none
Win 10 v1709 "Preview Builds/Feature Updates deferral" Group Policy incorrectly blocks Cumulative Security Updates

    Question

  • I have set the following Group Policy as a local policy on two standalone PCs
    that have the Win 10 v1709 (Fall Creators Update) installed:

    Local Computer Policy --> Computer Configuration --> Administrative Templates
    --> Windows Components --> Windows Update --> Windows Update for Business:
    "Select when Preview Builds and Feature Updates are received":

    Windows Readiness Level: "Semi-Annual Channel"
    After a Preview Build or Feature Update is released, defer receiving it for
    this many days: "365" Days.

    This Group Policy Setting seems to *incorrectly* block all Cumulative Security (i.e. "Quality") Updates.

    If I set the number of days that a Feature Update should be deferred back to "0" (zero),
    the Cumulative Security Updates are correctly installed straight away (!)

    So this clearly seems to be a bug in this Group Policy or in Windows Update, as deferring Feature Updates
    should definitely not defer Security/Quality Updates as well.

    Just to be clear: I have NOT set the "Select when Quality Updates are received" Group Policy.
    It is the "Preview Builds/Feature Updates" Policy that incorrectly blocks the Cumulative Updates.

    I have verified and reproduced this bug on two PCs, both for the 2017-10 (October) and the
    2017-11 (November) Cumulative Updates for Win 10 v1709. Both of them did not get installed
    straight away with the number of days for deferral set for anything other than "0".

    All deferral policies worked as expected in v1703, so this is a new bug introduced in v1709.
    And a Nightmare for me as admin ... ;)

    Best Regards,
    Klaasklever

    Wednesday, November 15, 2017 7:33 PM

All replies

  • Hi Klaasklever,

    We haven't receive this feedback. What's exact build of your Windows?

    Please run gpresult /h c:\gpreport.html on the computer that have problem.

    Then upload it to OneDrive, share the link here to see if any other configuration.

    In addition, please enable the "Select when Preview Builds and Feature Updates are received", and then go to Settings -> Update & security, Check for updates manually to see if it can check cumulative update.

    Note: The latest build is 16299.64, you need to make sure your build is lower than this before checking.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 16, 2017 6:38 AM
    Moderator
  • Hi Karen, thanks for your quick reply.

    No need for any gpresult logs, I have just quickly reproduced the issue
    in a Hyper-V virtual machine, using a fresh install of Win 10 v1709.
    Reproducing is easy:

    1) Install Win 10 v1709 in a Hyper-V virtual machine with no network connection.
    Use a Media Creation tool ISO, that contains v1709 Build 16299.15

    2) Set the Local Group Policy "Select when Preview Builds and Feature Updates are received":
    "Windows Readiness Level:" "Semi-Annual Channel"
    "After a Preview Build or Feature Update is released, defer receiving it for
    this many days:" "365" Days.

    3) Connect the VM to the network

    4) Search for Updates

    5) Only the latest Flash Player Update and the Malicious Software Removal Tool will be installed.
    Cumulative Updates are nowhere to be seen ;)

    6) Search fur updates again, no further updates will be found...

    7) Set "After a Preview Build or Feature Update is released, defer receiving it for
    this many days:" "0" (Zero) Days.

    8) Search for updates one more time, now the 2017-11 Cumulative Update (KB4048955)
    magically appears and is installed. Windows is updated to Build 16299.64.

    Go figure.

    Maybe, instead of changing the Windows Update policies and terminology in every
    Win 10 release (e.g. Current Branch for Business --> Semi-Annual Channel, blah blah, etc.),
    you guys should make sure they actually work as intended instead ...
    sorry, I just had to say that ;)

    Thanks and best regards

    Klaasklever

    Thursday, November 16, 2017 3:53 PM
  • This is exactly what we are facing at the moment!

    Coming from build 16299.15 or 16299.19 with local group policy enabling 'semi-annual channel' and 'defer receiving for 365 days' results in cumulative updates being ignored.

    As soon as value becomes 0 days everything works like a charm.

    Testings have been made on 2 VMs and 3 clean installed PCs.

    Are there any plans to fix this on short notice or at least provide a work around for the time waiting?

    Thanks

    Dirk

    Monday, November 20, 2017 8:45 AM
  • Hi,

    Please submit this Feedback via built-In Feedback app. And I will also submit it via our own channel.

    If any update, I will let you know as soon as possible.


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, November 20, 2017 10:09 AM
    Moderator
  • Does this effect machines that also pointed to a WSUS server for updating?
    Tuesday, November 21, 2017 2:13 AM
  • 1) I don't know about WSUS (don't have one running), It would be nice it someone could test this.

    2) I have seen reports that this issue is also caused by setting to defer Feature Updates in
    the Windows Update Settings within the normal Windows Settings App.

    In other words, it seems that setting a Group Policy is not even necessary to cause this behavior,
    just setting it under

    "Settings --> Update & Security --> Windows Update --> Advanced Options --> Choose
    when Updates are installed --> A feature Update includes new capabilities and improvements.
    It can be deferred for this many days: [set to anything greater 0]"

    seems to be enough...



    • Edited by Klaasklever Thursday, November 23, 2017 9:37 PM (corrected some typos)
    Thursday, November 23, 2017 9:35 PM
  • I'm seeing the same thing by using either Group Policy or the Settings App. When setting the number of days to Defer Features, 1709 will not find the monthly Cumulative Updates.

    Saturday, November 25, 2017 12:05 PM
  • I repro'd it too.  Let me see if I can get some attention to this.
    Saturday, December 02, 2017 9:15 PM
  • Done as well but please follow up with the product team.  

    https://aka.ms/O1i6sh

    Saturday, December 02, 2017 9:27 PM
  • Bug occurs only on pro sku, not enterprise.
    Tuesday, December 05, 2017 6:04 AM
  • Test again, today on a machine that I had this issue it got the updates for today.  So please confirm if you are still seeing this or not.
    Tuesday, December 12, 2017 7:35 PM
  • Update:

    The December 2017 Cumulative Update was just found and installed fine on my two PCs
    with the "Defer Feature Updates" GPO set to "Semi-Annual-Channel" + "365 Days".

    (Patch level of the machines before update installation was 30th November 2017, OS Build 16299.98)

    Maybe the issue has been fixed by MS on the server side ?

    Can anyone confirm that the issue is fixed ?

    Lets wait and see if things work out properly for the January 2018 update as well ;)

    Tuesday, December 12, 2017 7:46 PM
  • Argh, Susan, you beat me by 10 minutes ;)

    Thanks for the info :)


    • Edited by Klaasklever Tuesday, December 12, 2017 7:49 PM
    Tuesday, December 12, 2017 7:47 PM
  • Yes, the issue has been fixed.

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 13, 2017 8:35 AM
    Moderator
  • Fixed with a patch or fixed on the back end?
    Wednesday, December 13, 2017 4:47 PM
  • Thanks again to everyone involved in reporting, confirming and fixing
    this annoying bug.

    Have a merry Christmas!
    Klaas

    Monday, December 18, 2017 7:01 PM