That’s not correct and is at the root of the confusion. Niall’s documentation is also inaccurate on this point as well – something he’s well aware of and very frustrated about because Microsoft has really dropped the ball on this one. His documentation was correct based on Microsoft info given and may well have been correct for Win 10 1507 but as of 1511, it’s not.
Setting a registry value doesn’t change the build that a system is on so saying a system is CB or CBB based on this setting is mis-leading at best. Setting the registry value simply defines an intent of when you want a feature update to be deployed to a system in the future from Windows Update for Business (and only from Windows Update for Business). If you set this value and you are using ConfigMgr, updates (and not just feature updates) won’t work at all and you’ll enable dual-scan which is described in the blog post linked way down below. That Technet documentation is (unfortunately) horribly wrong also and is (sorry, once again) the point of that same blog post: https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ J From: [email protected] [mailto:[email protected]] On Behalf Of Hyatt, Dewayne Sent: Wednesday, April 12, 2017 7:26 AM To: [email protected] Subject: RE: [mssms] GPO Update Disable Manual MS checks I must be missing a pretty big piece of the puzzle here. When I initially set up Windows 10 servicing to deploy 1511 I learned that SCCM wouldn’t deploy a CBB plan to a client if the client was not set to CBB manually or by using a GPO. Niall’s guide covered this: If however the below setting is set (either manually in the OS or via GPO or MDM) then the device is considered to be Current Branch for Business (CBB). (https://www.niallbrady.com/2016/04/11/how-can-i-use-servicing-plans-in-system-center-configuration-manager-current-branch-to-upgrade-windows-10-devices/) This blog was recently updated and it covers the same thing: https://technet.microsoft.com/en-us/itpro/windows/update/waas-manage-updates-configuration-manager How is everyone changing the operating system readiness branch of their clients in order to use Windows 10 servicing plans? Dewayne From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jason Sandys Sent: Tuesday, April 11, 2017 7:12 PM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks No. This choice is a feature update selection mechanism that helps determine what to include in the resulting update group. It is not a targeting mechanism and thus is not dependent on the defer updates setting on clients. You use collections just like you always have/do to target servicing plans/ADRs. J From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Hyatt, Dewayne Sent: Tuesday, April 11, 2017 12:42 PM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks Maybe I misunderstood then. I thought that when you define a servicing plan that you have to pick the update ring (CB or CBB) and that the targeted clients are set to either ring using defer windows updates GPO’s. This is how I was setting my Windows 10 clients to the CBB ring. Is that not correct? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jason Sandys Sent: Tuesday, April 11, 2017 11:55 AM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks We just had confirmation on the back-end that not much changes here, the blog post is still valid, don’t set anything. Question though, what do you mean tear down your servicing? Servicing in ConfigMgr has nothing to do with the issues being discussed. J From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Hyatt, Dewayne Sent: Tuesday, April 11, 2017 10:34 AM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks So since it’s patch Tuesday it looks like I’m going to have to tear down all of my Windows 10 servicing in SCCM so that my clients don’t go to MS for updates today… what fun. I was hoping that something would be fixed at least by 1703 but your comments don’t make me very confident in that. I guess we’ll see? From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Jason Sandys Sent: Tuesday, April 11, 2017 11:13 AM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks And of course, it’s changed in 1703 – the “defer” option is gone and now there is a “pause” option. No one knows if these are the same, different, or something else. J From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Hyatt, Dewayne Sent: Tuesday, April 11, 2017 10:01 AM To: [email protected]<mailto:[email protected]> Subject: RE: [mssms] GPO Update Disable Manual MS checks I’ll admit that I have been off task for a little while with other projects. I didn’t realize this was a daily thing ☹ From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Adam Juelich Sent: Tuesday, April 11, 2017 10:49 AM To: [email protected]<mailto:[email protected]> Subject: Re: [mssms] GPO Update Disable Manual MS checks The fact that we are still having this conversation daily over the past few months means that Microsoft is really screwing the pooch here. On Tue, Apr 11, 2017 at 9:42 AM, Hyatt, Dewayne <[email protected]<mailto:[email protected]>> wrote: Whoops… I had read that blog a while back but apparently not well enough. I am confused now though. I am using a GPO to define what branch our Windows 10 clients are in for Windows 10 servicing in SCCM. I thought that was the correct way to do it. I saw 1607 used different policies but it looked like it was doing the same thing. This blog said not to enable those policies. From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Niall Brady Sent: Monday, April 10, 2017 3:37 PM To: [email protected]<mailto:[email protected]> Subject: Re: [mssms] GPO Update Disable Manual MS checks read this https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ dual scan is the cause On Mon, Apr 10, 2017 at 7:54 PM, Hyatt, Dewayne <[email protected]<mailto:[email protected]>> wrote: Sorry to hijack but this is somewhat relevant. Since we rolled out 1607 we have noticed machines are automatically getting updates from Microsoft update even though we have a GPO defining our SUP as the WSUS server. I was looking into blocking Microsoft update entirely (not sure that is what I want to do in our environment) and I ran across this thread. Has anyone else seen behavior like this? We’ve had a few different locations report this, then my own workstation did it this morning, at that point I started to believe them ☺. Thanks, Dewayne From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Adam Juelich Sent: Thursday, March 30, 2017 8:46 AM To: [email protected]<mailto:[email protected]> Subject: Re: [mssms] GPO Update Disable Manual MS checks Yes, other than the GP setting to 'Disable Automatic Updates,' don't configure anything else related to it. There is the User-Side GP Setting: "Remove access to use all Windows Update features" That should do the trick. On Thu, Mar 30, 2017 at 7:12 AM, Daniel Ratliff <[email protected]<mailto:[email protected]>> wrote: Never configure any of your windows update settings with GPO, let SCCM handle that via local policy. I believe the setting you want is here for Win10: https://miketerrill.net/2016/10/11/disable-check-online-for-updates-from-microsoft-update-in-windows-10/ For Win7, we just disable the ability to check online: https://weikingteh.wordpress.com/2012/09/20/how-to-disable-the-check-online-for-updates-from-microsoft-update-link-in-the-windows-update-icon-in-control-panel/ Daniel Ratliff From: [email protected]<mailto:[email protected]> [mailto:[email protected]<mailto:[email protected]>] On Behalf Of S ConfigMgr Sent: Thursday, March 30, 2017 12:12 AM To: [email protected]<mailto:[email protected]> Subject: [mssms] GPO Update Disable Manual MS checks Hello all, I have deployed SUP and Patching is working as expected. However my end users are able to use windows update, How can i block end users to stop installing patches from internet, I have windows 10 Enterprise and Professional Machines as end users. I have tried to deploy a group policy to disable Computer Configuration\Administrative Templates\Windows Components\Windows Update. 1. Find and double-click Configure Automatic Updates [0711 group policy step 3]<https://cms-images.idgesg.net/images/article/2016/06/0711-group-policy-step-3-100666831-orig.jpg> 2. In the resulting dialog box, select Enabled. 3. In the Options box, pull down the Configure automatic updating menu and select your preferred option. [0711 group policy step 4 and 5] 4. Still Updates are able to scan by user with ms site, How can I achieve this ? -- Thanks, ED The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
