locked
Feature update to Windows 10 version 1607 RRS feed

  • Question

  • I am not seeing the Feature update to Windows 10 version 1607 on our WSUS server.  Why is that? What specific KB article should it be?  Thanks.

    Wednesday, September 28, 2016 9:00 PM

Answers

  • what Windows OS version is your WSUS running on?

    For Win10 feature updates, you need:

    WS2012R2
    apply all Windows Updates detected as needed
    ensure KB2919442 (servicing stack)
    ensure KB2919355
    Install WSUS role
    perform wsusutil postinstall
    re-scan for Windows Updates
    ensure KB2938066
    apply KB3095113
    apply KB3159706, especially manual steps for this KB as below:
    perform wsusutil postinstall /servicing
    enable Feature .Net FW > WCF > HTTP Activation
    (if using SSL, also perform the manual steps relating to web.config)
    **don't enable any extra Products/Classifications yet**
    perform WSUS sync
    enable the Classification "Upgrades" ** must be the very last step **
    perform WSUS sync


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Wednesday, September 28, 2016 10:14 PM
  • Hi WSUAL2,

    To deploy win10 1607, we need WSUS 4.0 (2012 and 2012R2) with KB3095113 and KB3159706(with manual steps) pre-installed. Then check "Upgrade" in "Products and Classifications", then sync.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WSUAL2 Thursday, September 29, 2016 6:47 PM
    Thursday, September 29, 2016 7:01 AM
  • Got it.  The last question I have then is about the "Defer Windows Updates" group policy.  I read through it and understand how it works except for in one situation.  When using a WSUS server to control when updates are released like we are, our users are administrators on their computers so they could go around this to install feature updates.  What role does the "Defer Windows Updates" group policy play in this?  Does it work then to delay feature updates for administrative users who go to the check updates screen and check online to bypass our WSUS policies?

    this may be helpful information:

    https://social.technet.microsoft.com/Forums/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus

    Yes, there is a new feature in 1607 called Dual Scan that is intended to allow you to connect to Windows Update for Business and still get third-party/other updates from WSUS as needed.  This mode automatically goes into effect when WU for Business policy is enabled and the machine is configured to be managed by WSUS--we wanted to avoid creating a whole new policy for this scenario, so we used a combination of existing policies.
    The confusion came when folks were [reasonably] using the Defer Upgrades setting in a WSUS environment.  Running 1511, there is no impact; however, as soon as you upgrade to 1607 with these settings active, your machine begins scanning both WU and WSUS.
    In short, this is a known issue, and we'll be shipping a patch to the client to correct it.
    Thursday, September 22, 2016 10:35 PM
    Steve Henry [MSFT]
    Microsoft


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by WSUAL2 Tuesday, October 4, 2016 1:27 PM
    Friday, September 30, 2016 9:27 PM

All replies

  • what Windows OS version is your WSUS running on?

    For Win10 feature updates, you need:

    WS2012R2
    apply all Windows Updates detected as needed
    ensure KB2919442 (servicing stack)
    ensure KB2919355
    Install WSUS role
    perform wsusutil postinstall
    re-scan for Windows Updates
    ensure KB2938066
    apply KB3095113
    apply KB3159706, especially manual steps for this KB as below:
    perform wsusutil postinstall /servicing
    enable Feature .Net FW > WCF > HTTP Activation
    (if using SSL, also perform the manual steps relating to web.config)
    **don't enable any extra Products/Classifications yet**
    perform WSUS sync
    enable the Classification "Upgrades" ** must be the very last step **
    perform WSUS sync


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    Wednesday, September 28, 2016 10:14 PM
  • Hi WSUAL2,

    To deploy win10 1607, we need WSUS 4.0 (2012 and 2012R2) with KB3095113 and KB3159706(with manual steps) pre-installed. Then check "Upgrade" in "Products and Classifications", then sync.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by WSUAL2 Thursday, September 29, 2016 6:47 PM
    Thursday, September 29, 2016 7:01 AM
  • The part that I missed was clicking the check box for Upgrades in Classifications.

    However, I was surprised to see that there were not any workstations needing it so I checked when computers last checked in and I see that no computers have checked in according to the console since the time I rebooted the server yesterday, yet computers are able to connect to our WSUS server and download Endpoint protection definitions.  The Update Services mmc is also having problems loading and crashes and asks me to reset server node, then it will try again.  I rebooted the server again this morning but it didn't fix the issue.  It says an error occurred trying to connect to the server.  I'll probably have to open a case with Microsoft.  If you have any ideas shoot them my way.  I've had the server running for a couple of years so I don't know why this is occurring suddenly now.

    Thursday, September 29, 2016 6:54 PM
  • Ok, so I rebooted my server again and now everything is happy and working properly. Go figure.

    I did have one follow-up question though.  Now that I can see the "Feature update to Windows 10 Enterprise, version 1607" in my list of available/unapproved updates, can I assume that no one will get it unless I approve it just like other updates? 

    I ask this because there was some question from my co-workers that some people were getting this update and they were saying that I must have released it but I did not. 

    Thursday, September 29, 2016 7:52 PM
  • Hi WSUAL2,

    >Now that I can see the "Feature update to Windows 10 Enterprise, version 1607" in my list of available/unapproved updates, can I assume that no one will get it unless I approve it just like other updates? 

    Yes, you need to approve it, then client can download and install, just like common updates. When we sync the upgrade, it only download metadata, when approve, WSUS server download the upgrade file.

    Best Regards,

    Anne 


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, September 30, 2016 1:42 AM
  • Got it.  The last question I have then is about the "Defer Windows Updates" group policy.  I read through it and understand how it works except for in one situation.  When using a WSUS server to control when updates are released like we are, our users are administrators on their computers so they could go around this to install feature updates.  What role does the "Defer Windows Updates" group policy play in this?  Does it work then to delay feature updates for administrative users who go to the check updates screen and check online to bypass our WSUS policies?
    Friday, September 30, 2016 1:35 PM
  • Got it.  The last question I have then is about the "Defer Windows Updates" group policy.  I read through it and understand how it works except for in one situation.  When using a WSUS server to control when updates are released like we are, our users are administrators on their computers so they could go around this to install feature updates.  What role does the "Defer Windows Updates" group policy play in this?  Does it work then to delay feature updates for administrative users who go to the check updates screen and check online to bypass our WSUS policies?

    this may be helpful information:

    https://social.technet.microsoft.com/Forums/en-US/5521e7f1-fa2d-4867-a47c-b276c66e6a82/windows-10-anniversary-update-1607?forum=winserverwsus

    Yes, there is a new feature in 1607 called Dual Scan that is intended to allow you to connect to Windows Update for Business and still get third-party/other updates from WSUS as needed.  This mode automatically goes into effect when WU for Business policy is enabled and the machine is configured to be managed by WSUS--we wanted to avoid creating a whole new policy for this scenario, so we used a combination of existing policies.
    The confusion came when folks were [reasonably] using the Defer Upgrades setting in a WSUS environment.  Running 1511, there is no impact; however, as soon as you upgrade to 1607 with these settings active, your machine begins scanning both WU and WSUS.
    In short, this is a known issue, and we'll be shipping a patch to the client to correct it.
    Thursday, September 22, 2016 10:35 PM
    Steve Henry [MSFT]
    Microsoft


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    • Marked as answer by WSUAL2 Tuesday, October 4, 2016 1:27 PM
    Friday, September 30, 2016 9:27 PM