Managing Windows Update changes in Windows 10 1607 with Group Policy

In Windows 10 1607 (Anniversary Update), Microsoft introduced changes to Windows Update Delivery Optimization (WUDO), resulting in different Group Policy settings. In this post, I will explain how you can work with two different GPOs: one for Windows 10 1511 and one for Windows 10 1607.
Profile gravatar of Robert Pearman

Robert Pearman

Robert is a small business specialist from the UK and currently works as a system administrator for IT Authority. He has been a Microsoft MVP for seven years and has worked as a technical reviewer for Microsoft Press. You can follow Robert in his blog.
Profile gravatar of Robert Pearman

With the release of Windows 10 1607 (Anniversary Update), Microsoft changed certain functionalities within the operating system. What is not immediately clear, however, is that some settings corresponding GPO settings also changed. This has led me, and probably others, to some puzzling troubleshooting sessions.

The two builds on Windows 10 that we will be looking at are 1511 (10586) and 1607 (14393). Between these two builds, the GPO settings for Windows Update for Business and Windows Update Delivery Optimization (WUDO) have changed.

To configure WUDO, open Group Policy Management, expand Computer Configuration, and select Policies > Administrative Templates > Windows Components > Delivery Optimization. Note that you will only see the policy on Windows Server 2012 R2 machines if you copied the ADMX and AMDL templates to your Policy Definitions folder or to your Central Store.

These are the policies for Delivery Optimization on Windows 10 1511:

WUDO Group Policy for Windows 10 1511

WUDO Group Policy for Windows 10 1511

On Windows 10 1607, new policies have been added:

WUDO Group Policy for Windows 10 1607

WUDO Group Policy for Windows 10 1607

In addition, some polices were changed. The Download Mode policy in Build 1511 has these options available:

  • Group
  • Internet
  • LAN
  • None

In 1607, the options changed to the following:

  • Bypass
  • Group
  • HTTP Only
  • Internet
  • LAN
  • Simple

While 1607 introduces additional customizations to WUDO, the settings no longer align with earlier builds. In addition, the Defer Upgrades and Updates policy setting from build 1511, a single setting with two options, is now split into two separate policy settings, which, again, no longer align with earlier builds.

Assuming you will have different builds in production for a period of time, you may find that you need to manage these settings via GPOs. To do this, you need both the 1511 ADMX/ADML and 1607 ADMX/ADML templates. These need to be copied into the correct location in your Domain Controller's PolicyDefinitions folder.

If you are using a Central Store for PolicyDefinitions, you may want to take extra care here as it may impact replication. For the purposes of this article, we are using the default PolicyDefinitions location in the Domain Controller. More info on a Central Store can be found here.

You will need permission to modify your ProfileDefinitions folder, which will require you to take ownership from TrustedInstaller

Of course, you can just copy and paste, but if you intend to switch between the two policy versions frequently, you can use PowerShell to copy ADMX/ADML templates to your PolicyDefinitions folder before you create a new GPO.

First, we need to collect the relevant GPO template files. On your server, create a backup folder to hold the templates for both 1511 and 1607 (in my example, C:\backup).

Create a backup folder

Create a backup folder

Create a folder for each build of Windows 10.

On your 1511 Windows 10 machine, go to C:\Windows\PolicyDefinitions and find the following:

  • DeliveryOptimization.admx
  • WindowsUpdate.admx

Inside the subfolder en-US, locate the following:

  • DeliveryOptimization.adml
  • WindowsUpdate.adml

Copy these to the corresponding folder within your build folder.

Copy ADMX templates to your backup folder

Copy ADMX templates to your backup folder

Copy ADML files to your backup folder

Copy ADML files to your backup folder

Repeat the same process for a 1607 build machine.

Once you have done this, create a backup folder where want to store the templates. We are now ready to create our PowerShell script.

We are now ready to create the PowerShell script. First, we can define two folder paths: one to our backup folder and one to our PolicyDefinitions folder. Next, we prompt the admin to enter which version of the templates he or she would like to restore. We add a quick check to make sure we entered the version correctly, and we add a command to copy the files.

When you start the script, it will ask you to enter the build number of the templates you want to restore. If we enter 1511, the templates for that build will be moved to our PolicyDefinitions folder; if we enter 1607, the corresponding templates will be copied.

Restored templates

Restored templates

Whenever you have to create a GPO for a particular Windows 10 build, you can use the above script to copy the correct templates to your PolicyDefinitions folders. You can work with different containers for each build to ensure that the correct GPO is applied. However, whenever a machine is updated, you must move the computer to another container.

It is easier to use a WMI filter to ensure that a Windows 10 build receives the correct GPO. I have written more about how to create a WMI filter here. From within the Group Policy Management Console, find the WMI Filters section, right click it, select New, and enter a name for the WMI filter.

I have created two filters:

  • Windows 10 Build 1511
  • Windows 10 Build 1607
WMI filters

WMI filters

Inside the filter, we need to add a query. Right click the filter, and select Edit.

Edit WMI filter

Edit WMI filter

Here is the query we need to enter for Build 1511:

This is the query we need to enter for Build 1607:

As mentioned above, to make use of these two filters, we need to create two GPOs. Once again, inside the Group Policy Management Console, right click on Group Policy Objects, and select New. You can name the GPOs "Windows 10 Build 1511" and "Windows 10 Build 1607."

Now, select one of the policies in the tree, and switch to the Scope tab. Notice the WMI section at the bottom of the page. You can use the dropdown menu to select the WMI filter you want to assign to this policy.

Group Policy Objects

Group Policy Objects

We can now edit each policy to configure WUDO and the Defer Upgrade Settings ahead of time so that, as a build updates, the correct new Policy Settings are ready to be applied.

Using our script, we can very easily switch between each build's set of Policy Templates.

Take part in our competition and win $100!

Related Posts

1 Comment
  1. avatar
    Mike 7 months ago

    Thanks for the useful information.  If you know what the v1511 value requirements are you can make edits to the GPO with powershell even though you have the new ADMX template for 1607 in place.  For example you will see v1511 settings showing as "Extra Registry Settings" in the GPO when the new ADMX templates are in place.

    To Modify

    Set-GPRegistryValue -guid PutYourGPOGUIDhere -key "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" -ValueName "DeferUpdatePeriod" -Value "1" -Type dword

    To Remove from GPO.  (setting it to disable)

    Set-GPRegistryValue -disable -guid PutYourGPOGUIDhere -key

    "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate" -ValueName "DeferUpdatePeriod"

    1+

Leave a reply

Your email address will not be published. Required fields are marked *

*

CONTACT US

Please ask IT administration questions in the forum. Any other messages are welcome.

Sending
© 4sysops 2006 - 2017
Do NOT follow this link or you will be banned from the site!

Log in with your credentials

or    

Forgot your details?

Create Account