News

Microsoft Promises Relief on Windows 10 Update Deferral Confusion

Microsoft is planning to address confusion for System Center Configuration Manager (SCCM) users when they attempt to defer Windows 10 updates and upgrades.

Currently, Microsoft has Group Policy settings to defer Windows 10 updates and upgrades that many SCCM users think they need to activate in order to control the arrival of Windows 10 under Microsoft's operating system servicing plans, which have "current branch" (CB) and "current branch for business" releases, among others. Unfortunately, those defer settings are supposed to be for Windows Update for Business, a different Microsoft client management scheme.

Using those Windows Update for Business defer settings with SCCM kicks off a so-called "dual-scan" behavior. The update policy then defaults to Windows Update for Business behavior. It actually causes the latest cumulative update release of Windows 10 to get delivered to client devices, something that SCCM users may have been trying to avoid.

Microsoft explained the dual-scan problem back in January. However, confusion largely persists, in part because of Microsoft's documentation. For instance, here's how this TechNet article described deferring updates in SCCM at press time:

When you use System Center Configuration Manager to manage Windows 10 servicing, you must first set the Defer Updates or Upgrades policy on the clients that should be on the Current Branch for Business (CBB) servicing branch so that you can use CBB servicing plans from Configuration Manager. You can do this either manually or through Group Policy. If you don't set this policy, Configuration Manager discovers all clients, as it would in Current Branch (CB) mode.

Don't Use Defer Updates and Upgrades

The dilemma was noted by Jason Sandys, a Microsoft Most Valuable Professional and senior consultant at Coretech Alliance. In a blog post this week, Sandys offered some advice for SCCM users thinking about turning on the Defer Update and Upgrades setting:

If you are using System Center Configuration Manager (ConfigMgr) for updates, you should not be setting this value at all (and if you're not using ConfigMgr, you're doing it wrong to begin with). Setting this value, as detailed in the post above, enables dual-scan for Windows Update which in turn has multiple nasty side effects. Don't do it and delete it ASAP if you have.

Sandys' advice was partly confirmed in the comments section of his blog post by Michael Niehaus, director of product marketing for Windows at Microsoft. Niehaus noted that SCCM users can "expect some changes soon too that we hope will simplify this whole discussion." He didn't specify when it would happen, though.

Part of the problem is that the Windows 10 servicing dashboard in SCCM "relies on the Defer Upgrade GPO setting (or really the registry value behind this setting) to show CB and CBB systems," Sandys explained.

IT pros instead should track Windows 10 builds when controlling system updates, Sandys argued.

"If you need a tracking mechanism and you are using ConfigMgr, you should do what you’ve always done: build and populate collections," Sandys wrote. "What you put in those collections and how you get them there is completely up to you -- just don’t use the Defer Updates and Upgrade setting for this."

Other News

In other Windows 10 management news, Niehaus explained today that the Windows 10 "creators update" (version 1703) is bringing a new policy for IT pros that will let them hide Settings controls from end users. It's a new "Settings Page Visibility" Group Policy option. This new addition is also available for use with mobile device management systems, such as Microsoft Intune, Niehaus indicated.

Microsoft's SCCM team warned this week that in-console SCCM upgrades have a side effect. They'll reset user-defined business hours to the default setting in the SCCM client. Any customizations will get ignored. As a remedy, the team published a script that can be run when an SCCM client upgrade happens.

Also this week, Microsoft posted demos of two new tools for Windows 10 version 1703, namely the Windows Defender Advanced Threat Protection service and the new MBR2GPT tool. The latter tool converts PCs with BIOS disks to UEFI, which is needed for some of Microsoft's more advanced security protections in Windows 10.

Microsoft is planning an event of note for IT pros this month. There will be live Webcast, happening on April 27, featuring Microsoft luminaries Michael Niehaus and Nathan Mercer on Windows 10 deployment and management concerns. Registration can be found in this Microsoft Tech Community announcement.