Question about configuring Windows update w/ On prem WSUS in the picture

I have been testing OptiTune with the 10 trial licenses and have a question about Windows Update settings. My desire would be to replicate what is currently being handled by on prem WSUS. But I think I may have missed something.

I installed the OptiTune software on a computer yesterday morning. Yesterday afternoon, after verifying that it had indeed synced up with OptiTune in the cloud, I removed the Group Policy Object containing our organization's WSUS policy from that computer so that OptiTune could manage Windows updates. As soon as I did so and rebooted the computer, it immediately began fetching the Windows 10 1703 update (it was running 1607) as well as a few other .NET fixes.

However, my OptiTune settings should have prevented this. It is supposed to only check in on Friday at 8pm for updates. Attached to this post is a screenshot of my settings. Did I do something wrong here?

https://imgur.com/a/UlGmdglbp2ewo46f9.png

Comments

  • From what you describe, it sounds like Windows itself installed the update using the WSUS server.

    You can check to see if the OptiTune agent installed the update, however, by looking in the log file at
    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Bravura\Logs\OTService.log

    Next, look in the Windows Event log, or look at the diagnostic for Windows Automatic Update itself, to see if Windows installed the update (https://support.microsoft.com/en-us/help/3036646/how-to-read-windows-update-logs-in-windows-10-version-1607).

    At this point, our best guess is that the group policy settings are still allowing Windows itself to install updates. The "Group Policy" setting in the screenshot above will only update the "local" group policy setting. If you do have a conflicting group policy setting applied to the computer for Windows Automatic Updates, it could get overwritten when the computer boots up, for example, and contacts the domain controller. This setting is most useful when the computer is not joined to a domain.
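The checks suggested in the reply above, as an added PowerShell example that is not part of the original thread and is not OptiTune's own tooling. It reads the standard Windows Update policy registry values, lists the GPOs applied to the computer, and shows recent Windows Update client events; the status messages it prints are illustrative wording.

```powershell
# Added example (not from the thread). Run on the affected computer.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. no policy is set.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# Domain GPO and local group policy both write here, so this is the merged result.
$policy = [pscustomobject]@{
    WUServer             = Get-PolicyValue $wuKey 'WUServer'
    UseWUServer          = Get-PolicyValue $auKey 'UseWUServer'
    NoAutoUpdate         = Get-PolicyValue $auKey 'NoAutoUpdate'
    AUOptions            = Get-PolicyValue $auKey 'AUOptions'            # 4 = download and install on schedule
    ScheduledInstallDay  = Get-PolicyValue $auKey 'ScheduledInstallDay'  # 0 = every day, 1 = Sunday ... 6 = Friday
    ScheduledInstallTime = Get-PolicyValue $auKey 'ScheduledInstallTime' # hour of day, 20 = 8pm
}
$policy | Format-List

if ($policy.UseWUServer -eq 1 -and $policy.WUServer) {
    Write-Output "Still pointed at WSUS: $($policy.WUServer)"
} elseif ($null -eq $policy.AUOptions -and $null -eq $policy.NoAutoUpdate) {
    Write-Output 'No Automatic Updates policy present: Windows Update runs with its defaults.'
} elseif ($policy.AUOptions -eq 4) {
    Write-Output "Scheduled install: day $($policy.ScheduledInstallDay), hour $($policy.ScheduledInstallTime)"
}

# Which GPOs are applied to the computer (a domain GPO can overwrite local
# settings at boot). Computer scope needs an elevated prompt.
gpresult /r /scope computer

# Recent Windows Update client activity, newest first.
Get-WinEvent -LogName 'Microsoft-Windows-WindowsUpdateClient/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message | Format-List
```

Running it before and after a reboot shows whether a domain policy is rewriting the values once the computer contacts the domain controller.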
  • edited October 2017
    Hey there.

    Based on the OptiTune logs, it doesn't appear that OptiTune installed the update. Unfortunately, since the computer upgraded from 1607 to 1703, there are no logs that I can work with and the update history is wiped clean with every new major Windows 10 build.

    I have three questions regarding OptiTune's handling of updates:

    1. Assuming that a computer is given the settings that are in the picture above and there are no other settings applied via AD, GPO, local group policy or otherwise, will computers run a Windows update check and install only on Friday at 8pm and no other time?
    2. If a user manually navigates through the settings menu and hits "Check for Updates", will that computer respect the update filtering listed in the screenshot above, or will they grab everything Microsoft sends them as if they are an unmanaged client?
    3. If I have the following hierarchy:

    MainGroup
    -SubGroup
    --LowestGroup

    If I set MainGroup's Automatic Updates setting to ENABLED, but then I set SubGroup's Automatic Updates setting to DISABLED, which one takes precedence? Also, what if both are set to ENABLED but MainGroup's is for the 2nd day of every month while SubGroup is set to every Friday at 8pm? What will a client in LowestGroup do in that case?
  • To answer your questions:

    1) Yes, that is correct.
    2) Yes, that is correct, it will download updates as normal. I believe there are other GPO settings you can apply if you want to prevent end users from installing updates.
    3) Whenever you have a complex interaction of conflicting settings between groups, the group's priority number comes into effect. Each group in OptiTune has a priority number, and the settings are applied from lowest priority to highest priority group. If two groups have the same priority, then they are sorted alphabetically and applied in that order.

    To see the end result of various settings, go to "Server Settings" > "Advanced Settings" > "Inspect Computer Configuration" and select a computer you want to inspect. You will see the exact configuration that is sent to the OptiTune agent on that computer, and the XML is fairly readable.