Will the Windows 10 "Creator's Update" somehow sneak in through WSUS when I am not looking?

  • Question

  • I have finally stabilized my small business on Windows 10 1607 (Anniversary Update) - and still have a couple of workstations to go. We are running WSUS via Windows Server 2012R2.

    I wanted to check - if I am running WSUS and I am only approving Critical and Security updates for Windows 10 - is there any way that build 1703 (Creator's Update) is suddenly going to sneak in through the back door on WSUS and then out to an unsuspecting client machine?

    Since we are just getting started with Windows 10 Build 1607 - I have no desire whatsoever to allow the Creator's Update to suddenly appear on any desktop until later in 2017 - like a lot later.

    Anyone have any thoughts on this?

    B

     

    Tuesday, March 21, 2017 6:18 PM

All replies

  • Hi Bruce McDonald,

    Do you want to know whether the win10 1607 upgrade file will go into the WSUS server stealthily, and then go on to clients?

    If my understanding is correct, then the answer is no. Windows 10 1607 won't sync into the WSUS server unless we enable "Upgrades" in "Products and Classifications", and even if the upgrade file is synced into the WSUS server, it won't be downloaded by clients unless we "Approve" the upgrade.

    So, the upgrade file is under the WSUS admin's control.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, March 22, 2017 8:06 AM
  • Anne,

    As I mentioned - I am already running Windows 10 1607. It's Windows 10 1703 (Creator's Update) that I am most concerned about. 

    Nice to know that the file is under my control. I appreciate the update.

    Cheers,

    B

    Wednesday, March 22, 2017 11:28 AM
  • Hi Bruce McDonald,

    Thanks for your reminder.

    I just learned something about 1703: since it hasn't been released to the WSUS server, it's hard to confirm its actual behavior. Compared to the 1607 behavior, I think it's still under the WSUS admin's control. Let's wait for its arrival.

    Best Regards,

    Anne



    Friday, March 24, 2017 7:31 AM
  • Hi everyone.

    For anyone coming to this thread for answers, there's something that needs to be added here. By default, Windows 10 will periodically go out to the Internet and download whatever it finds, even if it's not approved in WSUS. This happened to us yesterday and some of our machines downloaded 1703!!!! Thankfully, we had recently updated the GP templates for Windows 10, so we had the workaround. The policy you need is at Policies/Computer/Windows Components/Windows Update. The setting is "Do not connect to any Windows Update Internet locations".

    I guess this setting actually arrived with 8.1, but we bypassed all the 8.x versions.

    Hope this helps folks struggling to figure out why their systems are getting forced upgrades!

    Derek

    Tuesday, August 1, 2017 7:00 PM
  • Nice catch!

    I had the same thing happen to me when I was reconfiguring one test workstation last week. I reverted the workstation WSUS settings back to default Windows Update settings for no more than 10 mins and while the machine was in that state - it managed to snag 1703 and start the download going.

    I actually let the package download and install just to see what it looked like - AND to see if I could uninstall it - which I could.

    But yes - you must ensure the additional GP setting referenced above is enabled.

    Cheers,

    B


    Tuesday, August 1, 2017 7:06 PM
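
A read-only way to confirm on a client that both the WSUS assignment and the "Do not connect to any Windows Update Internet locations" setting discussed above have actually applied. This is an added example, not code posted by anyone in the thread; the registry key and value names are the policy backing store and are an assumption not stated on this page, as are the function names.

```powershell
# Added example (not from the thread): read-only audit of the WSUS client policy.
# Assumption: these registry locations back the Group Policy settings; the
# thread itself only names the Group Policy setting.
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-WsusPinning {
    $wuServer   = Get-PolicyValue $wu 'WUServer'
    $useWsus    = Get-PolicyValue $au 'UseWUServer'
    $noInternet = Get-PolicyValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'

    $findings = @()
    # The Internet-locations policy only has effect when an intranet update
    # service is configured, so check the WSUS assignment first.
    if ($useWsus -ne 1 -or [string]::IsNullOrWhiteSpace($wuServer)) {
        $findings += 'Client is not pointed at a WSUS server; approvals in WSUS do not govern it.'
    }
    if ($noInternet -ne 1) {
        $findings += '"Do not connect to any Windows Update Internet locations" is not enabled; ' +
                     'the client may fetch unapproved updates from the Internet.'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        WUServer     = $wuServer
        UseWUServer  = $useWsus
        DoNotConnectToWindowsUpdateInternetLocations = $noInternet
        Pinned       = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

Test-WsusPinning | Format-List
```

Run it on a client after `gpupdate /force`; `Pinned : False` with the second finding matches the state in which the machines described above pulled 1703.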