Windows 10 circumvents WSUS


Solution 1

Thank you for your question. It makes me feel that I'm not the only one who is in pain since the inception of Windows 10!

The solution is very simple: Ensure that your copy of Windows 10 1703 does not have any of the following value names listed under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

(These value names are checked against WindowsUpdate.admx for Windows 10 version 1703.)

 DeferFeatureUpdates
 DeferFeatureUpdatesPeriodInDays
 DeferQualityUpdates
 DeferQualityUpdatesPeriodInDays
 PauseFeatureUpdatesStartTime
 PauseQualityUpdatesStartTime
 ExcludeWUDriversInQualityUpdate

Quoting further from the same article "Why WSUS and SCCM managed clients are reaching out to Microsoft Online":

What just happened here? Aren’t these update or upgrade deferral policies?

Not in a managed environment. These policies are meant for Windows Update for Business (WUfB).

Windows Update for Business aka WUfB enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service.

We also recommend that you do not use these new settings with WSUS/SCCM.

If you are already using an on-prem solution to manage Windows updates/upgrades, using the new WUfB settings will enable your clients to also reach out to Microsoft Update online to fetch updates, bypassing your WSUS/SCCM end-point.

To manage updates, you have two solutions:

  1. Use WSUS (or SCCM) and manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment (in your intranet).
  2. Use the new WUfB settings to manage how and when you want to deploy updates and upgrades to Windows 10 computers in your environment directly connecting to Windows Update. — Rasheed, Shadab (9 January 2017) "Why WSUS and SCCM managed clients are reaching out to Microsoft Online". Windows Server Blog. Microsoft Corporation

Be advised that this article's list of Registry value names has typos. Use the value names given above instead.
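As an added example (not code from the question or either answer), the following PowerShell audits a client for the conflict Solution 1 describes: it reads the WSUS policy key, reports which of the listed WUfB value names are present, and can remove them. It assumes it is run elevated on the Windows 10 1703 client being checked; the function names are hypothetical and the list of value names is the one given above.

```powershell
# Added example: audit the WindowsUpdate policy key for the Windows Update for
# Business value names that, per Solution 1, must be absent on a WSUS-managed
# client, and optionally remove them. Assumption: run elevated on the client.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Value names listed in Solution 1 (checked against WindowsUpdate.admx for 1703).
$WufbValueNames = @(
    'DeferFeatureUpdates',
    'DeferFeatureUpdatesPeriodInDays',
    'DeferQualityUpdates',
    'DeferQualityUpdatesPeriodInDays',
    'PauseFeatureUpdatesStartTime',
    'PauseQualityUpdatesStartTime',
    'ExcludeWUDriversInQualityUpdate'
)

function Get-WufbPolicyConflict {
    <#
    .SYNOPSIS
    Reports the WUfB value names present under the WindowsUpdate policy key and
    whether the client is actually pointed at a WSUS server (the combination
    that makes the client also reach out to Windows Update online).
    #>
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $PolicyKey)) {
        Write-Warning "Policy key $PolicyKey does not exist; no WSUS policy is applied."
        return
    }

    $policy = Get-ItemProperty -Path $PolicyKey
    $au     = Get-ItemProperty -Path (Join-Path $PolicyKey 'AU') -ErrorAction SilentlyContinue

    # Only a WSUS-configured client is affected: WUServer set and AU\UseWUServer = 1.
    $wsusConfigured = (-not [string]::IsNullOrEmpty($policy.WUServer)) -and ($au.UseWUServer -eq 1)

    # Collect every listed value name that exists on this machine.
    $present = foreach ($name in $WufbValueNames) {
        if ($null -ne $policy.PSObject.Properties[$name]) {
            [pscustomobject]@{ Name = $name; Value = $policy.$name }
        }
    }

    [pscustomobject]@{
        WsusServer        = $policy.WUServer
        WsusConfigured    = $wsusConfigured
        ConflictingValues = @($present)
        DualScanRisk      = $wsusConfigured -and (@($present).Count -gt 0)
    }
}

function Remove-WufbPolicyConflict {
    <#
    .SYNOPSIS
    Deletes the conflicting WUfB values from the policy key. Supports -WhatIf.
    If a GPO writes these values, remove them from the GPO as well; otherwise
    the next policy refresh puts them back.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $report = Get-WufbPolicyConflict
    foreach ($item in $report.ConflictingValues) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$($item.Name)", 'Remove registry value')) {
            Remove-ItemProperty -Path $PolicyKey -Name $item.Name
        }
    }
}

# Usage:
#   Get-WufbPolicyConflict | Format-List
#   Remove-WufbPolicyConflict -WhatIf     # preview what would be deleted
#   Remove-WufbPolicyConflict             # delete, then run gpupdate /force
```

Run the audit first on a client that is known to be fetching from the Internet: a report with WsusConfigured set to True and a non-empty ConflictingValues list is the configuration Solution 1 warns about. Because the values usually come from a GPO, clean the GPO before or together with the registry, or the conflict returns at the next refresh.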

Solution 2

Dual Scan - this is the reasoning behind it ... such a pain. Fixed in our environment. https://batchpatch.com/deciphering-dual-scan-behavior-in-windows-10

Author by Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    I am gradually installing Windows 10 in an environment where users hate Windows 10. So, everything has to go perfect.

    This environment already used WSUS to deliver updates to Windows 7 and Windows 8.1 computers, as well as Windows Server 2008 R2 and Windows Server 2012 R2 servers. There was not a single problem.

    Then, I deployed Windows 10 1703 on three computers. And now, each month it is giving me a migraine! Windows 10 computers circumvent WSUS and download the update straight from the Internet, especially updates that I have not tested or approved, which pretty much defeats the purpose of having a WSUS.

    I tried:

    • Disabling delivery optimization using the group policy
    • Increasing the grace period
    • Forcing group policy updates on those computers times and again
    • Running Windows Update troubleshooter
    • Clearing the Windows Update cache (SoftwareDistribution)
    • Running Disk Cleanup and choosing "Windows Update Cleanup" (8 GB was cleaned)

    Here are my client settings:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate]
    "WUServer"="http://evolution-pit:8530"
    "WUStatusServer"="http://evolution-pit:8530"
    "UpdateServiceUrlAlternate"=""
    "SetActiveHours"=dword:1
    "ActiveHoursStart"=dword:8
    "ActiveHoursEnd"=dword:12
    "DeferFeatureUpdates"=dword:1
    "BranchReadinessLevel"=dword:20
    "DeferFeatureUpdatesPeriodInDays"=dword:b4
    "PauseFeatureUpdatesStartTime"=""
    "DeferQualityUpdates"=dword:1
    "DeferQualityUpdatesPeriodInDays"=dword:f
    "PauseQualityUpdatesStartTime"=""
    "DoNotConnectToWindowsUpdateInternetLocations"=dword:1
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU]
    "NoAutoUpdate"=dword:0
    "AUOptions"=dword:4
    "AutomaticMaintenanceEnabled"=dword:1
    "ScheduledInstallDay"=dword:0
    "ScheduledInstallTime"=dword:11
    "AllowMUUpdateService"=dword:1
    "UseWUServer"=dword:1
    "EnableFeaturedSoftware"=dword:0
    
    • Daniel B
      Daniel B over 6 years
      I assume your WSUS server fulfills the requirements...?
    • Admin
      Admin over 6 years
      Yeah. An update that supersedes KB3095113 and KB3159706 is installed. All Windows 10 clients report to WSUS and properly inventory their configurations. They even download from WSUS. But they also download from the Internet, which I don't want.
    • Daniel B
      Daniel B over 6 years
      There is supposedly a GPO setting called “Do not connect to any Windows Update Internet locations”. Do you have that enabled?
    • Admin
      Admin over 6 years
      Yes. It only disables the link that allows me to manually circumvent Windows Update on a case-by-case basis, as well as Windows Store.
    • Davidw
      Davidw over 6 years
      Could there be a conflict in the policies? You may want to run a GPResult report.
    • Admin
      Admin over 6 years
      @Davidw I do that quite often. (And I posted the actual policy effect on the Registry above, so any conflict would be visible in it.) As I said, it is a pilot deployment, so the policy set is extremely simple. One GPO called "WSUS vanilla" is in charge of setting all Windows Update settings for these clients. Windows 7 and 8.1 clients behave normally in its presence. Therefore, I don't think it is a server or policy issue at all. Rather, I believe it is a quirk of Windows 10 that must not be.
    • Admin
      Admin over 6 years
      Maybe I should delay the deployment until Update 1803 is out. (What are they calling it? "Destroyers Update"?)
  • Admin
    Admin over 6 years
    Alright. I am starting verification. First problem: The listed registry value names are wrong. I am going to find out their correct version. But DeferFeatureUpdate must be DeferFeatureUpdates. I'll edit the answer to reflect this when I am done.
  • Admin
    Admin over 6 years
    One system has started behaving! :) Hooray. Let's see what other systems do. I've approved an Adobe Flash update today.
  • Admin
    Admin over 6 years
    Of the four pilot computers, three have started behaving. One is still connecting to the Internet. So, I am giving your answer the green check-mark. Now, I must go about finding what's wrong with the last one.
  • Am_I_Helpful
    Am_I_Helpful over 6 years
    @FleetCommand - I don't want to repeat the same line that I've added at the top of my answer (you know how good their product is)! It's just that you'd have to take extra pain to find out the culprit. But, I'm very sure once you make the necessary changes as described here, it'll do the desired job. Good luck once again, :)
  • Patrick Mevzek
    Patrick Mevzek over 6 years
    Please provide at least the core of the explanations inline as text, not just with a link outside.
  • Admin
    Admin over 6 years
    I fixed that last computer too. I disconnected it from the network, deleted the whole Policies\Microsoft\Windows\WindowsUpdate key, and nudged Windows Update in the ribs until it acknowledged a policy change. Then, I went on and reset every single Windows Update setting to default. Next, I enabled the network connection with no gateway settings (so it won't connect to the Internet) and applied the policy. Finally... the Windows Update logs say WSUS is the default service.
  • Am_I_Helpful
    Am_I_Helpful over 6 years
    @FleetCommand - Cheers Friend. :)