In the last few months, systems have been randomly upgrading themselves. The update is not approved within WSUS and is obtained directly from Microsoft servers.
The upgrade to 1709/1703 is not managed by WSUS and needs to be controlled, and the upgrade to the next feature update needs to be properly executed across the business to minimise any downtime.
Configuring the "Defer Feature Upgrades" GPO stopped the direct upgrade to build 1709, but not the upgrade to 1703, because...
"Now that Microsoft, uh, recommends version 1703 build 15063.483, your “Defer feature updates” setting has expired, and you’re getting the business-ready version of Win10 Creators Update. (This, despite the fact that there’s a massive batch of bug fixes waiting in the wings for 1703.)
There is no "Current Branch for Business" anymore, but that "Microsoft recommends" bullet applies in its stead. If you were deferring updates, your deferral just ran out (see screenshot)." - this is news to me!
Source: https://www.computerworld.com/article/3211375/microsoft-windows/win10-machines-with-defer-feature-up....
This is my current Windows Update Configuration under:
DeferQualityUpdates REG_DWORD 0x0 (not enabled)
DeferFeatureUpdates REG_DWORD 0x1 (enabled)
BranchReadinessLevel REG_DWORD 0x20 (set to current branch for business)
DeferFeatureUpdatesPeriodInDays REG_DWORD 0xb4 (180 days)
ElevateNonAdmins REG_DWORD 0x0 (Users in the Users security group are allowed to approve or disapprove updates)
WUServer REG_SZ http://WSUS:8530 (Specified intranet source)
WUStatusServer REG_SZ http://WSUS:8530
Is there a way to:
- Identify what servers a system connects to when pulling the feature update and block those communications? (i.e. stop connections to Microsoft servers through endpoint content control or the boundary firewall, without affecting Office 365 updates)
What I've done so far:
- Understood 1703 is now recommended for business (but I still don't want it).
- Attempted to configure the "Do not connect to any Windows Update Internet Locations" local GPO, but it blocked access to WSUS too, despite the following note: "This policy applies only when this PC is configured to connect to an intranet update service using the 'Specify intranet Microsoft update service location' policy" - this is already configured at Group Policy level, but it's being ignored.
- Considered blacklisting the following application/files on the endpoint management console to prevent the Windows Upgrade Assistant from running - but haven't had time to test:
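As an added example (not part of the original post), a PowerShell audit of the policy values involved in this question, plus a query of which update service the Windows Update Agent is actually using; it assumes the standard policy key paths and that the target is meant to be a WSUS-only Windows 10 client:

```powershell
# Added example (not from the original post): audit the Windows Update policy
# values relevant to the question and show which update service the client
# actually uses. Run in an elevated PowerShell on the affected client.
# The "expected" settings are assumptions for a WSUS-managed client.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Each entry: key, value name, and the condition a WSUS-only client should meet.
$checks = @(
    @{ Key = $wuKey; Name = 'WUServer';       Expect = { param($v) -not [string]::IsNullOrEmpty($v) } },
    @{ Key = $wuKey; Name = 'WUStatusServer'; Expect = { param($v) -not [string]::IsNullOrEmpty($v) } },
    # "Specify intranet Microsoft update service location" only takes effect when
    # AU\UseWUServer is 1; without it the client scans against Microsoft directly,
    # and the "Do not connect to any Windows Update Internet locations" policy
    # is documented as applying only when that intranet policy is in effect.
    @{ Key = $auKey; Name = 'UseWUServer';                 Expect = { param($v) $v -eq 1 } },
    @{ Key = $wuKey; Name = 'DeferFeatureUpdates';         Expect = { param($v) $v -eq 1 } },
    @{ Key = $wuKey; Name = 'DeferFeatureUpdatesPeriodInDays'; Expect = { param($v) $v -ge 1 } },
    @{ Key = $wuKey; Name = 'DoNotConnectToWindowsUpdateInternetLocations'; Expect = { param($v) $v -eq 1 } }
)

$report = foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Key -Name $c.Name
    $shown = '<not set>'
    $ok = $false
    if ($null -ne $v) {
        $shown = $v
        $ok = [bool](& $c.Expect $v)
    }
    [pscustomobject]@{ Setting = $c.Name; Value = $shown; Ok = $ok }
}
$report | Format-Table -AutoSize

# Ask the Windows Update Agent which registered service is the default for
# Automatic Updates. On a correctly managed client the default entry is the
# "Windows Server Update Service" one, not "Windows Update".
$services = (New-Object -ComObject 'Microsoft.Update.ServiceManager').Services
$services | Select-Object Name, ServiceID, IsDefaultAUService, IsManaged | Format-Table -AutoSize
```

If UseWUServer is missing or the default AU service is "Windows Update", the client is not honouring the intranet policy, which also explains why the "Do not connect" policy behaved unexpectedly.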