• Status: Solved
  • Priority: Medium
  • Security: Private
  • Views: 64
  • Last Modified:

Does Windows 10 consistently respect Windows Update GPO settings?

I realize this is an open-ended question--I'm not asking on behalf of a particular customer--but we're wondering if Windows 10 always respects the GPOs we've set for Windows Update, which point all domain PCs to our on-premises WSUS server with specific maintenance windows and restart settings.

I'm hearing anecdotal evidence that 10 may bypass WSUS (and any other WU-related settings imposed by GP) and update and restart itself whenever Microsoft deems this necessary.  I don't have "smoking gun" proof yet, but cursory Googling suggests I'm not the only one who's getting suspicious, and we're seeing some erratic update behavior on our fleet of Win 10 Surfaces.

What has your experience been like?  Do you use WSUS, or a third-party patch management solution?
  • 2
2 Solutions
Cliff GaliherCommented:
Semantics matter here.yes, windows 10 is consistent in respecting policies and how it respects them. That does NOT mean it respects ALL policies. Particularly with 7 and previous  several policies no longer are used  so they are consistently IGNORED.

If you are seeing inconsistent behavior though, that is99. 99999% likely to be a configuration issue. There is no statistically relevant reports of windows 10 arbitrarily deciding to install updates outside of WSUS because "Microsoft" deemed it so.
AA-in-CAAuthor Commented:
How do I determine whether a policy will be ignored?  Is this labelled in the GP Editor?
Cliff GaliherCommented:
I don't recall any that aren't. Every policy has an applies to section. But since the editor can load policies from the central store if  if your templates are out of date, you could be misled.

If a template from windows 7 is used, it could say "windows XP and higher."

MS can change the behavior in windows 8. They also update their template to say "XP, Vista, and 7."* But if you do then update your templates, your editor still says "XP and higher." Thus is the burden of choosing to use a central store.  Same could be said of editing policies on an old OS without a central store truth be told.

So yes, you can tell. But you have to be cognizant of how group policies, the editor, and templates work.
PberSolutions ArchitectCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

-- Cliff Galiher (https:#a42350478)
-- Cliff Galiher (https:#a42350476)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Experts-Exchange Cleanup Volunteer
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Certified Penetration Testing

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now