I understand and accept that Microsoft has changed patching in Windows 10, and I expect that Microsoft will make these same changes to their other products, including their new Server OS.
Microsoft has aggressively pushed Windows 10 in the consumer market by making it a free upgrade for both existing Windows 7 and Windows 8 machines and this has already reached many businesses that want the latest and greatest.
The majority of our in-house workstations have already been upgraded. I have requested that our customers don't upgrade yet as it prevents us from patching their machines, but we won't be able to hold them off for very long and it is just a matter of time before it will cost us customers.
The question I have for Kaseya is what are you doing about it?
The missing patch functionality in Windows 10 is important to us. Can we expect to see a solution for this before it is too late?
Do we have an update on this? Sounds like while VSA 9.2 can patch scan as well as approve patches for Windows 10 agents, Kaseya isn't able to deny patches as Windows 10 will eventually download denied/missing patches from the internet?
We can only scan and patch Win 10 ent. clients.
Win10 Pro doesn't work for patching, unfortunately.
The information posted in the 9.2 Roadmap Webinar Q&A is still accurate and can be found here:
Win10 Home Edition has been designed by MS to automatically patch. All other versions of Windows 10, including Win10 Pro, can be managed by Kaseya. MS has changed the methodology for patching the Win10 OS - specifically, MS will eventually automatically push any patches it deems necessary to the devices. However, admins can still configure patch policies and schedules to coordinate installs and delay the release of optional patches.
J. Muller, if you are having difficulties patching Win10 Pro endpoints, I recommend you open a ticket with Support so they can assist. With the exception of Home edition, all Win10 devices should allow for the same level of patching management.
So this leaves me totally confused, between the statement from the roadmap document:
"For other Windows 10 Editions, updates can be audited and applied, but Microsoft does not provide the ability to block specific updates as they do with other Windows Operating Systems."
and the statement in Brande's update:
"All other versions of Windows 10, including Win10 Pro, can be managed by Kaseya. MS has changed the methodology for patching the Win10 OS - specifically, MS will eventually automatically push any patches it deems necessary to the devices. However, admins can still configure patch policies and schedules to coordinate installs and delay the release of optional patches."
I guess if we tell Windows 10 (non-home) endpoints to not include optional patches, we can choose to push them with Kaseya, but we've got no ability to prevent patching - thanks Microsoft. Has anyone had any luck with scripting shutdown of the Windows Update service, to just block the entire patch mechanism of Windows via Kaseya Agent Procedure? Or does anyone have some notion that Kaseya will start supporting the mechanisms exposed to Windows Update for Business (WUB) to formally defer updates (aside from Security updates which we can never defer, prevent, or control on Windows 10 endpoints)... what a mess!
If you have endpoints running an OS other than Win10 and you want to prevent Win10 from upgrading the system, you will need to block (deny) the patches associated with the Windows 10 upgrade. Microsoft has released several versions of patches to push the Win10 upgrade, so I recommend you consult with Microsoft to ensure you deny all current KBs related to the Win10 upgrade and/or the Win10 GWX notification.
I do recommend using the KB Override function to block the KBs related to the upgrade/notification to ensure that any future variations of the patches with the same KB number are denied upon discovery. However, as MS has released several KBs over the past ~year, it is important to remain diligent with regard to these MS patches. You might consider subscribing to an RSS/listserv focused on patch management and/or MS patching. Patchmanagement.org is one I use regularly, but there are others out there. These lists may help inform you in the event MS releases or is preparing to release a new KB related to the Win10 upgrade - with a heads-up, you can add an upcoming patch to KB Override, even if there are no machines in your environment reporting that specific patch. It may allow you to stay a step ahead.
Simply Google the question and you will find registry updates that help prevent installation as well. You can then block the patches that start the process and run an agent procedure to make the registry changes. We have had no issues with managed systems getting prompted to upgrade.
Has there been any further news on this? We are not looking to block the Windows 10 update but, as with others in this thread, to use the VSA to patch manage Windows 10 endpoints.