locked
SCCM 1606 not updating Windows 10 1607 clients RRS feed

  • Question

  • Hi,

    I have a SCCM 1606 system with all updates. Since we started deploying Windows 10 1607 clients, these systems do not get updated by SCCM. I can see that the SCCM update deployment packages get updated with the new Windows 10 1607 updates but the clients do not install them. I do have the necessary updates to the WSUS server, including the manual step that is needed.

    We also deploy Office 2016 updates through SCCM. These get installed fine to Windows 10 1607.

    Any ideas how to make this work?

    Guy

    Monday, September 19, 2016 12:58 PM

Answers

  • Hi,

    I think I figured it out. As I said before, I had normal windows updates turned on (not by gpo but as default windows settings). However, via GPO I did set deferupgrades on and some other settings regarding this. These settings changed with Windows 10 1607. I had updated my domain admx files to reflect the new settings for 1607. When I disabled windows updates and reset everything else under windows updates to not configured, it still did not work. Turns out the old obsolete deferupgrades setting was still lingering in the group policy as an extra registry setting. When I removed this, refreshed the gpo and restarted, everything started working as expected and updates were delivered via SCCM.

    If you ask me these new wu gpo settings are a real mess and not clear at all. Especially when you have a mixed 1511, 1607 environment.

    regards,

    Guy

    • Marked as answer by GBRAMGX Friday, October 14, 2016 10:02 AM
    Tuesday, September 20, 2016 9:39 AM
  • Guy 

    Thanks for this, I have been pulling my hair out with this issue. Our 1607 clients simply refused to pull updates from SCCM. I set the GP to disable automatic updates and everything started working as it should. It's strange that we have never had to set this previously though, has there been a fundamental change to the way WU operates?

    Dave

    • Proposed as answer by Frank Dong Wednesday, October 12, 2016 4:08 AM
    • Marked as answer by Frank Dong Wednesday, October 12, 2016 12:55 PM
    Friday, September 30, 2016 8:55 AM

All replies

  • To deploy Windows 10 Update 1607, you will have to use Windows 10 Servicing node since technically its upgrade form a previous Win10 build. But for regular updates for Win 10, you can keep using Software Updates node. you cannot deploy Win10 Update 1607 as a normal update using Software Update node

    Sharad Singh | My blogs: SharadTech | Twitter: @SinghSharaad | | Please remember to click “Mark as Answer” on the post that helps you.This can be beneficial to other community members reading the thread.

    Monday, September 19, 2016 1:41 PM
  • Hi Sharad,

    thanks for your reply. I know about the Windows 10 servicing. I'm not deploying the Windows 10 1607 version, simply the updates to Windows 10 1607. All clients that have Windows 10 1607 do not receive the updates to it via SCCM. Windows is updating them via regular windows update, I do not want that, I want them to receive them via SCCM as was the case with Windows 10 1511. I can see that SCCM downloads the version 1607 updates, then updates the deployment package but the clients do not install the updates. The clients do have the latest SCCM client available. Why does Windows 10 1607 insist on updating via regular windows update to Microsoft instead of SCCM? All my SCCM policies tell the clients to update from SCCM.

    Kind regards,

    guy


    • Edited by GBRAMGX Monday, September 19, 2016 1:51 PM
    Monday, September 19, 2016 1:51 PM
  • Regular windows update you have to disable that via GPO. 


    Sharad Singh | My blogs: SharadTech | Twitter: @SinghSharaad | | Please remember to click “Mark as Answer” on the post that helps you.This can be beneficial to other community members reading the thread.

    Monday, September 19, 2016 2:00 PM
  • Are those Windows 10 1607 Devices pointing to your ConfigMgr SUP? Check that you don't overwrite any WSUS Setting on those Devices via GPO

    Also monitor the following logs: ScanAgent.log, WUAHandler.log, Update*.log


    Simon Dettling | msitproblog.com | @SimonDettling

    Monday, September 19, 2016 2:03 PM
  • Dear Sir,

    As you can deploy some of the Office updates to 1607 clients through SCCM, the SUP/client agent settings should be OK. I would suspect if these updates you deployed to 1607 clients applicable or not? Can you see the update compliance via console? Are they showing as 'Required'? If these updates are not applicable, they will be ignored.

