How to deploy v1809 feature upgrade to only v1607 machines?

  • Question

  • Hi,

    Since v1607 is going EOS in April, I want to deploy v1809 to those (337) machines. Since other builds have significantly more time before they go EOS, I would like to avoid bothering the users of 1703 (414), 1709 (799), and 1803 (723) with a feature upgrade which takes time to install and requires a restart.

    I've started with a WMI filter for machines running any Win 10 build older than 1703 (it works). Since then, I've been overthinking it trying to determine the most elegant way to deploy the upgrade via GPO/WSUS to only the machines running 1607.

    I'm trying to keep my question simple without adding too many details. If there are details which might help you help me, just let me know and I'll be happy to provide. Thanks for any assistance.


    • Edited by Garrett B Friday, March 1, 2019 6:49 PM detail
    Friday, March 1, 2019 6:36 PM

Answers

  • GPOs overwrite each other if the policy is specified.

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    • Marked as answer by Garrett B Tuesday, March 5, 2019 10:53 PM
    Tuesday, March 5, 2019 7:59 PM

All replies

  • Create a ring deployment group, and use the WMI query you've got to scope the GPO to only apply to those machines. Approve the feature upgrade to that group. Similar to my test group setup that my 8 part blog series is based off of. Feel free to read the rest of the blog series too.

    https://www.ajtek.ca/wsus/how-to-setup-manage-and-maintain-wsus-part-5-linking-your-gpos-inheritance-is-your-friend/

    Another one, that is off-topic but has relevance is RBAC (basis of how you can scope GPOs and do GPO inheritance). If you watch those videos it will change your life on how you manage AD and work with Groups and GPOs.

    https://www.ajtek.ca/guides/role-based-access-security/


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Saturday, March 2, 2019 9:08 PM
  • Thanks Adam!

    This was exactly the straightforward, "clear my head" type of advice I was looking for. One question: As long as the GPO isn't enforced, it shouldn't remove computers from any of their current WSUS groups, correct?

    Monday, March 4, 2019 9:55 PM
  • Unfortunately, you can't 'append' groups to one another through GPO like AD group inheritance. You must create a specific target group in GPO that includes each of the combinations that you want. So if you have Ring1, Ring2, Manual, Servers, Workstations and you want a Ring1, Ring2, and Manual for each of Servers and Workstations, you'd have to create a total of 8 groups (6 combinations and the original 2).

    Servers
    Workstations
    Ring1; Servers
    Ring1; Workstations
    Ring2; Servers
    Ring2; Workstations
    Manual1; Servers
    Manual1; Workstations

    It sucks... I know. That's why I promote the KISS method (which is above - keep all systems in 2 categories - servers and workstations. Everything else is superfluous.)


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT


    • Edited by AJTek.caMVP Tuesday, March 5, 2019 6:08 PM Updated syntax for groups
    Tuesday, March 5, 2019 1:27 AM
  • I'd love to re-organize my superfluous groups, and I plan to. But until I can, I need to figure out how to get this filter to work.

    I can't seem to get machines to join the WSUS group that I want to approve the update for. I've got two GPOs enabled and applied to the same OU that address WSUS settings. They're identical except for the fact that one has the 1607 WSUS filter and adds an additional WSUS group: 1809 Upgrade. I can see (via gpresult /r) that both GPOs are applying, but I don't understand why it's not joining the WSUS group.

    Since groups don't append, it seems like it should still work since the GPO adds all of the other groups that are present in the preexisting GPO.

    Thanks again for your help. The work you've done to help us deal with WSUS is invaluable.
    Tuesday, March 5, 2019 5:35 PM
  • I'm sorry, I'm editing my post above. They are not comma-separated groups; rather, they are semi-colon <space> separated in GPO.

    Workstations; Test – Workstations


    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, March 5, 2019 6:07 PM
  • Yeah, mine are semi-colon <space> separated. 

    I do have a GPO applied to another OU which only adds machines to the 1809 Upgrade WSUS group and it works. Besides the fact that it's only doing one WSUS thing, the other difference is that there aren't any other GPOs trying to put the machines in that OU into a WSUS group. So it looks like I can't apply 2 separate GPOs (one filtered, one not), or the existing group is taking precedence over the new one. Not sure how to handle it outside of maybe applying a WMI filter to the old WSUS GPO for every other Windows version in the OU.

    Tuesday, March 5, 2019 7:35 PM
  • GPO inheritance ordering. Take a look at it in the OU view (click on the OU).

    Adam Marshall, MCSE: Security
    https://www.ajtek.ca
    Microsoft MVP - Windows and Devices for IT

    Tuesday, March 5, 2019 7:58 PM
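A quick way to check, on one of the clients, what the effective policy actually resolved to (which build the machine is, whether client-side targeting is on, and which target groups survived the GPO overwrite), followed by the OU's GPO link order. This is an added example, not code from the thread or from ajtek.ca; the "1809 Upgrade" group name comes from the thread, and the OU distinguished name is a placeholder you must replace.

```powershell
# Added diagnostic example (not from the thread): run on a client to see which WSUS
# target groups the *effective* policy resolved to, and whether the box is really 1607.
# Assumes the standard WindowsUpdate policy key; the group name comes from the thread.
$ExpectedGroup = '1809 Upgrade'
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$VersionKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$os        = Get-ItemProperty -Path $VersionKey
$releaseId = $os.ReleaseId      # e.g. "1607"
$build     = $os.CurrentBuild   # e.g. "14393"

$wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
if (-not $wu) { Write-Warning 'No WSUS policy key present; no WSUS GPO applied here.'; return }

# Client-side targeting only takes effect when TargetGroupEnabled = 1.
$targetingOn = ($wu.TargetGroupEnabled -eq 1)

# GPO stores multiple groups as "Group1; Group2" (semicolon + space). Split and trim so a
# stray comma or missing space shows up as a malformed name instead of silently creating
# an unexpected group on the WSUS server.
$groups = @()
if ($wu.TargetGroup) {
    $groups = $wu.TargetGroup -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    ReleaseId          = $releaseId
    Build              = $build
    WUServer           = $wu.WUServer
    TargetGroupEnabled = $targetingOn
    TargetGroupRaw     = $wu.TargetGroup
    TargetGroups       = ($groups -join ' | ')
    InExpectedGroup    = ($groups -contains $ExpectedGroup)
    Is1607             = ($releaseId -eq '1607')
} | Format-List

# Only one GPO's TargetGroup value survives: with two GPOs linked to the same OU, the
# link with Order 1 has the highest precedence and overwrites the other. Needs the RSAT
# GroupPolicy module; the OU DN below is a placeholder.
$ou = 'OU=Workstations,DC=example,DC=com'
if (Get-Module -ListAvailable -Name GroupPolicy) {
    (Get-GPInheritance -Target $ou).GpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
}
```

If `TargetGroupRaw` shows the groups from the unfiltered GPO on a 1607 machine, the filtered GPO is being overwritten by link order rather than failing to apply.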