11 June 2017

SCCM Software Updates - Windows 10 v1607 and Group Policy Issues

The following post is for professionals who use System Center Configuration Manager (SCCM) to manage their Software Updates. Even though some of what is mentioned is a tad "old", I thought I would put pen to paper as I was once again reminded of the problem this week. With more computers featuring Skylake or Kaby Lake processors, organisations will be forced to migrate to Windows 10, so this could still be relevant to them.


Background

Patching in Windows 10 RTM and v1511 was run of the mill. Then came the Anniversary Update, also known as v1607, and suddenly for many of us Windows 10 not only stopped patching, but was no longer even scanning WSUS. Reports showed the clients as not requiring the cumulative updates, which didn't make sense. Microsoft also released new administrative templates that deprecated some policy settings used by Windows 10 v1511. Information and documentation from Microsoft was scant or non-existent, which left many of us scouring the internet for hours looking for answers. All the talk was about Windows Update for Business (WUfB) and Delivery Optimization.

Eventually Microsoft fixed the bug in Windows Update Agent, which resolved the WSUS issue, but for those of us who use WSUS and SCCM to patch workstations there was still another problem.

Symptom

So you've installed the servicing stack update or a recent Windows 10 cumulative update, but you notice that your Windows 10 computers only install Office patches. If you check the compliance reports, the computers will show as not requiring the patch and are therefore Compliant. UpdatesDeployment.log only lists Office patches as missing; there is no mention of Windows patches. WUAHandler.log shows that the computers are scanning for updates.

The Problem

I mentioned earlier that Microsoft released new group policy administrative templates. They also changed how those policies now affect Windows Update Agent. The best article I've read about this problem is this:

https://blogs.technet.microsoft.com/windowsserver/2017/01/09/why-wsus-and-sccm-managed-clients-are-reaching-out-to-microsoft-online/ 

To summarise, WUfB stops the SCCM client from managing your updates, so make sure that none of the policies listed under the section "What you need to check" in that article are enabled. Microsoft threw us a curveball on this. Under Windows 10 v1511, enabling the equivalent policy "Defer Upgrades and Updates" did not impact the SCCM client, which caught some of us off guard when we moved to the next branch release.

-- Matt
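
One way to run the check described above on a client, as an added example that is not part of the original post or of Microsoft's article. It assumes the deferral and pause policies write the value names listed in `$wufbValues` under the Windows Update policy key; confirm the list against the linked article before relying on it.

```powershell
# Added example: report Windows Update for Business policy values on this machine.
# Assumption: the value names below are the ones the deferral/pause Group Policy
# settings write; confirm them against the article linked in the post.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$wufbValues = @(
    'DeferFeatureUpdates', 'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates', 'DeferQualityUpdatesPeriodInDays',
    'BranchReadinessLevel', 'PauseFeatureUpdates', 'PauseQualityUpdates',
    # v1511-era "Defer Upgrades and Updates" policy
    'DeferUpgrade', 'DeferUpgradePeriod', 'DeferUpdatePeriod'
)

function Get-WufbPolicyFinding {
    param([string]$Key = $policyKey, [string[]]$Names = $wufbValues)

    # No Windows Update policy key at all means nothing to report
    if (-not (Test-Path -Path $Key)) { return @() }

    $props = Get-ItemProperty -Path $Key
    foreach ($name in $Names) {
        # PSObject.Properties returns $null for absent values instead of throwing
        $p = $props.PSObject.Properties[$name]
        if ($null -ne $p) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Value    = $name
                Data     = $p.Value
            }
        }
    }
}

$findings = @(Get-WufbPolicyFinding)
if ($findings.Count -eq 0) {
    Write-Output 'No WUfB deferral or pause policy values found.'
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'WUfB policy values present; find the source GPO with: gpresult /h report.html'
}
```

The script reports values that are present rather than judging their data, so a machine upgraded from v1511 with a leftover "Defer Upgrades and Updates" setting shows up as well.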