    Best regards

    Frank


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 20, 2016 6:21 AM
  • Hi,

    Problem is that most of the 1607 versions now have updated via regular windows update. So required will not be the case. I did have 1 machine where Windows Update was disabled via GPO. This one seemed to be able to work as expected. Updates were installed via SCCM. With Windows 7, 8.1 and 10 1511, windows update was not disabled but these clients did receive their updates via SCCM. I suppose the SCCM client just took over and regular windows update was bypassed. Can anyone confirm this is how it usually works? I'm starting to suspect that machines that have this problem are the ones that were upgraded (in place) from Windows 10 1511 to 1607. I'll try to test this further.

    I can confirm that on the windows clients the configmgr SUP is configured correctly in the registry. One thing is not clear to me. If distributing updates via configmgr, does Windows update need to be disabled via GPO. As stated above, I have 1 machine where it is disabled this way. However, when I go to update & security, the update settings still say "Available updates will be downloaded and installed automatically, except over metered connections".

    regards,

    Guy

    Tuesday, September 20, 2016 7:35 AM
  • Hi,

    It sounds to me like you have configuration issue.

    So I suggest you to review your environment and your software updaet settings.

    Here are a couple of blog's from Jason's site : 

    Why You Should Disable Automatic Updates

    ConfigMgr Software Update Management and Group Policy

    ConfigMgr Software Update Management and Group Policy (part 2)

    Hope that it helps

    Regards,



    • Edited by T.S.K Tuesday, September 20, 2016 7:48 AM New links have been added
    Tuesday, September 20, 2016 7:44 AM
  • Hi,

    I think I figured it out. As I said before, I had normal windows updates turned on (not by gpo but as default windows settings). However, via GPO I did set deferupgrades on and some other settings regarding this. These settings changed with Windows 10 1607. I had updated my domain admx files to reflect the new settings for 1607. When I disabled windows updates and reset everything else under windows updates to not configured, it still did not work. Turns out the old obsolete deferupgrades setting was still lingering in the group policy as an extra registry setting. When I removed this, refreshed the gpo and restarted, everything started working as expected and updates were delivered via SCCM.

    If you ask me these new wu gpo settings are a real mess and not clear at all. Especially when you have a mixed 1511, 1607 environment.

    regards,

    Guy

    • Marked as answer by GBRAMGX Friday, October 14, 2016 10:02 AM
    Tuesday, September 20, 2016 9:39 AM
  • Guy 

    Thanks for this, I have been pulling my hair out with this issue. Our 1607 clients simply refused to pull updates from SCCM. I set the GP to disable automatic updates and everything started working as it should. It's strange that we have never had to set this previously though, has there been a fundamental change to the way WU operates?

    Dave

    • Proposed as answer by Frank Dong Wednesday, October 12, 2016 4:08 AM
    • Marked as answer by Frank Dong Wednesday, October 12, 2016 12:55 PM
    Friday, September 30, 2016 8:55 AM
  • Hi Dave,

    glad it solved the problem for you too. Apart from new group policy settings, I don't know what else changed under the hood for WU with version 1607. In any case, there seem to be conflicts if you have a mixed 1511, 1607 Windows 10 environment. Apparently the golden here rule is, if you use SCCM, switch off WU by GPO and don't touch any of the other parameters that have to do with WU. Let SCCM handle the WU process.

    regards,

    Guy

    Friday, September 30, 2016 10:20 AM
  • I am suffering through this right now and can't figure out where the issue is.  Where did you find the lingering GP in the registry? Curious. Do your 1607 CBB clients show as "other" and your CB clients show as "Windows 10 version 1607" in the Windows 10 Servicing dashboard?
    Thursday, January 5, 2017 2:01 AM
  • I had similar issue.

    The registry entry was found in a GPResult request under 'Extra Registry Settings'.

    As I couldn't remove the setting from the GPMC GUI it had to be stripped out via powershell.
    The command below is what I used to delete the entry.

    Remove-GPRegistryValue -Name <GPO_Name> -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" -ValueName DeferUpgrade

    Thursday, February 15, 2018 8:51 AM