Question
Thursday, April 19, 2018 8:48 PM
Hi
Windows 10 1709
Windows Update is blocked via GPO with policies below:-
Computer Configuration > Administrative Templates > Windows Components > Windows Update
- Configure Automatic Updates = Disabled
- Do not allow update deferral policies to cause scans against windows update = Enabled
- Do not connect to any windows update internet locations = Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business
- Select when preview builds and feature updates are received = Enabled
- Select when Quality Updates are received = Enabled - 30 days
- Select the windows readiness level for the updates you want to receive = Semi-annual channel
- After a preview build or feature update is released - defer receiving for 180 days
User Configuration > Administrative Templates > Windows Components > Windows Update
- remove access to all windows update features = enabled
- configure notifications = 0 - do not show any notifications
But Windows still keeps trying to download and install updates despite it clearly showing in Settings > Windows Update that "Some settings are managed by your organization"
And still getting notifications about updates
What are we missing?????
Darren Rose
All replies (19)
Thursday, April 19, 2018 9:40 PM
Just to add we are using Shavlik to roll out patches after we test them - so not just trying to avoid patches, simply handling them ourselves so don't want Windows automatically doing them
Darren Rose
Friday, April 20, 2018 7:36 AM
Hi,
Did the PC join a domain?
If yes, please try to unjoin the domain to see if it can work.
Please click View configured update policies to see if it shows as in the following screenshot. (Settings -> Update & Security).
Please also check if the NoAutoUpdate registry value is 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, April 20, 2018 9:02 AM
Yes it joined a domain - and it joined successfully as checked in event logs for NetJoin message - this is also affecting multiple computers so can't imagine all of them failed to join domain, but anyway our event log alerting software sends us an alert if NetJoin shows failed to join domain etc
Checked settings you mention above and they both show exactly the same as yours
But if I click check for updates it will still find, download and install them (or if left it will do it itself)
Darren Rose
Friday, April 20, 2018 9:51 AM
Hi,
According to your description, it will download and install update after you click check for updates.
From the following screenshot about Configure Automatic Updates, it mentioned “If the status for this policy is set to Disabled, any updates that are available on Windows Update must be downloaded and installed manually.”
There is no method for you to permanently disable Windows Update. But you could set Windows Update service startup to "Disable" to disable the Windows Update as a workaround temporarily.
Friday, April 20, 2018 10:49 AM
We can't set Windows Update Service to Disabled - as then 3rd party patch management tool (Shavlik) can't roll out patches
There must be some way to stop Windows downloading automatically for customer who use one of the many 3rd party patch management tools....
Darren Rose
Friday, April 20, 2018 3:33 PM
Hello,
You can simply block V1709 feature update:
https://www.kapilarya.com/how-to-block-feature-updates-in-windows-10
Let us know if this helps!
Microsoft MVP (Windows and Devices for IT)
Windows Insider MVP
Windows Help & Support [www.kapilarya.com]
Friday, April 20, 2018 3:55 PM
I'm not asking about blocking 1709 update? I was asking about all the other updates as I want to roll them out using Shavlik patching tool and not have clients downloading updates themselves
Darren Rose
Monday, April 23, 2018 9:41 AM
Hi,
You could enable Remove access to use all Windows Update features GPO.
Monday, April 23, 2018 12:00 PM
Which would stop users getting to settings > windows updates
BUT it isn't going to stop updates installing automatically I doubt
Darren Rose
Tuesday, April 24, 2018 1:39 AM
Hi,
Windows Update will be downloaded and installed manually when you disable Configure Automatic Updates GPO. It means users need to click Check for update to download and install update. So if you enable Remove access to use all Windows Update features GPO, users will not be able to click Check for update.
Tuesday, April 24, 2018 10:02 AM
As stated in my question the Configure Automatic Updates GPO is configured - BUT Windows is still downloading and installing updates AUTOMATICALLY - hence the whole point of my question
Darren Rose
Tuesday, April 24, 2018 10:22 AM
Did you use SCCM to deploy update in your environment?
Please help us collect for windowsupdate.log (%windir%\windowsupdate.log) for detailed information. Please upload the log to OneDrive and paste the link here. We will help you to analyze them.
Note: If you have any concern about this, please send the logs to [email protected] through email, but it may cause reply delay.
Tuesday, April 24, 2018 12:57 PM
No we don't use SCCM
We use Shavlik (Ivanti) Patch Management software
Please see links below for the windowsupdate.log from two different machines both with same problem of ignoring group policy settings etc
Would really appreciate someone analyzing them for me - thanks
http://www.pcassistonline.co.uk/TEST/WindowsUpdateLogs.zip
Darren Rose
Wednesday, April 25, 2018 9:25 AM
Hi,
There is a task scheduler named Schedule Scan (Task Scheduler Library\Microsoft\Windows\UpdateOrchestrator); it will perform a scheduled Windows Update scan at system level. There is a time limit on manually downloading Windows Updates; if you never click Check for update, the system will download the update automatically.
So I recommend you to enable Configure Automatic Updates GPO, then select 2-Notify for download and auto install, users will be notified that updates are ready to be downloaded.
And you could also enable the Select when Quality Updates are received to defer receiving quality updates for up to 30 days. (Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business)
Wednesday, April 25, 2018 9:31 AM
1) Have you looked at the logs you requested and I supplied?
2) Not sure how your above reply helps - as I don't want users notified etc - I want to handle patch management in my organization with Shavlik/Ivanti and roll out patches to all client machines myself - exactly how I have done successfully with Windows 7, Windows 8, and Windows 10 prior to 1709
I REPEAT I DON'T WANT USERS GETTING NOTIFIED OF UPDATES OR UPDATES BEING INSTALLED MANUALLY BEFORE I TEST THEM IN A TEST GROUP AND ROLL THEM OUT VIA A THIRD PARTY PATCH MANAGEMENT SOLUTION
Darren Rose
Wednesday, April 25, 2018 9:50 AM
I have seen the logs. And in windowsupdate2.log, there is an update installed via Windows Update automatically.
According to my understanding, you couldn’t prevent the Schedule Scan task running in Windows 1709. So it couldn’t ensure if the updates that you want to test are not installed on your PC.
Please try to enable the Select when Quality Updates are received to defer receiving quality updates for up to 30 days. (Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Windows Update for Business)
Wednesday, April 25, 2018 1:52 PM
Hi,
There is a task scheduler named Schedule Scan (Task Scheduler Library\Microsoft\Windows\UpdateOrchestrator)
There is no UpdateOrchestrator showing where you mention on these computers - I can see it on my test computer here but not on the problematic ones
They are running Windows 10 Enterprise if that makes any difference?
See screenshot below where you can see a WindowsUpdate folder but not an UpdateOrchestrator
Any thoughts?
Darren Rose
Wednesday, April 25, 2018 3:19 PM
The Select when Quality Updates are received group policy is already set to 30 days
How can I disable or delete the Task Scheduler Library\Microsoft\Windows\UpdateOrchestrator\Schedule Scan so it doesn't run in future?
Darren Rose
Thursday, November 22, 2018 2:21 PM
Hey,
not sure if this is still open but we had a similar problem starting with Build 1709.
The solution was to set the telemetry level to at least 1, else any policies restricting automatic update behaviour simply got ignored.
https://www.computerworld.com/article/3261570/microsoft-windows/microsoft-forces-win10-1709-upgrades-on-pcs-set-to-restrict-telemetry.html
Cheers
Maik
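Added example, not part of any post in this thread: a read-only PowerShell audit of the policy values the thread discusses, run on an affected client. Only the NoAutoUpdate path is quoted in the thread; the other value names (DoNotConnectToWindowsUpdateInternetLocations, DisableDualScan, the Defer* values, AllowTelemetry) are assumed to be the registry names these Group Policy settings write, and the helper name Get-PolicyValue is hypothetical.

```powershell
# Added example: read-only audit of the Windows Update policy values discussed in this thread.
# Value names other than NoAutoUpdate are assumptions (not quoted in the thread).
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$checks = @(
    @{ Path = "$wu\AU"; Name = 'NoAutoUpdate' }
    @{ Path = $wu; Name = 'DoNotConnectToWindowsUpdateInternetLocations' }
    @{ Path = $wu; Name = 'DisableDualScan' }
    @{ Path = $wu; Name = 'DeferQualityUpdates' }
    @{ Path = $wu; Name = 'DeferQualityUpdatesPeriodInDays' }
    @{ Path = $wu; Name = 'DeferFeatureUpdates' }
    @{ Path = $wu; Name = 'DeferFeatureUpdatesPeriodInDays' }
    @{ Path = $dc; Name = 'AllowTelemetry' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# One row per policy value, so machines can be compared side by side.
$report = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Key   = $c.Path
        Value = $c.Name
        Data  = if ($null -eq $v) { '<not set>' } else { $v }
    }
}
$report | Format-Table -AutoSize

# Condition reported in the last reply: telemetry level below 1 while
# update-restricting (deferral) policies are configured.
$telemetry = Get-PolicyValue -Path $dc -Name 'AllowTelemetry'
$deferSet  = ((Get-PolicyValue -Path $wu -Name 'DeferQualityUpdates') -eq 1) -or
             ((Get-PolicyValue -Path $wu -Name 'DeferFeatureUpdates') -eq 1)
if ($deferSet -and $null -ne $telemetry -and $telemetry -lt 1) {
    Write-Warning 'AllowTelemetry is below 1 while deferral policies are set (see the last reply).'
}

# The scan task named in the thread; the poster reports it missing on some machines.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\UpdateOrchestrator\' `
                          -TaskName 'Schedule Scan' -ErrorAction SilentlyContinue
if ($task) { "Schedule Scan task state: $($task.State)" } else { 'Schedule Scan task not found' }
```

The script changes nothing; running it on a working machine and a misbehaving one shows which policy values differ between them.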