A Reader Asks:
I have just upgraded from Windows 7 to Windows 10 and I notice under Windows Store, settings I am unable to turn off “Update apps automatically” under “App updates”. There is a message below saying: Contact your system administrator about changing this setting. My user is set to admin so I am not sure how to fix this. I am unable to access group policy editor as it appears not to be available on Windows 10 Home. Any advice?
With all of the Internet-connected Windows computers in the world today, Microsoft has faced challenges in keeping all of those machines as secure as possible. A significant number of those machines never see any security updates at all while others take a long time to get patched and remain vulnerable to malware, thus posing an even greater risk to other connected machines.
As a result, Microsoft has changed its patching scheme for the latest iteration of Windows in an effort to keep the window of vulnerability as small as possible.
Microsoft’s New Updating Methods
Throughout the entire Technical Preview a whole new scheme for updating Windows 10 was used. It involved fast and slow rings, which controlled how frequently updates were installed on the participant’s devices depending on which ring they belonged to. Now that Windows 10 is being sent out into the wild, update branches (described below) will be used to decide who gets updates at what time once they are available.
The most flexibility is with the Enterprise edition on the Long Term Servicing Branch (LTSB). This is only available for customers with a Volume Licensing Agreement (VLA) or Software Assurance (SA) and it allows any update to be postponed indefinitely.
In the middle, we have the Professional, Enterprise, and Education editions with the Current Branch for Business (CBB). It allows users to defer updates for an unspecified amount of time before they are forced onto the machines. This allows companies to test the security patches, fixes, and new features before rolling them out via Windows Server Update Services (WSUS) or other compatible patch management systems such as System Center Configuration Manager, thus allowing more company control while still making sure all updates eventually get rolled out.
And at the bottom of our list we have Windows 10 Home which uses the Current Branch (CB). It allows very little control over updates. The other issue that arises with the Home edition is that Microsoft has decided to apply the same behavior to all apps installed from the Store. A user can initiate an update check and install cycle, but you cannot select what updates will be applied. You simply get them all.
What You Can Do
At the time of this writing, there is no way to change the app update setting in the Home edition other than upgrading to Windows 10 Pro. Fortunately, Microsoft makes the upgrade to Pro relatively painless. Simply go to Settings > System > About > Change your product key or upgrade your edition of Windows (or Settings > Update & Security > Activation) > Go to Store. This will bring you to the Store page for the upgrade which will cost US $100. Surprisingly enough, searching for this upgrade in the Store doesn’t return any relevant results. After making the purchase, it will be delivered through the Store update mechanism.
If you don’t intend on using any of the additional features of the Pro version, any device you have running Win 10 Home will be able to successfully run Pro. There are additional requirements for specific features such as a Trusted Platform Module (TPM) version 1.2 or 2.0 or a USB drive to use BitLocker, or a minimum of 4 GB of RAM for Hyper-V to run virtual machines (only available with the 64-bit version).
It’s also worth noting that there are rumors that an incoming update due in September will allow Windows 10 Home users to deactivate automatic updates.
With all editions of Windows 10 except Home, you can change the app update setting on a per-user basis. To do so, open the Store, click/tap on your user icon at the top of the screen and click/tap Settings. Here, the App updates section is not grayed out and you can turn the selection for “Update apps automatically” on or off.
Group policy is a mechanism for larger organizations to control a large number of registry settings – and thus the behavior – of any number of machines on a network domain based on the user logged into the machine, the groups the user belongs to, and/or any groups that the machine belongs to. This offers an easier way to provide the proper operating environment for clerks in the warehouse, which is different from what the accountants in payroll see, and which differs from what the corporate executives use. It is part of Active Directory and was rolled out to the public with Windows 2000. There is also a local version that can be used on some editions of Windows, generally Professional and higher.
Previous builds during the development process included a setting in group policy to change the app update behavior machine-wide. It no longer exists in the release build nor are they included in the group policy administrative template files and reference spreadsheet released by Microsoft on July 30th.
I loaded the release build (10240) of both the Pro and Enterprise editions of Windows 10 into VirtualBox in order to find out if these settings were only removed from the Local Group Policy Editor, yet remained functional by manually editing the registry. In the image above, the top portion shows the group policy entries, while the bottom shows the values in the registry when both the automatic download and install of updates and the offer to update to the latest version of Windows options are turned off (enabled) under build 10041.
Manually entering the appropriate registry keys and values results in no change in behavior for the release version of Windows 10.
Unfortunately, for Windows 10 Home users, if you wish to have control over your Store app updates your only recourse is to upgrade to the Professional edition which will impact your wallet. However, this behavior may also have a significant impact over how easily malware spreads through Windows systems connected to the Internet. Only time will tell how well Microsoft’s choice works out.