Darren Rose


Windows 10 1709 - updates still downloading/installing despite being blocked in GPO

Hi

Windows 10 1709

Windows Update is blocked via GPO with the policies below:

Computer Configuration > Administrative Templates > Windows Components > Windows Update

- Configure Automatic Updates = Disabled
- Do not allow update deferral policies to cause scans against Windows Update = Enabled
- Do not connect to any Windows Update Internet locations = Enabled

Computer Configuration > Administrative Templates > Windows Components > Windows Update  > Windows Update for Business

- Select when preview builds and feature updates are received = Enabled
- Select the Windows readiness level for the updates you want to receive = Semi-Annual Channel
- After a preview build or feature update is released, defer receiving it for 180 days

User Configuration > Administrative Templates > Windows Components > Windows Update 

- Remove access to all Windows Update features = Enabled
- Configure notifications = 0 - do not show any notifications

But Windows still keeps trying to download and install updates, despite Settings > Windows Update clearly showing "Some settings are managed by your organization"

And still getting notifications about updates

What are we missing?
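A way to see which of the policies above a 1709 client has actually received, as an added example that is not part of the original question. It reads the registry values these GPO settings are assumed to write (the value names are my reading of the Windows Update ADMX templates, not something stated in this thread; the user-side notification setting is left out because I am not certain of its value name), then reports the wuauserv startup type and which registered update service the agent treats as its default. Run it in an elevated PowerShell session on an affected machine after `gpupdate /force`.

```powershell
# Added audit script, not from the thread. Value names are my assumption from the
# Windows Update ADMX templates; confirm them against your own Group Policy report.
$wu     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au     = "$wu\AU"
$userWu = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy never reached this client.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# label, registry path, value name, value expected from the settings in the question
$checks = @(
    @('Configure Automatic Updates = Disabled',          $au,     'NoAutoUpdate',                                 1),
    @('Do not connect to any WU Internet locations',     $wu,     'DoNotConnectToWindowsUpdateInternetLocations', 1),
    @('No deferral-policy scans against WU',             $wu,     'DisableDualScan',                              1),
    @('Defer feature updates',                           $wu,     'DeferFeatureUpdates',                          1),
    @('  deferral period in days',                       $wu,     'DeferFeatureUpdatesPeriodInDays',              180),
    @('  readiness level (32 = Semi-Annual Channel)',    $wu,     'BranchReadinessLevel',                         32),
    @('Remove access to all WU features (user policy)',  $userWu, 'DisableWindowsUpdateAccess',                   1)
)

foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c[1] -Name $c[2]
    $state  = if ($null -eq $actual) { 'MISSING' } elseif ($actual -eq $c[3]) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-48} actual={2} expected={3}' -f $state, $c[0], $actual, $c[3]
}

# The Shavlik 1709 guidance referenced later in the thread turns on the service
# startup type, so report it next to the policy values.
$svc = Get-Service -Name wuauserv
'{0,-8} wuauserv StartType={1} Status={2}' -f 'INFO', $svc.StartType, $svc.Status

# Which registered update service the agent treats as its default. "Windows Update"
# here, on a client that should only be fed by the patching server, is the symptom.
(New-Object -ComObject Microsoft.Update.ServiceManager).Services |
    Select-Object Name, IsDefaultAUService, IsManaged
```

A MISSING line means the policy never arrived on that client (check the GPO's scope and filtering with `gpresult /h`), while an OK line with the symptom still present points past Group Policy to the update agent's own configuration.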
John

Probably nothing, Windows 10 will update.

Use the settings in Windows 10 V1703 Update to defer feature updates for a period until you resolve the problem with V1709.
Darren Rose (Asker)

"Probably nothing, Windows 10 will update." - but that defeats the point of the GPO, and we really don't need 350 machines updating when they want to, hence the reason for using GPO

You can't defer them within Windows because, with the GPO enabled (even if it isn't working), the setting doesn't appear; as I mentioned in the question, it clearly shows "Some settings are managed by your organization"
Cliff Galiher
Most of those settings are ignored by Windows 8-10. About the only ones that matter are the Windows Update for Business ones.  And you are past 180 days since 1709 was released, so that's pretty much working as expected. You cannot disable updates in a supported way on Windows 10. Delay, yes. Disable, no.
What is the reason for attempting to prevent updates? What is not working?  V1803 is due out before the end of April, so that is yet another update that will download.
It has been doing it for a while now - so originally the problem started before the 180 day period was over

The whole point of Windows 10 Enterprise and Group Policy etc. should be to allow a business to control updates - we roll them out using Shavlik (or whatever it is called this week), as I suspect a lot of companies do, or at least some other WSUS solution, so we want to roll out updates as and when we want, NOT when Microsoft wants
You need to combine your schedule with Microsoft's otherwise you may go nuts trying to defeat things
Then use WSUS or Shavlik.  Both offer setup instructions on how to set that up. And yes, it works.  I can attest to that personally as can the thousands of subscribers to the patchmanagement.org email list.

BUT.  If you try to fake setting up WSUS just to block updates, you'll be disappointed.  The system knows the difference between "this update exists and is not approved", as WSUS would report, and a non-responsive server request, as would happen if you tried to fake it.  Windows 10 expects to be updated regularly and is coded as such.  This has been VERY WELL DOCUMENTED, even in Enterprise.

You may not agree with it.  You may not like it.  But you asked a question and experts have answered.  Arguing about how Microsoft has chosen to implement update management goes away from the intent of the original ask, and isn't productive to argue for anybody's time here. We are all volunteering our time to assist.  Nothing more or less.
@ Cliff

Not trying to "fake" anything - we have Shavlik installed and use it to roll out updates, but like a lot of people working in IT we don't do them immediately; we leave them a few days to make sure there are no issues first and roll them out to a test group - as you must know yourself, MS often cock things up and cause problems, hence waiting a few days

But in the meantime Windows 10 is starting to download them by itself despite being blocked by GPO

That is the whole point of my question, not arguing, just asking

Never had problem with 1703, 1607 etc - it is just 1709 builds that are ignoring Group Policy
"we don't do them immediately, we leave them a few day"

That's fair but V1703 is months old and you can easily defer a few days using the update settings.

"Never had problem with 1703, 1607"

Windows is changing to ensure updates.
@ John

We pay for SA and Enterprise so we don't have to install new "builds" each time, and can skip a build for x days

The build updates are not the problem here - it is all the other weekly patches for security and fixes etc etc

I want to roll them out via Shavlik every week or two - and don't want Windows getting them itself until I roll them out via Shavlik
Which goes back to my previous comment.  Shavlik has specific guidance *FOR WINDOWS 10* ...if you follow their older Win7 guidance, or are an IT guy for 20+ years and just assume the same settings you've always used still work...they don't.  But the Shavlik Win10 guidance *DOES* work, even on new builds.  Again, plenty of folks on patchmanagement.org do this *EVERY DAY* ...if this was a widespread issue, it'd be getting screamed about at the top of Engadget, Gizmodo, and every other MS-bashing site you can think of.

If you are seeing Windows getting updates outside of Shavlik then *something* is wrong with your setup.  If it were one machine, I'd say maybe the OS is corrupt and is ignoring the setup. But if all machines are exhibiting the same behavior, as you have implied, then the issue is in your setup.  This isn't Home vs Pro vs Enterprise vs SA vs LTSB vs semi-annual vs Windows XP. This is using the product as intended and following their [Shavlik's] guidance for managing updates on Win10.
@Cliff

I thought we had followed all the steps when installing Shavlik - BUT yes, it was installed originally when we had Windows 7.  Then we started rolling out Windows 10: first 1607, then 1703, and last November we started using 1709

Can you tell me which Shavlik guidance you mean, as I have obviously missed something, please

Thank you
@ Cliff

Just looked on the Shavlik website and it seems to suggest setting the GPO as below - which I have done, as I put in the original question!

Computer Configuration > Administrative Templates > Windows Components > Windows Update

- Configure Automatic Updates = Disabled

That's a Win7 setting for sure. I am not a Shavlik guy. But I interact with many folks that are. When I need tight update management, I prop up WSUS.  And larger environments have SCCM for other reasons. So I know guidance is out there for Shavlik on Win10, but I don't have details memorized. Maybe another expert here can chime in on that aspect. But Shavlik deployments are pretty rare these days, so maybe not.
@ Cliff

So initially you said "But the Shavlik win10 guidance *DOES* work, even on new builds"

And then when I mentioned the guidance found on the Shavlik website, which clearly says it is for Windows 10, you say it is a Win7 setting for sure?

Now I am confused, as I assumed by the tone of your reply initially you were telling me I didn't know what I was doing and had obviously set it up wrong - which clearly I haven't, as the GPO settings Shavlik state on their website are the settings I posted in the initial question.

1607 and 1703 = https://community.shavlik.com/docs/DOC-24497

1709 = https://community.shavlik.com/docs/DOC-23923
I'm noticing in the 1709 docs you linked to that you need to change the service startup. And I can't see in any of your posts that you did so.  So that's one thing I'm noticing just from a brief scan.
@Cliff

Yes, I noticed that and checked, and it is set correctly

So everything Shavlik suggests is set correctly and always has been

So back to my original question then: what am I missing?
I am not convinced those documents are correct. They look like community-created and maintained docs, not official product documentation.  If I were you, I'd reach out to Ivanti support.
Yes I thought I might do that just for clarification
I did a fairly quick search and it does look like Protect 9.3 Update 1 fixes a lot of bugs and compatibility issues. Part of patching is keeping the patching product itself up to date. Hope that helps.
Thanks, don't think I have update 1 so will do it now :)
Darren, what are you trying to do, shut down updating completely? Then set the startup type of Windows Update to "Disabled".
All implications like not being patched or not being supported set aside - that works - it's not recommendable for many reasons, but it works.
If you are looking for recommendations on setting up policies for updating, then please phrase your needs.

The state of the update service (startup: Disabled) will not change unless you manually install a feature upgrade or use some 3rd-party software that looks forward to "helping" you by changing it. If you wanted to make sure it's kept disabled, you can use GPOs to enforce the Disabled startup type: Computer Configuration - Windows Settings - System Services
@McKnife

I am trying to centrally manage updates using Shavlik - so I want to be able to roll out updates (after I have tested them) via Shavlik to all 350 client machines

I don't want Windows downloading updates itself in the meantime

Setting the service to Disabled doesn't work - yes, it would stop clients downloading them, but 3rd-party WSUS tools such as Shavlik require that service to be set to Manual
Right, Shavlik. What does Shavlik's documentation recommend? Sorry, only experience with WSUS here, where you would simply
- approve updates when tested
- set an installation schedule
- prevent updates from restarting when users are logged on

The last option can of course be set with Shavlik as update server, too.
Yes, I can do all those things with Shavlik as well

They say to do as per the links below - which is done

1607 and 1703 = https://community.shavlik.com/docs/DOC-24497

1709 = https://community.shavlik.com/docs/DOC-23923
Since the author of the first is a support employee, you will be able to contact him and ask.
ASKER CERTIFIED SOLUTION
Darren Rose
Found the solution, as posted in my last comment