Latest posts by Robert Pearman (see all)
- Schedule user account closure with PowerShell - Tue, Jan 3 2017
- Create a new folder and set permissions with PowerShell - Fri, Oct 7 2016
- Managing Windows Update changes in Windows 10 1607 with Group Policy - Mon, Aug 15 2016
With the release of Windows 10 1607 (Anniversary Update), Microsoft changed certain functionalities within the operating system. What is not immediately clear, however, is that some settings corresponding GPO settings also changed. This has led me, and probably others, to some puzzling troubleshooting sessions.
The two builds on Windows 10 that we will be looking at are 1511 (10586) and 1607 (14393). Between these two builds, the GPO settings for Windows Update for Business and Windows Update Delivery Optimization (WUDO) have changed.
To configure WUDO, open Group Policy Management, expand Computer Configuration, and select Policies > Administrative Templates > Windows Components > Delivery Optimization. Note that you will only see the policy on Windows Server 2012 R2 machines if you copied the ADMX and AMDL templates to your Policy Definitions folder or to your Central Store.
These are the policies for Delivery Optimization on Windows 10 1511:
On Windows 10 1607, new policies have been added:
In addition, some polices were changed. The Download Mode policy in Build 1511 has these options available:
In 1607, the options changed to the following:
- HTTP Only
While 1607 introduces additional customizations to WUDO, the settings no longer align with earlier builds. In addition, the Defer Upgrades and Updates policy setting from build 1511, a single setting with two options, is now split into two separate policy settings, which, again, no longer align with earlier builds.
Assuming you will have different builds in production for a period of time, you may find that you need to manage these settings via GPOs. To do this, you need both the 1511 ADMX/ADML and 1607 ADMX/ADML templates. These need to be copied into the correct location in your Domain Controller's PolicyDefinitions folder.
If you are using a Central Store for PolicyDefinitions, you may want to take extra care here as it may impact replication. For the purposes of this article, we are using the default PolicyDefinitions location in the Domain Controller. More info on a Central Store can be found here.
You will need permission to modify your ProfileDefinitions folder, which will require you to take ownership from TrustedInstaller
Of course, you can just copy and paste, but if you intend to switch between the two policy versions frequently, you can use PowerShell to copy ADMX/ADML templates to your PolicyDefinitions folder before you create a new GPO.
First, we need to collect the relevant GPO template files. On your server, create a backup folder to hold the templates for both 1511 and 1607 (in my example, C:\backup).
Create a folder for each build of Windows 10.
On your 1511 Windows 10 machine, go to C:\Windows\PolicyDefinitions and find the following:
Inside the subfolder en-US, locate the following:
Copy these to the corresponding folder within your build folder.
Repeat the same process for a 1607 build machine.
Once you have done this, create a backup folder where want to store the templates. We are now ready to create our PowerShell script.
We are now ready to create the PowerShell script. First, we can define two folder paths: one to our backup folder and one to our PolicyDefinitions folder. Next, we prompt the admin to enter which version of the templates he or she would like to restore. We add a quick check to make sure we entered the version correctly, and we add a command to copy the files.
$policyDefFolder = "C:\Windows\PolicyDefinitions"
$backupFolder = "C:\backup"
$version = Read-Host -Prompt "Enter Version to Restore"
$source = $backupFolder + "\$version\*"
Write-Output "Error - Path Not Found"
Copy-Item $source $policyDefFolder -Recurse -Force
When you start the script, it will ask you to enter the build number of the templates you want to restore. If we enter 1511, the templates for that build will be moved to our PolicyDefinitions folder; if we enter 1607, the corresponding templates will be copied.
Whenever you have to create a GPO for a particular Windows 10 build, you can use the above script to copy the correct templates to your PolicyDefinitions folders. You can work with different containers for each build to ensure that the correct GPO is applied. However, whenever a machine is updated, you must move the computer to another container.
It is easier to use a WMI filter to ensure that a Windows 10 build receives the correct GPO. I have written more about how to create a WMI filter here. From within the Group Policy Management Console, find the WMI Filters section, right click it, select New, and enter a name for the WMI filter.
I have created two filters:
- Windows 10 Build 1511
- Windows 10 Build 1607
Inside the filter, we need to add a query. Right click the filter, and select Edit.
Here is the query we need to enter for Build 1511:
select * from Win32_OperatingSystem where VERSION = "10.0.10586"
This is the query we need to enter for Build 1607:
select * from Win32_OperatingSystem where VERSION = "10.0.14393"
As mentioned above, to make use of these two filters, we need to create two GPOs. Once again, inside the Group Policy Management Console, right click on Group Policy Objects, and select New. You can name the GPOs "Windows 10 Build 1511" and "Windows 10 Build 1607."
Now, select one of the policies in the tree, and switch to the Scope tab. Notice the WMI section at the bottom of the page. You can use the dropdown menu to select the WMI filter you want to assign to this policy.
We can now edit each policy to configure WUDO and the Defer Upgrade Settings ahead of time so that, as a build updates, the correct new Policy Settings are ready to be applied.
Using our script, we can very easily switch between each build's set of Policy Templates.