site. But it should achieve your goal.
"the big thing is that you would have to have Automatic Updates turned off on all systems" - no. You would simply set up wsus and allow only wsus - there are policies for that.
I put that comment in for scenarios where products other than WSUS are used. 3rd party products don't tie in the same way that WSUS does for example.
Alex T (ASKER)

Thanks for your comments guys.

I should have said admin templates and not CSEs.

Delaying for 6 months is fine.

WSUS is now planned of course but it is not an option right now.

I need a solution pronto.
You need to continue with the defer policy, then.  As I told you, without even installing newer administrative templates, there should be the policies inside the defer windows updates container. What windows 10 version is it? Please run the command winver to read it out.
Alex T (ASKER)

McKnife

My friend, there isn't, as you can see in the screenshot.

There is no subcontainer of Windows Update, as there is for things like Windows Remote Management, Windows Error Reporting etc.
ee.png
Your screenshot is good: it shows that you don't even use the win10 RTM templates, nor any newer ones. All the policies that are win10-exclusive are missing in your screenshot! Where did you start the group policy editor, on what OS?
Alex T (ASKER)

On the server itself which is Windows Server 2012 (NOT R2).

I thought I could install the Group Policy extensions for Windows 10 on the server and that will give me the options related to Win10.

If I need to install something specific, let me know and a link to the download if possible.
I don't use a central store, nor do I mess with adm files. I simply use my administrative win10 and install RSAT on it - that's what I recommend. With RSAT, you start GPMC directly on 10 and you'll have access to all new policies right away, no matter what server OS your DC has.
Alex T (ASKER)

Hmm that's interesting but I was sure you need to install admin templates for client OS on the server for the server to then apply those settings for the clients when GPO gets applied.

I will try this and let you know if this works.
RSAT takes the ADMs from the machine it runs on. It will work.
Alex T (ASKER)

So McKnife

Made some progress in this.

1. Installed the administrative templates on the server and now I am getting the options that I need for Deferring the update. You can see it in WU2.png. This didn't work although the GPresult command shows that the computer is getting the GPO.

2. I then said, heck it should work locally at least so I configured the local policy to see if group policy will work at all for this. See WU3.png. This didn't work either.

3. I have attached the setting I believe should get ticked if the group policy (local or domain) is to work properly.

I can't understand what the hell is going on here or how to proceed.
WU1.png
WU2.png
WU3.png
You seem to expect that windows discards updates that it already downloaded - I don't think this would happen. So on PCs that have received these new, correct settings, stop the update service, delete c:\windows\softwaredistribution, restart the update service and re-detect. See what happens.
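
The check-and-reset sequence from this part of the thread, as an added PowerShell example that is not part of any participant's post: it first confirms that the deferral policy reached the client's registry (the case where GPresult reports the GPO but nothing changes), then clears the download cache and re-detects. Assumptions: the value names `DeferFeatureUpdates` and `DeferFeatureUpdatesPeriodInDays` are those written by the "Defer feature updates" policy on v1607 and later (v1511 uses different names); the cache folder is renamed rather than deleted so it can be restored; stopping BITS as well is an addition to the steps described.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run elevated on the Windows 10 client.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# 1. Confirm the deferral policy actually landed in this machine's registry.
#    Value names are an assumption (v1607+ "Defer feature updates" policy).
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy -or $policy.DeferFeatureUpdates -ne 1) {
    Write-Warning "DeferFeatureUpdates is not set under $policyKey. Fix policy delivery before touching the cache."
    return
}
'Feature updates deferred for {0} days' -f $policy.DeferFeatureUpdatesPeriodInDays

# 2. Stop the update service. BITS is stopped too (an addition to the
#    thread's steps) because it can hold files in the download cache open.
$services = 'wuauserv', 'bits'
Stop-Service -Name $services -Force

try {
    # 3. Move the cache aside instead of deleting it, so the already
    #    downloaded feature update is no longer offered from local files.
    $cache = Join-Path $env:SystemRoot 'SoftwareDistribution'
    if (Test-Path $cache) {
        $newName = 'SoftwareDistribution.old-{0}' -f (Get-Date -Format 'yyyyMMddHHmmss')
        Rename-Item -Path $cache -NewName $newName
        "Cache moved to $newName"
    }
}
finally {
    # 4. Always bring the services back, even if the rename failed.
    Start-Service -Name $services
}

# 5. Ask the Automatic Updates agent to re-detect under the new policy.
(New-Object -ComObject Microsoft.Update.AutoUpdate).DetectNow()
```

Once a re-detect no longer offers the feature update, the renamed `SoftwareDistribution.old-*` folder can be removed.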
Alex T (ASKER)

I am sorry, I don't understand what you are saying here. Do group policy settings (local or domain) have anything to do with any updates already downloaded?

I will still try this and let you know but this doesn't help because it means I will have to go around doing this on all computers.
ASKER CERTIFIED SOLUTION
McKnife

This solution is only available to members.
Alex, it is time to return to your question. Could we help you solve it? Any further questions?
Alex T (ASKER)

McKnife

Your Windows 10 solution worked fine after trying a few things, the issues were local to PCs and not group policy.
Fine. Are you about to close this question, then?
https://www.experts-exchange.com/questions/29022351/Block-Windows-10-Creators-update.html?notificationFollowed=201025794&anchorAnswerId=42179756#a42179756 indicated that the issues are no longer present and I helped in solving them. The author needs to return and close this.
Author addressed me with "your win10 solution worked fine"