Halting Windows 10 1803 Updates
-
What are people doing to halt the roll out of 1803? You can do things from the GUI, you can stop the update service, etc.
Ideally from the command line, is there a good way to switch things to being off the early release channel or outright stopping 1803 until "manually" allowed?
Thanks to this thread and other research, we have these three commands that are shown to be working for us on Windows 10 1709:
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name BranchReadinessLevel -Value 10 -PropertyType Dword New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdates -Value 1 -PropertyType DWord New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdatesPeriodInDays -Value 168 -PropertyType DWord -
Go to Settings > Update & security > Advanced options
Option 1 allows you to choose a servicing channel (previously called a branch). The default setting is Semi-Annual Channel (Targeted), which corresponds to what was previously known as the Current Branch.
You can change this setting to Semi-Annual Channel (the new name for what was previously known as Current Branch for Business, as shown here. That defers feature updates until Microsoft declares them "ready for business deployment," a milestone that typically occurs about four months after the initial release.
-
@aaronstuder said in Halting Windows 10 1803 Updates:
Go to Settings > Update & security > Advanced options
That's from a GUI. This is a production environment. Any idea how to do this from the command line? We know the GUI method but are looking for something far better. GUI would take hours and all kinds of man power and disruption.
-
Basically this process, via PowerShell? I think that that is all that we need. But haven't seen this documented anywhere yet.
-
@scottalanmiller said in Halting Windows 10 1803 Updates:
What are people doing to halt the roll out of 1803? You can do things from the GUI, you can stop the update service, etc.
Ideally from the command line, is there a good way to switch things to being off the early release channel or outright stopping 1803 until "manually" allowed?
We setup Defer updates in the GPO with Current Branch for Business instead of Current Branch Under:
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business
Then Open the Select when Preview Builds and Feature Updates are received policy policy, enable it and then Change it to Semi-Annual Channel
-
There is also registry as below:
For the Channel
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings\ BranchReadinessLevel, REG_DWORD, 0x20 (32)For the Days
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays -
Most of our clients are all handling updates through WSUS. For those not using WSUS, dbeato's GPO would work fine.
-
Appears that these commands are correct:
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name BranchReadinessLevel -Value 10 -PropertyType Dword New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdates -Value 1 -PropertyType DWord New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdatesPeriodInDays -Value 168 -PropertyType DWordAnd this will halt the update for 360 days, in theory, if nothing else overrides it.
-
@scottalanmiller Good to know, thanks
-
@jmoore said in Halting Windows 10 1803 Updates:
@scottalanmiller Good to know, thanks
We are still in early testing, so don't run out and do it everywhere yet. But so far, no issues.
-
This is the command to see if you have any settings in place currently:
Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -
At my work we have Managed Engine Desktop Central so I declined the update in it.
-
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
-
@obsolesce said in Halting Windows 10 1803 Updates:
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
How do you handle laptops that are sometimes offsite? Are they domain or workgroup laptops?
-
@black3dynamite said in Halting Windows 10 1803 Updates:
@obsolesce said in Halting Windows 10 1803 Updates:
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
How do you handle laptops that are sometimes offsite? Are they domain or workgroup laptops?
All user devices are domain. All product devices are 100% updated and stable before shipped... then it's up to the customer to keep updated.
Offprem user devices are domain, and users understand they need to phone home at least once a month and bu current with approved updates or they get kicked off the domain/network. At which point its up to them to bring back to be brought back to compliance if the want to access company resources.
-
@obsolesce said in Halting Windows 10 1803 Updates:
@black3dynamite said in Halting Windows 10 1803 Updates:
@obsolesce said in Halting Windows 10 1803 Updates:
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
How do you handle laptops that are sometimes offsite? Are they domain or workgroup laptops?
All user devices are domain. All product devices are 100% updated and stable before shipped... then it's up to the customer to keep updated.
That would have killed us. 100% updated = Can't run SAP.
-
@scottalanmiller said in Halting Windows 10 1803 Updates:
@obsolesce said in Halting Windows 10 1803 Updates:
@black3dynamite said in Halting Windows 10 1803 Updates:
@obsolesce said in Halting Windows 10 1803 Updates:
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
How do you handle laptops that are sometimes offsite? Are they domain or workgroup laptops?
All user devices are domain. All product devices are 100% updated and stable before shipped... then it's up to the customer to keep updated.
That would have killed us. 100% updated = Can't run SAP.
These are specifically used as single purpose tools / instruments, not as user endpoints or PCs. Things like this wouldn't apply.
-
@obsolesce said in Halting Windows 10 1803 Updates:
I use WSUS with Group Policy to have 100% control over updates and releases. Works great.
This is now in our "projects to do at some point" folder
-
@scottalanmiller said in Halting Windows 10 1803 Updates:
Appears that these commands are correct:
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name BranchReadinessLevel -Value 10 -PropertyType Dword New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdates -Value 1 -PropertyType DWord New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdatesPeriodInDays -Value 168 -PropertyType DWordAnd this will halt the update for 360 days, in theory, if nothing else overrides it.
We just had machines go through a round of updates after these commands were run and they worked. Systems were able to patch, without attempting to go up to 1803.
-
@scottalanmiller said in Halting Windows 10 1803 Updates:
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name BranchReadinessLevel -Value 10 -PropertyType Dword
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdates -Value 1 -PropertyType DWord
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\ -Name DeferFeatureUpdatesPeriodInDays -Value 168 -PropertyType DWordI had to remove the 1803 update for our database guy because it was messing with a license. I used these commands to keep them from coming for a while so thanks.
