Welcome to our new forums. If you are having any problems signing in or registering, please email us at customer_support@bravurasoftware.com

Question about configuring Windows update w/ On prem WSUS in the picture

I have been testing OptiTune with the 10 trial licenses and have a question about Windows Update settings. My desire would be to replicate what is currently being handled by on prem WSUS. But I think I may have missed something.

I installed the OptiTune software on a computer yesterday morning. Yesterday afternoon, after verifying that it had indeed synced up with OptiTune in the cloud, I removed the Group Policy Object containing our organization's WSUS policy from that computer so that OptiTune could manage Windows updates. As soon as I did so and rebooted the computer, it immediately began fetching the Windows 10 1703 update (it was running 1607) as well as a few other .NET fixes.

However, my OptiTune settings should have prevented this. It is supposed to only check in on Friday at 8pm for updates. Attached to this post is a screenshot of my settings. Did I do something wrong here?



  • bravurasoft
    Redmond, WA
    From what you describe, it sounds like Windows itself installed the update using the WSUS server.

    You can check to see if the OptiTune agent installed the update however, by looking in the log file at

    Next, look in the Windows Event log, or look at the diagnostic for Windows Automatic Update itself, to see if Windows installed the update (https://support.microsoft.com/en-us/help/3036646/how-to-read-windows-update-logs-in-windows-10-version-1607).

    At this point, our best guess is that the group policy settings are still allowing Windows itself to install updates. The "Group Policy" setting in the screenshot above will only update the "local" group policy setting. If you do have a conflicting group policy setting applied to the computer for Windows Automatic Updates, it could get overwritten when the computer boots up, for example, and contacts the domain controller. This setting is most useful when the computer is not joined to a domain.
  • HV_matt
    edited October 2017
    Hey there.

    Based on the OptiTune logs, it doesn't appear that OptiTune installed the update. Unfortunately, since the computer upgraded from 1607 to 1703, there are no logs that I can work with and the update history is wiped clean with every new major Windows 10 build.

    I have three questions regarding OptiTune's handling of updates:

    1. Assuming that a computer is given the settings that are in the picture above and there are no other settings applied via AD, GPO, local group policy or otherwise, will computers run a Windows update check and install only on Friday at 8pm and no other time?
    2. If a user manually navigates through the settings menu and hits "Check for Updates", will that computer respect the update filtering listed in the screenshot above, or will they grab everything Microsoft sends them as if they are an unmanaged client?
    3. If I have the following hierarchy:


    If I set MainGroup's Automatic Updates setting to ENABLED, but then I set SubGroup's Automatic Updates setting to DISABLED, which one takes precedence? Also, what if both are set to ENABLED but MainGroup's is for the 2nd day of every month while SubGroup is set to every Friday at 8pm? What will a client in LowestGroup do in that case?
  • bravurasoft
    Redmond, WA
    To answer your questions:

    1) Yes, that is correct.
    2) Yes, that is correct, it will download updates as normal. I believe there are other GPO settings you can apply if you want to prevent end users from installing updates.
    3) Whenever you have a complex interaction of conflicting settings between groups, the group's priority number comes into effect. Each group in OptiTune has a priority number, and the settings are applied from lowest priority to highest priority group. If two groups have the same priority, then they are sorted alphabetically and applied in that order.

    To see the end result of various settings, go to "Server Settings" > "Advanced Settings" > "Inspect Computer Configuration" and select a computer you want to inspect. You will see the exact configuration that is send to the OptiTune agent on that computer, and the XML is fairly readable.
Sign In or Register to comment.
© Copyright 2007 - 2018 Bravura Software LLC