rhuhman1 Absent Member.

Prevent Feature Updates?

Is there a preferred method on how to block Microsoft from automatically installing Feature Updates on devices with Patch Management agents installed? I would like to still have the option of doing this via Patch Management or a bundle but not have Microsoft deploy it through their system automatically.

Thanks

Richard
AutomaticReply Absent Member.

Re: Prevent Feature Updates?

rhuhman,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, and volunteer run, so if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



Micro Focus Expert

Re: Prevent Feature Updates?

It is unlikely Micro Focus would provide an "Official" Solution as that really falls outside of our control...

#1 - There are official MS Methods of doing this....
Of course Mr Google will quickly reveal these methods are not reliable.
Despite this, it is best to start with the official methods of delaying/blocking/preventing the OS upgrades.
(Note: Newer Versions of Windows 10 are slightly more reliable than older versions at blocking...
Sadly Every Version of Windows 10 has seemed to "Tweak" the "Rules" vs giving customers what they really ask for....)

Use GPOs to Place your PC in a Slow Update Ring and Max Deferrals...
https://www.petri.com/create-deployment-rings-using-windows-10-update-business
https://deepstechtips.blogspot.com/2018/03/solution-windows-10-eating-up-internet.html

There are many more links that talk about the various settings...
It is important to remember that older copies of Windows 10 may not support all of these settings.

It is also important to realize MS only Supports delaying updates for a limited period of time.
Regardless of what you want, MS will force it eventually.

Thus any solution should be around setting Delays so that MS does not automatically force upgrades....
But ZCM should be used to deploy the upgrades before your deferral period runs out.


#2 - After this, I would add in some layered defenses that block certain processes, for when Windows 10 decides to upgrade anyway and the MS method does not work.
This way if a Rogue Upgrade attempt occurs before the deferral period it will get blocked.
It can also help block after that, but at this point you are really getting into an argument with the OS....

---
https://www.thewindowsclub.com/block-updates-windows-10-stopupdates10
https://www.reddit.com/r/sysadmin/comments/7ypsug/help_removing_or_stopping_the_windows_10_update/
https://gyazo.com/281900cd4d7aa0bad796ff136ec72d27

Among these...I would focus mostly on blocking the specific Windows 10 upgrade processes.
While you CAN set the Windows Update Service to Disabled, that will break Store Functionality, so I would try other methods 1st.


#3 - None of these talk about "Metered Connections". When this is enabled, Windows will not download updates to save your bandwidth.
There are various scripts on the internet that will set all connections to metered.
This can impact some other apps in minor ways. I believe Outlook required me to manually check for new mail if I recall correctly.
If you see an impact in other apps, you may want to delay deploying this setting until a device is approaching the end of deferral period.

--

Again....A large part of the issue is that MS claims that OS upgrades/updates are now its moral imperative, since outdated devices on the internet are a risk to all.
I suspect it is that it makes their support life easier knowing they don't have to worry too much about 1603, 1607, etc.. any more for the most part.

That is why they used to give a list of Windows Update servers you could block.
Today they say you must block *.microsoft.com, which is not really valid.
Micro Focus Expert

Re: Prevent Feature Updates?

GPEDIT->Administrative Templates->Windows Components->Windows Updates->Windows Update for Business

Select When Preview Builds and Feature Updates are Received.
Set to Enabled. Set to Semi-Annual Channel (4 months after General Release). Set to Defer 365 Days.
This gives you 16 Months to get your PC upgraded before Windows will force it.
The "Pause" setting will be valid for up to 35 days....
So in theory, you could update the GPO the 1st of Every Month to Pause for 35 more days....

--

Do the Same thing for Quality Updates, but they can only be deferred for 30 Days.
Pause works the same.....

--

Also these GPO Settings may help....
"Do not allow update deferral policies to cause scans against Windows Update" may be good to set as well.
"Do not connect to any Windows Update Internet Locations."

Disable DualScan....
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
DisableDualScan REG_DWORD 1

Most of these latter settings apply if you have set "Specify Intranet Microsoft Update Service Location".
Setting that to a Bogus Location may help as well with the above settings.....

But again...Microsoft does its best to make sure patches go through eventually.....
Windows 10 will detect a Disabled Windows Update Service and Re-enable it on a regular basis.

These MS processes help delay updates so they can be deployed via other means.....
They are not intended to prevent the updates as long as their customers may want.....
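An audit script for the deferral settings described in the last reply, added here as an example and not posted by anyone in the thread. Only the key path and DisableDualScan are quoted above; the other value names and the BranchReadinessLevel number are assumptions taken from Microsoft's documented Windows Update for Business policy values and should be checked against the ADMX for your Windows 10 build.

```powershell
# Audit only: reads the Windows Update policy key and reports drift from the
# deferral settings described in the thread. It changes nothing on the device.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Expected values. DisableDualScan comes from the thread; the remaining names
# are assumed to be the registry values behind the GPO settings it lists.
$Expected = [ordered]@{
    DeferFeatureUpdates                          = 1
    BranchReadinessLevel                         = 32   # assumed: Semi-Annual Channel
    DeferFeatureUpdatesPeriodInDays              = 365
    DeferQualityUpdates                          = 1
    DeferQualityUpdatesPeriodInDays              = 30
    DisableDualScan                              = 1
    DoNotConnectToWindowsUpdateInternetLocations = 1
}

function Test-UpdateDeferralPolicy {
    param(
        [string]$Path = $PolicyKey,
        [System.Collections.IDictionary]$Want = $Expected
    )
    # A missing key means no policy has been applied at all.
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Want.Keys) {
        $actual = $null
        if ($current -and $current.PSObject.Properties[$name]) {
            $actual = $current.$name
        }
        $shown = '<not set>'
        if ($null -ne $actual) { $shown = $actual }
        [pscustomobject]@{
            Name     = $name
            Expected = $Want[$name]
            Actual   = $shown
            Match    = ($null -ne $actual -and $actual -eq $Want[$name])
        }
    }
}

$report = Test-UpdateDeferralPolicy
$report | Format-Table -AutoSize

# Summarise drift so the result can be collected by whatever runs the script.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning ("{0} setting(s) differ from the expected deferral policy." -f $drift.Count)
}
```

Run it from an elevated or standard PowerShell prompt on the managed device; reading the policy key does not require administrative rights.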